Reverse proxy, looping issue


Reverse proxy, looping issue

Johan Widell
Hi,
We have trouble setting up Shibboleth with reverse proxy.

We have a reverse proxy with the following parameters:

https://frontend.dev.com/Shibboleth.sso/        TO: https://backend.dev.com/Shibboleth.sso/

https://frontend.dev.com/api/        TO: https://backend.dev.com/phl/

When I call https://frontend.dev.com/api/ I get redirected to the IdP, but when I sign on I get an endless loop.

When I check the Shibd.log I get the following:

2015-05-04 10:46:04 INFO Shibboleth.AttributeExtractor.XML [16]: skipping unmapped SAML 2.0 Attribute with Name: LoginMethod, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2015-05-04 10:46:04 DEBUG Shibboleth.SessionCache [16]: creating new session
2015-05-04 10:46:04 DEBUG Shibboleth.SessionCache [16]: storing new session...
2015-05-04 10:46:04 DEBUG XMLTooling.StorageService [16]: inserted record (session) in context (_8a01ad14275608df2c57ed54e33790e9) with expiration (1430733664)
2015-05-04 10:46:04 DEBUG XMLTooling.StorageService [16]: inserted record (_012acf2d498ff5dd66be08201e2032617b) in context (NameID) with expiration (1430757964)
2015-05-04 10:46:04 INFO Shibboleth.SessionCache [16]: new session created: ID (_8a01ad14275608df2c57ed54e33790e9) IdP (https://m00-mg-local.testidp.funktionstjanster.se/samlv2/idp/metadata/0/0) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (x.x.x.x)
2015-05-04 10:46:04 DEBUG XMLTooling.StorageService [16]: deleted record (7259cb4c25eabec05ca2a9b2cc1ce7f67a0fa639a73526ae65f05425befce1a6) in context (RelayState)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (17a66adf4f76b8c447a2e58816a0cb64644237c93276659e902384a2d0bff9d5) in context (RelayState) with expiration (1430729765)
2015-05-04 10:46:05 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [16]: evaluating message flow policy (replay checking on, expiration 60)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (_01ea37bf7256f608ac872c01b4c3554ebd) in context (MessageFlow) with expiration (1430729404)
2015-05-04 10:46:05 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [16]: evaluating message flow policy (replay checking on, expiration 60)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (_01dd61bd2eb8e7bae2ad1320fe2036a41d) in context (MessageFlow) with expiration (1430729404)
2015-05-04 10:46:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [16]: validating signature profile
2015-05-04 10:46:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [16]: signature verified against message issuer
2015-05-04 10:46:05 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [16]: assertion satisfied bearer confirmation requirements
2015-05-04 10:46:05 WARN Shibboleth.AttributeDecoder.String [16]: skipping empty AttributeValue
2015-05-04 10:46:05 INFO Shibboleth.AttributeExtractor.XML [16]: skipping unmapped SAML 2.0 Attribute with Name: Subject_CountryName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2015-05-04 10:46:05 WARN Shibboleth.AttributeDecoder.String [16]: skipping empty AttributeValue
2015-05-04 10:46:05 INFO Shibboleth.AttributeExtractor.XML [16]: skipping unmapped SAML 2.0 Attribute with Name: Issuer_OrganizationName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2015-05-04 10:46:05 WARN Shibboleth.AttributeDecoder.String [16]: skipping empty AttributeValue
2015-05-04 10:46:05 INFO Shibboleth.AttributeExtractor.XML [16]: skipping unmapped SAML 2.0 Attribute with Name: CertificateSerialNumber, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2015-05-04 10:46:05 WARN Shibboleth.AttributeDecoder.String [16]: skipping empty AttributeValue
2015-05-04 10:46:05 INFO Shibboleth.AttributeExtractor.XML [16]: skipping unmapped SAML 2.0 Attribute with Name: Subject_OrganisationName, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2015-05-04 10:46:05 INFO Shibboleth.AttributeExtractor.XML [16]: skipping unmapped SAML 2.0 Attribute with Name: LoginMethod, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2015-05-04 10:46:05 DEBUG Shibboleth.SessionCache [16]: creating new session
2015-05-04 10:46:05 DEBUG Shibboleth.SessionCache [16]: storing new session...
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (session) in context (_4a8dd8f447cb92b60429a96c6a4a260d) with expiration (1430733665)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (_01fae6d4b91a8a009a1771c0fcefc57f60) in context (NameID) with expiration (1430757965)
2015-05-04 10:46:05 INFO Shibboleth.SessionCache [16]: new session created: ID (_4a8dd8f447cb92b60429a96c6a4a260d) IdP (https://m00-mg-local.testidp.funktionstjanster.se/samlv2/idp/metadata/0/0) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (x.x.x.x)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: deleted record (17a66adf4f76b8c447a2e58816a0cb64644237c93276659e902384a2d0bff9d5) in context (RelayState)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (adddda5b8df5abc6f97ac34ec3341751eb040a83e62ca3b43f4393432597a23c) in context (RelayState) with expiration (1430729765)

Shibboleth seems to be removing the record and then creating a new one.

If I try https://frontend.dev.com/Shibboleth.sso/Status I just get that I do not have a valid session.

Has anyone seen this before?

Regards
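As an added example (not part of the original post or of the Shibboleth project), here is a small Python check over shibd.log lines like the ones quoted above: it parses each line, groups "new session created" events per thread and IdP, counts RelayState insert/delete churn, and flags the create-then-recreate pattern that indicates the client is being bounced between SP and IdP instead of landing on the protected resource. The sample log is constructed from the excerpt (session IDs and the IdP URL are made up), and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# shibd.log layout seen in the post: "<date> <time> <LEVEL> <component> [<thread>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<comp>\S+) \[(?P<thread>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"new session created: ID \((?P<sid>[^)]+)\) IdP \((?P<idp>[^)]+)\)")
RELAY_RE = re.compile(r"(inserted|deleted) record \([0-9a-f]+\) in context \(RelayState\)")

def find_loops(lines, window_seconds=10, min_sessions=2):
    """Flag threads that create several sessions against the same IdP within
    a short window while also churning RelayState records: the signature of a
    client being bounced between SP and IdP instead of landing on the resource.
    Returns [(thread, idp, session_count, relaystate_ops, span_seconds)]."""
    sessions = defaultdict(list)   # (thread, idp) -> timestamps of session creation
    relay_ops = defaultdict(int)   # thread -> RelayState insert/delete count
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a shibd line (blank or wrapped); skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        sm = SESSION_RE.search(m["msg"])
        if sm:
            sessions[(m["thread"], sm["idp"])].append(ts)
        elif RELAY_RE.search(m["msg"]):
            relay_ops[m["thread"]] += 1
    findings = []
    for (thread, idp), stamps in sorted(sessions.items()):
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        if len(stamps) >= min_sessions and span <= window_seconds:
            findings.append((thread, idp, len(stamps), relay_ops[thread], span))
    return findings

# Constructed sample modelled on the post's excerpt (IDs and IdP URL are made up).
SAMPLE_LOG = """\
2015-05-04 10:46:04 DEBUG Shibboleth.SessionCache [16]: creating new session
2015-05-04 10:46:04 INFO Shibboleth.SessionCache [16]: new session created: ID (_aaa1) IdP (https://idp.example.org/idp) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (x.x.x.x)
2015-05-04 10:46:04 DEBUG XMLTooling.StorageService [16]: deleted record (7259cb4c) in context (RelayState)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (17a66adf) in context (RelayState) with expiration (1430729765)
2015-05-04 10:46:05 INFO Shibboleth.SessionCache [16]: new session created: ID (_bbb2) IdP (https://idp.example.org/idp) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (x.x.x.x)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: deleted record (17a66adf) in context (RelayState)
2015-05-04 10:46:05 DEBUG XMLTooling.StorageService [16]: inserted record (adddda5b) in context (RelayState) with expiration (1430729765)
2015-05-04 10:50:00 INFO Shibboleth.SessionCache [17]: new session created: ID (_ccc3) IdP (https://idp.example.org/idp) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (x.x.x.x)
"""

if __name__ == "__main__":
    for thread, idp, n, relay, span in find_loops(SAMPLE_LOG.splitlines()):
        print(f"thread {thread}: {n} sessions against {idp} in {span:.0f}s, {relay} RelayState ops -> probable loop")
```

A healthy login produces one session per thread and the RelayState record is deleted once; repeated creation within a second or two, as here, points at the proxy rewriting or losing the session cookie or the handler URL between the frontend and backend hostnames.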