ACS URL mismatch with http and https with SSL Offloading in AWS
Not sure if this is the correct forum for Shibboleth support, but I've been trying to get an implementation up and running for a customer and haven't had luck finding a solution elsewhere.
I have most of the configuration working; I'm able to redirect to our customer's IdP. The problem I'm running into is that the metadata we've given them (that we've generated) specifies an HTTPS ACS URL and I am seeing in the shibd.log a samlp auth request but the url in that object is showing http.
One way I was able to get past this was to set handlerSSL to true. The customer was able to log in and, presumably, authenticate. But the SAML assertion failed because when I set handlerSSL to true, for some reason, it disables the /Shibboleth.sso/ endpoints. They all 404, even if I hit them locally.
So handlerSSL=true lets customers authenticate, but the Shibboleth.sso endpoints 404.
handlerSSL=false: auth fails because there is a mismatch between the samlp auth request I mentioned and the metadata we provide.
We definitely want this over https, so I don't want to just change the sp metadata we provide to http, even though that would seemingly solve this issue.
This is a site migration to AWS so I'm wondering if this is a config issue with how we are handling SSL Offload. We are using Apache and terminating SSL at the load balancer. This is the first problem we've run into though and other routing seems fine.
I can provide any additional snippets, if those will help. I appreciate any and all advice. Thanks in advance!
Re: ACS URL mismatch with http and https with SSL Offloading in AWS
The issue was caused from the SSL Offload we were doing with the AWS load balancer. We needed to explicitly set the Apache ServerName to https://website.com and then shibboleth started setting that ACS URL correctly.
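The following script is an added diagnostic, not code from either poster: it extracts the AssertionConsumerServiceURL from a decoded SAML AuthnRequest (a constructed sample standing in for the one seen in shibd.log) and compares it with the AssertionConsumerService Location in the SP metadata. The scheme mismatch it reports is exactly the http-versus-https symptom from the thread, and the same check run after the ServerName change should come back clean.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample SP metadata: the ACS given to the IdP uses https.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://website.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://website.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample AuthnRequest as the SP emits it when Apache, behind an
# offloading load balancer, only sees plain http: the scheme has degraded.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="http://website.com/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""


def metadata_acs_locations(metadata_xml):
    """Every ACS Location the SP advertises to the IdP."""
    root = ET.fromstring(metadata_xml)
    return {acs.get("Location") for acs in root.iterfind(".//md:AssertionConsumerService", NS)}


def request_acs_url(authn_request_xml):
    """The ACS URL the SP asked the IdP to post the response back to."""
    return ET.fromstring(authn_request_xml).get("AssertionConsumerServiceURL")


def check_acs_match(metadata_xml, authn_request_xml):
    """Return (ok, detail): ok only if the requested ACS is advertised verbatim."""
    requested = request_acs_url(authn_request_xml)
    published = metadata_acs_locations(metadata_xml)
    if requested in published:
        return True, "ACS URL matches metadata"
    req = urlsplit(requested)
    for loc in published:
        pub = urlsplit(loc)
        # Same host and path but a different scheme is the SSL-offload symptom.
        if (pub.netloc, pub.path) == (req.netloc, req.path) and pub.scheme != req.scheme:
            return False, f"scheme mismatch: request uses {req.scheme}, metadata uses {pub.scheme}"
    return False, f"{requested} is not an advertised ACS"
```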