Shibboleth ignores the ServerName in my AssertionConsumerServiceURL

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Shibboleth ignores the ServerName in my AssertionConsumerServiceURL

I had a shibboleth SP installation that was working great on a Suse installed with apache 2.2 and shibboleth 2.5.3.

Now we had to migrate to a different server where we have an Ubuntu 14, apache 2.4 and shibboleth 2.5.3.

We are behind a Netscaler that executes the SSL offloading for us so when the message arrives on the server where shibboleth is installed we use just http.

I added the following configuration to my apache2.conf file:

ServerName https://<server-name>:443
UseCanonicalName On

But shibboleth seems to ignore this and use http in the AuthnRequest:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://<server-name>/Shibboleth.sso/SAML2/POST" Destination="" ID="_a10c33a000f094990c134fc8d55ed70f" IssueInstant="2016-10-03T09:47:51Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="1" />

This gives a mismatch with the URL configured at the IDP, which causes following error:

StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder
StatusMessage No peer endpoint available to which to send SAML response

Now I already tried to alter my Sessions attributes (putting handlerSSL to "true" then it generates the correct URL in the AuthnRequest, but then the shibboleth expects incoming messages over https, but the netscaler already did the SSL offloading...

Is there a way to force shibboleth to use the https in the AuthnRequest?
Before it was possible and he took the value from the ServerName property of Apache, but it seems like he doesn't want this anymore...