SAML authentication fails because of mismatching URLs

[ulysseus-eu]

Hello,

While preparing a ready made docker-compose of indigo-iam for European Universities, I stumbled upon a rather blocking issue.

I have put indigo-iam behing an nginx proxy and have http/https mismatch error at SAML authentication time:

ERROR 7 --- [io-8080-exec-10] o.o.c.b.decoding.BaseSAMLMessageDecoder  : SAML message intended destination endpoint 'https://idp.ulysseus.eu/saml/SSO' did not match the recipient endpoint 'http://idp.ulysseus.eu/saml/SSO'

Still my nginx configuration is forwarding https in headers

  location / {
    proxy_pass              http://indigo:8080;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        Host $http_host;
}

And my base URLs are all https

# The IAM web application base URL
IAM_BASE_URL=https://${IAM_HOST}

# The OpenID Connect issuer configured for this IAM instance.
# This must be equal to IAM_BASE_URL
IAM_ISSUER=https://${IAM_HOST}

Have you got any idea of how I could correct this behaviour?

[rmiccoli]

Hi,
I think this is a known problem for us.

In your configuration file, you should define two environment variables (if you haven't already set them up):
IAM_USE_FORWARDED_HEADERS=true
IAM_CLIENT_USE_FORWARDED_HEADERS=true (for the Test Client application)

They are needed to forward headers behind a reverse proxy.

FYI: In INDIGO IAM v1.8.0 the name of these two variables has changed due to the Spring update.

IAM_FORWARD_HEADERS_STRATEGY=native
IAM_CLIENT_FORWARD_HEADERS_STRATEGY=native

[ulysseus-eu]

I was on v1.8 and did use the old naming convention, that was it, thank you !