[Shib-Users] shibboleth-sp behind an HAproxy


  • From: daniel rahmeh <>
  • To: shibboleth-users <>
  • Subject: [Shib-Users] shibboleth-sp behind an HAproxy
  • Date: Tue, 25 Jan 2011 20:30:44 +0100

Hello,

I have an Apache web server running behind an HAProxy load balancer.
The HAProxy is configured, with stunnel on it, to relay client requests
to the web server on http (80), example:

https://Myapplication.com/
-------------https----------------->(HAProxy:443+Stunnel)
------------http----------------> (ApacheWebserver:80)
(in fact the stream between HAProxy and the web server is not encrypted)

I installed an SP on my web server and configured it to talk with my
IdP (all in https). Then I got two problems:

1. The first one is, after the user gets authenticated, the IdP tries to
find an HTTP endpoint
(http://Myapplication.com/Shibboleth.sso/SAML2/POST) and not an HTTPS
endpoint, thus returning an error saying: 'No peer endpoint available
to which to send SAML response'.

2. To fix the problem I forced the SP to request the response on https
by setting the handlerSSL option to true. Indeed, the IdP sends the
SAML response this time to the https endpoint
(https://Myapplication.com//Shibboleth.sso/SAML2/POST), but when the
request hits the SP I get a redirect loop.

I can understand the behavior, but I want to know if there is a
workaround or something I can do to make it work.

Sorry for making it long, and thank you.
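Added example, not from the original post and not a reply from the list: both symptoms above are what the SP produces when it derives its own handler URLs from the scheme and port Apache sees on the backend hop (plain http on port 80) instead of what the browser used at the proxy. With handlerSSL="true" the SP rewrites the URL to https, but it still sees the handler request arrive over http, redirects to https, and the proxy hands the next request over as http again, hence the loop. One way to address that, assuming Apache with mod_shib on the backend, is to tell Apache and the SP what the public-facing scheme and port are. ServerName with a scheme and port, UseCanonicalName and ShibURLScheme are existing Apache / Shibboleth SP directives (check that your SP release carries ShibURLScheme; if not, the ServerName form alone is the documented route). The host name and ports are taken from the post's diagram; the document root, the /secure location and the assumption that handlerSSL stays at true in shibboleth2.xml are mine.

```apache
# Added example (not from the original post): backend Apache vhost that
# receives plain HTTP from HAProxy/stunnel but must publish https URLs.
# Hostname Myapplication.com and ports 80/443 come from the post's diagram.

# Before: what the post's setup implies. Apache sees http on port 80, so
# mod_shib computes http://Myapplication.com/Shibboleth.sso/... (symptom 1).
# With handlerSSL="true" the SP forces https into the URL but still sees the
# handler request arrive over http, redirects to https, and the proxy delivers
# it as http once more (symptom 2, the redirect loop).
#
# <VirtualHost *:80>
#     ServerName Myapplication.com
#     ...
# </VirtualHost>

# After: tell Apache (and therefore mod_shib) that the canonical public
# scheme and port are https/443 even though the socket is plain HTTP on 80.
<VirtualHost *:80>
    # Scheme and port in ServerName are only honoured with UseCanonicalName On;
    # Apache then reports https/443 when it builds self-referential URLs.
    ServerName https://Myapplication.com:443
    UseCanonicalName On

    # Belt and braces for mod_shib: override the scheme it uses when it
    # computes its own handler URLs, independent of what the socket says.
    ShibURLScheme https

    DocumentRoot /var/www/Myapplication   # assumed path, not from the post

    # Standard handler mapping for the SP's own endpoints
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Assumed protected area; requireSession forces a login for it
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

Two caveats for this layout. First, the post itself notes that the HAProxy to Apache leg is unencrypted: the SAML response and the SP session cookie travel in clear on that segment, so it should be a trusted network path, not a shared one. Second, once Apache no longer sees TLS, the SP cannot infer that the session cookie should be marked Secure; setting cookieProps="https" on the Sessions element in shibboleth2.xml (an assumption about your configuration, not something the post shows) keeps the cookie off any plain-http request a client might make to port 80.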


