Subject: Shibboleth Users
- From: daniel rahmeh <>
- To: shibboleth-users <>
- Subject: [Shib-Users] shibboleth-sp behind an HAproxy
- Date: Tue, 25 Jan 2011 20:30:44 +0100
I have an Apache webserver running behind an HAproxy load-balancer.
The HAproxy is configured, with stunnel on it, to relay client requests
to the webserver on http(80), example:
(in fact the stream between HAproxy and the webserver is not encrypted)
I installed an SP on my webserver and configured it to talk with my
IdP (all in https). Then I got two problems:
1. The first one is that after the user gets authenticated, the IdP tries to
find an HTTP endpoint
(http://Myapplication.com/Shibboleth.sso/SAML2/POST) and not an HTTPS
endpoint, thus returning an error saying: 'No peer endpoint available
to which to send SAML response'
2. To fix the problem I forced the SP to request the response on https
by setting the handlerssl option to true. Indeed, the IdP sends the
SAML response this time to the https endpoint
(https://Myapplication.com//Shibboleth.sso/SAML2/POST), but when the
request hits the SP I get a redirect loop.
I can understand the behavior but I want to know if there is a
workaround or something I can do to make it work.
Sorry for making it long, and thank you.