
We use simplesamlphp as a service provider. We've integrated with a number of IdPs. Everything works fine.

Now we want to change our server architecture to load balancer -> webserver -> database server. The problem comes up when we put the load balancer in front of the webserver. The IdPs get an error.

The load balancer terminates https, which I believe is where the problem is happening. So when the load balancer sends the request to the webserver it is a regular http request.

When I log the initial happenings I get the following.

I'm going to simplify the XML a bit and include only the parts that were different.

With load balancer:

Session: 'idp-name' not valid because we are not authenticated.
Saved state: '_somelongstringofnumbersandletters'
Sending SAML 2 AuthnRequest to '{{their info}}'
Sending message:
    <samlp:AuthnRequest ... AssertionConsumerServiceURL="http://{{our-info}}">
        <saml:Issuer>http://{{our-info}}</saml:Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
    </samlp:AuthnRequest>

So, above, the only parts that differ between pointing to the load balancer and the webserver are http and https, respectively.

I wasn't sure if there was a way to have simplesamlphp just return https. Or will it always check the current state of the request and assume http?

Just to make sure I'm giving all the data. The process is initialized by the SP. So they just go to a url like https://oursite.com/idp-name. And we are always using https.

Let me know if I need to clarify something.

UPDATE

We solved the problem by NOT terminating the HTTPS request at the load balancer, and allowing the request to pass through to the servers. So our SSL certificates are directly on our Web servers and not the load balancer.

I couldn't get the solution given to work, but that could just be my own fault. We needed a solution quick, and not decrypting SSL on the load balancer was the easiest way.

  • Did your problem get solved? I am facing a similar kind of problem; it would be great if you can update what solution worked for you. Thanks!! – wanjarisushil May 26 '17 at 05:34
  • @wanjarisushil I made an update to the question. Not sure if it will help though. – James May 26 '17 at 17:41

1 Answer

James!

I believe you are using the load balancer as a reverse proxy, so make sure that in your config/config.php of SimpleSAMLphp you set the correct variables, and especially pay attention to baseurlpath:

    $config = array(

    /**
     * Setup the following parameters to match the directory of your installation.
     * See the user manual for more details.
     *
     * Valid format for baseurlpath is:
     * [(http|https)://(hostname|fqdn)[:port]]/[path/to/simplesaml/]
     * (note that it must end with a '/')
     *
     * The full url format is useful if your simpleSAMLphp setup is hosted behind
     * a reverse proxy. In that case you can specify the external url here.
     *
     * Please note that simpleSAMLphp will then redirect all queries to the
     * external url, no matter where you come from (direct access or via the
     * reverse proxy).
     */
    'baseurlpath' => 'https://sso.yourcompanyname.com/simplesaml/',
    ...

    ...

As well, make sure that the reply that goes back to the SP returns the correct protocol (https).

In fact, the error log would be helpful to understand whether my assumption is correct.
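An added example, not SimpleSAMLphp's own code and not from the answer above, that models the behaviour James asked about at the end of the question: an SP that infers its scheme from the request it actually received will emit http:// once the load balancer terminates TLS, whereas an absolute baseurlpath, as suggested in the answer, pins the external URL regardless of the proxied hop. The $_SERVER-shaped array, the host name and the ACS path are constructed; because an IdP checks the AssertionConsumerServiceURL against the SP's registered metadata, the script also compares each result with such a registered value.

```php
<?php
// Added example; not SimpleSAMLphp code. Models why an SP that derives its
// own URL from the incoming request advertises http:// once a load balancer
// terminates TLS, and how an absolute, configured base URL avoids that.

/**
 * Derive the SP's external base URL, always ending in '/'.
 * $server has the shape of $_SERVER; $baseUrlPath is the configured base
 * path, either relative ('/simplesaml/') or an absolute URL.
 */
function spBaseUrl(array $server, string $baseUrlPath): string
{
    // An absolute base URL is authoritative: the operator has stated the
    // external scheme and host, so nothing about the proxied request matters.
    if (preg_match('#^https?://#i', $baseUrlPath) === 1) {
        return rtrim($baseUrlPath, '/') . '/';
    }
    // Otherwise infer the scheme from the request as the webserver saw it.
    // Behind a proxy that terminated TLS, HTTPS is unset, so this yields http.
    // X-Forwarded-Proto is deliberately not consulted: it is only safe to
    // honour when the proxy is known to overwrite any client-supplied value.
    $https  = isset($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $scheme = $https ? 'https' : 'http';
    $path   = trim($baseUrlPath, '/');
    return $scheme . '://' . $server['HTTP_HOST'] . '/' . ($path === '' ? '' : $path . '/');
}

/** AssertionConsumerServiceURL placed in the AuthnRequest (assumed ACS path). */
function acsUrl(array $server, string $baseUrlPath): string
{
    return spBaseUrl($server, $baseUrlPath) . 'module.php/saml/sp/saml2-acs.php/default-sp';
}

// Constructed request environment as the webserver sees it behind the load
// balancer: the browser spoke https, but the forwarded hop is plain http.
$behindLb = [
    'HTTP_HOST'              => 'oursite.example',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    // no 'HTTPS' key: TLS was terminated upstream
];

// ACS URL the IdP has on file from the SP metadata (constructed value).
$registeredAcs = 'https://oursite.example/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp';

foreach (['/simplesaml/', 'https://oursite.example/simplesaml/'] as $baseUrlPath) {
    $acs     = acsUrl($behindLb, $baseUrlPath);
    $verdict = ($acs === $registeredAcs) ? 'matches' : 'does NOT match';
    echo "baseurlpath={$baseUrlPath}: {$acs} ({$verdict} registered ACS)\n";
}
```

Only the relative baseurlpath produces the mismatched http:// value; with the absolute setting the request environment is never consulted for the scheme.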
