Folks,

Sometimes our users get an exception presented by SimpleSAMLphp about "URL not allowed". The error is not reproducible for me. Neither in the development environment nor in the production environment can I force the system into this error. But it happens.

Investigating, I found in our syslog:

Feb 01 19:55:51 pweb simplesamlphp[25416]: 3 [061b91b3c6] Caused by: SimpleSAML\Error\Exception: URL not allowed: https://10.1.2.102/
Feb 01 22:22:53 pweb simplesamlphp[26347]: 3 [be1715d03f] Caused by: SimpleSAML\Error\Exception: URL not allowed: https://10.1.2.102/

The IP 10.1.2.102 is the IP of the webserver. In front of our webserver we have a reverse proxy (apache2), which passes all requests from the internet to https://10.1.2.102.

All I found about this error was to put the IP into config.php "trusted.url.domains". But this doesn't look correct to me. "trusted.url.domains" is for IDP-addresses only, I think.

Do you have a hint for me?

1 Answer

trusted.url.domains is for any redirects that SimpleSAML may perform. So it's really indeed about URL domains, not limited e.g. to IdPs.

The question is whether it works fine in your setup if SimpleSAML would redirect the user to https://10.1.2.102/ - that private IP will not work for them. But maybe your reverse proxy translates it back? If that is the case, you should be fine with adding the IP to trusted.url.domains.
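
As an added example (not part of the answer above and not SimpleSAMLphp's own code), this simplified model of an exact-host allowlist check shows why the URL from the syslog lines is rejected and what adding the IP to `trusted.url.domains` changes. The function name `isRedirectAllowed` and the public hostname `sso.example.org` are assumptions made for the illustration.

```php
<?php
// Added illustration, not SimpleSAMLphp code: a simplified exact-host
// allowlist check driven by a 'trusted.url.domains' style list.

function isRedirectAllowed(string $url, array $config): bool
{
    $parts = parse_url($url);
    // Reject malformed or relative URLs and non-web schemes in this model.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $trusted = array_map('strtolower', $config['trusted.url.domains'] ?? []);
    // Exact match on the host only: no suffix or substring matching.
    return in_array(strtolower($parts['host']), $trusted, true);
}

// Constructed configs; sso.example.org is a placeholder public hostname.
$before = ['trusted.url.domains' => ['sso.example.org']];
$after  = ['trusted.url.domains' => ['sso.example.org', '10.1.2.102']];

$urls = [
    'https://sso.example.org/',
    'https://10.1.2.102/',              // URL from the syslog lines
    'https://10.1.2.102.example.net/',  // different host, must stay rejected
];

foreach ($urls as $url) {
    printf(
        "%-34s before=%s after=%s\n",
        $url,
        isRedirectAllowed($url, $before) ? 'allowed' : 'rejected',
        isRedirectAllowed($url, $after) ? 'allowed' : 'rejected'
    );
}
```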