Thread: Error Endpoint mismatch from fronting Tomcat with Apache

  1. #1
    Join Date
    Jan 2013
    Posts
    7

    Error Endpoint mismatch from fronting Tomcat with Apache

    Hi,

    I have a web app running in Tomcat which is behind Apache. I set in Apache configuration that any requests to "http://xxx.cbu.uib.no/yyy" will be forwarded to "http://test.abcd.uib.no:7070" which is my web app.

    The problem is: when the IDP sends the response back to the web app using HTTP-POST, this error is thrown:

    ERROR o.o.c.b.d.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'http://xxx.cbu.uib.no/yyy/saml/SSO/alias/defaultAlias' did not match the recipient endpoint 'http://test.abcd.uib.no:7070//saml/SSO/alias/defaultAlias'

    I think it is because of my setup (Tomcat is behind Apache).

    I would like to ask if anyone has the same setup and how to get rid of this problem?

    Best,
    patch

  2. #2
    Join Date
    Mar 2013
    Posts
    7

    I am running the same configuration (HTTP to port 9080 on Tomcat) and ran into the same issue.

    To fix the problem, I had to do the following:

    1. On the Apache side, set the directive:
    ProxyPreserveHost On

    2. On the Tomcat side, add the following attributes to your Connector element in server.xml:
    secure="true"
    scheme="https"
    proxyPort="443"
    Last edited by rcc; Apr 22nd, 2013 at 09:31 AM.

  3. #3
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    147

    Hi,

    One solution is described in chapter 4.14 of the manual. You provide an alternative version of the SAMLContextProvider and tell it what the public URL is. This approach should work for all load balancers and reverse proxies.

    Vladi
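
The following is an added example, not code from any poster or from the SAML library. It is a simplified Python model of the Destination check, run against the URLs from the error message in post #1. It compares three deployments: the plain proxy, the public host preserved as in post #2, and the public URL configured as in post #3. The function names, the port 80 default and the three scenarios are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Values copied from the error message in post #1.
DESTINATION = "http://xxx.cbu.uib.no/yyy/saml/SSO/alias/defaultAlias"
BACKEND_PATH = "//saml/SSO/alias/defaultAlias"   # path as the backend logged it


def recipient_url(scheme, host, port, path):
    """Rebuild the URL the SP believes it was called on (default port omitted)."""
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def normalise(url):
    """Scheme, host, effective port and path: the parts that must agree."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS[parts.scheme], parts.path)


def destination_matches(destination, recipient):
    return normalise(destination) == normalise(recipient)


def scenarios():
    """Recipient URL under three assumed deployments of the post #1 mapping."""
    urls = {
        # Apache rewrites Host to the backend; the SP sees its internal address.
        "plain proxy": recipient_url("http", "test.abcd.uib.no", 7070, BACKEND_PATH),
        # ProxyPreserveHost On: public host arrives, but the /yyy prefix is
        # still stripped because the app is mapped at the backend root.
        "host preserved": recipient_url("http", "xxx.cbu.uib.no", 80, BACKEND_PATH),
        # SP told its public scheme, host, port and context path explicitly.
        "public URL configured": recipient_url(
            "http", "xxx.cbu.uib.no", 80, "/yyy/saml/SSO/alias/defaultAlias"),
    }
    return {name: (url, destination_matches(DESTINATION, url))
            for name, url in urls.items()}


if __name__ == "__main__":
    for name, (url, ok) in scenarios().items():
        print(f"{name:22} {'match' if ok else 'MISMATCH'}  {url}")
```

In this model the check passes only once scheme, host, port and context path all reflect the public URL. The Destination comparison itself stays enabled in every scenario.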
