Some SSL load balancers and accelerators can cause errors by changing the scheme used when assertions are POST'ed to assertion consumer services. This is because a request for https://sptest.tut.fi/path/to/Shibboleth.sso/SAML/POST would be intercepted and handled by the SSL accelerator/load balancer, and the resulting query will then be passed on to the web servers hosting information behind it as http://sptest.tut.fi/path/to/Shibboleth.sso/SAML/POST. The result is that the Shibboleth module can't handle the request properly even though the metadata and configuration are correct because the web server doesn't have an adequate understanding of its environment.
The Shibboleth module needs to be informed that the information it's receiving from the web server has been altered by the deployment environment to handle SSL load balancers/accelerators properly. This can be done for Apache by specifying ShibURLScheme https within the appropriate <VirtualHost> in httpd.conf. For IIS, this must be specified directly in shibboleth.xml by modifying the <Site> element:
<Implementation> <ISAPI normalizeRequest="true"> <Site id="1" name="sptest.tut.fi" scheme="https"/> </ISAPI> </Implementation>