Some SSL load balancers and accelerators can cause errors by changing the scheme used when assertions are POST'ed to assertion consumer services. This is because a request for https://sptest.tut.fi/path/to/Shibboleth.sso/SAML/POST
would be intercepted and handled by the SSL accelerator/load balancer, and the resulting query will then be passed on to the web servers hosting information behind it as http://sptest.tut.fi/path/to/Shibboleth.sso/SAML/POST
. The result is that the Shibboleth module can't handle the request properly even though the metadata and configuration are correct because the web server doesn't have an adequate understanding of its environment.
The Shibboleth module needs to be informed that the information it's receiving from the web server has been altered by the deployment environment to handle SSL load balancers/accelerators properly.
- Apache httpd: For older versions of Apache httpd (up to 2.0) you can specify
ShibURLScheme https
within the appropriate<VirtualHost>
inhttpd.conf
. From Apache httpd Version 2.1 on the scheme (and port) is given as part of theServerName
directive, e.g.ServerName https://sptest.tut.fi:443 UseCanonicalName On
- For IIS, this must be specified directly in
shibboleth.xml
by modifying the<Site>
element:<Implementation> <ISAPI normalizeRequest="true"> <Site id="1" name="sptest.tut.fi" scheme="https"/> </ISAPI> </Implementation>