lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License

[HTTPS] /saml/login and the redirect URL after /saml/login_check are accessed using HTTP instead of HTTPS #88

Closed Oliboy50 closed 4 years ago

Oliboy50 commented 4 years ago

👋 we're running a (complex and huge) Symfony 3.4-based website which requires "lightsaml/sp-bundle": "1.2.0"

this website runs over HTTPS, which is a hard requirement for us; we even have an automatic redirection to HTTPS when we try to make an HTTP request

(not sure if this information is useful, but we use Okta as our identity provider)

the problem is that during the authentication process we see the following HTTP requests:

GET https://example.com/secured_url
GET http://example.com/saml/login
GET https://example.com/saml/login
GET https://example.com/saml/discovery
GET https://example.com/saml/login?idp=my_idp_entity_id
GET https://my-okta.com/app/my_app/my_id/sso/saml
POST https://example.com/saml/login_check
GET http://example.com/secured_url
GET https://example.com/secured_url

as you can see in these request logs (seen while using the SAML Tracer browser extension and trying to access a secured_url of our website), we have 2 requests (GET http://example.com/saml/login and GET http://example.com/secured_url) which are made over HTTP instead of HTTPS...

Is it a known issue or is it something that we should fix on our side? (I've already tried too many things, I couldn't fix it myself)

Here is our relevant configuration:

# routing.yaml

lightsaml_sp:
    resource: "@LightSamlSpBundle/Resources/config/routing.yml"
    prefix: /saml

logout:
    path: /logout

security:
  # ...
  firewalls:
    saml:
      pattern: ^/saml/
      security: false
    secured:
      pattern: ^/
      anonymous: false
      light_saml_sp:
        provider: db_provider
        user_creator: app.saml_user_creator
        attribute_mapper: app.saml_attribute_mapper
        login_path: /saml/login
        check_path: /saml/login_check
        default_target_path: /
        require_previous_session: true
      logout:
        path: /logout

# config.yaml

light_saml_symfony_bridge:
    own:
        entity_id: 'https://example.com/blabla'
        entity_descriptor_provider:
            # we use the service found here => https://github.com/lightSAML/SpBundle/issues/58#issuecomment-475561803
            id: app_entity_descriptor
        credentials:
            -
                certificate: "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"
                key:         "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.key"
                password:    ~
    party:
        idp:
            files:
                - '%kernel.root_dir%/../saml/okta.xml'
    store:
        id_state: app.saml_id_store

🙏

frostieDE commented 4 years ago

Did you check the ACS URL in your IdP? How do you provide information about your SP to your IdP? Is it entered manually or do you use metadata.xml?

Oliboy50 commented 4 years ago

it looks like the issue wasn't directly related to lightSAML

it seems that lightSAML leverages the Symfony\Component\HttpFoundation\Request::isSecure() method to check if the login_path URL should be generated using the http or https protocol

so one of the possible solutions is to define the following environment variable: HTTPS=on (which is understood by the "isSecure" method)

sorry for the noise 🙏

drjnet commented 3 years ago

@Oliboy50 hi, did you actually resolve this issue?

Oliboy50 commented 3 years ago

@drjnet I don't remember but, after reading my previous comment, it seems that I fixed my issue using the HTTPS environment variable (i.e. HTTPS=on)

drjnet commented 3 years ago

@Oliboy50 Thanks we're doing that in nginx conf e.g. fastcgi_param HTTPS on; but still no joy. This is 'one of those' issues, thanks for the reply we'll keep hacking at it.
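The isSecure() behaviour described in Oliboy50's comment, and the fastcgi_param HTTPS on; approach from the last comment, can be checked in isolation. The script below is an added example (not lightSAML code and not from this thread); it assumes symfony/http-foundation 3.4 installed via Composer, and the addresses and X-Forwarded-Proto header in it are constructed sample values.

```php
<?php
// Added example (not lightSAML code, not from the thread): what
// Symfony\Component\HttpFoundation\Request::isSecure() sees when PHP-FPM
// is reached over plain HTTP behind a TLS-terminating proxy.
// Assumes symfony/http-foundation 3.4 via Composer; the addresses and
// the X-Forwarded-Proto header below are constructed sample values.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Plain-HTTP request as FPM sees it; the hop before it was TLS.
function requestFrom($remoteAddr)
{
    return Request::create('http://example.com/saml/login', 'GET', [], [], [], [
        'REMOTE_ADDR'            => $remoteAddr,
        'HTTP_X_FORWARDED_PROTO' => 'https',
    ]);
}

function report($label, Request $r)
{
    // getSchemeAndHttpHost() is the base that generated login_path URLs use.
    printf("%-18s isSecure=%-5s base=%s\n", $label,
        var_export($r->isSecure(), true), $r->getSchemeAndHttpHost());
}

// 1. Default: no trusted proxies, no HTTPS server variable -> http://example.com
report('no hint', requestFrom('10.0.0.5'));

// 2. The thread's fix: the web server exports HTTPS=on to FPM
//    (fastcgi_param HTTPS on;). Any value other than "off" counts as TLS.
$r = requestFrom('10.0.0.5');
$r->server->set('HTTPS', 'on');
report('HTTPS=on', $r);

// 3. Alternative: trust the proxy's address range so Symfony reads
//    X-Forwarded-Proto from it (HEADER_X_FORWARDED_PROTO limits which
//    forwarded headers are honoured).
Request::setTrustedProxies(['10.0.0.0/8'], Request::HEADER_X_FORWARDED_PROTO);
report('trusted proxy', requestFrom('10.0.0.5'));

// 4. The same header from an address outside the trusted range is ignored,
//    so a client cannot claim a TLS hop it never had.
report('untrusted source', requestFrom('203.0.113.9'));
```

Cases 2 and 3 both yield isSecure=true and https://example.com; cases 1 and 4 stay on http://, which is exactly the mixed-scheme pattern in the request log above.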