morincer / teamcity-plugin-saml

The plug-in adds ability to authenticate users by SAML-based SSO providers (like Okta, Onelogin etc.)
MIT License

X-FORWARDED-HOST seems to be ignored on callback #82

Closed chrsin closed 3 years ago

chrsin commented 3 years ago

When using TeamCity behind a reverse proxy I find the following in the log:

The response was received at http://localhost/app/saml/callback/ instead of https://myhostname.tld/app/saml/callback/
processResponse error. invalid_response

The reverse proxy should be setting the X-FORWARDED-HOST header on the request. So I'm thinking there is a check somewhere that should include a check against the X-FORWARDED-HOST (In case it is set).

I've set up the SAML settings to point to the public hostname for the callback since it is the only public facing website the browser can access.

I'm using version 1.3.2-20210112083822 of your excellent plugin! 🥇

morincer commented 3 years ago

Hi @chrsin , sorry for the delay with the response - I was on vacation :)

The issue is known when working behind LB/proxy and it's not a bug in the plugin - please check https://github.com/onelogin/java-saml#working-behind-load-balancer. You have two options:

  1. Configure your proxy server so it preserves the original hostname on redirect
  2. Disable strict mode for the plugin.

chrsin commented 3 years ago

No worries. Hope you had a good one. I'll see if I can get it working. Not too impressed with using IIS as reverse proxy so far though. :D Thanks for your response

chrsin commented 3 years ago

Is disabling strict mode only disabling the hostname check? Or does it affect anything else? I'm having a hard time understanding the repercussions of disabling it. :)

morincer commented 3 years ago

Well, these guys at https://github.com/onelogin/java-saml#properties-file are not very detailed in what the strict mode does, but it's definitely not only checking the hostname.

chrsin commented 3 years ago

Dang not sure I wanna turn it off then. Have tried with both nginx and IIS. But I keep getting:

ERROR - The response was received at http://myhostname.tld/app/saml/callback/ instead of https://myhostname.tld/app/saml/callback/
ERROR - processResponse error. invalid_response

Do you know if the TeamCity instance needs to be running on https for this to work? Cause part of the reason for having the reverse proxy in front for us is not having to deal with tomcat configurations. :D
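As an added example (not from this thread or the plugin), the nginx proxy location that implements morincer's option 1 above, preserving the original hostname, and also forwards the original scheme, which is what the remaining http-vs-https mismatch in the last log line comes down to. The upstream address `teamcity:8111` and the public hostname are assumed.

```nginx
# Added example: nginx in front of TeamCity, with the plugin's strict mode left ON.
# Assumed values: public host myhostname.tld (from the thread), upstream teamcity:8111.
server {
    listen 443 ssl;
    server_name myhostname.tld;
    # ssl_certificate / ssl_certificate_key assumed to be configured here

    location / {
        proxy_pass http://teamcity:8111;

        # WEAK (default behaviour when no headers are set): nginx sends the
        # upstream address as the Host header, so Tomcat/java-saml reconstruct
        # the request URL as http://<upstream>/app/saml/callback/, which does
        # not match the Destination of the SAML response -> "invalid_response".
        #
        # CORRECTED: hand the original hostname and scheme to the backend, so
        # the reconstructed URL is https://myhostname.tld/app/saml/callback/.
        proxy_set_header Host              $host;   # keep myhostname.tld, not the upstream name
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme; # "https", so the callback is not seen as http
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Forwarding `X-Forwarded-Proto` only helps if the Tomcat under TeamCity is configured to trust it (a `RemoteIpValve` or `RemoteIpFilter` with the proxy's address as a trusted internal proxy); without that, the host matches but the scheme is still reported as http, exactly as in the second log excerpt.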