FastCGI responder issue with absolute handlerURL

[confusedmatrix]

Description of Issue/Question

My shibboleth SP is sitting being a reverse proxy and in order to avoid the issue of mismatched assertion consumer service URLs, I have set the handlerURL on Sessions directive to the absolute URL of the shibresponder route using the proxy hostname.

Setup

I am using the basic nginx config given in https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst

My Sessions directive in shibboleth2.xml start with:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" handlerURL="https://proxy-hostname.com/Shibboleth.sso">

The error I receive is "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests."

Any ideas on what I might try to resolve this issue?

[davidjb]

Absolute handlerURLs are fine for use; this issue is probably related to #22 (or your location /Shibboleth.sso {} block needs checking to ensure you're passing the correct params though).

I'd suggest taking a look at the conversation at #22 -- in particular, my comments about checking config and then the other users' later comments about port configuration (especially since you are reverse proxying). In particular, the current Shibboleth SP code determines your scheme (eg http or https) based upon your SERVER_PORT and it's limited to 443/8443. If that's the source of your problem, try https://github.com/nginx-shib/cpp-sp/commit/c63f1ca437cb2090cc5e5fb6c8bd961c0345bb51 and see if that solves the issue.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.