SAML error: SAML message intended destination endpoint did not match the recipient endpoint #265

Closed
jat255 opened this issue Jan 21, 2021 · 3 comments
jat255 commented Jan 21, 2021

I am fairly naive about SAML and the spring framework in general, but I am trying to configure our ShinyProxy server to use my organization's SAML server, and I'm receiving the following error after what appears to be a successful authentication:

```text
2021-01-21 19:22:52.748 ERROR 1 --- [ XNIO-1 task-1] o.o.c.b.decoding.BaseSAMLMessageDecoder : SAML message intended destination endpoint 'https://myapphost/saml/SSO' did not match the recipient endpoint 'http://myapphost/scheduler/saml/SSO'
```

The issue appears to be with something related to the https/http protocol being mismatched. This app is behind an Apache reverse proxy, which from what I've read might be causing the issue. The RP redirects from https://myhostname/myapp to the exposed Docker host port 8888 (as defined in my application.yml file).

The Apache config for this reverse proxy is:

```apache
# Websocket stuff
# Needs the rewrite and proxy_wstunnel modules.
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /scheduler/(.*)    ws://127.0.0.1:8888/myapp/$1 [P,L]

#
# Docker stuff for the scheduler.  Requires the proxy_http
# module to be enabled.
ProxyPass /myapp http://127.0.0.1:8888/myapp
ProxyPassReverse /myapp http://127.0.0.1:8888/myapp
```

Some related pages I've found in my search:

Here is my application.yml (with some private information changed/removed):

```yaml
proxy:
  authentication: saml
  title: My app
  favicon: file:///opt/shinyproxy/templates/favicon.ico
  admin-groups: admins
  logo-url: file:///opt/shinyproxy/templates/my_logo.png
  template-path: /opt/shinyproxy/templates/mytemplate
  bind-address: 0.0.0.0
  port: 8888
  # change the landing-page to restrict shinyproxy to one application:
  landing-page: /myapp/app/myapp
  saml:
    idp-metadata-url: <URL TO metadata XML>
    app-entity-id: <MY APP's DEPLOYMENT PATH>
    app-base-url: <MY APP's DEPLOYMENT PATH>
    name-attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    roles-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
  support:
    mail-to-address: myemailaddress@me.com
  docker:
    internal-networking: true
    container-network: shinyproxy-net
  container-log-path: ./container-logs
  specs:
    - id: myapp
      display-name: My tool
      description: Description for my app
      container-cmd: ["R", "-e", "shiny::runApp('/root')"]
      container-image: my-image
      container-network: "${proxy.docker.container-network}"

# for email
spring:
  mail:
    host: my.smtp.server
    # TLS: 587 SSL: 465 Plain: 25
    port: 25

server:
  useForwardHeaders: true
  forward-headers-strategy: native
  servlet.session.timeout: 3600
  servlet:
    context-path: /myapp

logging:
  file:
    shinyproxy.log
```

I have tried this with ShinyProxy 2.4.3 deployed in Docker using the following Dockerfile:

```dockerfile
FROM openjdk:8-jre

RUN mkdir -p /opt/shinyproxy/
RUN wget https://www.shinyproxy.io/downloads/shinyproxy-2.4.3.jar -O /opt/shinyproxy/shinyproxy.jar
COPY application.yml /opt/shinyproxy/application.yml
COPY templates/ /opt/shinyproxy/templates/

WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]
```

Any ideas if I can fix this issue by changing a configuration setting somewhere?

LEDfan commented Jan 22, 2021

Hi @jat255

This error typically happens when you access ShinyProxy through a load balancer or reverse proxy on a different path (/URL) than the one that is configured in ShinyProxy. I think this is also the case here.
For example, this is the case when you access ShinyProxy using https://mydomain/scheduler and the proxy forwards these requests to https://mydomain/myapp.

There are two solutions to this:

  • streamline all configuration.
    • make sure the contextpath which is configured in ShinyProxy is also the contextpath you will effectively use when accessing ShinyProxy. Let's say you access ShinyProxy at /abcd, then ensure that the proxy is set up to forward requests at /abcd to /abcd on ShinyProxy and make sure you configure the contextpath in ShinyProxy to be /abcd.
    • ShinyProxy should know that it is accessed over HTTPS, even if the reverse proxy accesses ShinyProxy over HTTP. This is done using the X-Forwarded-Proto and X-Forwarded-For headers. I see you already have ShinyProxy configured to check for these headers, however, I think you also have to configure apache to set the correct headers (see https://webmasters.stackexchange.com/a/107445 and https://serverfault.com/a/257643/261145 or any other resource).
  • use the Spring SAMLContextProviderLB option (Support for load balancer and maxAuthenticationAge in SAML containerproxy#32). I think you already chose this route.
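To make the mismatch from the log in the first post and the path point in this reply concrete, here is an added Python model (illustration only, not ShinyProxy, Spring or Apache code) of how an application behind a reverse proxy reconstructs the recipient endpoint of a SAML response and compares it with the Destination the IdP wrote into the message. It assumes the de-facto X-Forwarded-Proto / X-Forwarded-Host headers (which Apache's mod_headers can set with `RequestHeader set X-Forwarded-Proto "https"`), a placeholder hostname, and that a forward-headers setting like the one in the posted application.yml is what toggles `use_forward_headers`.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """What the servlet container sees on one request arriving from the proxy."""
    scheme: str                      # transport the proxy used to reach the app (http here)
    host: str
    path: str                        # context path + servlet path as the app receives it
    headers: dict = field(default_factory=dict)


def recipient_endpoint(req: Request, use_forward_headers: bool) -> str:
    """Rebuild the URL the app believes the browser POSTed the SAML response to.
    With forward headers enabled, X-Forwarded-Proto/Host from the proxy take precedence."""
    scheme, host = req.scheme, req.host
    if use_forward_headers:
        scheme = req.headers.get("X-Forwarded-Proto", scheme)
        host = req.headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{req.path}"


def check_destination(destination: str, req: Request, use_forward_headers: bool = True):
    """Return (ok, detail). The Destination the IdP placed in the response must be
    byte-for-byte equal to the endpoint the app reconstructed for itself."""
    recipient = recipient_endpoint(req, use_forward_headers)
    if destination != recipient:
        return False, (f"SAML message intended destination endpoint '{destination}' "
                       f"did not match the recipient endpoint '{recipient}'")
    return True, recipient


# Constructed scenarios mirroring the thread; hostname and paths are placeholders.
DESTINATION = "https://myapphost/myapp/saml/SSO"   # derived from app-base-url at the IdP


def scenarios() -> dict:
    plain = Request("http", "myapphost", "/myapp/saml/SSO")          # proxy sets no headers
    fwd = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "myapphost"}
    forwarded = Request("http", "myapphost", "/myapp/saml/SSO", fwd)
    # headers are right, but the app is reached on a path other than app-base-url's
    wrong_path = Request("http", "myapphost", "/scheduler/saml/SSO", fwd)
    return {
        "no_forward_headers": check_destination(DESTINATION, plain),
        "headers_set": check_destination(DESTINATION, forwarded),
        "context_path_mismatch": check_destination(DESTINATION, wrong_path),
    }


if __name__ == "__main__":
    for name, (ok, detail) in scenarios().items():
        print(f"{name:24s} {'OK ' if ok else 'ERR'} {detail}")
```

The third scenario shows that setting the headers alone does not help when the context path the app is reached on differs from the one in app-base-url; both scheme and path have to line up.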

jat255 commented Jan 22, 2021

@LEDfan thanks for the response!

RE: your first point, I believe I have all my configuration set up correctly; not changing scheduler to myapp in my posted Apache config was just an artifact of not fully redacting my config files, whoops! What I don't think I have set up is the X-Forwarded-Proto and X-Forwarded-For headers on Apache. I believe I have it working using the SAMLContextProviderLB option, but I would rather be able to use the native ShinyProxy build so we have fewer things to maintain. I'll give the headers a shot and report back here if it works.

jat255 commented Jan 22, 2021

Ok, I've added those headers and confirmed things seem to be working properly. Thank you for your help!

@jat255 jat255 closed this as completed Jan 22, 2021