June 29, 2021
SAML Error in CF2021

Hello, I am attempting to set up SAML integration, and have been receiving an error during ProcessSAMLResponse:

coldfusion.saml.SamlResponseHandler$SamlResponseException: The response was received at http://…….. instead of https://……….. at coldfusion.saml.SamlResponseHandler.handleLoginResponse(SamlResponseHandler.java:218) at coldfusion.saml.SamlResponseHandler.handleResponse(SamlResponseHandler.java:127) at coldfusion.saml.SAMLServiceImpl.ProcessSAMLResponse(SAMLServiceImpl.java:502) at coldfusion.runtime.CFPage.ProcessSAMLResponse(CFPage.java:17502)

Everything is happening over HTTPS, and the ACS url is definitely https on the IDP side (Okta) and I have tried this on two different ColdFusion servers. Does anyone know what might be causing this? One server uses Apache to proxy over to CF and the other uses nginx. I'm pretty sure that neither use https during the proxy. Could this be the reason?

6 Comments
2023-09-19 15:03:18

OK… We now have this working correctly (we think anyway).

So, we ensured that NGINX was passing the headers we need:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;

That ensured we got the http://my-domain is not https://my-domain error.

So we replaced the server.xml file in /opt/coldfusion/cfusion/runtime/conf with our own ensuring we had

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" requestAttributesEnabled="true" />

In there… that is the bit that told CF that it WAS running securely…

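A model of the check this thread is fighting, added here as an example (it is not ColdFusion's or Tomcat's own code; the function names and the private-range trust list are assumptions): without RemoteIpValve the container only knows its own plain-http listener, so the reconstructed receive URL stays http no matter what nginx forwards; with the valve, and only when the direct peer is a trusted proxy, X-Forwarded-Proto is honoured and the ACS comparison passes.

```python
import ipaddress
from urllib.parse import urlsplit

# Tomcat's RemoteIpValve only honours X-Forwarded-* headers sent by a trusted
# proxy; its default internalProxies pattern covers these private ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def effective_scheme(headers, peer_ip, valve_enabled, listener_scheme="http"):
    """Scheme the container reports for the request.

    Without the valve it only knows its own listener, which is plain http
    behind a TLS-terminating proxy. With the valve it trusts X-Forwarded-Proto,
    but only when the direct peer is one of the trusted proxies.
    """
    if not valve_enabled:
        return listener_scheme
    peer_trusted = any(ipaddress.ip_address(peer_ip) in n for n in TRUSTED_PROXIES)
    if peer_trusted and headers.get("X-Forwarded-Proto", "").lower() == "https":
        return "https"
    return listener_scheme

def received_at(headers, path, peer_ip, valve_enabled):
    """URL the SAML handler reconstructs for where the response arrived."""
    return f"{effective_scheme(headers, peer_ip, valve_enabled)}://{headers['Host']}{path}"

def check_acs(expected_acs, headers, path, peer_ip, valve_enabled):
    """None if the reconstructed URL matches the expected ACS URL, else the
    error text in the shape the thread quotes."""
    got = received_at(headers, path, peer_ip, valve_enabled)
    e, g = urlsplit(expected_acs), urlsplit(got)
    if (e.scheme, e.netloc.lower(), e.path) == (g.scheme, g.netloc.lower(), g.path):
        return None
    return f"The response was received at {got} instead of {expected_acs}"

# Constructed sample: nginx at 10.0.0.5 forwards to CF with the headers from
# the thread; the ACS URL is the https one registered on the Okta side.
HEADERS = {"Host": "my-domain.example", "X-Forwarded-For": "203.0.113.7",
           "X-Forwarded-Proto": "https"}
ACS = "https://my-domain.example/saml/acs.cfm"

if __name__ == "__main__":
    # Headers alone (no valve): still the http-vs-https error from the thread.
    print(check_acs(ACS, HEADERS, "/saml/acs.cfm", "10.0.0.5", valve_enabled=False))
    # Headers plus RemoteIpValve: match, prints None.
    print(check_acs(ACS, HEADERS, "/saml/acs.cfm", "10.0.0.5", valve_enabled=True))
```

The trust check is the part worth keeping when you copy the valve line: the container must not honour X-Forwarded-Proto from arbitrary clients, so keep internalProxies limited to the hosts that actually terminate TLS.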
2023-09-19 13:48:55

Did anyone find a solution to this? We're seeing this at the moment. As far as I can see I have NGINX sending all the relevant headers but it's still coming up with this?

Alternatively, does anyone know how ColdFusion builds the URL to check against?

2022-08-18 23:03:00

Great advice, Charlie. Found this link that did help.

https://stackoverflow.com/questions/39781715/saml-and-forced-ssl

2021-08-19 01:36:19

Justin, did you ever resolve things? It would help for folks to hear, either way.

2021-06-30 20:15:03

I'd not seen this before, but in searching just a portion of that error, "The response was received at HTTP", I find this issue has been raised by many not using CF but as a wider issue about SAML processing, whether with Okta or not, and seemingly not specific to any web server.

If you look at this discussion in github with many different people raising the issue, it sure feels like the issue for you would be related to something outside of CF either changing the port for the request (as it gets to CF), or something changing (or failing to set) expected forwarding headers, like X-Forwarded-For. Take a look at that thread and see if any ideas jump out at you. (And look closely at what you have removed above with the …, as you may see a port in one and not in the other, which may help you if it’s indeed the port issue.)

If those are not it, just search for that string, quoted: “The response was received at HTTP”, and you will find the many other discussions of this on the wider web.

Sorry it’s not “the answer”, but maybe someone else who has experienced the problem may chime in with more specifics. If you do resolve it, I hope you will write back here to let future readers learn from your experience.
