February 25, 2025
ColdFusion SAML fails to send the response over HTTPS instead it sends response over HTTP

When configuring SAML-based Single Sign-On (SSO) in ColdFusion, you might encounter an issue where the SAML response is sent over HTTP instead of HTTPS. The issue occurs in the following request flow:

Request -> HTTPS -> Load Balancer -> HTTP -> Apache -> HTTP -> ColdFusion

The SAML workflow is initiated successfully using initSAMLAuthRequest. However, when the response is processed, you might see an error like this:

The response was received at http://SAMLURL/index.cfm instead of https://SAMLURL/index.cfm.

Even though the initial request was made over HTTPS, the response URL uses HTTP. This happens because TLS is terminated at the load balancer, and ColdFusion (running on Tomcat) only sees the plain HTTP connection between Apache and itself, not the original HTTPS request from the client. It therefore builds the expected AssertionConsumerService URL with the http scheme, which does not match the https URL the identity provider posted the response to.

Solution:

We can use RemoteIPValve for Apache Tomcat.

Its original purpose is access logging: when a request arrives from a trusted proxy, it swaps the connection's client IP for the address carried in the X-Forwarded-For header. With the protocolHeader attribute set, it does the same for the scheme: if X-Forwarded-Proto says https, Tomcat marks the request as secure and uses the https scheme, so ColdFusion computes the SAML response URL correctly. The valve only honors these headers when the request comes from an address matching its internalProxies pattern, which by default covers private (RFC 1918) and loopback ranges, so the same headers sent by an arbitrary client are ignored.

Loading it is pretty easy. Just add the org.apache.catalina.valves.RemoteIpValve to your server.xml before your AccessLogValve declaration:

server.xml is located at {ColdFusion-Home}\cfusion\runtime\conf.

<Engine defaultHost="localhost" name="Catalina" jvmRoute="cfusion">
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" />

Save the file and restart ColdFusion. ColdFusion will now correctly recognize HTTPS requests behind the load balancer, provided the load balancer (or Apache) actually sets X-Forwarded-Proto on the forwarded request. This simple but effective setup ensures your SAML responses always reflect the proper HTTPS URL, preventing protocol mismatch errors.
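To make the valve's trust boundary concrete, here is a simplified Python model of what RemoteIpValve does with protocolHeader set. This is an added example, not Tomcat's or Adobe's code; the request shape, the 203.0.113.x client addresses and the host name SAMLURL are constructed.

```python
import re
from dataclasses import dataclass

# Default internalProxies pattern of Tomcat's RemoteIpValve: RFC 1918 ranges,
# link-local and loopback. Only requests arriving from one of these addresses
# have their X-Forwarded-* headers honoured.
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)

@dataclass
class Request:
    remote_addr: str          # TCP peer as Tomcat sees it (Apache, in this setup)
    headers: dict             # header name -> value, names lower-cased
    scheme: str = "http"      # what ColdFusion sees without the valve
    secure: bool = False
    server_port: int = 80     # constructed: port of the plain HTTP hop from Apache

def apply_remote_ip_valve(req, protocol_header="x-forwarded-proto",
                          https_value="https", http_port=80, https_port=443):
    """Simplified model of RemoteIpValve with protocolHeader set (not Tomcat's code)."""
    if not INTERNAL_PROXIES.fullmatch(req.remote_addr):
        return req  # untrusted peer: forwarded headers are ignored entirely
    # Resolve the client address from X-Forwarded-For, right to left,
    # dropping the internal proxy hops (load balancer and Apache here).
    xff = [v.strip() for v in req.headers.get("x-forwarded-for", "").split(",") if v.strip()]
    while xff and INTERNAL_PROXIES.fullmatch(xff[-1]):
        xff.pop()
    if xff:
        req.remote_addr = xff.pop()
    # Resolve the original scheme from the protocol header.
    proto = req.headers.get(protocol_header)
    if proto is not None:
        proto = proto.split(",")[0].strip().lower()
        if proto == https_value:
            req.scheme, req.secure, req.server_port = "https", True, https_port
        else:
            req.scheme, req.secure, req.server_port = "http", False, http_port
    return req

def saml_response_url(req, host="SAMLURL", path="/index.cfm"):
    """URL ColdFusion would expect the SAML response at, built from what it sees."""
    default = 443 if req.scheme == "https" else 80
    port = "" if req.server_port == default else f":{req.server_port}"
    return f"{req.scheme}://{host}{port}{path}"

if __name__ == "__main__":
    via_proxy = Request("127.0.0.1", {"x-forwarded-for": "203.0.113.7, 10.0.0.5",
                                      "x-forwarded-proto": "https"})
    print(saml_response_url(apply_remote_ip_valve(via_proxy)))  # https://SAMLURL/index.cfm
```

Without the valve (or without X-Forwarded-Proto on the forwarded request) the same call yields http://SAMLURL/index.cfm, which is the mismatch in the error above.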
