On 08/05/2016 06:06 PM, Adam Young wrote:
Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.

OK, this is due to the SAML request:


<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_5089011BEBD0F6B82074F67E904F598D"
                    Version="2.0"
                    IssueInstant="2016-08-05T21:55:18Z"
                    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
                    ForceAuthn="false"
                    IsPassive="false"
                    AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"
                    >
    <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>


My guess is HA proxy is not passing on the proper, and the
mod_auth_mellon does not know to rewrite it from 5000 to 13000

You can't change the contents of a SAML AuthnRequest; often they are signed. Also, the AssertionConsumerServiceURLs and other URLs in SAML messages are validated to assure they match the metadata associated with the EntityID (issuer). The addresses used inbound and outbound have to be correctly handled by the proxy configuration without modifying the content of the message being passed on the transport.


--
John
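
The check John describes, as an added example that is not part of the thread and not mod_auth_mellon's or Keycloak's own code: an IdP-side validator that looks up the Issuer's EntityID in the SP metadata it has on file and accepts the AuthnRequest only if its AssertionConsumerServiceURL is one of the registered ACS endpoints. It uses the AuthnRequest quoted above; the SP metadata document is constructed for the example (modelled on what a mellon SP publishes under .../mellon/metadata, but hypothetical), and proxy_rewrites_port is a stand-in for what a proxy would have to do to "fix" the port in the message body, included only to show that it is rejected.

```python
"""Added example, not from the thread or from mod_auth_mellon/Keycloak:
validate a SAML AuthnRequest's AssertionConsumerServiceURL against the SP
metadata registered for its Issuer, the way an IdP does.  Python 3 stdlib only."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# The AuthnRequest quoted in the thread (unsigned here; a real one may carry a Signature).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_5089011BEBD0F6B82074F67E904F598D" Version="2.0"
    IssueInstant="2016-08-05T21:55:18Z"
    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
    ForceAuthn="false" IsPassive="false"
    AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse">
  <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed SP metadata (hypothetical): what the IdP has on file for this EntityID.
# Note the ACS Location carries the :5000 port the SP itself advertised.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def registered_acs_urls(metadata_xml):
    """Return {entityID: {ACS Location, ...}} parsed from one SP metadata document."""
    root = ET.fromstring(metadata_xml)
    locations = {acs.get("Location")
                 for acs in root.iterfind(".//md:AssertionConsumerService", NS)}
    return {root.get("entityID"): locations}


def validate_authn_request(request_xml, registry):
    """The IdP-side check: Issuer must be a known EntityID and the
    AssertionConsumerServiceURL must be one of its registered ACS endpoints.
    The comparison is an exact string match, so scheme, host and port all count."""
    root = ET.fromstring(request_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    acs_url = root.get("AssertionConsumerServiceURL")
    if issuer not in registry:
        return False, "unknown Issuer %r" % issuer
    if acs_url not in registry[issuer]:
        return False, "AssertionConsumerServiceURL %r is not registered for %r" % (acs_url, issuer)
    return True, "ok"


def proxy_rewrites_port(request_xml, old, new):
    """Stand-in for a proxy patching the port inside the message body.
    Shown only to demonstrate that the IdP then rejects the request
    (and a signed request would additionally fail signature verification)."""
    return request_xml.replace(old, new)


if __name__ == "__main__":
    registry = registered_acs_urls(SP_METADATA)
    print(validate_authn_request(AUTHN_REQUEST, registry))
    rewritten = proxy_rewrites_port(AUTHN_REQUEST,
                                    ":5000/v3/mellon/postResponse",
                                    ":13000/v3/mellon/postResponse")
    print(validate_authn_request(rewritten, registry))
```

The first call succeeds and the second fails with the :13000 URL reported as unregistered, which is the situation the thread is in: the proxy cannot repair the message, so the SP has to generate its mellon endpoint URLs with the proxy-facing host and port in the first place and publish metadata that matches them.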

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
