Univention Bugzilla – Bug 56229
SAML SP in UMC cannot be forced to use https (behind ssl offloading proxy)
Last modified: 2023-07-14 16:59:18 CEST
The SAML SP in UMC figures out the protocol (http/https) for the URL used as `AssertionConsumerServiceURL` in the AuthNRequest of an SP-initiated SAML SSO based on the currently used protocol scheme. Quote from the code (5.0-4):

```
Tries to preserve the current scheme (HTTP/HTTPS)
```

See https://github.com/univention/univention-corporate-server/blob/7397c6aad0fe7ba2db82ae958581954c4f372c5f/management/univention-management-console/src/univention/management/console/saml.py#L383

When UCS is running behind an SSL offloading reverse proxy, "http" is used, when in fact an "https" based link in AssertionConsumerServiceURL is required.

A UCR option enforcing https could be a solution?
(In reply to Thorsten from comment #0)

> When UCS is running behind an SSL offloading reverse proxy, "http" is used,
> when in fact an "https" based link in AssertionConsumerServiceURL is required.

So you have a reverse proxy which proxies to http://$UCS/univention/saml/… !?!

> A UCR option enforcing https could be a solution?

Yeah, that is imaginable. A current workaround is to set a request header "X-UMC-HTTPS: on" in your reverse proxy. But expect it to break somewhen™. I want to change this to use more official headers so that we can use the original handling of Tornado.
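The following is an added example, not UCS/UMC code and not from either commenter. It models the scheme selection the two comments discuss: the "X-UMC-HTTPS: on" workaround header, the conventional X-Scheme / X-Forwarded-Proto headers that Tornado consults when its HTTPServer is started with xheaders=True (Tornado takes the last comma-separated entry, which the example mirrors), and the UCR-style "force https" switch proposed in comment 0. The trusted-proxy list, the function names and the header names other than X-UMC-HTTPS are assumptions; the check that forwarded headers are only honoured when the request actually arrived from a known proxy is the caveat a practitioner would want, since otherwise any client could choose the scheme of the generated URL.

```python
"""Pick the scheme for a SAML AssertionConsumerServiceURL behind an
SSL-offloading reverse proxy (added example, not UMC code)."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Constructed list of proxies whose forwarded headers we accept. Headers
# from any other peer are ignored so a client cannot pick the scheme itself.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32"), ip_network("10.0.0.0/8")]

# Path from the bug report; the exact ACS path in UMC is not shown on the page.
ACS_PATH = "/univention/saml/"


def _from_trusted_proxy(remote_ip, trusted=TRUSTED_PROXIES):
    """True if the TCP peer is one of the proxies we trust."""
    addr = ip_address(remote_ip)
    return any(addr in net for net in trusted)


def resolve_scheme(request_scheme, headers, remote_ip, force_https=False):
    """Return "http" or "https" for URLs generated for this request.

    request_scheme: scheme of the hop that reached the application
                    ("http" when an SSL-offloading proxy sits in front).
    headers:        request headers (any case), as a dict.
    remote_ip:      address of the TCP peer, i.e. the proxy when proxied.
    force_https:    models the UCR option proposed in comment 0.
    """
    if force_https:
        return "https"
    if not _from_trusted_proxy(remote_ip):
        # Not behind a trusted proxy: forwarded headers are untrusted input.
        return request_scheme
    h = {k.lower(): v for k, v in headers.items()}
    # UMC-specific workaround header from comment 1.
    if h.get("x-umc-https", "").strip().lower() == "on":
        return "https"
    # Conventional headers, in the order Tornado's xheaders handling checks
    # them; like Tornado, use the last entry of a comma-separated value.
    for name in ("x-scheme", "x-forwarded-proto"):
        value = h.get(name)
        if value:
            proto = value.split(",")[-1].strip().lower()
            if proto in ("http", "https"):
                return proto
    return request_scheme


def assertion_consumer_service_url(host, request_scheme, headers, remote_ip,
                                   force_https=False):
    """Build the ACS URL placed in the SP-initiated AuthnRequest."""
    scheme = resolve_scheme(request_scheme, headers, remote_ip, force_https)
    return urlunsplit((scheme, host, ACS_PATH, "", ""))


if __name__ == "__main__":
    # Constructed request as it arrives from an SSL-offloading proxy.
    hdrs = {"Host": "ucs.example.com", "X-Forwarded-Proto": "https"}
    print(assertion_consumer_service_url("ucs.example.com", "http", hdrs, "10.0.0.5"))
    # Same header, but sent directly by a client: scheme is not trusted.
    print(assertion_consumer_service_url("ucs.example.com", "http", hdrs, "203.0.113.9"))
```

The proxy side is outside this snippet: the reverse proxy must add the header (X-Forwarded-Proto or, for the current workaround, X-UMC-HTTPS: on) on the hop to the UCS host, and the application should only honour it from addresses it knows to be that proxy.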