entityID is http instead of https
nspaul opened this issue · 4 comments
When I go to my http(s)://{laravel_url}/{idpName}/metadata URL, what would cause the entityID to use http:// instead of https://?
When I configure the site in a similar way, but host it in different places (one is on an old school LAMP stack, one is running locally in Valet, and one is in a Docker/Kubernetes cluster). The details of which environment is doing what are irrelevant here... For now I am just wondering where it gathers that information. I have tried to follow the code to trace it to where it generates that entityID from the SAML2_mytestidp1_SP_entityID environment variable.
I can provide more info if necessary.
I think this has something to do with the container that is running the app. There are a lot of layers of abstraction, but at the end of it all, the actual app is running in a container on port 80, and that is where the http is coming from (vs https).
Any solution for this issue? How to make it https://{laravel_url}:9443/{idpName}/metadata?
My exposed webserver port is 9443 but the app server is running on 80 behind a proxy. Please advise.
If your SP entityId and/or SP assertionConsumerService and/or SP singleLogoutService are empty in your config, loadOneLoginAuthFromIpdConfig in Saml2Auth class will generate them from the URL method/facade.
For example:
if (empty($config['sp']['entityId'])) {
    $config['sp']['entityId'] = URL::route('saml2_metadata', $idpName);
}
So the problem will be from the URL method. If, like me, you are under a load balancer (I am using Kubernetes), it will return http instead of https. OneLogin mainly manages this by looking at the server env variable HTTP_X_FORWARDED_PORT (when SP entityId, SP assertionConsumerService and SP singleLogoutService are not empty) and replaces http with https.
One solution is to add this
/**
 * Define your route model bindings, pattern filters, etc.
 *
 * @return void
 */
public function boot()
{
    resolve(\Illuminate\Routing\UrlGenerator::class)->forceScheme('https');
    parent::boot();
}
in app/providers/RouteServiceProvider.php
This will force the Laravel URL method to generate URLs with https instead of http.
Hope this helps...
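
How the scheme and port of a generated entityID depend on forwarded headers, as an added standalone PHP sketch (not part of the thread, and not Laravel, laravel-saml2 or OneLogin code). The function name, proxy address and host name are constructed for illustration; the point is that X-Forwarded-* values are honoured only when the direct peer is a known proxy.

```php
<?php
// Added sketch in plain PHP; every name, address and host here is constructed.
const TRUSTED_PROXIES = ['10.0.0.5']; // hypothetical load balancer address

/**
 * Build the SP metadata URL (used as entityID) from $_SERVER-style input.
 * Forwarded headers are used only if REMOTE_ADDR is a trusted proxy.
 */
function spEntityId(array $server, string $idpName): string
{
    $https  = $server['HTTPS'] ?? '';
    $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';
    $port   = (int) ($server['SERVER_PORT'] ?? 80);
    // Drop any port carried in the Host header; the port is decided below.
    $host   = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? 'localhost');

    if (in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        if ($proto === 'http' || $proto === 'https') {
            $scheme = $proto;
            // Default port of the forwarded scheme unless the proxy names one.
            $port = ($proto === 'https') ? 443 : 80;
        }
        $fwdPort = (string) ($server['HTTP_X_FORWARDED_PORT'] ?? '');
        if (ctype_digit($fwdPort) && (int) $fwdPort >= 1 && (int) $fwdPort <= 65535) {
            $port = (int) $fwdPort;
        }
    }

    $defaultPort = ($scheme === 'https') ? 443 : 80;
    $authority   = ($port === $defaultPort) ? $host : "$host:$port";
    return "$scheme://$authority/$idpName/metadata";
}

// Constructed request as the container sees it: plain HTTP on port 80,
// with the TLS-terminating proxy reporting the public scheme and port.
$behindProxy = [
    'HTTP_HOST' => 'sp.example.test', 'SERVER_PORT' => '80',
    'REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PORT' => '9443',
];
// The same headers arriving from a peer that is not the proxy are ignored.
$untrustedPeer = ['REMOTE_ADDR' => '203.0.113.7'] + $behindProxy;

echo spEntityId($behindProxy, 'mytestidp1'), PHP_EOL;
echo spEntityId($untrustedPeer, 'mytestidp1'), PHP_EOL;
```

The Host header is still request data in this sketch; setting the SP entityId explicitly in the config, so that it is not generated from the URL at all, avoids depending on either.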