aacotroneo/laravel-saml2

entityID is http instead of https

nspaul opened this issue · 4 comments

When I go to my http(s)://{laravel_url}/{idpName}/metadata URL, what would cause the entityID to use http:// instead of https://?

When I configure the site in a similar way, but host it in different places (one is on an old-school LAMP stack, one is running locally in Valet, and one is in a Docker/Kubernetes cluster). The details of which environment is doing what are irrelevant here... For now I am just wondering where it gathers that information. I have tried to follow the code to trace it to where it generates that entityID from the SAML2_mytestidp1_SP_entityID environment variable.

I can provide more info if necessary.

I think this has something to do with the container that is running the app. There are a lot of layers of abstraction, but at the end of it all, the actual app is running in a container on port 80, and that is where the http is coming from (vs https).

tsndp commented

Any solution for this issue? How to make it https://{laravel_url}:9443/{idpName}/metadata?

My exposed webserver port is 9443, but the app server is running on 80 behind a proxy. Please advise.

If your SP entityId and/or SP assertionConsumerService and/or SP singleLogoutService are empty in your config, loadOneLoginAuthFromIpdConfig in the Saml2Auth class will generate them from the URL method/facade.

For example:

if (empty($config['sp']['entityId'])) {
    $config['sp']['entityId'] = URL::route('saml2_metadata', $idpName);
}

So the problem comes from the URL method: if, like me, you are under a load balancer (I am using Kubernetes), it will return http instead of https. OneLogin mainly manages this by looking at the server env variable HTTP_X_FORWARDED_PORT (when SP entityId, SP assertionConsumerService and SP singleLogoutService are not empty) and replacing http with https.

One solution is to add this

    /**
     * Define your route model bindings, pattern filters, etc.
     *
     * @return void
     */
    public function boot()
    {
        // Force every generated URL (including the SP entityID built by
        // URL::route('saml2_metadata', ...)) to use https, regardless of
        // the scheme the app container itself was reached on.
        resolve(\Illuminate\Routing\UrlGenerator::class)->forceScheme('https');

        parent::boot();
    }

in app/Providers/RouteServiceProvider.php.

This will force the Laravel URL method to generate URLs with https instead of http.

Hope this helps...
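A related way to handle the load-balancer case described above, added here as an example and not code from this thread or from laravel-saml2: instead of forcing https everywhere, tell Laravel which proxy it may trust, so URL::route() (and therefore the generated SP entityID) is built from the X-Forwarded-Proto/X-Forwarded-Port headers the balancer sets. It assumes Laravel 9 or 10, where the base class is Illuminate\Http\Middleware\TrustProxies (Laravel 5.5 to 8 use Fideloper\Proxy\TrustProxies with the same two properties); the 10.0.0.0/8 range is a placeholder for your own proxy addresses.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;

/**
 * Declare which proxies Laravel may believe about the original request's
 * scheme, host and port. Once the TLS-terminating load balancer is trusted,
 * URL::route('saml2_metadata', $idpName) is generated with https even though
 * the app container itself only listens on plain HTTP port 80.
 */
class TrustProxies extends Middleware
{
    /**
     * Addresses of the load balancer / ingress that terminates TLS.
     * Placeholder CIDR: replace with your own proxy range. Forwarded headers
     * are only honoured when the connection comes from these addresses, so a
     * client reaching the app directly cannot inject them.
     *
     * @var array|string|null
     */
    protected $proxies = ['10.0.0.0/8'];

    /**
     * Forwarded headers the proxy is expected to set. HEADER_X_FORWARDED_PROTO
     * is what flips the generated scheme from http to https; PORT covers the
     * 9443-style setup mentioned above where the public port differs from 80.
     *
     * @var int
     */
    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO;
}
```

With the proxy trusted, the forceScheme() workaround becomes unnecessary, and a local Valet instance that is not behind the balancer keeps generating plain http URLs instead of being forced to https it cannot serve.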

Thank you @jrbecart, that fixed it for me!