Apache NiFi / NIFI-8218

SAML message intended destination endpoint {} did not match recipient {}


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.13.0
    • Component/s: None
    • Labels: None

    Description

      When behind a proxy, NiFi will respect the X-ProxyHost header and use that value to construct the URLs in the SAML request, so that the SAML response will be sent back through the proxy.

      When processing the SAML response, there is OpenSAML code that compares the "Destination" value in the SAML response which will have the proxy host, against the host on the HttpServletRequest which comes from the Host header.

      So if the Host header is different from X-ProxyHost, which it could be, then this comparison fails.

            People

              Assignee: Bryan Bende (bbende)
              Reporter: Bryan Bende (bbende)

                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 20m
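
The mismatch described in this issue, as an added example that is not NiFi or OpenSAML code: a simplified model of the Destination check, run once against the Host header alone and once honoring X-ProxyHost. The hostnames, the /saml/acs path and the proxy allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Hypothetical allowlist of proxy hostnames this node will accept.
ALLOWED_PROXY_HOSTS = {"nifi.example.com"}


def normalize(url):
    """Reduce a URL to (scheme, host, port, path) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme), parts.path


def receiver_url(scheme, headers, path, honor_proxy_host):
    """Rebuild the URL the receiving application believes it was called on."""
    url = f"{scheme}://{headers['Host']}{path}"
    proxy_host = headers.get("X-ProxyHost")
    if honor_proxy_host and proxy_host:
        candidate = f"{scheme}://{proxy_host}{path}"
        # Only a proxy host from the allowlist may replace the Host header value;
        # any other value is ignored and the Host header is used.
        if normalize(candidate)[1] in ALLOWED_PROXY_HOSTS:
            url = candidate
    return url


def destination_matches(destination, scheme, headers, path, honor_proxy_host):
    """Simplified model of the Destination-versus-receiver comparison."""
    return normalize(destination) == normalize(
        receiver_url(scheme, headers, path, honor_proxy_host))


# Constructed sample request: the proxy forwards to an internal node.
SAMPLE_HEADERS = {"Host": "nifi-node1.internal:8443",
                  "X-ProxyHost": "nifi.example.com"}
SAMPLE_DESTINATION = "https://nifi.example.com/saml/acs"  # constructed ACS URL
SAMPLE_PATH = "/saml/acs"

if __name__ == "__main__":
    for honor in (False, True):
        ok = destination_matches(SAMPLE_DESTINATION, "https",
                                 SAMPLE_HEADERS, SAMPLE_PATH, honor)
        print(f"honor X-ProxyHost={honor}: destination accepted={ok}")
```

The allowlist matters because a receiver that accepts any X-ProxyHost value lets the request itself decide what the Destination is compared against.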