Using SAML behind ReverseProxy
by Christian Heimerl in Administration & User Management posted on 2018-01-26
I have the following problem:
- My ARIS server is in the intranet on server intranet.xyz.net. The load balancer is configured like this.
- I need to make ARIS Connect available to the Internet through a reverse proxy in the DMZ named internet.xyz.com, using SAML with the federation provider fed.xyz.com.
- I configured https://fed.xyz.com/idp/SSO.saml2 as SSO Url and all other required SAML fields in UMC.
- Now the user connects to internet.xyz.com, which is passed through to the ARIS server intranet.xyz.net (invisible to the user).
- The ARIS server does not know the user and starts the SAML process.
- It redirects the user to https://internet.xyz.com/umc/rest/saml/initsso?tenant=default&url=https%3A%2F%2Finternet.xyz.com%2F
- The problem is: the SAML request (when decoded, or as visible in the UMC logs) contains https://intranet.xyz.net/umc/rest/saml/initsso/ as the AssertionConsumerServiceURL instead of https://internet.xyz.com/umc/rest/saml/initsso/. So after being authenticated on https://fed.xyz.com/idp/SSO.saml2, the user's browser is sent back to https://intranet.xyz.net/umc/rest/saml/initsso/, and that address is not reachable by the user because it is in the intranet.
Is there a solution to the problem?
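To confirm the symptom described above, the SP-initiated redirect can be decoded and the AssertionConsumerServiceURL compared against the public reverse-proxy hostname. This is an added example, not code from the post or from ARIS/UMC; the AuthnRequest below is constructed to mirror the reported behaviour, and the hostnames are the ones named in the post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, quote, unquote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest mirroring the post's symptom: the ACS URL
# carries the internal hostname instead of the public reverse-proxy hostname.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2018-01-26T10:00:00Z" '
    'Destination="https://fed.xyz.com/idp/SSO.saml2" '
    'AssertionConsumerServiceURL="https://intranet.xyz.net/umc/rest/saml/initsso/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://intranet.xyz.net/umc</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text: str) -> str:
    """Encode an AuthnRequest as the SAMLRequest value of the HTTP-Redirect
    binding: raw DEFLATE, then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(saml_request_param: str) -> str:
    """Reverse of encode_redirect_binding: URL-decode, base64-decode, inflate."""
    raw = base64.b64decode(unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def check_acs_host(redirect_url: str, expected_public_host: str) -> dict:
    """Pull SAMLRequest out of the redirect to the IdP and report whether the
    AssertionConsumerServiceURL points at the expected public hostname."""
    query = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(decode_redirect_binding(query["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    acs_url = root.get("AssertionConsumerServiceURL", "")
    acs_host = urlparse(acs_url).hostname
    return {"destination": root.get("Destination"), "acs_url": acs_url,
            "acs_host": acs_host, "ok": acs_host == expected_public_host}


if __name__ == "__main__":
    redirect = ("https://fed.xyz.com/idp/SSO.saml2?SAMLRequest="
                + encode_redirect_binding(SAMPLE_AUTHN_REQUEST))
    print(check_acs_host(redirect, "internet.xyz.com"))
```

A result with `"ok": False` and `"acs_host": "intranet.xyz.net"` reproduces the misconfiguration in the post; once the SP builds its ACS URL from the public hostname the check passes.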