CH
Hi,
I have the following problem:
- My ARIS server is in the intranet on server intranet.xyz.net. The load balancer is configured like this.
- I need to make ARIS Connect available to the Internet through a reverse proxy in the DMZ named internet.xyz.com, using SAML with the federation provider fed.xyz.com.
- I configured https://fed.xyz.com/idp/SSO.saml2 as the SSO URL and all other required SAML fields in UMC.
- Now the user connects to internet.xyz.com, which is passed through to the ARIS server intranet.xyz.net (not visible to the user).
- The ARIS server does not know the user and starts the SAML process.
- It redirects the user to https://internet.xyz.com/umc/rest/saml/initsso?tenant=default&url=https%3A%2F%2Finternet.xyz.com%2F
- This page is an HTML form containing the Base64-encoded SAML request, which is forwarded to https://fed.xyz.com/idp/SSO.saml2 by JavaScript directly after the page loads.
- The problem is: the SAML request (when decoded, and also visible in the UMC logs) contains https://intranet.xyz.net/umc/rest/saml/initsso/ as the AssertionConsumerServiceURL and not https://internet.xyz.com/umc/rest/saml/initsso/, so after being authenticated on https://fed.xyz.com/idp/SSO.saml2 the user's browser is sent back to https://intranet.xyz.net/umc/rest/saml/initsso/, and that address is not reachable by the user because it is in the intranet.
Is there a solution to the problem?
Two additions:
- We use ARIS 9.8.7.
- A potential solution could be the use of mod_substitute, but I couldn't get it working on the ARIS Apache web server. Uncommenting the LoadModule line and adding the Substitute directive (in several variations) did not work (also with a very simple substitute string). Any ideas on that?
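The post diagnoses the fault by decoding the Base64 SAMLRequest and reading its AssertionConsumerServiceURL. The script below is an added example (not ARIS, UMC or federation-provider code) that automates that check: it decodes a captured SAMLRequest value from either the HTTP-POST binding (plain Base64, as in the form described above) or the HTTP-Redirect binding (raw DEFLATE then Base64), parses the AuthnRequest and reports when the ACS URL does not point at the public hostname the browser actually reaches. The sample AuthnRequest, its ID and the function names are constructed for this example; only the hostnames and paths come from the post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not taken from the UMC logs) reproducing the symptom:
# the SP built the ACS URL from its own intranet hostname instead of the public proxy host.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-example-1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z" '
    'Destination="https://fed.xyz.com/idp/SSO.saml2" '
    'AssertionConsumerServiceURL="https://intranet.xyz.net/umc/rest/saml/initsso/">'
    '<saml:Issuer>https://intranet.xyz.net/umc/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_post_binding(xml_text):
    """HTTP-POST binding: the SAMLRequest form field is plain Base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) and then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(encoded):
    """Decode a SAMLRequest value from either binding and return the XML text."""
    raw = base64.b64decode(encoded)
    if not raw.lstrip().startswith(b"<"):
        # Not plain XML, so treat it as the Redirect binding's raw DEFLATE stream.
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def check_authn_request(xml_text, public_host):
    """Parse an AuthnRequest and report URL fields that do not match the host the
    browser really reaches. Returns the extracted fields plus a list of findings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    acs = root.get("AssertionConsumerServiceURL")
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = issuer_el.text if issuer_el is not None else None
    findings = []
    if acs is None:
        findings.append("AssertionConsumerServiceURL missing; the IdP will use its configured ACS endpoint")
    else:
        parts = urlsplit(acs)
        if parts.scheme != "https":
            findings.append(f"AssertionConsumerServiceURL is not https: {acs}")
        if parts.hostname != public_host:
            findings.append(
                f"AssertionConsumerServiceURL host {parts.hostname!r} differs from the public "
                f"host {public_host!r}; the IdP will POST its Response to a host the external "
                "browser cannot reach"
            )
    return {
        "acs_url": acs,
        "destination": root.get("Destination"),
        "issuer": issuer,
        "findings": findings,
    }


def inspect_saml_request(encoded, public_host):
    """Convenience wrapper: decode a captured SAMLRequest value and check it."""
    return check_authn_request(decode_saml_request(encoded), public_host)


if __name__ == "__main__":
    # Simulate the post's scenario: external users arrive via internet.xyz.com.
    result = inspect_saml_request(encode_post_binding(SAMPLE_AUTHN_REQUEST), "internet.xyz.com")
    print("ACS URL:", result["acs_url"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

To use it on a real capture, paste the SAMLRequest field value from the intermediate HTML form (or from the UMC log) into inspect_saml_request together with the public hostname; an empty findings list means the SP is advertising the externally reachable ACS URL. The Issuer is returned as well because an IdP that validates the SP entity ID will also reject a request whose Issuer was built from the internal hostname.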