Participant
June 29, 2021
Answered

CF2021 SAML Response Error

  • June 29, 2021
  • 1 reply
  • 1753 views

Hello, I am attempting to set up SAML integration, and have been receiving an error during ProcessSAMLResponse:

coldfusion.saml.SamlResponseHandler$SamlResponseException: The response was received at http://…….. instead of https://………..
    at coldfusion.saml.SamlResponseHandler.handleLoginResponse(SamlResponseHandler.java:218)
    at coldfusion.saml.SamlResponseHandler.handleResponse(SamlResponseHandler.java:127)
    at coldfusion.saml.SAMLServiceImpl.ProcessSAMLResponse(SAMLServiceImpl.java:502)
    at coldfusion.runtime.CFPage.ProcessSAMLResponse(CFPage.java:17502)

Everything is happening over HTTPS, and the ACS URL is definitely https on the IdP side (Okta), and I have tried this on two different ColdFusion servers. Does anyone know what might be causing this? One server uses Apache to proxy over to CF and the other uses nginx. I'm pretty sure that neither uses https during the proxy. Could this be the reason?



    pete_freitag
    Participating Frequently
    June 29, 2021

    Yes, it could very well be the cause of that. I have run into similar issues with the java-saml library (which is what CF 2021 appears to be using under the hood); it uses httpServletRequest.getRequestURL() to determine the current URL. So a quick way you can check this in CFML is like this:

    <cfoutput>#getPageContext().getRequest().getRequestURL()#</cfoutput>

    That will output the URL that the SAML library thinks is the current URL, so if the scheme doesn't match, or the URL doesn't match exactly, it will fail. There are some ways that you can configure Tomcat to think it is serving https even though you are on http (only do this if the network between your web server and CF is secure or is localhost), or you can set up Tomcat to use https in your proxy.

     

    Hope that helps!

    Pete Freitag

    Foundeo Inc.

    Participant
    June 29, 2021

    Yeah, it is saying http when I run that one line. You mentioned a way to configure Tomcat to make it think it is serving over https instead of http (it is localhost). Could you point me in that direction? Thank you!

    pete_freitag (Correct answer)
    Participating Frequently
    June 29, 2021

    Yes, I can point you in a few directions, not sure which is best.

     

    Take a look at the Tomcat server.xml file for the <Connector> tag that serves the http port your proxy uses (e.g. port 8500?). You can try adding secure="true" and/or scheme="https".

    https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

     

    Another option to look at is the SSLValve: org.apache.catalina.valves.SSLValve
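
The accepted answer points at two knobs but shows neither. The following server.xml excerpt is an added illustration written for this page; it is not code from the thread, from Adobe, or from Apache Tomcat's own documentation. It assumes the embedded Tomcat listens on plain HTTP port 8500 behind a TLS-terminating Apache or nginx on the same host, that the public hostname is cf.example.com (a placeholder), and that the proxy sends X-Forwarded-Proto. Option 1 is the Connector attribute change from the answer (with proxyName/proxyPort added so the reconstructed URL drops the :8500 and matches the ACS URL exactly). Option 2 uses RemoteIpValve, which is a different valve from the SSLValve the answer names: it derives the scheme per request from the proxy's header instead of hard-coding it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative Tomcat server.xml excerpt (added example, not from the original thread).
     Only the parts relevant to the scheme/port seen by getRequestURL() are shown. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- BEFORE: the plain-HTTP connector the reverse proxy forwards to.
         Tomcat reconstructs request.getRequestURL() as http://host:8500/...
         so the SAML ACS check fails against https://host/... -->
    <!--
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000" />
    -->

    <!-- AFTER, option 1: declare that this connector sits behind a TLS proxy.
         scheme="https" and secure="true" make getScheme() return "https" and
         isSecure() return true; proxyName/proxyPort make getServerName() and
         getServerPort() report the public host and 443, so the port is omitted
         from the URL (443 is the https default) and it matches the ACS URL.
         This marks EVERY request on the port as secure, so it is only safe when
         the port is reachable solely from the proxy over localhost or a trusted
         network; address="127.0.0.1" enforces the localhost case.
         cf.example.com is a placeholder hostname (assumption). -->
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"
               address="127.0.0.1"
               scheme="https" secure="true"
               proxyName="cf.example.com" proxyPort="443" />

    <Engine name="Catalina" defaultHost="localhost">

      <!-- AFTER, option 2 (use instead of the scheme/secure/proxy* attributes above):
           let RemoteIpValve set scheme, isSecure() and server port per request from
           the proxy's X-Forwarded-Proto header. internalProxies limits which peer
           addresses are trusted to supply that header; without it, any client that
           can reach port 8500 directly could spoof X-Forwarded-Proto: https and be
           treated as secure. httpsServerPort="443" keeps the port out of the URL. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpsServerPort="443" />

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
```

Pick one option, not both. Option 2 only works if the proxy actually sends the header: nginx needs `proxy_set_header X-Forwarded-Proto $scheme;` in the proxied location, and Apache mod_proxy needs `RequestHeader set X-Forwarded-Proto "https"` inside the TLS virtual host, since mod_proxy does not add X-Forwarded-Proto by itself. After restarting ColdFusion, re-run the one-line getRequestURL() check from the earlier reply; it should now print the https URL with no port, and the value must match the ACS URL registered in Okta character for character.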