0
votes

I am using Sustainsys.Saml2 for authentication in my environment. It has worked well until I added a proxy into the loop.

The data flow is:

1) User navigates to site via proxy server (example.mysite.com)

2) Proxy forwards to internal application (example.internal.mysite.com)

3) Saml does its thing, forwards to the service for the authenticate and redirect step

4) Weird part: The saml response is sent back to the original host hitting Saml2/Acs (example.mysite.com/Saml2/Acs) and responding as a 303 -- the assumption is that it should be 303'ing to example.mysite.com, but instead it's to the proxy host name at example.internal.mysite.com

Why is it doing that? It doesn't seem to be respecting the ReturnUrl (which is example.mysite.com). I see no evidence of the proxy URL from requests/responses during the auth process until #4.

1 Answer

0
votes

The Sustainsys.Saml2 library builds various URLs from what it sees in the incoming HTTP Request. When a proxy is involved, that might not be the same URL as the client sees.

There's a setting PublicOrigin that you can set to handle this, that will override any host found in the request.

However, in the AspNetCore2 handler it is assumed that this has already been fixed in the Request object, before the handler is invoked. This is usually done automatically by the hosting environment if hosting in Kestrel behind IIS or similar.
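Fixing the Request object before the handler runs, as the answer describes, is what the ASP.NET Core forwarded-headers middleware does. The following is an added example (not from the answer's author or the Sustainsys project) of a minimal-hosting `Program.cs` that rewrites `Request.Scheme` and `Request.Host` from the proxy's `X-Forwarded-*` headers; it assumes the proxy sets `X-Forwarded-Host` to `example.mysite.com`, that the proxy's address is `10.0.0.5` (a constructed placeholder), and that Sustainsys.Saml2 has already been registered via `AddAuthentication` (omitted here).

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Constructed placeholder: the address the reverse proxy connects from.
var proxyAddress = IPAddress.Parse("10.0.0.5");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Rewrite Request.Scheme and Request.Host from the headers the proxy sets,
    // so URLs the Saml2 handler derives from the request (ACS URL, return URL)
    // carry the public name example.mysite.com instead of the internal host.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // Honour X-Forwarded-* only when the request arrives from the known proxy.
    // Without this, any client that reaches the app directly could inject its own
    // X-Forwarded-Host and steer the post-ACS redirect to a host of its choosing.
    options.KnownProxies.Clear();
    options.KnownProxies.Add(proxyAddress);

    // Allow-list of public host names this application may be addressed as;
    // forwarded hosts outside this list are rejected by the middleware.
    options.AllowedHosts.Add("example.mysite.com");
});

var app = builder.Build();

// Must run before authentication so the Saml2 handler sees the corrected request.
app.UseForwardedHeaders();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint: through the proxy this should report https://example.mysite.com,
// confirming the rewrite happened before any authentication handler runs.
app.MapGet("/whoami", (HttpContext ctx) => $"{ctx.Request.Scheme}://{ctx.Request.Host}");

app.Run();
```

Hitting `/whoami` through the proxy versus directly on the internal host name is a quick way to confirm whether the hosting environment is already doing this for you, which is the case the answer mentions for Kestrel behind IIS.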