How to configure SAML SSO when the Bonita platform is behind an HTTPS load balancer?


Hi,
in official documentation, https://documentation.bonitasoft.com/bonita/2021.1/single-sign-on-with-s...

we don't have any information about SAML configuration (Keycloak) when the Bonita runtime is behind an HTTPS load balancer, nor about how to configure the load balancer, in case a specific configuration is required for SAML.

Thanks,

Laurent

Comments

Submitted by unai.gaston.caminos on Mon, 04/26/2021 - 11:47

Hi Laurent,

These links may help you in configuring your load balancer properly:

Please read the above links. You will see that they say things like:

"(...) you need to make sure the reverse proxy is configured to include correct headers and application server is configured to use the headers. This is required so HttpServletRequest.getRequestURL returns the URL used by the user and not the internal URL used by the proxy."

"Is your portal behind a load balance?
If so, and you setup the ssl on load balance and use http to portal system, this error may happen because protocol info is missing.
You can try to add wdisp/add_clientprotocol_header = 1 if you are using webdispatch or set a header field named ClientProtocol for reverse proxy like Apache. "

I hope this helps.

Unai

1 answer


Hi Laurent,
To complete Unai's comment: when you get a 403 error with a message like "http://your.bonita.external.url.host/saml does not match SAML request destination https://your.bonita.internal.server.host/saml", you need to make sure that your load balancer / reverse proxy properly sets the following HTTP headers:

  • X-Forwarded-Proto: https
  • X-Forwarded-Host: your.bonita.external.url.host

Comments

Submitted by laurent.leseign... on Thu, 04/29/2021 - 11:06

Thanks Anthony!
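Added example, not part of this thread and not Bonita, Tomcat or Keycloak code: a small Python model of the mechanism Anthony's answer relies on. The servlet container rebuilds the request URL from X-Forwarded-Proto and X-Forwarded-Host (this is what Tomcat's RemoteIpValve does; the function below is a hypothetical stand-in), then the SAML layer compares that URL with the Destination of the message. Without the headers the rebuilt URL is the internal http:// one and the check fails with the 403 above; with them it passes. The host names are the placeholders from the error message; the trusted proxy range, the 203.0.113.9 direct client and all function names are assumptions. The third scenario shows the caveat that goes with the fix: forwarded headers must only be honoured from the proxy, otherwise anyone who reaches Tomcat directly can pick the host the SP validates against.

```python
"""Model of URL reconstruction behind a TLS-terminating proxy and of the SAML
Destination check that depends on it. Illustrative code, not product source."""
from ipaddress import ip_address, ip_network

# Placeholders taken from the 403 message in the thread.
EXTERNAL_SAML_URL = "https://your.bonita.external.url.host/saml"
INTERNAL_HOST = "your.bonita.internal.server.host"

# Assumption: the load balancer reaches Tomcat from this range; only these peers
# may rewrite the request URL via X-Forwarded-* (compare RemoteIpValve's
# internalProxies attribute).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def effective_request_url(peer_ip, scheme, host, path, headers):
    """Return the URL the user actually used, as a servlet container would
    report it from HttpServletRequest.getRequestURL() once the proxy headers
    are applied. Headers from an untrusted peer are ignored on purpose."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        # Chained proxies append to these headers; the first value is the one
        # facing the end user.
        proto = lowered.get("x-forwarded-proto")
        if proto:
            scheme = proto.split(",")[0].strip().lower()
        fwd_host = lowered.get("x-forwarded-host")
        if fwd_host:
            host = fwd_host.split(",")[0].strip()
    return f"{scheme}://{host}{path}"


def check_saml_destination(request_url, destination):
    """SP-side check: the Destination of the inbound SAML message must equal
    the URL the SP believes it received it on. Returns (ok, message)."""
    if request_url == destination:
        return True, "destination matches"
    return False, (f"{request_url} does not match SAML request destination "
                   f"{destination}")


def scenarios():
    """Three requests for the same /saml endpoint; returns {name: (ok, msg)}."""
    # 1. Proxy terminates TLS but forwards plain http with no headers: the
    #    container sees the internal URL and the Destination check fails.
    bare = effective_request_url("10.0.0.5", "http", INTERNAL_HOST, "/saml", {})
    # 2. Proxy sets both headers as the answer recommends: check passes.
    fixed = effective_request_url(
        "10.0.0.5", "http", INTERNAL_HOST, "/saml",
        {"X-Forwarded-Proto": "https",
         "X-Forwarded-Host": "your.bonita.external.url.host"})
    # 3. A client (constructed address) bypasses the proxy and supplies its own
    #    headers; they are not trusted, so the URL stays internal.
    spoofed = effective_request_url(
        "203.0.113.9", "http", INTERNAL_HOST, "/saml",
        {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "attacker.example"})
    return {
        "no_headers": check_saml_destination(bare, EXTERNAL_SAML_URL),
        "with_headers": check_saml_destination(fixed, EXTERNAL_SAML_URL),
        "spoof_from_untrusted_peer": check_saml_destination(spoofed, EXTERNAL_SAML_URL),
    }


if __name__ == "__main__":
    for name, (ok, msg) in scenarios().items():
        print(f"{name:28s} {'200' if ok else '403'}  {msg}")
```

On nginx the two headers correspond to `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Host $host;` in the location that proxies to Bonita; the proxy should set them unconditionally (overwriting anything the client sent) and Tomcat should only accept them from the proxy's addresses, otherwise the destination check can be steered by whoever sends the request.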
