Hi,
in official documentation, https://documentation.bonitasoft.com/bonita/2021.1/single-sign-on-with-saml#_configure_bonita_bundle_for_saml
we don't have any information about SAML configuration (keycloak) when Bonita runtime is behind a https load balancer, and how to configure the load balancer, in case specific configuration is required for SAML
Thanks,
Laurent
Hi Laurent,
To complete Unai's comment when you get a 403 error with a message like http://your.bonita.external.url.host/saml does not match SAML request destination https://your.bonita.internal.server.host/saml , you need to make sure that your load balancer / reverse proxy properly sets the following HTTP headers :
X-Forwarded-Proto: httpsX-Forwarded-Host: your.bonita.external.url.hostHi Laurent,
These links may help you in configuring your load balancer properly:
Please read the above links. You will see that they say things like:
"(...) you need to make sure the reverse proxy is configured to include correct headers and application server is configured to use the headers. This is required so HttpServletRequest.getRequestURL returns the URL used by the user and not the internal URL used by the proxy."
"Is your portal behind a load balance?
If so, and you setup the ssl on load balance and use http to portal system, this error may happen because protocol info is missing.
You can try to add wdisp/add_clientprotocol_header = 1 if you are using webdispatch or set a header field named ClientProtocol for reverse proxy like Apache. "
I hope this helps.
Unai
Thanks Anthony!