I'm having trouble getting SAML working in the following scenario:

- Okta is the IdP
- Structurizr running in a Google Kubernetes Engine cluster
- Structurizr is being reverse proxied by Cloud Service Mesh (formerly known as Anthos Service Mesh)

I have been able to successfully use SAML for authentication in Structurizr with Okta running as the IdP when running Structurizr on localhost, and therefore the Okta Single Sign-On URL was set to `http://localhost:8080/login/saml2/sso/structurizr`.

However, to get it running on the cluster I have my `structurizr.properties` configured with `structurizr.url=https://structurizr.preprod.my-domain.com`, and the Okta Single Sign-On URL configured to `https://structurizr.preprod.my-domain.com/login/saml2/sso/structurizr`. I have no problem getting to the Structurizr dashboard, so the reverse proxy is working that far; however, when I attempt to authenticate I end up with the error:

```
Invalid destination [https://structurizr.preprod.my-domain.com/login/saml2/sso/structurizr] for SAML response [<some id>]
```

Some avenues of enquiry:

- Is there a way to increase the logging level of OpenSAML? It would be great if it would just spit out what it thinks the correct destination should be vs what the SAML response contains to guide my further configuration; for all SAML assertions that would be very useful.
- Does OpenSAML receive the value of `structurizr.url` as part of its configuration?
- Does OpenSAML look at the current hostname instead, which would be some internal cluster node?
- Does OpenSAML look at the `X-Forwarded-Host` header of the request?
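The following is an added illustration of the check behind the "Invalid destination" error; it is not code from the Structurizr project, from OpenSAML or Spring Security, or from the post's author. It models the service-provider side generically: the `Destination` attribute on the `samlp:Response` (set by the IdP to the Single Sign-On URL it was given) must equal the URL the SP believes it received the POST at. The SAML Response, the request headers, and the internal host name `structurizr.internal.placeholder:8080` are all constructed placeholders; the `trust_forwarded` switch is an assumption used to show how the expected value changes when the application reconstructs its public address from `X-Forwarded-Host` / `X-Forwarded-Proto` rather than from `Host`, and the returned dict carries both values so a mismatch can be diagnosed from a log line.

```python
# Added example (not code from the Structurizr project, OpenSAML, or the post's
# author): reproduce the SP-side Destination check on a constructed SAML Response
# and show how the expected value depends on whether the app trusts the
# X-Forwarded-* headers added by a reverse proxy. Host names are placeholders.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/login/saml2/sso/structurizr"

# Constructed SAML Response skeleton: only the attributes the check needs.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    ID="id-constructed-0001" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://structurizr.preprod.my-domain.com{ACS_PATH}">
</samlp:Response>"""

# Constructed request headers as the application pod would see them behind
# the proxy. The internal Host is a placeholder; the X-Forwarded-* values are
# what the proxy must supply for the public URL to be reconstructable.
HEADERS_BEHIND_PROXY = {
    "Host": "structurizr.internal.placeholder:8080",
    "X-Forwarded-Host": "structurizr.preprod.my-domain.com",
    "X-Forwarded-Proto": "https",
}


def expected_acs_url(headers, path=ACS_PATH, trust_forwarded=False):
    """URL the SP believes it received the POST at.

    Without trusting X-Forwarded-*, the SP rebuilds its own address from the
    Host header and assumes plain http, since TLS terminated at the proxy.
    """
    scheme, host = "http", headers["Host"]
    if trust_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{path}"


def response_destination(xml_text):
    """Return (ID, Destination) from the samlp:Response root element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    return root.get("ID"), root.get("Destination")


def check_destination(xml_text, expected):
    """Compare the response's Destination against the expected ACS URL.

    Returns None on a match; otherwise a dict carrying both values, which is
    exactly the information the post wishes the library would log. The
    message text is modelled on the error quoted in the post.
    """
    resp_id, dest = response_destination(xml_text)
    if dest == expected:
        return None
    return {
        "response_id": resp_id,
        "destination_in_response": dest,
        "expected_by_sp": expected,
        "message": f"Invalid destination [{dest}] for SAML response [{resp_id}]",
    }


if __name__ == "__main__":
    for trust in (False, True):
        exp = expected_acs_url(HEADERS_BEHIND_PROXY, trust_forwarded=trust)
        print(f"trust_forwarded={trust}: expected={exp}")
        print("  result:", check_destination(SAMPLE_RESPONSE, exp))
```

Run as-is, the first pass (not trusting the forwarded headers) fails with the same message shape as in the post, and the dict shows the internal `http://...:8080` address the SP computed next to the public `https://` value the IdP wrote; the second pass matches. In a real deployment the same comparison tells you which side to fix: either the proxy is not sending `X-Forwarded-Host` / `X-Forwarded-Proto`, or the application is not configured to honour them when it resolves its own base URL.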