Using SAML behind a Load balancer with SSL Termination

Hello,

I’ve set up tutor 11.2.5 behind a load balancer that handles SSL termination, so I’m running tutor with caddy disabled and SSL/TLS set to NO during tutor local quickstart.

And so tutor is running behind my load balancer in http mode, as it should.

After configuring SAML on the running instance and clicking the SSO login button, my IdP throws the below error:

The reply URL specified in the request does not match the reply URLs configured for the application

This seems to be due to the fact that tutor is running in http mode, and so the SAML response going from tutor to my IdP has the AssertionConsumerServiceURL in http as opposed to https.

See logs from lms with SAML debug mode on (AssertionConsumerServiceURL should be https and not http):

lms_1            | 2021-04-08 08:58:26,513 INFO 6 [common.djangoapps.third_party_auth.saml] [user None] [ip 172.19.0.12] saml.py:179 - SAML login request for IdP default. Data: <QueryDict: {'auth_entry': ['login'], 'next': ['/'], 'idp': ['default']}>. Next url /. XML is:
(snip)
lms_1            |   AssertionConsumerServiceURL="http://courses.mydomain.com/auth/complete/tpa-saml/">
(snip)
lms_1            |         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
lms_1            |     </samlp:RequestedAuthnContext>
lms_1            | </samlp:AuthnRequest>

Is there any workaround to set tutor’s base URL to https rather than http?

Thanks in advance!
Ryo

When the url at which you access the LMS is https://..., you MUST answer “yes” to the “Activate SSL/TLS certificates for HTTPS access?” question – even if you run your own load balancer. Otherwise incorrect lms/cms urls will be generated. This is described here: Local deployment — Tutor documentation

I have no idea how to enable SAML but you should definitely address this issue before anything else.
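The mismatch the IdP reports can be checked before touching the IdP at all: pull the AssertionConsumerServiceURL out of the AuthnRequest the LMS logs in debug mode and compare it with the reply URLs registered at the IdP. The script below is an added example for this thread, not code from Tutor or Open edX. The AuthnRequest it builds is a constructed sample modelled on the snipped lms log above, and `courses.mydomain.com` together with the registered reply URL are placeholders for your own values.

```python
"""Check a SAML AuthnRequest's AssertionConsumerServiceURL against the reply
URLs registered at the IdP (added example; not Tutor/Open edX code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Placeholder: the reply URL(s) registered for the application at the IdP.
REGISTERED_REPLY_URLS = {"https://courses.mydomain.com/auth/complete/tpa-saml/"}


def build_authn_request(acs_url):
    """Constructed sample AuthnRequest, reduced to the attributes this check uses."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" '
        'ID="_placeholder_id" Version="2.0" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        "</samlp:AuthnRequest>"
    )


def extract_acs_url(xml_text):
    """Return the AssertionConsumerServiceURL attribute of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.attrib["AssertionConsumerServiceURL"]


def check_acs_url(acs_url, registered_reply_urls):
    """Return the list of reasons the IdP would reject this ACS URL; empty means OK."""
    problems = []
    parts = urlsplit(acs_url)
    # Behind an SSL-terminating load balancer the browser-facing URL is https,
    # so an http ACS URL means the LMS was configured with the wrong base URL.
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if acs_url not in registered_reply_urls:
        problems.append("not among the reply URLs registered at the IdP")
    return problems


if __name__ == "__main__":
    # The first URL reproduces the log above (LMS in http mode); the second is
    # what the LMS emits once its base URL is https.
    for acs in ("http://courses.mydomain.com/auth/complete/tpa-saml/",
                "https://courses.mydomain.com/auth/complete/tpa-saml/"):
        found = extract_acs_url(build_authn_request(acs))
        print(found, check_acs_url(found, REGISTERED_REPLY_URLS) or "OK")
```

Running it shows the http URL failing on both the scheme and the registered-URL comparison, exactly the condition behind the "reply URL ... does not match" message, while the https URL passes, which is what you should see once the LMS is generating https URLs.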
