CMS Version
3.1.0
Issue
This is related to the issue reported by Ben Brown in “SAML response received at http instead of https”.
When the key “strict” is set to “true” in the samlSettings array in settings.php, SAML authentication does not go through because the cms inside the container receives the assertion as http instead of https. We have a reverse proxy correctly serving https, but of course the Xibo container only serves http on the back end.
Onelogin’s documentation says the following about the strict setting:
// Also it will reject the messages if the SAML standard is not strictly followed: Destination, NameId, Conditions ... are validated too.
Our IDP will only send assertions over https. The reverse proxy is forwarding it to the container as http, which seems to be the only thing available from the server in the container. I’ve tried telling the proxy to forward as https without success, although it’s possible I’ve missed something here.
So the SAML library is apparently rejecting the logon when strict is set because the assertion is not coming in over https, which is not possible because of the way the server in the container is set up. Therefore, it seems impossible to strictly enforce SAML with Xibo in our environment.
Has anybody else experienced this issue and identified a solution other than the workaround of disabling strict enforcement?
Is there any chance that in a future release, Xibo for Docker will support https, even in some limited capacity (e.g. using a self-signed cert)? This would likely address this issue.
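The check that fails here is the strict Destination comparison: the SP rebuilds the URL the POST arrived at and requires the response's Destination attribute to match it exactly, so an app that only sees plain http behind a TLS-terminating proxy rebuilds the wrong scheme. The following is an added illustration of that mechanism, not code from Xibo or from the php-saml library (php-saml has its own base URL setting and proxy-variable support for this situation, which are not shown here). The request fields, the `ProxyConfig` class, the trusted subnet and the sample `samlp:Response` are all constructed for the example. It shows the three outcomes that matter to an operator: the check fails when the app is unaware of the proxy, passes when the proxy's X-Forwarded-Proto header is honoured from a trusted address, and is still refused when that header arrives from an untrusted peer, which is why the header must never be trusted unconditionally. Disabling strict makes the check pass, but only because the Destination binding is no longer verified at all.

```python
"""Model of a SAML 'strict' Destination check behind a TLS-terminating proxy.

Illustration only; not php-saml's or Xibo's implementation. All names,
addresses and the sample response below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import ipaddress
import xml.etree.ElementTree as ET  # use defusedxml for real SAML input

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class Request:
    """Minimal view of the HTTP request that carried the SAML response."""
    remote_addr: str            # peer that connected to the app (the proxy, if any)
    host: str
    path: str
    scheme: str                 # what the app's own listener saw: 'http' or 'https'
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class ProxyConfig:
    """Trusted proxy networks; forwarded headers are honoured only from these."""
    trusted_proxies: Tuple[str, ...] = ()


def effective_scheme(req: Request, proxy: Optional[ProxyConfig]) -> str:
    """Scheme the client used, taking X-Forwarded-Proto only from trusted proxies."""
    if proxy is None:
        return req.scheme
    peer = ipaddress.ip_address(req.remote_addr)
    trusted = any(peer in ipaddress.ip_network(n) for n in proxy.trusted_proxies)
    forwarded = req.headers.get("X-Forwarded-Proto", "").lower()
    if trusted and forwarded in ("http", "https"):
        return forwarded
    return req.scheme  # untrusted peer or absent header: keep what we saw


def self_url(req: Request, proxy: Optional[ProxyConfig]) -> str:
    """The ACS URL as the SP believes it was reached."""
    return f"{effective_scheme(req, proxy)}://{req.host}{req.path}"


def destination_of(saml_response_xml: str) -> Optional[str]:
    """Destination attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    return root.get("Destination")


def check_destination(saml_response_xml: str, req: Request,
                      proxy: Optional[ProxyConfig], strict: bool = True) -> Tuple[bool, str]:
    """In strict mode the Destination must equal the URL we are actually serving at."""
    dest = destination_of(saml_response_xml)
    if not strict:
        return True, "strict disabled: Destination not enforced"
    if dest is None:
        return False, "strict: Destination attribute missing"
    expected = self_url(req, proxy)
    if dest != expected:
        return False, f"strict: Destination {dest!r} != ACS URL {expected!r}"
    return True, "Destination matches"


# Constructed sample: the IdP wrote the https URL it was configured with.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://cms.example.com/saml/acs"/>'
)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four scenarios an operator behind a reverse proxy will meet."""
    via_proxy = Request(remote_addr="172.18.0.2", host="cms.example.com", path="/saml/acs",
                        scheme="http", headers={"X-Forwarded-Proto": "https"})
    trusted = ProxyConfig(trusted_proxies=("172.18.0.0/16",))
    # Same header, but from a peer outside the proxy subnet.
    direct = Request(remote_addr="203.0.113.7", host="cms.example.com", path="/saml/acs",
                     scheme="http", headers={"X-Forwarded-Proto": "https"})
    return {
        "unaware": check_destination(SAMPLE_RESPONSE, via_proxy, None),         # http != https
        "trusted_proxy": check_destination(SAMPLE_RESPONSE, via_proxy, trusted),  # header honoured
        "untrusted_peer": check_destination(SAMPLE_RESPONSE, direct, trusted),    # header ignored
        "strict_off": check_destination(SAMPLE_RESPONSE, via_proxy, None, strict=False),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} {'OK ' if ok else 'REJ'} {reason}")
```

The scenario names map onto the thread: `unaware` is what the poster sees with strict enabled, `strict_off` is the workaround, and `trusted_proxy` is the outcome once the application knows which peer is the proxy and which scheme the client actually used.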