Attribute mismatch Error when Federation Web Services Behind Proxy Server

Document ID : KB000051307
Last Modified Date : 14/02/2018

Description:

If Federation Web Services is running behind a proxy server, you might get the following error message when first trying to set up federation:

"The 'Destination' attribute in the response (https://example.com) does not match the local Assertion Consumer Service URL (http://example.com)."

This occurs because, when the identity provider creates the <Response> SAML element, it sets the Destination attribute to the URL the response is being sent to, that is, the service provider's Assertion Consumer Service URL. The service provider then compares that value with the URL it believes its own Assertion Consumer Service is listening on.

Solution:

For example, the identity provider sends:

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://example.com/affwebservices/public/saml2assertionconsumer">

This is correct: the endpoint is protected by SSL, so the Destination carries the https scheme.

The issue arises when the SAML response reaches the service provider. A common configuration is to have the service provider URL fronted by an SSL accelerator or proxy, which terminates the SSL connection and forwards the request to the web server over plain HTTP. The web server hosting the assertion consumer therefore only ever sees HTTP requests, and derives its local Assertion Consumer Service URL from that connection: http://example.com/affwebservices/public/saml2assertionconsumer.

When SiteMinder validates the response, the Destination attribute (https://...) therefore does not match what it believes to be the local Assertion Consumer Service URL (http://...), and the response is rejected. This check is required by the SAML 2.0 specification and is a security control in its own right: it prevents a response captured for one endpoint from being replayed to another. The fix is to tell Federation Web Services its externally visible URL, not to disable the check.

To resolve this, a setting is provided to override the scheme and authority (protocol, host and port) of the local Assertion Consumer Service URL. It is specified in the Proxy group box:

Proxy Group Box

Server

If your network has a proxy server between the client and the system where Federation Web Services is running (that is, the system where Web Agent Option Pack is installed) specify the scheme and authority portions of the URL, such as protocol:authority. The scheme is http: or https: and the authority is //host.domain.com or //host.domain.com:port. For example, http://example.ca.com.

In the above example we would enter https://example.com in the Server box (scheme and authority only, no path). If the proxy accepts client connections on a non-default port, include it, for example https://example.com:8443. The value must match the scheme, host and port of the Destination attribute in the responses the identity provider sends, so check that the Assertion Consumer Service URL configured at the identity provider is the proxy's public URL.
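The comparison described above, shown as an added example (this is illustrative Python, not SiteMinder's own code): the consumer derives its local ACS URL from the connection it actually received, which is plain http behind a TLS-terminating proxy, and the Destination check fails; supplying the Proxy group box value (scheme and authority) as an override makes it pass. The sample <Response> is constructed for the example, and the normalisation rules (case-folded scheme and host, default ports dropped) are this example's own assumptions about how such a comparison should behave.

```python
"""Destination check for a SAML 2.0 <Response>, with and without a proxy override.

Constructed example: not SiteMinder's code. The normalisation in _canonical()
(case-insensitive scheme/host, default ports dropped) is an assumption made here.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/affwebservices/public/saml2assertionconsumer"

# Constructed sample response, reduced to the attributes needed for the check.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-response-id" Version="2.0" IssueInstant="2018-02-14T00:00:00Z" '
    'Destination="https://example.com/affwebservices/public/saml2assertionconsumer"/>'
)


def destination_of(response_xml):
    """Return the Destination attribute of the <Response> root, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("root element is not a samlp:Response")
    return root.get("Destination")


def local_acs_url(request_scheme, request_host, proxy_server=None):
    """Build the ACS URL as the assertion consumer believes it to be.

    Without proxy_server the URL is derived from the connection the web server
    actually received; behind a TLS-terminating proxy that is plain http.
    With proxy_server (the 'Server' value of the Proxy group box, scheme:authority
    only) the configured scheme and authority replace the observed ones.
    """
    if proxy_server is None:
        return "%s://%s%s" % (request_scheme, request_host, ACS_PATH)
    parts = urlsplit(proxy_server)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError("proxy server must be scheme://host[:port] with no path")
    return "%s://%s%s" % (parts.scheme, parts.netloc, ACS_PATH)


def _canonical(url):
    """(scheme, host[:port], path) with case folded and default ports dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and (scheme, port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, port)
    return scheme, host, parts.path


def destination_matches(response_xml, local_url):
    """True when the response's Destination names the local ACS endpoint.

    A missing Destination is rejected: the SAML 2.0 HTTP-POST binding requires it
    on signed messages, and it is what stops a response captured for one endpoint
    from being replayed to another.
    """
    dest = destination_of(response_xml)
    if dest is None:
        return False
    return _canonical(dest) == _canonical(local_url)


if __name__ == "__main__":
    # What the web server sees after the proxy terminated TLS: fails the check.
    seen_by_server = local_acs_url("http", "example.com")
    print(seen_by_server, destination_matches(SAMPLE_RESPONSE, seen_by_server))
    # With the Proxy group box 'Server' value applied: passes the check.
    overridden = local_acs_url("http", "example.com", "https://example.com")
    print(overridden, destination_matches(SAMPLE_RESPONSE, overridden))
```

Running the block prints the http URL with False and the https URL with True. Note that an override naming a different port (for example https://example.com:8443 when the identity provider was given https://example.com) still fails, which is why the Server value must agree with the ACS URL the identity provider uses.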