Saml2 trouble behind haproxy - 502


If I go to the server direct with https://server.example.com:5001 it authenticates fine but when I go through haproxy such as https://example.com:443 PSU returns 502 bad gateway. Any idea why that would be?

[two screenshots attached to the original post: an HAProxy config excerpt and the resulting 502 page]

I was trying both with direct port with :5001 and with the proxy from :443 to :5001


All Comments (9)

Whenever I get a 502 bad gateway, it is usually not the gateway and I have broken PSU in some way (I do that a lot).

2 thoughts on this…

  1. For the sake of testing, are you able to get access using HTTP?
  2. On line 5 of your 1st image is SVRNAME defined anywhere?

  1. Everything works except for SAML2 auth. If I just use forms, there are no issues. However, if I turn on SAML2, it redirects to the Microsoft login and then fails with 502 on return to /Saml2/Acs through HAProxy, but if I do it using the server alias it works fine.
  2. The SVRNAME works as expected with the cookie

Are you using the community version of HAProxy or the enterprise version?


Community


According to the manual, SAML is not included in Community:

[link card: HAProxy Technologies]

It looks like you may have to buy a licence to get this to work.

I was hoping to see if SAML passthrough was possible without having it terminated at haproxy, but that may not be the case.

I wonder if a KeyCloak container could handle the layer 7 stuff and allow you to have an HAProxy layer 4 gateway?

keycloak.org
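The two deployment shapes discussed in this thread (a layer 4 gateway that never terminates TLS, versus a layer 7 proxy that terminates TLS in front of PSU on :5001) can be written down as HAProxy configuration. The fragment below is an added illustration, not the poster's configuration from the screenshots and not anything HAProxy Technologies published; the hostnames, ports, certificate paths and backend name are assumptions based on the URLs in the question. In TCP mode the SAML exchange, including the POST back to /Saml2/Acs, travels end-to-end between the browser and the backend and HAProxy only routes by SNI, so no SAML feature in HAProxy is involved. In HTTP mode the proxy terminates TLS and should pass the external scheme and host to the backend so that the SP can reconstruct the public ACS URL it registered with the IdP; whether that is the cause of the 502 seen here is not established by the thread.

```haproxy
global
    log stdout format raw local0

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: layer 4 passthrough (assumed hosts/ports). HAProxy does not
# decrypt the session; it peeks at the TLS ClientHello for the SNI name
# and forwards the raw TCP stream. The SAML response posted to
# /Saml2/Acs is therefore seen only by the backend.
frontend fe_tls_passthrough
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_psu_tcp if { req.ssl_sni -i example.com }
    default_backend be_psu_tcp

backend be_psu_tcp
    mode tcp
    server psu1 server.example.com:5001 check

# Option B: layer 7 with TLS termination. Shown on :8443 only so that both
# options can coexist in one file for reading; in practice pick one and
# bind it to :443. The X-Forwarded-* headers tell the backend which
# external scheme and host the client used. The backend connection is
# re-encrypted and the server certificate is verified against an assumed
# CA bundle so the proxy does not silently trust any certificate.
frontend fe_https_terminated
    bind *:8443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port 443
    default_backend be_psu_http

backend be_psu_http
    mode http
    server psu1 server.example.com:5001 ssl verify required ca-file /etc/haproxy/certs/ca.pem check
```

Check a candidate file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. With option B, a 502 on the ACS callback usually shows up in the HAProxy log as a backend-side error on that request, which is the first place to look before assuming a licensing limitation; with option A, HAProxy never sees the HTTP layer at all, so a 502 would have to originate from the backend itself.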

I might give it a shot whenever I get time. Maybe in a couple of years. Thanks!


I know that feeling all too well!