-
Titel
Incorrect port in the SAML metadata when Foglight is behind a load balancer -
Beschreibung
Foglight SAML metadata uses the wrong port when Foglight is behind a proxy or load balancer.
For example, Foglight and the load balancer are configured to listen for HTTPS on port 8443.
When accessing Foglight via the load balancer URL (E.g.: https://foglight.yourdomain.com:8443/console/saml2/metadata.xml), the metadata uses the default HTTPS port (443) which can cause problems with SAML authentication due to a mismatch in the ports.
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="YYYY-MM-DDThh:mm:ssZ" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:443/console/saml2/metadata.xml" ...
The port is correct when accessing via the Foglight server URL instead of the load balancer.
-
Ursache
CAUSE 1
The default port for the protocol is being used because the port is not specified in the
Hostheader of the request.Refer to Host - HTTP | MDN for additional information on the HTTP header.
CAUSE 2The default port for the protocol is being used when headers
x-forwarded-proto: httpsorx-forwarded-proto: httpare present in the request. -
Lösung
WORKAROUND 1
If using a non-default HTTP or HTTPS port, the load balancer must be configured to include the port in the
Hostheader.
Update the configuration on the load balancer and Foglight to use the default port for HTTP or HTTPS.
WORKAROUND 2
To update the port in Foglight, refer to How to change Foglight Management Server port after installation? (4271559).
STATUSThis issue has been logged as defect Id. FOG-9645 and it is waiting for a fix in a future release of Foglight.
-
Fehler-ID
FOG-9645