Saml2 trouble behind haproxy - 502

If I go to the server direct with it authenticates fine but when I go through haproxy such as PSU returns 502 bad gateway. Any idea why that would be?

I was trying both with direct port with :5001 and with the proxy from :443 to :5001

Whenever I get a 502 bad gateway, it is usually not the gateway and I have broken PSU in some way (I do that a lot :frowning: )

2 thoughts on this…

  1. For the sake of testing, are you able to get access using HTTP?
  2. On line 5 of your 1st image is SVRNAME defined anywhere?
  1. Everything works except for SAML2 auth. If I just use forms, there is no issues. However, if I turn on SAML2, it redirects to the Microsoft Login and then fails with 502 on return to /Saml2/Acs through HA Proxy but if I do it using the server alias it works fine.
  2. The SVRNAME works as expected with the cookie

Are you using the community version of HAProxy or the enterprise version?


According to the manual, SAML is not included in Community:

It looks like you may have to buy a licence to get this to work.

I was hoping a see if SAML passthrough was possible without having it terminated at haproxy but that may not be the case.

I wonder if a KeyCloak container could handle the layer 7 stuff and allow you to have a HAProxy layer 4 gateway?

I might give it a shot whenever I get time. Maybe in a couple years :slight_smile: Thanks!

I know that feeling all too well!