Saml2 trouble behind haproxy - 502

If I go to the server directly at https://server.example.com:5001 it authenticates fine, but when I go through HAProxy, such as https://example.com:443, PSU returns 502 Bad Gateway. Any idea why that would be?


I tried both the direct port (:5001) and the proxy from :443 to :5001.

Whenever I get a 502 Bad Gateway, it is usually not the gateway, and I have broken PSU in some way (I do that a lot :frowning: )

Two thoughts on this…

  1. For the sake of testing, are you able to get access using HTTP?
  2. On line 5 of your first image, is SVRNAME defined anywhere?

  1. Everything works except for SAML2 auth. If I just use forms, there are no issues. However, if I turn on SAML2, it redirects to the Microsoft login and then fails with a 502 on the return to /Saml2/Acs through HAProxy, but if I do it using the server alias it works fine.
  2. SVRNAME works as expected with the cookie.

Are you using the community version of HAProxy or the enterprise version?

Community

According to the manual, SAML is not included in Community:

It looks like you may have to buy a licence to get this to work.

I was hoping to see if SAML passthrough was possible without it being terminated at HAProxy, but that may not be the case.

I wonder if a Keycloak container could handle the layer 7 stuff and allow you to have a HAProxy layer 4 gateway?
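For readers comparing the two topologies discussed in this thread (the :443 to :5001 layer-7 proxy that returns the 502, and the layer-4 passthrough idea above), here is an added configuration sketch. It is the editor's example, not configuration posted by any participant and not from the HAProxy or PowerShell Universal projects. The hostnames, certificate path, server name and timeouts are assumptions; the only detail taken from the thread is that PSU itself listens over HTTPS on :5001. The X-Forwarded-* headers in option A are general reverse-proxy practice so the application can build external URLs; whether their absence caused the 502 in this thread is not established by the posts.

```haproxy
# Added example (editor's sketch, not from the thread). Assumed values:
# example.com / server.example.com, /etc/haproxy/certs/example.com.pem,
# the backend name psu1, and all timeouts.

global
    log stdout format raw local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Option A: layer-7 reverse proxy, TLS terminated at HAProxy
#     (the https://example.com:443 -> :5001 setup described in the thread)
frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    # Pass the scheme and host the browser used so the application can
    # build redirect / callback URLs for https://example.com rather than
    # for its internal :5001 listener. Assumed to be wanted; not verified
    # against the thread's 502.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    option forwardfor
    default_backend be_psu

backend be_psu
    # PSU listens over TLS on :5001 (from the thread). 'verify none' assumes a
    # self-signed backend certificate; use 'verify required' + 'ca-file' for a
    # CA-signed one.
    server psu1 server.example.com:5001 ssl verify none check

# --- Option B: layer-4 passthrough, TLS NOT terminated at HAProxy
#     (the "HAProxy layer 4 gateway" idea above). Commented out because it
#     cannot share *:443 with Option A on the same instance; enable one or the
#     other. In this mode HAProxy cannot read or inject HTTP headers or cookies,
#     so cookie-based routing such as the SVRNAME cookie mentioned earlier
#     does not apply.
# frontend fe_tcp
#     mode tcp
#     bind *:443
#     default_backend be_psu_tcp
#
# backend be_psu_tcp
#     mode tcp
#     server psu1 server.example.com:5001 check
```

Before reloading, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file's syntax without starting the proxy. With option A, the SAML Assertion Consumer Service POST to /Saml2/Acs is an ordinary HTTP request to HAProxy, so a 502 on that path means HAProxy could not get a valid response from :5001 for it; the HAProxy log line for that request (its termination state and backend response time) is where to look next.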

I might give it a shot whenever I get time. Maybe in a couple years :slight_smile: Thanks!

I know that feeling all too well!