Having a bit of a problem getting Shibboleth (SSO) working with ADFS and Pound.
The main problem seems to be that:
- The website address will be https://website.domain.com
- Pound will then terminate the SSL and forward the traffic to the webserver on a different port (http://server.domain.com:8888)
I have set up Shibboleth to protect the address http://server.domain.com:8888, which allows me to retrieve metadata and it all seems to be working fine. However, the problem seems to be that ADFS is configured to protect the https website, so when Shibboleth attempts to receive information from ADFS I get nothing except the following error:
A token request was received for a relying party identified by the key
'https://msstagrevproxy.cwpintranet.com/shibboleth', but the request could not
be fulfilled because the key does not identify any known relying party trust.
Key: https://msstagrevproxy.cwpintranet.com/shibboleth
I am not really sure how I can work around this as, to retrieve the metadata from Shibboleth, I have to use the https address, but this does not actually exist in Shibboleth or IIS.
Has anyone had any experience with this before or using any other SSO with a reverse proxy that works?
You need to look at the RP trust configured on the AD FS server for Shibboleth. Make sure you have the correct identifier for the Shibboleth SP configured on AD FS. Note that this is a URI and it's case sensitive.
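One way to carry out that check on the AD FS server, as an added example that is not part of the answer above: it uses the key quoted in the error message from the question, looks for an RP trust whose identifier matches it exactly, and otherwise reports trusts whose identifier differs only in case or only in scheme/host (such as the internal http://server.domain.com:8888 address). The trust name 'Shibboleth SP' in the commented fix is a placeholder.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the AD FS server (Import-Module ADFS first on Windows Server 2012 R2).
# The key below is copied from the error message quoted in the question.
$Key = 'https://msstagrevproxy.cwpintranet.com/shibboleth'

# Exact, case-sensitive lookup: this is the comparison AD FS makes when it
# receives the token request from the SP.
$exact = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -ccontains $Key }

if ($exact) {
    "RP trust '$($exact.Name)' carries the identifier $Key exactly."
} else {
    "No RP trust has the identifier $Key (exact match). Looking for near misses..."
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        $trust = $_
        foreach ($id in $trust.Identifier) {
            # Case-only difference: the identifier is a URI, so AD FS will not match it.
            if ($id -ieq $Key -and $id -cne $Key) {
                "  '$($trust.Name)': identifier '$id' differs from the key only in case."
            }
            # Same path, different scheme/host/port: typically the internal
            # address behind the reverse proxy was used when the trust was created.
            elseif (($id -split '/', 4)[-1] -ieq ($Key -split '/', 4)[-1]) {
                "  '$($trust.Name)': identifier '$id' has the same path but a different scheme or host."
            }
        }
    }
    # Once the right trust is identified, give it the identifier the SP actually
    # sends (trust name 'Shibboleth SP' is a placeholder for your own):
    # Set-AdfsRelyingPartyTrust -TargetName 'Shibboleth SP' -Identifier $Key
}
```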