User sees IdP-side logging in the SP such as:

2010-05-25 14:36:12 ERROR OpenSAML.SecurityPolicyRule.BearerConfirmation : bearer confirmation failed with recipient mismatch
2010-05-25 14:36:12 WARN Shibboleth.SSO.SAML2 : detected a problem with assertion: Unable to locate satisfiable bearer SubjectConfirmation in
This is directly related to SSL offloading via Layer 7 switches or similar devices that terminate TLS in front of the SP.

An example subject confirmation from the assertion:
<saml:SubjectConfirmationData Address="22.214.171.124" InResponseTo="_1253d4aadec1143fe542a6adfbd06206" NotOnOrAfter="2010-05-25T06:09:49.050Z" Recipient="https://mysqp.example.com.au/Shibboleth.sso/SAML2/Artifact"/>
The Recipient value the IdP sends is built on the entityID 'https://mysqp.example.com.au'. Because of the offloading, the local Shibboleth daemon sees a plain HTTP request and generates the comparison string 'http://mysqp.example.com.au' (note the missing 's'). The two obviously don't match, so the assertion is discarded.
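The comparison described above, as an added example that is not part of the original page or of the Shibboleth SP code: it parses the SubjectConfirmationData shown above, reconstructs the endpoint URL the SP believes it received the message on from the scheme, host and path of the inbound request (all constructed values), and shows that the offloaded case compares 'http://...' against the asserted 'https://...' Recipient and fails, while a request whose scheme reflects the external HTTPS endpoint passes.

```python
# Added illustration of the bearer Recipient check under SSL offloading.
# Not Shibboleth SP code; the request attributes below are constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The SubjectConfirmationData from the page, wrapped in a parent element so
# it parses as a complete document (wrapper is constructed for the example).
SUBJECT_CONFIRMATION = (
    '<saml:SubjectConfirmation xmlns:saml="%s" '
    'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Address="22.214.171.124" '
    'InResponseTo="_1253d4aadec1143fe542a6adfbd06206" '
    'NotOnOrAfter="2010-05-25T06:09:49.050Z" '
    'Recipient="https://mysqp.example.com.au/Shibboleth.sso/SAML2/Artifact"/>'
    '</saml:SubjectConfirmation>' % SAML_NS
)


def asserted_recipient(xml_text):
    """Return the Recipient attribute the IdP put into the assertion."""
    root = ET.fromstring(xml_text)
    data = root.find("{%s}SubjectConfirmationData" % SAML_NS)
    if data is None or data.get("Recipient") is None:
        raise ValueError("no SubjectConfirmationData/Recipient in confirmation")
    return data.get("Recipient")


def sp_request_url(scheme, host, path):
    """The endpoint URL the SP reconstructs from the request it actually saw.

    With SSL offloading the daemon sees the decrypted request as plain HTTP,
    so 'scheme' is 'http' even though the browser connected over HTTPS.
    """
    return "%s://%s%s" % (scheme, host, path)


def bearer_recipient_ok(xml_text, scheme, host, path):
    """The recipient-mismatch rule: asserted Recipient must equal the local URL."""
    return asserted_recipient(xml_text) == sp_request_url(scheme, host, path)


HOST = "mysqp.example.com.au"
PATH = "/Shibboleth.sso/SAML2/Artifact"

if __name__ == "__main__":
    # Offloaded deployment: SP sees http, IdP asserted https -> mismatch.
    print("offloaded (http) :", bearer_recipient_ok(SUBJECT_CONFIRMATION, "http", HOST, PATH))
    # Request whose scheme matches the external endpoint -> accepted.
    print("external (https) :", bearer_recipient_ok(SUBJECT_CONFIRMATION, "https", HOST, PATH))
```

Run it directly to see the two outcomes side by side; the first line reproduces the "recipient mismatch" condition from the log above, and the second is what the daemon must compute for the same assertion to be accepted.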
So how to fix?