Hi folks,
I am trying to implement SSO in my network. As I understood things, I need to have the SAML service reachable from the outside - which is the UCS server. To achieve this, I configured my nginx reverse proxy like this:
    upstream ucs {
        server 1.2.3.4:443;
    }

    server {
        listen 443 ssl http2;
        include /etc/nginx/brotli_params;

        ssl_certificate     /path/to/cert;
        ssl_certificate_key /path/to/key;
        proxy_ssl_trusted_certificate ucs-root-ca.crt;
        ssl_dhparam ssl/dhparam-sso.pem;

        server_name login.example.com;

        access_log /var/log/nginx/sso_access_log main_ext;
        error_log  /var/log/nginx/sso_error_log warn;

        location / {
            proxy_pass https://ucs;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            ### Set headers ####
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Front-End-Https on;
            proxy_redirect off;
        }
    }
As I found out, the SSO web service seems to use SNI, so my first guess was to add this to my config:

    proxy_ssl_name ucs-sso.ucs.internal-domain;
    proxy_ssl_server_name on;

which resulted in a Misdirected Request error…
By now I'm running out of ideas - could someone point me in the right direction?
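For reference, an added nginx example (not from the post above, and not UCS project configuration) showing the proxy-side TLS settings that belong together when the backend selects its virtual host by SNI: the SNI name, the Host header sent upstream, and certificate verification against the backend's CA. It assumes the backend certificate is issued for ucs-sso.ucs.internal-domain by the UCS root CA stored at /etc/nginx/ucs-root-ca.crt; the public name login.example.com is taken from the post.

```nginx
# Added example, not the original poster's config. Assumed names:
#   backend certificate / SNI name : ucs-sso.ucs.internal-domain
#   CA file for that certificate   : /etc/nginx/ucs-root-ca.crt
upstream ucs {
    server 1.2.3.4:443;
}

server {
    listen 443 ssl http2;
    server_name login.example.com;

    ssl_certificate     /path/to/cert;
    ssl_certificate_key /path/to/key;

    location / {
        proxy_pass https://ucs;

        # TLS towards the backend: send SNI and verify the certificate the
        # backend presents. Note that proxy_ssl_trusted_certificate alone does
        # nothing; proxy_ssl_verify is off by default, so without it nginx
        # accepts any certificate from 1.2.3.4.
        proxy_ssl_server_name         on;
        proxy_ssl_name                ucs-sso.ucs.internal-domain;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ucs-root-ca.crt;

        # HTTP towards the backend: the Host header must agree with the SNI
        # name. With "proxy_set_header Host $host;" the backend would see
        # SNI=ucs-sso.ucs.internal-domain but Host=login.example.com; an
        # Apache backend answers that mismatch with 421 Misdirected Request.
        proxy_set_header Host              ucs-sso.ucs.internal-domain;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Preserve the name the client actually used, for backends that read it.
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Whether the SAML endpoints then emit redirect and metadata URLs for the public or the internal name depends on the backend's own hostname configuration, which this example does not cover.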