ACS URL is incorrect when using a Reverse Proxy

Created on 21 July 2025, 3 months ago

Problem/Motivation

I am running Drupal 10 in an App Service in Microsoft Azure using Application Gateway as a Reverse Proxy. When accessing the SAML login from the client domain, it forwards me back to the home page and the error states that:

RuntimeException encountered during processing SAML authentication response: Error(s) encountered during processing of authentication response. Type(s): invalid_response; reason given for last error: The response was received at https://**********.appserviceenvironment.com/*****/saml/acs instead of https://*********/*****/saml/acs in Drupal\samlauth\SamlService->processLoginResponse() (line 449 of /home/site/wwwroot/*****/modules/contrib/samlauth/src/SamlService.php).

This is showing that the ACS is only responding on the internal URL and not the client URL. I have tried enabling Session Affinity Proxy settings, but it doesn't make a difference.

All of my other non-Drupal App Services are working fine, so it seems to be specific to how this Drupal module is handling the ACS URLs.

Steps to reproduce

Attempting SAML login.

Proposed resolution

Set the ACS URL for the expected domain. Or any suggestions to resolve.

💬 Support request
Status

Active

Version

3.0

Component

Miscellaneous

Created by

🇺🇸 United States chad.hembrock


Comments & Activities

  • Issue created by @chad.hembrock
  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    As a first hack (if you're in a hurry) you can add the following line to SamlService::processLoginResponse() - e.g. on line 438 of SamlService.php:
    SamlUtils::setSelfHost('[YOUR-EXTERNAL-HOSTNAME]');

    In /admin/config/people/saml/saml ... what is the "Assertion Consumer Service" URL shown as? (The *.appserviceenvironment.com hostname or your externally-visible hostname?)

    That'll inform where we need to go from here.

  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    For completeness:

    I'll consider adding the above line to the module (first as an option to make sure existing sites don't break; then remove the option in v4.x because all sites should work with it). Because -- in short: the SAML PHP Toolkit library and Drupal use different ways of determining the hostname. That may be a problem. And I think we can fix it in a generic easy way.

    However, this is the first ever report of such a case. So I'd like some confirmation before changing code, and the question from #2 is still outstanding (with followup questions planned, based on what the answer is).
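
Added example, not part of the thread and not samlauth or SAML PHP Toolkit code: a simplified stand-in for the destination comparison behind the error above, showing why the backend's own Host header fails it and how a forwarded host can be accepted only from the proxy's address. The function names, the choice of `X-Forwarded-Host` as the header, and all hostnames and addresses are assumptions.

```php
<?php
// Added example: not samlauth or SAML PHP Toolkit code; all names are hypothetical.

// Host the browser used. The forwarded header is honoured only when the TCP
// peer is a known reverse proxy; otherwise any client could choose the host.
function external_host(array $server, array $trustedProxies,
                       string $hostHeader = 'HTTP_X_FORWARDED_HOST'): string {
  $host = $server['HTTP_HOST'] ?? '';
  if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)
      && !empty($server[$hostHeader])) {
    // A chain of proxies may append values; the first is the client-facing host.
    $host = trim(explode(',', $server[$hostHeader])[0]);
  }
  // Drop an optional :port and normalise case before comparing.
  return strtolower(preg_replace('/:\d+$/', '', $host));
}

// Simplified stand-in for the check behind "received at X instead of Y":
// the Destination in the SAML response must name the URL the request arrived at.
function destination_matches(string $destination, string $host, string $requestUri): bool {
  $d = parse_url($destination);
  if (!is_array($d) || ($d['scheme'] ?? '') !== 'https') {
    return false;
  }
  return strtolower($d['host'] ?? '') === $host
      && ($d['path'] ?? '/') === parse_url($requestUri, PHP_URL_PATH);
}

// Constructed sample data: hostnames and addresses are placeholders.
$destination = 'https://www.example.org/saml/acs';
$trusted = ['10.0.0.4'];
$viaProxy = [
  'HTTP_HOST' => 'backend.internal.example',
  'HTTP_X_FORWARDED_HOST' => 'www.example.org',
  'REMOTE_ADDR' => '10.0.0.4',
  'REQUEST_URI' => '/saml/acs',
];
$direct = ['REMOTE_ADDR' => '203.0.113.9'] + $viaProxy;

foreach (['trusted proxy' => $viaProxy, 'untrusted peer' => $direct] as $label => $s) {
  $naive = destination_matches($destination, strtolower($s['HTTP_HOST']), $s['REQUEST_URI']);
  $host = external_host($s, $trusted);
  $aware = destination_matches($destination, $host, $s['REQUEST_URI']);
  printf("%-14s host=%-24s naive=%s proxy-aware=%s\n", $label, $host,
    var_export($naive, true), var_export($aware, true));
}
```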
