Describe the bug

I am working on migrating a project from the SAML extension to saml2Login. Here is my code snippet:

```java
.saml2Login(saml -> {
    saml.relyingPartyRegistrationRepository(rpRepo)
        .authenticationConverter(authenticationConverter)
        .loginProcessingUrl("/saml/SSO");
});
```

```java
// Builds the single RelyingPartyRegistration from the IdP metadata URL.
// openStream() can throw IOException, so the method declares it.
protected RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws IOException {
    RelyingPartyRegistration registration = RelyingPartyRegistrations
            .fromMetadata(new URL(metadataUrl).openStream())
            .registrationId(registrationId)
            .entityId(this.serviceProviderId)
            .assertionConsumerServiceLocation(this.assertionConsumerUrl)
            .signingX509Credentials(creds -> creds.add(createSigningCredentials()))
            .assertingPartyDetails(apd ->
                    apd.wantAuthnRequestsSigned(true)
            )
            .build();

    return new InMemoryRelyingPartyRegistrationRepository(registration);
}
```

The problem is that when I hit the app, I get redirected to `http://{baseUrl}/saml2/authenticate/{registrationId}` instead of `https://{baseUrl}/saml2/authenticate/{registrationId}`.

The application is running on Elastic Beanstalk (Docker) behind a load balancer. The only port open is HTTPS (443).

Do you have any ideas on how to fix this?

Comment From: ZIRAKrezovic

Did you enable server.forward-headers-strategy?

https://docs.spring.io/spring-security/reference/features/exploits/http.html#http-proxy-server

Comment From: sjohnr

@Oualitsen, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, in addition to the link provided by @ZIRAKrezovic, take a look at discussion on gh-12307 which may be related to your issue. However, generally redirects will work correctly when forwarded headers are configured and used properly.

Comment From: Oualitsen

> Did you enable server.forward-headers-strategy?
>
> https://docs.spring.io/spring-security/reference/features/exploits/http.html#http-proxy-server

This is what worked for me. Setting `server.forward-headers-strategy=native` worked as expected. But I had to check that the load balancer and the reverse proxy (nginx in my case) actually forward the `X-Forwarded-Proto` header with a value of `https`.
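For readers landing here with the same setup, the following `application.properties` fragment is an added example, not code from the thread or from the Spring Security project. It shows the `native` strategy the comment above refers to together with the Tomcat `remoteip` settings that decide which upstream addresses are allowed to supply forwarded headers. The header names shown are Spring Boot's defaults; the `internal-proxies` value is a placeholder regex that you must replace with the address range of your own load balancer/nginx tier.

```properties
# native: Tomcat's RemoteIpValve rewrites request.getScheme()/isSecure()
# from X-Forwarded-Proto, so Spring Security builds the
# /saml2/authenticate/{registrationId} redirect with the https scheme.
server.forward-headers-strategy=native

# Header names Tomcat reads. These are the defaults, listed for clarity.
server.tomcat.remoteip.protocol-header=X-Forwarded-Proto
server.tomcat.remoteip.remote-ip-header=X-Forwarded-For

# Forwarded headers are only honoured when the request comes from an
# address matching this regex; from any other address they are ignored,
# which stops a direct client from claiming "https" it never had.
# Boot's default already covers loopback and RFC 1918 ranges (enough when
# nginx proxies to the container over 127.0.0.1). The value below is a
# placeholder for a 10.0.x.x VPC subnet; note the doubled backslashes
# required in a .properties file.
server.tomcat.remoteip.internal-proxies=10\\.0\\.\\d{1,3}\\.\\d{1,3}
```

On the nginx side, assuming the load balancer terminates TLS and talks to nginx over plain HTTP (which is how the 443-only setup above reads), `proxy_set_header X-Forwarded-Proto $scheme;` would forward `http`, because `$scheme` is the scheme nginx itself received; pass the load balancer's value through instead with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, and only set it to the literal `https` when nginx is the TLS endpoint. A quick check is to log the header at the application (for example via the `X-Forwarded-Proto` value in an access-log pattern) and confirm it reads `https` before trusting the redirect behaviour.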