RStudio Connect SAML - redirect problem

I've configured RStudio Connect with SAML.
After the user has been authenticated with the IdP, the redirect from the IdP to RStudio fails with the error:

    {"code":97,"error":"Changing host or scheme in redirect is forbidden.","payload":null}

Typing the RStudio login URL in the browser, the user can access RStudio correctly.

Any ideas about how to resolve this?
Best regards
Andrea

Hi @andret889 and welcome to the RStudio Community!!

Apologies for the delay getting back to you here! Are you still running into issues? For a more expedited response, it may be worth shooting an email to support@rstudio.com so that our Professional Support team can get you sorted!

In the meantime, this looks a lot like the protocol or host that is getting forwarded to RStudio Connect (by a load balancer or proxy) is not getting set properly.

For this purpose, we use the X-Forwarded-Host and X-Forwarded-Proto headers. There are a handful of problems that can crop up if these are not set properly, and there is an "escape hatch" header (X-RSC-Request) that can be used. (This is one such problem, and they often give this same feeling of "everything else works," which makes debugging subtly challenging! You are not alone!)

We talk more about the process here: Running with a Proxy - RStudio Connect: Admin Guide

Can you say a bit more about how traffic reaches your Connect host / cluster? Is there a load balancer or proxy in play? Is it listening at the root path (/) or are you rewriting paths? Do users access with TLS/SSL/https? Does Connect also listen in TLS/SSL/https, or does the proxy terminate the TLS connection?

Hi @cole, thank you for the detailed response!

I'm still running into the issue.
We set a Load Balancer, an httpd and an Nginx Reverse Proxy in front of RStudio Connect.
LB --> httpd:80 --> nginx:3939
We have followed the official guide, in particular the section related to Nginx with Path rewriting configuration. It seems correct. It acts as TLS terminator.

This is our configuration for nginx:

    # this takes care of redirecting /shiny to /shiny/
    rewrite ^/shiny$ $scheme://$http_host/shiny/;

    # Proxy RStudio Connect at /shiny/
    location /shiny/ {
      rewrite ^/shiny/(.*)$ /$1 break;
      proxy_set_header X-RSC-Request $scheme://$http_host:$server_port$request_uri;
      proxy_pass http://localhost:3939;
      proxy_redirect / $scheme://$http_host/shiny/;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_http_version 1.1;
      proxy_buffering off;
    }

Apache httpd has been configured for reverse proxy/path rewriting too.

Any advice? Maybe the key point is the Apache httpd.

Thank you in advance, best regards

Update: the same configuration has been validated with PAM authentication.
The problem could be the request obtained from the authentication provider (Oracle Access Manager) and the response to RStudio. Only the redirect fails; the user is correctly authenticated.

Interesting! It definitely could be! One thing that you could do is enable SAML debug logging to see if that helps provide any pointers?

    [SAML]
    Logging = true

It may be best to pivot this to a support ticket so that we can exchange more confidential information and possibly arrange a call. Redirect behavior is difficult to reason about, in general, so text-based communication is often tricky!

Would you mind opening a support ticket, sending a diagnostic bundle and mentioning me / this community thread in the ticket?

Also, it may be helpful to capture a HAR file and share that in the ticket as well. Capturing a HAR is basically opening browser devtools, opening the networking tab, reproducing the behavior, and then clicking "export" on the network traffic so that we can review what exactly is happening.
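An added example, not part of the original thread and not RStudio Connect's own code: it expands the `X-RSC-Request` value from the nginx configuration posted above for a few constructed requests and lists where its scheme, host or port differs from the URL in the browser. The host name `connect.example.com`, the ports and the three proxy-chain scenarios are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def rsc_request_value(scheme, http_host, server_port, request_uri):
    """Expand $scheme://$http_host:$server_port$request_uri the way nginx would."""
    return f"{scheme}://{http_host}:{server_port}{request_uri}"

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def mismatches(browser_url, header_value):
    """List origin components where the header disagrees with the browser URL."""
    try:
        seen = origin(header_value)
    except ValueError as exc:  # e.g. a Host header that already carries a port
        return [f"unparseable header value {header_value!r}: {exc}"]
    want = origin(browser_url)
    return [f"{name}: browser={w!r} header={s!r}"
            for name, w, s in zip(("scheme", "host", "port"), want, seen) if w != s]

# Constructed sample values (assumptions, not taken from the thread).
BROWSER_URL = "https://connect.example.com/shiny/"
CASES = {
    # nginx reached over plain HTTP on port 8080, Host header preserved upstream
    "tls ended before nginx": ("http", "connect.example.com", 8080, "/shiny/"),
    # upstream proxy replaced Host with the backend address, port included
    "host rewritten upstream": ("http", "localhost:8080", 8080, "/shiny/"),
    # nginx itself terminates TLS on 443 and sees the public Host
    "nginx terminates tls": ("https", "connect.example.com", 443, "/shiny/"),
}

def report():
    """Map each case name to (header value, list of mismatches)."""
    out = {}
    for name, args in CASES.items():
        value = rsc_request_value(*args)
        out[name] = (value, mismatches(BROWSER_URL, value))
    return out

if __name__ == "__main__":
    for name, (value, problems) in report().items():
        print(f"{name}: {value}")
        for p in problems or ["matches the browser origin"]:
            print(f"  {p}")
```

To apply it to a real deployment, replace the constructed values with the scheme, `Host` header and listening port that nginx actually sees, for example as recorded in its access log.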
