JupyterHub/nginx proxy and SAML2 auth

Hey!!

I’m working on integrating our JupyterHub with our IdP. Our setup is:

An nginx proxy doing https and forwarding to localhost, where JupyterHub is listening on http. The problem I have is that the SAML2 authenticator is giving the IdP an http address for the ACS URL to return the authenticated connection. Two problems: the IdP must match the URL, and we do not listen on port 80 on the public interface.

Is there a config option to force this to be an https connection?

Which SAML2 authenticator are you using? JupyterHub doesn’t include one by default.

You have to enable TLS termination on nginx and then forward the traffic from your proxy down to the http. On top, you have to have an IdP configured so that your nginx configuration looks for OAuth 2.0 (forget SAML 2.0), and if there is an authentication-validated header JWT token, it passes on the request with TLS termination. Else it redirects for authentication to the IdP. I have done that with Keycloak + nginx + Jupyter. Mostly the configuration between Keycloak and nginx is the tricky part, and configuring that there is a TLS termination on the nginx side, so you don’t have that error that the proxied service doesn’t run on https.
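How the http ACS URL from the question arises behind a TLS-terminating proxy, and the checks a backend needs before trusting the proxy's scheme, as an added example that is not part of any post in this thread and is not code from JupyterHub or any SAML authenticator. It assumes nginx runs on the same host and sets `X-Forwarded-Proto` (for example with `proxy_set_header X-Forwarded-Proto $scheme;`); the function name, host name and ACS path are hypothetical.

```python
import ipaddress
from urllib.parse import urlunsplit

# All values below are constructed for illustration (assumptions, not from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
ALLOWED_HOSTS = {"hub.example.org"}   # public name the IdP has registered
ACS_PATH = "/hub/acs"                 # hypothetical; depends on the authenticator


def external_acs_url(peer_ip, headers, local_scheme="http"):
    """Build the ACS URL to hand to the IdP for a request the hub received.

    peer_ip      -- address of the TCP peer (nginx, when proxied)
    headers      -- request headers as a dict
    local_scheme -- scheme the hub itself listens on (http behind the proxy)
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}

    # Pin the host to an allowlist so a forged Host header cannot steer
    # the SAML response to another origin.
    host = hdrs.get("host", "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")

    # Without forwarded headers the hub only knows its own listener, which
    # is how an http:// ACS URL ends up in the AuthnRequest.
    scheme = local_scheme

    # Honour X-Forwarded-Proto only when the peer is the trusted proxy;
    # a direct client could otherwise set it to anything.
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        proto = hdrs.get("x-forwarded-proto", "").lower()
        if proto in ("http", "https"):
            scheme = proto

    return urlunsplit((scheme, host, ACS_PATH, "", ""))


if __name__ == "__main__":
    proxied = {"Host": "hub.example.org", "X-Forwarded-Proto": "https"}
    print(external_acs_url("127.0.0.1", proxied))
    print(external_acs_url("127.0.0.1", {"Host": "hub.example.org"}))
```

Where the authenticator lets you set the ACS URL as a fixed configuration value, that removes the dependency on request headers altogether.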