
V5 SAML token validation fails when Snipe-it is behind a reverse proxy #8584

Closed
2 tasks done
fstorz opened this issue Oct 22, 2020 · 2 comments

Comments


fstorz commented Oct 22, 2020

Please confirm you have done the following before posting your bug report:

Describe the bug
After configuring SAML and attempting to log in via SAML, the following error is displayed on the login screen.


I used the following SAML configuration:
Entity-ID: https://assets.example.com
ACS-URL: https://assets.example.com/saml/acs
Logout-URL: https://assets.example.com/saml/sls

A token from the debug logs states that the SAML response was OK.

<samlp:Response ID="_1234567890" Version="2.0" IssueInstant="2020-10-21T00:00:00.000Z" Destination="https://assets.example.com/saml/acs" InResponseTo="ONELOGIN_1234567890"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
...

Reverse proxy settings are working fine, since all resources and links are generated using https://assets.example.com as the base URL and the IP of the proxy is set properly (the APP_URL and APP_TRUSTED_PROXIES env parameters are set accordingly).

To Reproduce
Steps to reproduce the behavior:

  1. Configure reverse proxy with env parameters
  2. Configure the SAML provider with the URLs given above and use the IdP Metadata URL to configure Snipe-IT
  3. Login with SAML
  4. See error

Expected behavior
The SAML login mechanism uses the correct "frontend" URL (in this case using https) to validate SAML tokens

Server (please complete the following information):

  • Snipe-IT Version: v5.0.1
  • Official Docker Image: v5.0.1

Desktop (please complete the following information):

  • OS: MacOS 10.15
  • Browser: Chrome
  • Version: 86

Error Messages
The debug bar displays the following messages:

LOG.debug: There was an error with SAML ACS: invalid_response
LOG.debug: Reason: The response was received at http://assets.example.com/saml/acs instead of https://assets.example.com/saml/acs

The error message was created by the OneLogin SAML response validation of the Destination value (see OneLogin_Saml2_Response).

Additional context

  • Is this a fresh install or an upgrade?
    It's an upgrade from 4.9.5 to 5.0.1
  • Which method did you use to install Snipe-IT (install.sh, manual installation, docker, etc)?
    It is a docker installation (in combination with docker-compose & mariadb)
  • Include what you've done so far in the installation, and if you got any error messages along the way.
    No errors so far
  • Indicate whether or not you've manually edited any data directly in the database?
    Database was not touched at all

welcome bot commented Oct 22, 2020

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.


fstorz commented Oct 22, 2020

After some research I was able to resolve the problem by myself :)
The solution was to do two things:

  1. Add a "custom" property on the SAML configuration screen:
    SAML Custom Settings:
    baseurl=https://assets.example.com/saml
    
  2. Set the username of the relevant users to their email address. This is because the identity value of the SAML token is an email address (at our IdP, Azure AD).

@fstorz fstorz closed this as completed Oct 22, 2020
snipe pushed a commit that referenced this issue Nov 21, 2020
* Let onelogin/php-saml know to use 'X-Forwarded-*' headers if it is from a trusted proxy

* Gracefully handle the case where openssl_csr_new fails when openssl.cnf is invalid/missing

* Improve UI of SAML SP metadata by displaying its URL and a download button
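To make the failing check concrete, here is an added, self-contained Python model (not code from Snipe-IT or onelogin/php-saml) of the two pieces involved: reconstructing the URL the SP believes it received the response at, honouring X-Forwarded-* headers only when the direct peer is a trusted proxy (the approach taken in the commit above; the baseurl custom setting is the alternative the reporter used), and comparing the samlp:Response Destination against it. The sample response and CGI environment are constructed from the values quoted in the issue; the proxy address 172.18.0.2 and the trusted range 172.18.0.0/16 are assumptions.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the truncated samlp:Response quoted in the issue.
SAMPLE_RESPONSE = (
    '<samlp:Response ID="_1234567890" Version="2.0" IssueInstant="2020-10-21T00:00:00.000Z" '
    'Destination="https://assets.example.com/saml/acs" InResponseTo="ONELOGIN_1234567890" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:Response>'
)

# Constructed: the CGI variables the PHP process sees when the proxy terminates TLS
# and forwards plain HTTP to the container. REMOTE_ADDR is the proxy, not the user.
PROXIED_ENV = {
    "REMOTE_ADDR": "172.18.0.2",
    "HTTP_HOST": "assets.example.com",
    "REQUEST_URI": "/saml/acs",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "assets.example.com",
}

def from_trusted_proxy(remote_addr, trusted_proxies):
    """True only if the direct peer is inside one of the trusted addresses/CIDRs."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ip_network(net, strict=False) for net in trusted_proxies)

def self_url(env, trusted_proxies):
    """URL the SP believes the POST arrived at; X-Forwarded-* headers are honoured
    only when REMOTE_ADDR is a trusted proxy, else any client could rewrite them."""
    scheme = "https" if env.get("HTTPS") == "on" else "http"
    host = env["HTTP_HOST"]
    if from_trusted_proxy(env.get("REMOTE_ADDR", ""), trusted_proxies):
        scheme = env.get("HTTP_X_FORWARDED_PROTO", scheme)
        host = env.get("HTTP_X_FORWARDED_HOST", host)
    return f"{scheme}://{host}{env.get('REQUEST_URI', '/').split('?', 1)[0]}"

def destination_matches(response_xml, current_url):
    """Return (ok, reason) for the Destination check that produced the issue's error."""
    root = ET.fromstring(response_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:protocol}Response":
        return False, "not a samlp:Response"
    dest = root.get("Destination")  # None when the attribute is absent
    if dest != current_url:
        return False, f"The response was received at {current_url} instead of {dest}"
    return True, "ok"
```

With an empty trusted-proxy list the reconstructed URL is the plain-http one and the check fails with the same wording as the issue's log line; once the proxy's address is trusted, the forwarded scheme is used and the Destination matches.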