
Issue with mod_auth_saml and Apache 2.2



Hello.

I've been integrating mod_auth_saml with PingFederate and wanted to pass
along some feedback on that experience. So far it has been positive with 2
exceptions. I thought I would post these separately to assist in the
discussion.

We have the DEFAULTQS directive specified in the mod_auth_saml config as we
do not want the IDP selection page shown. We always want the module to
redirect to the configured IDP if the user does not have a session. The
problem is that on the 9th hit to the page, the IDP page is shown. I've
tracked this down to when the module hook chkuid is run, the value of
DEFAULTQS directive from the config is truncated which causes the module to
show the IDP selection page as it's not able to parse out the IDP (d
argument) to use.

On my two test boxes, which are a RHEL 6.3/Apache 2.2.15 and CentOS
5.8/Apache 2.2.3, the problem consistently occurs on the 9th attempt.
Essentially the repro steps are:
1) Restart Apache
2) Use curl to retrieve the protected resource page. Example: curl -v
http://XXX.XXX.XXX/secret
Results: The 1st through 8th attempt will show the redirection to the IDP.
On the 9th attempt the IDP selection page is shown.

Since I am using curl I'm not actually going to the IDP and logging in and
then getting redirected back to the SP (mod_auth_saml).

Here is a snippet of the log for the 1st time I retrieve the page:

t2b4ace642940 mod_auth_saml.c:312 chkuid                mas d ===== START 1.11 req=0x12604420 uri(/secret) args((null)) pid=26785
t2b4ace642940 mod_auth_saml.c:435 chkuid                mas I chkuid: other page uri(/secret) qs((null)) cf->url(http://XXX.XXX.XXX/secret/saml) uri_len=7 url_len=41
t2b4ace642940 mod_auth_saml.c:446 chkuid                mas d chkuid: uri(/secret) args((null)) rs(/secret)
t2b4ace642940   zxutil.c:944 zxid_deflate_safe_b64_raw  mas d chkuid: z input(/secret) len=7
t2b4ace642940 mod_auth_saml.c:451 chkuid                mas I chkuid: DEFAULTQS(10http://XXX.XXX.XXX/secret/saml?e=&d=myidp.com&l0= Login &fc=1&fn=prstnt&fq=&fy=&fa=&fm=&fp=0&ff=0)
t2b4ace642940  zxidcgi.c:262 zxid_parse_cgi     mas d chkuid: Unknown CGI field(10http://XXX.XXX.XXX/secret/saml?e) val()
t2b4ace642940  zxidcgi.c:163 zxid_parse_cgi     mas d chkuid: cgi: login eid=0x11c7c4fb eid(myidp.com)
t2b4ace642940  zxidcgi.c:183 zxid_parse_cgi     mas d chkuid: allow_create=1
t2b4ace642940  zxidcgi.c:189 zxid_parse_cgi     mas d chkuid: nid_fmt=prstnt
t2b4ace642940  zxidcgi.c:182 zxid_parse_cgi     mas d chkuid: authn_ctx=
t2b4ace642940  zxidcgi.c:190 zxid_parse_cgi     mas d chkuid: ispassive=0
t2b4ace642940  zxidcgi.c:184 zxid_parse_cgi     mas d chkuid: force_authn=0


This is a snippet of the log from the 9th attempt:

t2b4ac2636940 mod_auth_saml.c:312 chkuid                mas d ===== START 1.11 req=0x12636250 uri(/secret) args((null)) pid=26785
t2b4ac2636940 mod_auth_saml.c:435 chkuid                mas I chkuid: other page uri(/secret) qs((null)) cf->url(http://XXX.XXX.XXX/secret/saml) uri_len=7 url_len=41
t2b4ac2636940 mod_auth_saml.c:446 chkuid                mas d chkuid: uri(/secret) args((null)) rs(/secret)
t2b4ac2636940   zxutil.c:944 zxid_deflate_safe_b64_raw  mas d chkuid: z input(/secret) len=7
t2b4ac2636940 mod_auth_saml.c:451 chkuid                mas I chkuid: DEFAULTQS(10http://XXX.XXX.XXX/secret/saml?e)
t2b4ac2636940 mod_auth_saml.c:459 chkuid                mas d chkuid: No session() active op(E)
t2b4ac2636940 mod_auth_saml.c:461 chkuid                mas d chkuid: other page: no_ses uri(/secret) templ((null)) tf(idpsel.html)
t2b4ac2636940  zxidecp.c:141 zxid_lecp_check    mas d chkuid: Neither ECP nor LECP request 0
t2b4ac2636940 zxidsimp.c:1418 zxid_simple_no_ses_cf     mas d chkuid: LECP check: ss(?)
t2b4ac2636940 zxidsimp.c:1429 zxid_simple_no_ses_cf     mas d chkuid: NOT CDC 0


As you can see the DEFAULTQS is truncated at the e. I did notice the
"Unknown CGI field" so I ended up changing the DEFAULTQS to just
d=myidp.com&l0= Login &fc=1&fn=prstnt&fq=&fy=&fa=&fm=&fp=0&ff=0.
Also in the config file I have %26 instead of &. The "Unknown CGI field"
error went away but it still consistently failed on the 9th attempt.

I tried to figure this out on my own but seem to have hit a brick wall. I
see that the configuration comes from the dir_cf() macro which calls the
Apache ap_get_module_config() function. The cf->defaultqs field is modified
by the zxid_parse_cgi() function call around line 450 (I've added logging
so the line number might not line up) inside chkuid(). Since the zxid_conf
structure that comes out of ap_get_module_config() is a void*, the only
thing that I can think of is that the modifications made inside chkuid are
making their way back up into Apache's cache of the configuration object.
Why it takes 8 attempts I'm not sure.

Any thoughts on this are greatly appreciated.

Thanks,

Aaron


