[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mod_auth_saml not setting the auth user

Please supply version data for zxid and platform.

Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
> I have setup the Apache 2.4.6 web server on my Ubuntu install (built the
> Apache server from source, since the mod_auth_saml requires access to the
> various .h files in the include directory, which is not available in the
> direct package downloaded by Ubuntu).

While compiling apache yourself is certainly OK, it usually is not
necessary as most Linux distributions offer packages that have the
necessary headers, e.g.

sudo apt-get install libapr1-dev
sudo apt-get install apache2-dev

> On this I was able to compile the mod_auth_saml and generate the
> mod_auth_saml.so file.
> I was also able to configure my IDP using the zxcot tool (zxcot -g
> metadata-url).
> I configured the /protected location.
> Then I accessed the /protected/test.html file, and I was redirected to the
> IDP selection page. Here I could see the IDP I had setup using the zxcot
> tool, and I selected the same for login.
> I was promptly redirected to the IDP login page, and after successfully
> logging in there, I was redirected to the original /protected/test.html
> file, and here I got an "Internal Server Error".
> This was because the mod_authz_core module cannot recognize that there is
> an authenticated user available, and it prints the message :
> "AH00027 No authentication done but request not allowed without
> authentication for /protected/test.html. Authentication not configured?
> referrer ...."
> I checked on the browser for the cookies and the cookies were set for the
> ip address for the IDP and for the SP. Also ZXIDSES cookie was created.
> Further, in the log I could also see the message from zxid PDP as
> "PERMIT by local PDP val(<username>) nid(<username>)"
> If you can shed any light as to what I'm missing it will be extremely
> helpful.

1. Although the REDIR_TO_CONTENT option is fully supported,
   try without it and report what happens.

2. The destination of REDIR_TO_CONTENT is carried in SAML
   protocol using RelayState field, which may appear as rs
   in ZXID logs. Given the error messages you received,
   it seems probable that the REDIR_TO_CONTENT and RelayState

3. Upon successful SSO, ZXID sets REMOTE_USER in apache
   context (from where it propagates to be environment
   variable visible to CGIs, etc.). Please try to scan
   the logs for whether this variable was set.

   In my best understanding this is all that needs to be
   done for the "Require valid-user"
   condition to be satisfied, but perhaps I am missing something?
   My own testing tends to be against Apache 2.2 so this could
   be a factor, too. I still want to support 2.4, however, so
   if there is something 2.4 requires, I want to add it.

4. Doublecheck that you do not have any .htaccess file or
   other authentication related modules involved. Sometimes
   these are confusingly called authorization modules even if
   they only implement checking authentication and then
   have default policy that every authenticated user is an
   authorized user.


> Regards,
> Karthik
> PS :
> the conf settings is as follows:
> LoadModule auth_saml_module /usr/local/apache2/modules/mod_auth_saml.so
> <Location /protected>
>     Require valid-user
>     AuthType "saml"
>     ZXIDConf "URL=http://<ipaddress>/protected/saml"
> </Location>
> --