
mod_auth_saml: DEFAULTQS being ignored



Hi all,

I have compiled the latest version, 1.22, of mod_auth_saml for an
Apache instance on SLES11.
I can already authenticate against an IdP. Now I would like to get rid
of the IdP selection page. I thought using the DEFAULTQS directive
should do the trick.
However, it appears this directive is completely ignored.
No matter what I use as the DEFAULTQS, I'm still redirected
to the IdP selection page.

Feel free to test, here's the URL:
https://fiori-00017-1001272-emea.sapdemocloud.com/

And this is the relevant part of my Apache config:

     <Location /protected>
       Require valid-user
       AuthType "saml"
       ZXIDConf "URL=https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml"
       ZXIDConf "ANON_OK=/pers/"
       ZXIDConf "REDIR_TO_CONTENT=1"
     </Location>


     <Location /sap>
       Require valid-user
       AuthType "saml"
       ZXIDConf "URL=https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml"
       ZXIDConf "DEFAULTQS=https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?e=&d=accounts.sap.com&l0=+Login+&fc=1&fn=prstnt&fr=%2Fsap%2Fbc%2Fui5_ui5%2Fui2%2Fushell%2Fshells%2Fabap%2FFioriLaunchpad.html&fq=&fy=&fa=&fm=&fp=0&ff=0"
     </Location>



If I enter the QS directly into the browser it works like a charm.


Here's the debug log:


4965.7ff9a2995700 mod_auth_saml.c:341 chkuid mas d ===== START 1.22 req=0x7ff9a3b193d8 uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) args((null)) pid=4965 cwd(/)

4965.7ff9a2995700 mod_auth_saml.c:497 chkuid mas d chkuid: No active session() op(-)

4965.7ff9a2995700 mod_auth_saml.c:508 chkuid mas d chkuid: other page: no_ses uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) templ((null)) tf(idpsel.html) k((null))

4965.7ff9a2995700 zxidsimp.c:1485 zxid_simple_no_ses_cf mas d chkuid: op(E) cf=0x7ff9a3030b08 cgi=0x7fff50153e20 ses=0x7fff50153cb0 auto=6ea8 wd(-)

4965.7ff9a2995700 zxidecp.c:141 zxid_lecp_check mas d chkuid: Neither ECP nor LECP request 0

4965.7ff9a2995700 zxidsimp.c:1524 zxid_simple_no_ses_cf mas d chkuid: LECP check: ss(?)

4965.7ff9a2995700 zxidsimp.c:1536 zxid_simple_no_ses_cf mas d chkuid: NOT CDC 0

4965.7ff9a2995700 zxidsso.c:158 zxid_sso_set_relay_state_to_return_to_this_url mas d chkuid: Previous rs(-)

4965.7ff9a2995700 zxutil.c:951 zxid_deflate_safe_b64_raw mas d chkuid: z input(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) len=58

4965.7ff9a2995700 zxidsso.c:168 zxid_sso_set_relay_state_to_return_to_this_url mas d chkuid: rs(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCrcMvOLMn0SS_OSMwoSU_QySnJzAA==) from(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) uri_path(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) qs(-)

4965.7ff9a2995700 zxidsimp.c:844 zxid_simple_show_idp_sel mas d chkuid: cf=0x7ff9a3030b08 cgi=0x7fff50153e20 templ(?)

4965.7ff9a2995700 zxidsimp.c:630 zxid_idp_select_zxstr_cf_cgi mas d chkuid: HERE tf(idpsel.html) k((null)) t(<title>SP SSO: Choose IdP</title><link type="text/css" rel=stylesheet href="idpsel.css"><body bgcolor=white><h1 class=zxtop>SP Federated SSO (user NOT logged in, no session)</h1><form method=get action="!!URL"><div class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div class=zxdbg>!!DBG</div><h3>Login Using New IdP</h3><i>A new IdP is one whose metadata we do not have yet. We need to know the IdP URL (aka Entity ID) in order to fetch the metadata using the well known location method. You will need to ask the adminstrator of the IdP to tell you what the EntityID is.</i><p>IdP URL <input name=e size=60><input type=submit name=l0 value=" Login "><br>Entity ID of this SP (click on the link to fetch the SP metadata): <a href="!!EID">!!EID</a><p>!!IDP_LIST<h3>Technical options</h3><input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt><!-- built-in defaults, see IDP_SEL_TEMPL in zxidconf.h and zxid-conf.pd for explanation --><input type=hidden name=fr value="!!FR"><input type=hidden name=fq value=""><input type=hidden name=fy value=""><input type=hidden name=fa value=""><input type=hidden name=fm value=""><input type=hidden name=fp value=0><input type=hidden name=ff value=0></form><div class=zxbot>!!VERSION (builtin)</div>) cgi=0x7fff50153e20

open (vopen_fd_from_path): No such file or directory

4965.7ff9a2995700 zxutil.c:122 vopen_fd_from_path mas E chkuid: templ: File(idpsel.html) not found errno=2 err(No such file or directory). flags=0x0 0, euid=30 egid=8 cwd(/)

4965.7ff9a2995700 zxidsimp.c:392 zxid_template_page_cf mas d chkuid: Template at path(idpsel.html) not found. Using default template.

4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr mas d chkuid: my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)

4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr mas d chkuid: my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)

4965.7ff9a2995700 zxutil.c:128 vopen_fd_from_path mas d chkuid: get_ent_by_sha1_name: Opened(/var/zxid/cot/aIHZ78Ex8smJDvnZ3rPkp3Kw1vs) flags=0x0

4965.7ff9a2995700 zxns.c:187 zx_xmlns_decl mas d chkuid: New prefix(ns3) known URL(urn:oasis:names:tc:SAML:2.0:metadata)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Transform> tok(0x3c0d04) as 1. child of <Transforms> tok(0x3c0a7b) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Transform> tok(0x3c0d04) as 2. child of <Transforms> tok(0x3c0a7b) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Transforms> tok(0x3c0a7b) as 1. child of <Reference> tok(0x3c0982) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <DigestMethod> tok(0x3c045d) as 2. child of <Reference> tok(0x3c0982) (0,1)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <DigestValue> tok(0x3c0a33) as 3. child of <Reference> tok(0x3c0982) (1,2)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <CanonicalizationMethod> tok(0x3c05fc) as 1. child of <SignedInfo> tok(0x3c09b0) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SignatureMethod> tok(0x3c02e4) as 2. child of <SignedInfo> tok(0x3c09b0) (0,1)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Reference> tok(0x3c0982) as 3. child of <SignedInfo> tok(0x3c09b0) (1,2)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <X509Certificate> tok(0x3c0154) as 1. child of <X509Data> tok(0x3c02c4) (0,3)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Modulus> tok(0x3c01b0) as 1. child of <RSAKeyValue> tok(0x3c10bb) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Exponent> tok(0x3c0f26) as 2. child of <RSAKeyValue> tok(0x3c10bb) (0,1)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <RSAKeyValue> tok(0x3c10bb) as 1. child of <KeyValue> tok(0x3c108b) (0,1)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <X509Data> tok(0x3c02c4) as 1. child of <KeyInfo> tok(0x3c1071) (0,3)

4965.7ff9a2995700 zxlibdec.c:228 zx_chk_el_ord mas E chkuid: WRONG: Known <KeyValue> tok(0x3c108b) in wrong place as 2. child of <KeyInfo> tok(0x3c1071) (3,8)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SignedInfo> tok(0x3c09b0) as 1. child of <Signature> tok(0x3c02de) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SignatureValue> tok(0x3c02fc) as 2. child of <Signature> tok(0x3c02de) (0,1)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyInfo> tok(0x3c1071) as 3. child of <Signature> tok(0x3c02de) (1,2)

4965.7ff9a2995700 zxns.c:187 zx_xmlns_decl mas d chkuid: New prefix() known URL(http://www.w3.org/2000/09/xmldsig#)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <X509Certificate> tok(0x3c0154) as 1. child of <X509Data> tok(0x3c02c4) (0,3)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyName> tok(0x3c0b12) as 1. child of <KeyInfo> tok(0x3c1071) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <X509Data> tok(0x3c02c4) as 2. child of <KeyInfo> tok(0x3c1071) (0,3)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyInfo> tok(0x3c1071) as 1. child of <KeyDescriptor> tok(0x240ae6) (0,0)

4965.7ff9a2995700 zxns.c:187 zx_xmlns_decl mas d chkuid: New prefix() known URL(http://www.w3.org/2000/09/xmldsig#)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <X509Certificate> tok(0x3c0154) as 1. child of <X509Data> tok(0x3c02c4) (0,3)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyName> tok(0x3c0b12) as 1. child of <KeyInfo> tok(0x3c1071) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <X509Data> tok(0x3c02c4) as 2. child of <KeyInfo> tok(0x3c1071) (0,3)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyInfo> tok(0x3c1071) as 1. child of <KeyDescriptor> tok(0x240ae6) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyDescriptor> tok(0x240ae6) as 1. child of <IDPSSODescriptor> tok(0x240d44) (0,2)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <KeyDescriptor> tok(0x240ae6) as 2. child of <IDPSSODescriptor> tok(0x240d44) (2,2)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SingleLogoutService> tok(0x2408f6) as 3. child of <IDPSSODescriptor> tok(0x240d44) (2,6)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SingleLogoutService> tok(0x2408f6) as 4. child of <IDPSSODescriptor> tok(0x240d44) (6,6)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SingleSignOnService> tok(0x240978) as 5. child of <IDPSSODescriptor> tok(0x240d44) (6,9)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <SingleSignOnService> tok(0x240978) as 6. child of <IDPSSODescriptor> tok(0x240d44) (9,9)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <Signature> tok(0x3c02de) as 1. child of <EntityDescriptor> tok(0x24056f) (0,0)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <IDPSSODescriptor> tok(0x240d44) as 2. child of <EntityDescriptor> tok(0x24056f) (0,3)

4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord mas d chkuid: Right: Known <EntityDescriptor> tok(0x24056f) as 1. child of <root> tok(0x000054) (0,14)

4965.7ff9a2995700 zxidmeta.c:302 zxid_get_ent_file mas d chkuid: GOT META sha1_name(aIHZ78Ex8smJDvnZ3rPkp3Kw1vs) eid(?)

4965.7ff9a2995700 zxidsimp.c:469 zxid_idp_list_cf_cgi mas d chkuid: Starting IdP list processing... 0x7ff9a3b1ed10

4965.7ff9a2995700 zxidsimp.c:553 zxid_idp_list_cf_cgi mas d chkuid: IdP list(<select name=d>

<option class=zxidplistopt value="accounts.sap.com">  (accounts.sap.com)

</select><input type=submit id=zxidplistlogin class=zxidplistbut name="l0" value=" Login "><br>

)

4965.7ff9a2995700 zxutil.c:1063 zxid_unbase64_inflate mas d chkuid: in(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCrcMvOLMn0SS_OSMwoSU_QySnJzAA==) len=72 pessimistic_len=54

4965.7ff9a2995700 mod_auth_saml.c:341 chkuid mas d ===== START 1.22 req=0x7ff9a3b04c58 uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) args((null)) pid=4965 cwd(/)

4965.7ff9a2995700 mod_auth_saml.c:497 chkuid mas d chkuid: No active session() op(-)

4965.7ff9a2995700 mod_auth_saml.c:508 chkuid mas d chkuid: other page: no_ses uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) templ((null)) tf(idpsel.html) k((null))

4965.7ff9a2995700 zxidsimp.c:1485 zxid_simple_no_ses_cf mas d chkuid: op(E) cf=0x7ff9a3030b08 cgi=0x7fff50153e20 ses=0x7fff50153cb0 auto=6ea8 wd(-)

4965.7ff9a2995700 zxidecp.c:141 zxid_lecp_check mas d chkuid: Neither ECP nor LECP request 0

4965.7ff9a2995700 zxidsimp.c:1524 zxid_simple_no_ses_cf mas d chkuid: LECP check: ss(?)

4965.7ff9a2995700 zxidsimp.c:1536 zxid_simple_no_ses_cf mas d chkuid: NOT CDC 0

4965.7ff9a2995700 zxidsso.c:158 zxid_sso_set_relay_state_to_return_to_this_url mas d chkuid: Previous rs(-)

4965.7ff9a2995700 zxutil.c:951 zxid_deflate_safe_b64_raw mas d chkuid: z input(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) len=49

4965.7ff9a2995700 zxidsso.c:168 zxid_sso_set_relay_state_to_return_to_this_url mas d chkuid: rs(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCoyUwqKU3P0kouLAQ==) from(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) uri_path(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) qs(-)

4965.7ff9a2995700 zxidsimp.c:844 zxid_simple_show_idp_sel mas d chkuid: cf=0x7ff9a3030b08 cgi=0x7fff50153e20 templ(?)

4965.7ff9a2995700 zxidsimp.c:630 zxid_idp_select_zxstr_cf_cgi mas d chkuid: HERE tf(idpsel.html) k((null)) t(<title>SP SSO: Choose IdP</title><link type="text/css" rel=stylesheet href="idpsel.css"><body bgcolor=white><h1 class=zxtop>SP Federated SSO (user NOT logged in, no session)</h1><form method=get action="!!URL"><div class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div class=zxdbg>!!DBG</div><h3>Login Using New IdP</h3><i>A new IdP is one whose metadata we do not have yet. We need to know the IdP URL (aka Entity ID) in order to fetch the metadata using the well known location method. You will need to ask the adminstrator of the IdP to tell you what the EntityID is.</i><p>IdP URL <input name=e size=60><input type=submit name=l0 value=" Login "><br>Entity ID of this SP (click on the link to fetch the SP metadata): <a href="!!EID">!!EID</a><p>!!IDP_LIST<h3>Technical options</h3><input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt><!-- built-in defaults, see IDP_SEL_TEMPL in zxidconf.h and zxid-conf.pd for explanation --><input type=hidden name=fr value="!!FR"><input type=hidden name=fq value=""><input type=hidden name=fy value=""><input type=hidden name=fa value=""><input type=hidden name=fm value=""><input type=hidden name=fp value=0><input type=hidden name=ff value=0></form><div class=zxbot>!!VERSION (builtin)</div>) cgi=0x7fff50153e20

open (vopen_fd_from_path): No such file or directory

4965.7ff9a2995700 zxutil.c:122 vopen_fd_from_path mas E chkuid: templ: File(idpsel.html) not found errno=2 err(No such file or directory). flags=0x0 0, euid=30 egid=8 cwd(/)

4965.7ff9a2995700 zxidsimp.c:392 zxid_template_page_cf mas d chkuid: Template at path(idpsel.html) not found. Using default template.

4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr mas d chkuid: my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)

4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr mas d chkuid: my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)

4965.7ff9a2995700 zxidsimp.c:469 zxid_idp_list_cf_cgi mas d chkuid: Starting IdP list processing... 0x7ff9a3b1ed10

4965.7ff9a2995700 zxidsimp.c:553 zxid_idp_list_cf_cgi mas d chkuid: IdP list(<select name=d>

<option class=zxidplistopt value="accounts.sap.com">  (accounts.sap.com)

</select><input type=submit id=zxidplistlogin class=zxidplistbut name="l0" value=" Login "><br>

)

4965.7ff9a2995700 zxutil.c:1063 zxid_unbase64_inflate mas d chkuid: in(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCoyUwqKU3P0kouLAQ==) len=60 pessimistic_len=45
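
The `rs(...)` values in the log above are the RelayState that `zxid_sso_set_relay_state_to_return_to_this_url` builds from the requested URI. The following Python is an added example, not part of the original post and not ZXID code: it decodes those values and checks them against the logged `from(...)` path, assuming the encoding is raw DEFLATE followed by URL-safe base64, as the log's function names (`zxid_deflate_safe_b64_raw`, `zxid_unbase64_inflate`) suggest. The helper names and the local-path check are hypothetical.

```python
import base64
import re
import zlib

# The two "rs(...) from(...)" entries from the debug log above,
# trimmed to the fields this example reads.
LOG_LINES = [
    "zxidsso.c:168 chkuid: rs(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCrc"
    "MvOLMn0SS_OSMwoSU_QySnJzAA==) "
    "from(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html)",
    "zxidsso.c:168 chkuid: rs(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCoy"
    "UwqKU3P0kouLAQ==) "
    "from(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css)",
]

# "Previous rs(-)" lines carry no from(...) field, so they do not match.
RS_RE = re.compile(r"rs\(([A-Za-z0-9_\-=]+)\) from\(([^)]*)\)")


def decode_relay_state(rs: str) -> str:
    """URL-safe base64 decode, then inflate a raw DEFLATE stream (no zlib header)."""
    raw = base64.urlsafe_b64decode(rs + "=" * (-len(rs) % 4))
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8")


def is_local_path(target: str) -> bool:
    """True for a same-site absolute path; rejects scheme-relative and backslash forms."""
    return target.startswith("/") and not target.startswith("//") and "\\" not in target


def audit(lines):
    """Decode every RelayState found and compare it with the logged origin URI."""
    results = []
    for line in lines:
        match = RS_RE.search(line)
        if not match:
            continue
        rs, origin = match.groups()
        target = decode_relay_state(rs)
        results.append({
            "target": target,
            "matches_log": target == origin,
            "local": is_local_path(target),
        })
    return results


if __name__ == "__main__":
    for entry in audit(LOG_LINES):
        print(entry)
```

The RelayState is only compressed and encoded, not encrypted or signed, so anyone who sees it can read and rewrite the return path.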