Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Secured location returns 401 instead of triggering IDP login #144

Closed zoltancsoka closed 6 years ago

zoltancsoka commented 6 years ago

I have configured IDP and SP and I can perform login manually by calling /mellon/login?ReturnTo=/auth1/index.html. Following a successful authentication the content is served. I can also call the logout function manually; it logs me out and also returns to the ReturnTo address. The issue is that if I just browse to the protected URL, Apache sends me back a 401 instead of redirecting me to the IDP. I have tried different versions of the module and also many different kinds of configs from different sources, but I always had the same behavior. Please find my anonymized config below:

```apache
<VirtualHost *:443>
    ServerName my.server.local
    DocumentRoot /var/www/wiki/
    SSLEngine On
    SSLCertificateFile /etc/httpd/conf/my-server.pem
    SSLCertificateKeyFile /etc/httpd/conf/my-server.pem

    # (the opening <Location> directive of this block was not preserved on the page)
        Require valid-user
        AuthType "Mellon"
        MellonEnable "info"
        MellonSPentityId "https://my.server.local/mellon/metadata"
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp.key
        MellonSPCertFile /etc/httpd/mellon/sp.crt
        MellonSPMetadataFile /etc/httpd/mellon/sp.xml
        MellonIdPMetadataFile /etc/httpd/mellon/idp.xml
        MellonEndpointPath "/mellon/"
    </Location>

    <Location /auth1>
        # This location will trigger an authentication request to the IdP.
        AuthType "Mellon"
        MellonEnable "auth"
        Require valid-user
    </Location>
</VirtualHost>
```

Do you have an idea what I am doing wrong? Or does it have anything to do with the virtualhost? Error logs do not have any information and unfortunately the module does not work with diagnostics enabled.

zoltancsoka commented 6 years ago

Greetings,

I have downloaded the latest version and enabled diagnostics. Now I see in the logfile:

```
[APLOG_DEBUG auth_mellon_handler.c:278] loaded IdP "https://sts.windows.net/anonymised/" from "/etc/httpd/mellon/idp.xml".
[APLOG_DEBUG auth_mellon_handler.c:3576] Redirecting to login URL: https://santized.domain.local/mellon/login?ReturnTo=https%3A%2F%2Fsanitized.domain.local%2Fauth1%2Findex.html&IdP=https%3A%2F%2Fsts.windows.net%2anonymized
enter function am_check_uid
am_check_uid no session, return HTTP_UNAUTHORIZED
```

Although the log says that it is redirecting, the browser does not get any redirect response; instead it gets a 401. If I take the login URL from the logfile and paste it into the browser, the login works fine and I get authenticated.

Could you please help me to find out why the redirect is not taking place?

olavmrk commented 6 years ago

Hi,

I don't have a direct answer for you; once it has logged the message about the redirect, all it should be doing is to actually redirect. No further authentication or authorization should be attempted.

One thing that is somewhat strange in your code is this block:

```apache
Require valid-user
AuthType "Mellon"
MellonEnable "info"
```

Here you are mixing MellonEnable "info", which does not trigger authentication, with Require valid-user, which causes Apache to reject unauthenticated requests. I don't see how it should create the exact error you are describing, but I suggest trying to remove Require valid-user in that location.
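The split olavmrk describes, written out as a complete configuration. This is an added example, not configuration from the issue or from the mod_auth_mellon project; the hostname, certificate paths and entity ID are placeholders. The site-wide block carries only the Mellon settings and `MellonEnable "info"` (which exposes session attributes to already-authenticated requests but never starts a login), while `Require valid-user` lives only in the block that uses `MellonEnable "auth"`, so anonymous requests there are redirected to the IdP rather than answered with 401:

```apache
# Added example (not from the issue or the project). Hostname, paths and
# entity ID are placeholders.
<VirtualHost *:443>
    ServerName sp.example.invalid
    DocumentRoot /var/www/wiki/
    SSLEngine On
    SSLCertificateFile    /etc/httpd/conf/sp.example.pem
    SSLCertificateKeyFile /etc/httpd/conf/sp.example.pem

    # Site-wide Mellon settings. "info" only populates the environment
    # for requests that already carry a Mellon session; it never starts
    # a login. No "Require" here: pairing "info" with "Require valid-user"
    # makes Apache reject anonymous requests with 401 before Mellon
    # would ever redirect them to the IdP.
    <Location />
        AuthType "Mellon"
        MellonEnable "info"
        MellonSPentityId "https://sp.example.invalid/mellon/metadata"
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp.key
        MellonSPCertFile /etc/httpd/mellon/sp.crt
        MellonSPMetadataFile /etc/httpd/mellon/sp.xml
        MellonIdPMetadataFile /etc/httpd/mellon/idp.xml
        MellonEndpointPath "/mellon/"
    </Location>

    # Protected tree. "auth" makes Mellon redirect requests without a
    # session to the IdP; "Require valid-user" is what keeps the content
    # closed to anyone who comes back without a valid session.
    <Location /auth1>
        AuthType "Mellon"
        MellonEnable "auth"
        Require valid-user
    </Location>
</VirtualHost>
```

After a reload, an anonymous request for /auth1/index.html should produce a 302 whose Location header points at /mellon/login?ReturnTo=..., which is easy to confirm with `curl -I` against the server; a 401 at that point means some other directive in the merged configuration is still rejecting the request before Mellon's redirect runs.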

zoltancsoka commented 6 years ago

Hi,

Many thanks for your reply. The issue was not in your module, but in our server configuration. An admin had put in a configuration which for whatever reason blocked the redirect. I have tried it with a new installation and the redirect worked fine; the authentication was successful.

Sorry for the inconvenience caused,

Kind Regards,

Zoltan