Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Signature and SigAlg missing From Response Header #179

Closed szaluk closed 6 years ago

szaluk commented 6 years ago

For some reason we are missing the Signature and SigAlg query parameters from the location in the response from a GET to /mellon/login.

Here is the call that is being made:

Request

Request URL: https://servername/mellon/login?ReturnTo=https%3A%2F%2Fservername%2F&IdP=https%3A%2F%2Faccount.idpserver.com%3A443%2Fsso
Request Method: GET
Status Code: 303 
Remote Address: ipaddress:443
Referrer Policy: no-referrer-when-downgrade

Response:

cache-control: private, max-age=0, must-revalidate
content-length: 972
content-type: text/html; charset=iso-8859-1
date: Thu, 16 Aug 2018 13:37:12 GMT
location: https://account.idpserver.com:443/sso/SSORedirect/metaAlias/idp?SAMLRequest=[saml request value]&RelayState=https%3A%2F%2Fservername%2F
server: Apache/2.4.18 (Ubuntu)
set-cookie: AWSALB=[aws alb value]; Expires=Thu, 23 Aug 2018 13:37:12 GMT; Path=/
set-cookie: mellon-cookie=cookietest; Version=1; Path=/; Domain=servername;
status: 303

Apache Server version: Apache/2.4.18 (Ubuntu) is running on port 80 on an EC2 instance that is fronted by an AWS ALB. I see the redirect being made to our IDP server, but it's failing because these values are missing from the request.

Here is my config file:

<VirtualHost *:80>
    ServerName https://servername

    UseCanonicalName On

    ProxyRequests Off

    # Start SSO - This is if you want Single sign on with Account Manager
    ProxyPass /mellon/ !

    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

    <Location />
        # Require authenticated user
        MellonEnable "auth"

        # Configure the SP metadata
        # This should be the files which were created when creating SP metadata.
        MellonSPPrivateKeyFile /conf/server.key
        MellonSPCertFile /conf/server.cert
        MellonSPMetadataFile /conf/server.xml

        # IdP metadata. This should be the metadata file you got from the IdP.
        MellonIdPMetadataFile /conf/idpserver.xml

        # Require Documentation User role
        MellonRequire "roles" "ROLE"

        # The location all endpoints should be located under.
        # This path is relative to the root of the web server.
        MellonEndpointPath /mellon

        #this is the property coming on the SAML assertion set as REMOTE_USER
        MellonUser "uid"

        RewriteEngine on
        RewriteRule .* - [E=RU:%{REMOTE_USER}]
        RequestHeader set X_REMOTE_USER %{RU}e

        MellonSamlResponseDump On
        MellonSessionDump On
    </Location>
</VirtualHost>

We have an identical setup on another server where it's working fine, so I'm not sure why the Signature and SigAlg values are not being added to the location. Any idea what could be causing this?

Thanks, Steve
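The Location header above is the SAML 2.0 HTTP-Redirect binding: for a signed AuthnRequest the SP must append SigAlg and Signature, and the signature covers the raw URL-encoded string SAMLRequest=...&RelayState=...&SigAlg=... in that order. The following Python is an added diagnostic (not part of this issue or of mod_auth_mellon) that reports which of those parameters a redirect is missing and rebuilds the exact octet string the IdP would verify; the sample URLs and values are constructed.

```python
from urllib.parse import urlsplit

# Parameters a signed HTTP-Redirect AuthnRequest must carry (RelayState is optional).
REQUIRED = ("SAMLRequest", "SigAlg", "Signature")

# SigAlg URIs the SAML bindings spec commonly uses; rsa-sha1 is flagged as weak.
WEAK_SIGALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
KNOWN_SIGALG = {WEAK_SIGALG, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}


def raw_query_params(location):
    """Split the query into (name, raw_value) pairs WITHOUT percent-decoding.
    The redirect signature is computed over the encoded values exactly as they
    appear in the URL, so decoding and re-encoding would break verification."""
    pairs = []
    for part in urlsplit(location).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def check_redirect(location):
    """Return (missing, signed_data, weak_sigalg) for a redirect-binding URL.
    missing: required parameters absent from the query (the symptom in this issue);
    signed_data: the string SigAlg signs, or None when the redirect is unsigned;
    weak_sigalg: True when SigAlg is rsa-sha1."""
    params = dict(raw_query_params(location))
    missing = [p for p in REQUIRED if p not in params]
    if missing:
        return missing, None, False
    # Order mandated by the binding: SAMLRequest, then RelayState if present, then SigAlg.
    parts = ["SAMLRequest=" + params["SAMLRequest"]]
    if "RelayState" in params:
        parts.append("RelayState=" + params["RelayState"])
    parts.append("SigAlg=" + params["SigAlg"])
    # Decode only to classify the algorithm; the signed string keeps the raw encoding.
    from urllib.parse import unquote
    sigalg = unquote(params["SigAlg"])
    return [], "&".join(parts), sigalg == WEAK_SIGALG or sigalg not in KNOWN_SIGALG


# Constructed sample: the shape of the Location header reported in this issue.
UNSIGNED = ("https://idp.example/sso?SAMLRequest=abc%2Bdef"
            "&RelayState=https%3A%2F%2Fsp.example%2F")
SIGNED = (UNSIGNED + "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
          "&Signature=c2lnbmF0dXJl")

if __name__ == "__main__":
    print(check_redirect(UNSIGNED))
    print(check_redirect(SIGNED))
```

Run it against the decoded Location header from the failing server: a non-empty missing list reproduces the IdP rejection described above, while a populated signed_data is what the IdP verifies with the SP certificate from its metadata.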

szaluk commented 6 years ago

I got it to work. It seems like it's an issue with the version of Apache I was running on Ubuntu 16.04.04. I built a new instance using 14.04 and it worked right away.

--Steve