
How does Apache know that a SAML response is authenticated?


问题:

I am new to Apache and SAML. I have the configuration below in my my_app_httpd.conf file, which redirects unauthenticated requests to Okta; that part works fine.

<Location />
# Only the 401 error page is replaced here: the directive sends the browser to
# SimpleSAMLphp, but it does not by itself give Apache any authenticated
# session to check afterwards (hence the redirect loop described below).
ErrorDocument 401 "/simplesaml/module.php/core/authenticate.php?as=default-sp"
</Location>

But after authentication, when the SAML response is received, Apache doesn't understand it and redirects to authentication again on the same URL. This causes an infinite loop.

Can anyone tell me how to set up the Apache configuration so that it understands that Okta has authenticated the request and allows access to the web page?

Below is the SAML response.

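<!-- Okta SAML 2.0 Response as received by the SP (SimpleSAMLphp). Validating it is the
     SP's job, not Apache's. Signature, certificate and identity values are redacted. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
             Destination="http://10.184.10.216/nagios"
             ID="id3356034041494549348655095"
             InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
             IssueInstant="2018-07-09T19:31:46.388Z"
             Version="2.0"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             >
<!-- Destination has to match the SP's assertion consumer URL and InResponseTo the ID of
     the AuthnRequest the SP issued; a conforming SP rejects the response otherwise. -->
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
<!-- Enveloped signature over the whole Response (Reference URI is the Response ID). -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#id3356034041494549348655095">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                            PrefixList="xs"
                                            />
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>D6hXy7yCw4MpfQjE+vcACd3WedArnDr7d4jFjEt5yvw=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>hidden</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>hidden</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<!-- The Assertion carries its own signature (Reference URI is the Assertion ID), so it can
     be verified independently of the Response signature above. -->
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="id33560340415149882013321527"
                 IssueInstant="2018-07-09T19:31:46.388Z"
                 Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id33560340415149882013321527">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>6dGcam+MkWY7/0LWUEoV7U40u/Qb7694fnbwERfTEhE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>hidden</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>hiddendata</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emailofuser</saml2:NameID>
        <!-- Bearer confirmation: the SP must check Recipient against its own URL, InResponseTo
             against the outstanding request ID, and reject the assertion at NotOnOrAfter. -->
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                                           NotOnOrAfter="2018-07-09T19:36:46.388Z"
                                           Recipient="http://10.184.10.216/nagios"
                                           />
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!-- Ten-minute validity window, so SP/IdP clock skew matters. The Audience below ends in a
         trailing slash while Destination and Recipient do not; the SP's configured entityID
         has to match the Audience value exactly - confirm which form the SP uses. -->
    <saml2:Conditions NotBefore="2018-07-09T19:26:46.388Z"
                      NotOnOrAfter="2018-07-09T19:36:46.388Z"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >
        <saml2:AudienceRestriction>
            <saml2:Audience>http://10.184.10.216/nagios/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-07-09T19:31:46.388Z"
                          SessionIndex="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <!-- Attributes released by the IdP; only a session established by the SP (and exposed to
         Apache, e.g. via AuthMemCookie) can make these visible to httpd. -->
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="FirstName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >username</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >Nataliya</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Email"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >emailofuser</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>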

回答1:

SimpleSAMLphp is usually used as a library in your application to authenticate users - it is not an Apache module. The `ErrorDocument 401` redirect above only hands the browser to SimpleSAMLphp; Apache itself never learns that the resulting session is authenticated, which is why it keeps redirecting. You can use SSP's AuthMemCookie module to allow Apache to make use of the session data stored by SSP.