How apache know that SAML response is authenticate

2020-05-06 09:44发布

问题:

I am new to Apache and SAML. I have below configuration in my my_app_httpd.conf file which redirects un-authenticated request to OKTA which is working fine.

<Location />
ErrorDocument 401 "/simplesaml/module.php/core/authenticate.php?as=default-sp"
</Location>

But after authentication when SAML response is received, apache doesn't understand and it redirects again for authentication on same url. This causes indefinite loop.

Can anyone please tell me how can I setup apache configuration so that it understands that OKTA has authenticated request and it should allow access to web page.

Below is response SAML.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
             Destination="http://10.184.10.216/nagios"
             ID="id3356034041494549348655095"
             InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
             IssueInstant="2018-07-09T19:31:46.388Z"
             Version="2.0"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#id3356034041494549348655095">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                            PrefixList="xs"
                                            />
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>D6hXy7yCw4MpfQjE+vcACd3WedArnDr7d4jFjEt5yvw=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>hidden</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>hidden</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="id33560340415149882013321527"
                 IssueInstant="2018-07-09T19:31:46.388Z"
                 Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id33560340415149882013321527">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>6dGcam+MkWY7/0LWUEoV7U40u/Qb7694fnbwERfTEhE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>hidden</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>hiddendata</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emailofuser</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                                           NotOnOrAfter="2018-07-09T19:36:46.388Z"
                                           Recipient="http://10.184.10.216/nagios"
                                           />
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-07-09T19:26:46.388Z"
                      NotOnOrAfter="2018-07-09T19:36:46.388Z"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >
        <saml2:AudienceRestriction>
            <saml2:Audience>http://10.184.10.216/nagios/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-07-09T19:31:46.388Z"
                          SessionIndex="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="FirstName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >username</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >Nataliya</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Email"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >emailofuser</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

回答1:

SimpleSAMLphp is usually used as a library in your application to authenticate users - it is not an apache module. You can use SSP's AuthMemCookie module to allow Apache to make use of the session data stored by SSP.