How apache know that SAML response is authenticated

这一生的挚爱 提交于 2019-12-20 06:37:08

问题


I am new to Apache and SAML. I have below configuration in my my_app_httpd.conf file which redirects un-authenticated request to OKTA which is working fine.

<Location />
ErrorDocument 401 "/simplesaml/module.php/core/authenticate.php?as=default-sp"
</Location>

But after authentication when SAML response is received, apache doesn't understand and it redirects again for authentication on same url. This causes indefinite loop.

Can anyone please tell me how can I setup apache configuration so that it understands that OKTA has authenticated request and it should allow access to web page.

Below is response SAML.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
             Destination="http://10.184.10.216/nagios"
             ID="id3356034041494549348655095"
             InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
             IssueInstant="2018-07-09T19:31:46.388Z"
             Version="2.0"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#id3356034041494549348655095">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                            PrefixList="xs"
                                            />
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>D6hXy7yCw4MpfQjE+vcACd3WedArnDr7d4jFjEt5yvw=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>hidden</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>hidden</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="id33560340415149882013321527"
                 IssueInstant="2018-07-09T19:31:46.388Z"
                 Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id33560340415149882013321527">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>6dGcam+MkWY7/0LWUEoV7U40u/Qb7694fnbwERfTEhE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>hidden</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>hiddendata</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emailofuser</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                                           NotOnOrAfter="2018-07-09T19:36:46.388Z"
                                           Recipient="http://10.184.10.216/nagios"
                                           />
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-07-09T19:26:46.388Z"
                      NotOnOrAfter="2018-07-09T19:36:46.388Z"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >
        <saml2:AudienceRestriction>
            <saml2:Audience>http://10.184.10.216/nagios/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-07-09T19:31:46.388Z"
                          SessionIndex="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="FirstName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >username</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >Nataliya</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Email"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >emailofuser</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>


回答1:


SimpleSAMLphp is usually used as a library in your application to authenticate users - it is not an apache module. You can use SSP's AuthMemCookie module to allow Apache to make use of the session data stored by SSP.



来源:https://stackoverflow.com/questions/51253189/how-apache-know-that-saml-response-is-authenticated

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!