Uninett/mod_auth_mellon

How to do both SAML with mod_auth_mellon and preemptive Basic auth at same path

nneul opened this issue · 2 comments

nneul commented

This may be more of an Apache question, but it seems like it would be useful to have as an example in the docs for this module.

I'd like to be able to have a path on the server that is protected by both mod_auth_mellon for SAML AND standard apache basic auth (using either ldap or krb5 auth modules). The key is though - I only want the basic auth to function if the basic auth creds are already passed in the request - I don't want it sending back an authorization response triggering the browser to throw up the basic auth dialog. If the authentication fails or is missing, redirecting to the saml idp is appropriate.

The reason for this, in case it clarifies: most of my existing environment is using basic auth right now. I'd like to move a subset of the user-driven activities over to SAML auth, but we have a lot of legacy code (that is not all visible to me) that does REST requests (or even simple scraping/spidering/etc.) and is hard-coded to send auth details via basic auth. I'd rather not set up a new URL for the apps themselves for end users, and it's infeasible to change all the legacy references.

Is this possible, and if so, could you add an example of it?

I'm sorry, but I'm not familiar enough with Apache configuration to tell whether it is possible or not. It may be possible, but my impression is that Apache wants one authentication method at a time.

As a workaround it may be possible to push the basic authentication into the application. Basically run mod_auth_mellon in "info" mode, where it allows unauthenticated requests through, and then have the application look at the request to determine the authentication method. I.e.:

  • REMOTE_USER set => user authenticated through mod_auth_mellon
  • Authorization-header set => parse that header, validate username & password
  • Otherwise: Trigger mod_auth_mellon authentication by redirecting to the login endpoint (/mellon/login)
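The three-way dispatch described above, as an added example that is not part of the original thread: a WSGI-style handler in Python that assumes mod_auth_mellon is running in "info" mode with the default endpoint path, and that a constructed dictionary (`EXAMPLE_USERS`) stands in for the LDAP or Kerberos password check; `basic_header`, `parse_basic_auth`, `check_password` and `dispatch` are names chosen for this example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# mod_auth_mellon's login endpoint: MellonEndpointPath + "/login" (default path assumed).
MELLON_LOGIN = "/mellon/login"

# Constructed credential store standing in for the LDAP/Kerberos check in a real deployment.
EXAMPLE_USERS = {"svc-legacy": "correct horse battery staple"}


def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value a preemptive legacy client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_password(user: str, password: str) -> bool:
    expected = EXAMPLE_USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so a wrong guess cannot be ranked by response timing.
    return hmac.compare_digest(password.encode(), expected.encode())


def dispatch(environ: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Apply the three rules in order; returns (status, extra headers, REMOTE_USER or "")."""
    # 1. REMOTE_USER set: mod_auth_mellon (in "info" mode) validated a SAML session.
    if environ.get("REMOTE_USER"):
        return 200, {}, environ["REMOTE_USER"]
    # 2. Authorization header present: validate the preemptive Basic credentials.
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if creds is not None and check_password(*creds):
        return 200, {}, creds[0]
    # 3. Missing or bad credentials: redirect to the SAML IdP via the login endpoint;
    #    never answer 401 + WWW-Authenticate, so browsers never see a Basic auth dialog.
    return_to = quote(environ.get("PATH_INFO") or "/", safe="")
    return 302, {"Location": f"{MELLON_LOGIN}?ReturnTo={return_to}"}, ""
```

The handler only ever redirects on failure, so a scripted client with a stale password sees a 302 to the IdP rather than a challenge; log those cases, since they are the legacy callers that still need migrating.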

nneul commented

Your response reminded me of this, and I dug into it some more... I posted something on ServerFault, but I think I wound up answering my own question. Here: https://serverfault.com/questions/884484/combine-apache-auth-providers-of-different-types-with-basic-auth-only-if-proacti/884517#884517

and came up with this:

<Location />
<If "-n req('Authorization')">
	AuthName "Active Directory"
	AuthBasicProvider ldap
	AuthType Basic
	AuthLDAPMaxSubGroupDepth 0
	AuthLDAPBindAuthoritative off
	AuthLDAPRemoteUserAttribute sAMAccountName
	AuthLDAPInitialBindPattern (.+) $1@yyyyy
	AuthLDAPInitialBindAsUser on
	AuthLDAPSearchAsUser on
	AuthLDAPCompareAsUser on
	AuthLDAPUrl "ldaps://xxx,dc=com?sAMAccountName,memberOf?sub"
	LDAPReferrals Off

	Require valid-user
</If>
<Else>
	Require valid-user
	AuthType "Mellon"
	MellonEnable "auth"
	MellonVariable "cookie"
	MellonEndpointPath "/sso"
	MellonDefaultLoginPath "/"
	MellonSubjectConfirmationDataAddressCheck Off
	MellonSessionLength 86400
	MellonSPPrivateKeyFile /...../sp-private-key.pem
	MellonIdPMetadataFile /...../idp-metadata.xml
	MellonDoNotVerifyLogoutSignature https://........
</Else>
</Location>

Any downside you can see?