
SAML с mod_auth_mellon

17 февраля 2020

Я настроил Apache для SAML-аутентификации перед Grafana, но значение заголовка «X-WEBAUTH-USER» не передаётся: в запросе, дошедшем до бэкенда, он равен «(null)»:

nc -l -p 9119
POST /grafana/ HTTP/1.1
Host: 127.0.0.1:9119
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://samlidp.example.com/
Content-Type: application/x-www-form-urlencoded
Origin: https://samlidp.example.ch
DNT: 1
Cookie: mellon-cookie=cookietest
Upgrade-Insecure-Requests: 1
X-WEBAUTH-USER: (null)

Вот мой конфиг:

# Apache vhost fragment (the enclosing <VirtualHost> is not shown here).
# TLS is terminated at this host and every request is reverse-proxied to
# Grafana on 127.0.0.1:9119; authentication is delegated to mod_auth_mellon
# (SAML), and the resulting identity is forwarded to the backend as a header.
ServerName servername.com
ServerAdmin webmaster@servername.com
ServerAlias servername.com

DocumentRoot "/var/www/html"


# Logs and diagnostics
# Debug level is verbose; together with the Mellon *Dump directives further
# down it puts assertion/session details into the error log, so keep it for
# troubleshooting only.
LogLevel debug

SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

#SSLv2 and v3 are bad
# Only SSLv2/SSLv3 are excluded; TLS 1.0 and 1.1 remain enabled by "all".
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

# Everything under / goes to the Grafana backend, which therefore sees only
# what this proxy forwards (including the X-WEBAUTH-USER header set below).
# The backend must be reachable only through this proxy: anything that can
# talk to port 9119 directly can supply that header itself.
ProxyPass / http://127.0.0.1:9119/
ProxyPassReverse / http://127.0.0.1:9119/



    <Location />
            # The whole site requires a Mellon (SAML) login.
            Require valid-user
            AuthType "Mellon"
            MellonEnable "auth"
            MellonDecoder "none"
            MellonVariable "cookie"
            # Session cookie restricted to HTTPS.
            MellonSecureCookie On
            # The SAML NameID becomes the Apache user (REMOTE_USER).
            MellonUser "NAME_ID"
            # NOTE(review): MellonSetEnv takes <new name> <attribute name> and
            # exposes the attribute as MELLON_<new name>; as written this looks
            # like it reads a SAML attribute literally called "MELLON_NAME_ID"
            # rather than exporting REMOTE_USER — confirm against the
            # mod_auth_mellon documentation.
            MellonSetEnv REMOTE_USER MELLON_NAME_ID
            MellonSetEnv "REMOTE_MAIL" "email"
            MellonEndpointPath "/endpoint"
            MellonDefaultLoginPath "/"
            # Session lifetime, presumably in seconds (5 minutes).
            MellonSessionLength 300

            # Mellon requires a cert, regardless if it's actually being used.
            MellonSPPrivateKeyFile /etc/apache2/mellon/urn_grafana.key
            MellonSPCertFile /etc/apache2/mellon/urn_grafana.cert
            MellonSPMetadataFile /etc/apache2/mellon/urn_grafana.xml

            #MellonSPPrivateKeyFile /etc/apache2/mellon/urn_keycloak.key
            #MellonSPCertFile /etc/apache2/mellon/urn_keycloak.cert
            #MellonSPMetadataFile /etc/apache2/mellon/urn_keycloak.xml


            # Make sure to copy your IdP metadata here
            MellonIdPMetadataFile /etc/apache2/mellon/idp-persistent.xml
            #MellonIdPMetadataFile /etc/apache2/mellon/idp-keycloak.xml
            # Both dumps presumably write SAML response / session contents to
            # the log — useful while debugging, but they expose identity data;
            # switch them off outside troubleshooting.
            MellonSamlResponseDump On
            MellonSessionDump On
            # Identity handed to Grafana. "%{REMOTE_USER}e" reads a request
            # *environment* variable; the captured request above shows it
            # expanding to "(null)", i.e. unset on the proxied request. Mellon
            # exports the NameID as the MELLON_NAME_ID environment variable,
            # which is likely what this header should read — TODO confirm.
            RequestHeader set X-WEBAUTH-USER "%{REMOTE_USER}e"
            RequestHeader set X-MAIL "%{REMOTE_MAIL}e"
    </Location>

    # Authentication is switched OFF for /grafana/ and the path is opened to
    # everyone (2.2-style Order/Allow from mod_access_compat plus Satisfy Any).
    # The RequestHeader lines from <Location /> appear to merge into this
    # path as well, which matches Grafana receiving X-WEBAUTH-USER as "(null)".
    # More importantly, /grafana/ is reachable without any SAML login; if
    # Grafana trusts X-WEBAUTH-USER (auth-proxy mode), an unauthenticated path
    # in front of it is exactly what must not exist. Drop this block, or limit
    # any exemption to resources that genuinely need to be public.
    <Location /grafana/>
            MellonEnable "off"
            Order Deny,Allow
            Allow from all
            Satisfy Any
    </Location>

Есть идеи? Я также пробовал вариант из вопроса «Объединить Grafana с apache2 + mod_auth_mellon, чтобы иметь SSO с SAML», но в этом случае заголовок X-WEBAUTH-USER вообще отсутствует в запросе.

...