I was configuring Foreman to use SAML (with ipsilon). The only location that needs authentication is /users/extlogin, while the saml-sp can be left the default (/saml2). When specifying only --saml-auth as /users/extlogin, the whole / configuration is set, which is not needed or wanted. On the other hand, specifying both --saml-base and --saml-auth to /users/extlogin gives back an error about --saml-sp not being a subpath of --saml-base.
By rewriting the created configuration, SAML authentication works as expected.
    <Location /users/extlogin>
        MellonEnable "auth"
        MellonSPPrivateKeyFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.key"
        MellonSPCertFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.pem"
        MellonSPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/metadata.xml"
        MellonIdPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/idp-metadata.xml"
        MellonEndpointPath /saml2
        MellonVariable "saml-sesion-cookie"
        # Comment out the next two lines if you want to allow logins on bare HTTP
        MellonSecureCookie On
        SSLRequireSSL
        MellonUser "NAME_ID"
        MellonIdP "IDP"
        MellonSessionLength 3600
        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
        # MellonPostReplay On
    </Location>

    <Location /saml2>
        MellonEnable "info"
        MellonSPPrivateKeyFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.key"
        MellonSPCertFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.pem"
        MellonSPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/metadata.xml"
        MellonIdPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/idp-metadata.xml"
        MellonEndpointPath /saml2
        MellonVariable "saml-sesion-cookie"
        MellonIdP "IDP"
    </Location>
It would be nice to be able to tell ipsilon not to create any / location configuration if it's not desired, and work only with the --saml-auth and --saml-sp configuration.
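A small check for the situation described in the ticket, added here as an example and not part of ipsilon or Foreman: it parses the `<Location>` blocks of a mod_auth_mellon config and reports whether only the intended path forces a SAML login, whether every block agrees on `MellonEndpointPath` and the endpoint is covered by a Mellon-enabled block, and whether auth blocks keep `MellonSecureCookie On`. The embedded config is a constructed sample shaped like the rewritten one above (hostname-specific file paths dropped).

```python
import re

# Constructed sample, shaped like the hand-rewritten config in the ticket.
SAMPLE_CONF = """
<Location /users/extlogin>
    MellonEnable "auth"
    MellonEndpointPath /saml2
    MellonSecureCookie On
    SSLRequireSSL
    MellonUser "NAME_ID"
</Location>
<Location /saml2>
    MellonEnable "info"
    MellonEndpointPath /saml2
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)
DIRECTIVE_RE = re.compile(r'^\s*(Mellon\w+)\s+"?([^"\n]*?)"?\s*$', re.M | re.I)


def parse_locations(conf):
    """Map each <Location> path to its Mellon directives (names lower-cased)."""
    return {path: {d.lower(): v for d, v in DIRECTIVE_RE.findall(body)}
            for path, body in LOCATION_RE.findall(conf)}


def auth_paths(conf):
    """Paths that force a SAML login (MellonEnable "auth")."""
    return sorted(p for p, d in parse_locations(conf).items()
                  if d.get("mellonenable", "").lower() == "auth")


def check_config(conf, expected_auth):
    """Return the problems found; an empty list means the config matches intent."""
    locs, found, want = parse_locations(conf), set(auth_paths(conf)), set(expected_auth)
    problems = [f"{p} forces SAML login but should not" for p in sorted(found - want)]
    problems += [f"{p} should force SAML login but does not" for p in sorted(want - found)]
    endpoints = {d.get("mellonendpointpath") for d in locs.values()}
    if len(endpoints) != 1 or None in endpoints:
        problems.append(f"MellonEndpointPath differs between blocks: {endpoints}")
    else:
        ep = endpoints.pop()
        # mod_auth_mellon only serves its endpoints inside a Location where it is
        # enabled, so the endpoint path needs its own (info) block or an ancestor.
        if not any(ep == p or ep.startswith(p.rstrip("/") + "/") for p in locs):
            problems.append(f"endpoint {ep} is not covered by any Mellon Location")
    for p in sorted(found):
        if locs[p].get("mellonsecurecookie", "").lower() != "on":
            problems.append(f"{p}: MellonSecureCookie is not On")
    return problems
```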
Fields changed
cc: => jpazdziora@redhat.com
milestone: => 1.2
milestone: 1.2 => Backlog
Metadata Update from @nkinder: - Issue set to the milestone: Backlog