#164 Configuration without hierarchical paths
Opened 3 years ago by veruu. Modified 2 years ago

I was configuring Foreman to use SAML (with ipsilon). The only location that needs authentication is /users/extlogin, while the saml-sp can be left the default (/saml2). When specifying only --saml-auth as /users/extlogin, the whole / configuration is set, which is not needed or wanted. On the other hand, specifying both --saml-base and --saml-auth to /users/extlogin gives back an error about --saml-sp not being a subpath of --saml-base.

By rewriting the created configuration, SAML authentication works as expected.

<Location /users/extlogin>
    MellonEnable "auth"
    MellonSPPrivateKeyFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.key"
    MellonSPCertFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.pem"
    MellonSPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/metadata.xml"
    MellonIdPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/idp-metadata.xml"
    MellonEndpointPath /saml2
    MellonVariable "saml-sesion-cookie"
    # Comment out the next two lines if you want to allow logins on bare HTTP
    MellonsecureCookie On
    SSLRequireSSL
    MellonUser "NAME_ID"
    MellonIdP "IDP"
    MellonSessionLength 3600
    # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
    # MellonPostDirectory "/var/lib/ipsilon/post_cache"
    # MellonPostReplay On
</Location>

<Location /saml2>
    MellonEnable "info"
    MellonSPPrivateKeyFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.key"
    MellonSPCertFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/certificate.pem"
    MellonSPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/metadata.xml"
    MellonIdPMetadataFile "/etc/httpd/saml2/ibm-x3650m4-01-vm-16.lab.eng.bos.redhat.com/idp-metadata.xml"
    MellonEndpointPath /saml2
    MellonVariable "saml-sesion-cookie"
    MellonIdP "IDP"
</Location>

It would be nice to be able to tell ipsilon not to create any / location configuration if it's not desired, and work only with the --saml-auth and --saml-sp configuration.
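As an added illustration of the behaviour requested above (this is not ipsilon's own saml-sp client code), the snippet below renders mod_auth_mellon Location blocks only for the paths actually given, validates the "--saml-sp must be a subpath of --saml-base" constraint the ticket mentions, and never emits a catch-all "/" block. The SP file directory is an assumed placeholder.

```python
import posixpath

# Added example, not ipsilon's code: render only the requested <Location> blocks.
# sp_dir is a constructed placeholder for the directory holding the SP key/certs.

def norm_path(path):
    """Absolute, collapsed Location path without a trailing slash ('/' stays '/')."""
    if not path.startswith("/"):
        raise ValueError("Location path must be absolute: %r" % path)
    return posixpath.normpath(path)

def is_subpath(child, parent):
    """True when child equals parent or lies below it (/a/b is under /a, /ab is not)."""
    child, parent = norm_path(child), norm_path(parent)
    return parent == "/" or child == parent or child.startswith(parent + "/")

def mellon_block(path, mode, sp_dir, endpoint):
    """One <Location> block; 'auth' protects the path, 'info' only exposes session data."""
    lines = ["<Location %s>" % path, '    MellonEnable "%s"' % mode]
    for directive, fname in (("MellonSPPrivateKeyFile", "certificate.key"),
                             ("MellonSPCertFile", "certificate.pem"),
                             ("MellonSPMetadataFile", "metadata.xml"),
                             ("MellonIdPMetadataFile", "idp-metadata.xml")):
        lines.append('    %s "%s/%s"' % (directive, sp_dir, fname))
    lines += ["    MellonEndpointPath %s" % endpoint, '    MellonIdP "IDP"']
    if mode == "auth":
        # Session cookie only over TLS, as in the ticket's working configuration.
        lines += ['    MellonUser "NAME_ID"', "    MellonSecureCookie On",
                  "    SSLRequireSSL", "    MellonSessionLength 3600"]
    lines.append("</Location>")
    return "\n".join(lines)

def render_config(auth_path, sp_path, sp_dir, base_path=None):
    """Render the auth and SP blocks only; with no base path, nothing covers '/'."""
    auth_path, sp_path = norm_path(auth_path), norm_path(sp_path)
    if base_path is not None and not is_subpath(sp_path, base_path):
        raise ValueError("--saml-sp %s is not a subpath of --saml-base %s"
                         % (sp_path, base_path))
    return "\n\n".join([mellon_block(auth_path, "auth", sp_dir, sp_path),
                        mellon_block(sp_path, "info", sp_dir, sp_path)])

def configured_locations(config):
    """Paths that received a <Location> block, so a caller can confirm '/' is absent."""
    return [line.split()[1].rstrip(">") for line in config.splitlines()
            if line.startswith("<Location ")]
```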


Fields changed

cc: => jpazdziora@redhat.com

Fields changed

milestone: => 1.2

Fields changed

milestone: 1.2 => Backlog

Metadata Update from @nkinder:
- Issue set to the milestone: Backlog

2 years ago
