<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 08/06/2016 08:44 AM, John Dennis
      wrote:<br>
    </div>
    <blockquote
      cite="mid:a607b3a2-6e05-317f-9e20-2c998255de55@redhat.com"
      type="cite">On 08/05/2016 06:06 PM, Adam Young wrote:
      <br>
      <blockquote type="cite">
        <blockquote type="cite">Ah...just noticed the redirect is to
          :5000, not port :13000 which is
          <br>
          the HA Proxy port.
          <br>
        </blockquote>
        <br>
        OK, this is due to the SAML request:
        <br>
        <br>
        <br>
<pre>&lt;samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_5089011BEBD0F6B82074F67E904F598D"
                    Version="2.0"
                    IssueInstant="2016-08-05T21:55:18Z"
                    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
                    ForceAuthn="false"
                    IsPassive="false"
                    AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"
                    &gt;
    &lt;saml:Issuer&gt;https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata&lt;/saml:Issuer&gt;
    &lt;samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        /&gt;
&lt;/samlp:AuthnRequest&gt;</pre>
        <br>
        <br>
        <br>
        My guess is HA proxy is not passing on the proper, and the
        <br>
        mod_auth_mellon does not know to rewrite it from 5000 to 13000
        <br>
      </blockquote>
      <br>
      You can't change the contents of a SAML AuthnRequest, often they
      are signed. Also, the AssertionConsumerServiceURL's and other
      URL's in SAML messages are validated to assure they match the
      metadata associated with EntityID (issuer). The addresses used
      inbound and outbound have to be correctly handled by the proxy
      configuration without modifying the content of the message being
      passed on the transport.
      <br>
      <br>
    </blockquote>
    Got a little further by tweaking HA proxy settings.  Added in <br>
    <br>
<pre>redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
rsprep ^Location:\ http://(.*) Location:\ https://\1</pre>
    <br>
    which tells HA proxy to translate Location headers (used in
    redirects) from http to https.<br>
    <br>
    <br>
    As of now, it looks good up until the response comes back from the
    IdP and mod mellon rejects it.  I think this is due to Mellon
    issuing a request for http://&lt;hostname&gt;:&lt;port&gt; but it
    gets translated through the proxy as
    https://&lt;hostname&gt;:&lt;port&gt;.<br>
    <br>
    <p><br>
    </p>
    <p>mod_auth_mellon is failing the following check in
      auth_mellon_handler.c
      <br>
      <br>
<pre>url = am_reconstruct_url(r);

...

if (response->parent.Destination) {
    if (strcmp(response->parent.Destination, url)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "Invalid Destination on Response. Should be: %s",
                      url);
        lasso_login_destroy(login);
        return HTTP_BAD_REQUEST;
    }
}</pre>
      <br>
      It does not spit out the parent.Destination value, but considering
      I am seeing http and not https in the error message, I assume that
      at least the protocol does not match.  Full error message at the
      bottom.
      <br>
      <br>
      Assuming the problem is just that the URL is http and not https,  
      I have an approach that should work.  I need to test it out, but
      want to record it here, and also get feedback:<br>
      <br>
      I can clone the current 10-keystone_wsgi_main.conf which listens
      for straight http on port 5000.  If I make a file
      11-keystone_wsgi_main.conf  that listens on port 13000 (not on the
      external VIP)  but that enables SSL, I should be able to make HA
      proxy talk to that port and re-encrypt traffic, maintaining the '<a
        class="moz-txt-link-freetext" href="https://">https://</a>'
      protocol.
      <br>
      <br>
      <br>
      However, I am not certain that Destination means the SP URL.  It
      seems like it should mean the IdP.  Further on in
      auth_mellon_handler.c
      <br>
      <br>
<pre>destination_url = lasso_provider_get_metadata_one(
        provider, "SingleSignOnService HTTP-Redirect");
if (destination_url == NULL) {
    /* HTTP-Redirect unsupported - try HTTP-POST. */
    http_method = LASSO_HTTP_METHOD_POST;
    destination_url = lasso_provider_get_metadata_one(
            provider, "SingleSignOnService HTTP-POST");
}</pre>
      <br>
      <br>
      Looking in the metadata, it seems that this value should be:
      <br>
      <br>
<pre>&lt;SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
    /&gt;</pre>
      <br>
      <br>
      So maybe something has rewritten the value used as the url?
      <br>
      <br>
      <br>
      Here is the full error message
      <br>
      <br>
      <br>
<pre>Invalid Destination on Response. Should be: http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse, referer: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml?SAMLRequest=nZJba%2BMwEEb%2FitG7I%2BXi1Igk4OYCge5S0m4f%2BlKEM2lFLcmrGWc3%2F35HDu22D22hIDCMZ%2FTpHGmGxjWtrjp68jv43QFS9tc1HnX%2FYy666HUwaFF74wA11fqm%2BnGlRwOl2xgo1KERb0Y%2BnzCIEMkGL7Ltai4e1LoYq%2FFoXapJWU2GhSouN5vhelpNyqIcX2xEdgcRuX8ueJyHEDvYeiTjiUtqOM1VmavprRppXkVxL7IVM1hvqJ96ImpRS2n34MnSaWBOofOP%2BR6aJqfhhVID4n5pWICMYBqHMrSQEupn%2BQIoE5nIlsEjpODPEOtzk667GPmbW9c2trYksk2INfSm5%2BJgGoTEc81K7BFeK9WLoRTWOYg3EI%2B2hl%2B7q%2F80ryf8AEcXSil5HEvH9eBlG5B2gG06mljMEo3uVcbFd7d0QGZvyMzk291m5%2Bf0k61sV9eBwU8J25kvpKWK3eeHvlVTNB4ty2MdHPZnyRdDrIhiB0IuzpHvH%2B3iHw%3D%3D&RelayState=http%3A%2F%2Fopenstack.ayoung-dell-t1700.test%3A5000%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Fopenstack.ayoung-dell-t1700.test%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=oJzAwE7ma3m0gZtO%2FvPQKCnk18u4OsjKcRQ3wiDu7txUGiPr4Cc9XIzKIGwzSGPSaWi8j1qbN76XwdNICOkHI5RsTdeS2Yeufw5Q5Ahol5cJHGEQOKa84iMzxkW9OtWgoYZnnXH3n2SCZkhLebabvJ72wfxskZ9iJ9JlVogHO8V%2BXUZ891sX1Rpm3UKHEn1fpW7tlGkJsWmnQoa3H8n%2Fr5%2BdiZR1g8iDTZVQs7A4wUEA0Ph%2FayS6MnSF%2BrSCRfgcqXGReKbIM6RxTznbV%2BO2U%2FXfuf%2FXT5x5h9accEv2Dsy8jej0uWEPJLGB3NfKUuwQmZCU5UkR%2BIqVHboUK6K8lg%3D%3D</pre>
    </p>
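    <p>The two URL checks discussed in this thread, as an added worked example in Python (not code from mod_auth_mellon, lasso, Keystone, HAProxy or the thread itself): <code>check_acs_against_metadata</code> models the IdP-side rule John Dennis mentions, that the request's Issuer must be a registered entityID and its AssertionConsumerServiceURL one of that entity's metadata ACS Locations; <code>check_destination</code> models the <code>strcmp(response->parent.Destination, url)</code> check quoted from auth_mellon_handler.c. <code>reconstruct_url</code> is a deliberately simplified stand-in for <code>am_reconstruct_url</code>: it rebuilds scheme, host and port from what the backend itself observed. The <code>trust_proxy_headers</code> flag and the X-Forwarded-Proto / X-Forwarded-Port headers are assumptions for this model, not a documented mod_auth_mellon or Apache option. The AuthnRequest, SP metadata and Response are constructed samples built from the values quoted above (unsigned, so they differ from the real messages), and the request dictionary describes a backend that sees plaintext on port 5000 behind a TLS-terminating proxy.</p>

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

SP_ENTITY_ID = "https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata"
ACS_URL = "https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"

# Constructed sample, modelled on the AuthnRequest quoted in the thread (unsigned).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_5089011BEBD0F6B82074F67E904F598D" Version="2.0"
    IssueInstant="2016-08-05T21:55:18Z"
    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
    AssertionConsumerServiceURL="{ACS_URL}">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample: the SP metadata the IdP has registered for that entityID.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the IdP's Response; its Destination echoes the ACS URL.
RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"
    IssueInstant="2016-08-05T21:55:19Z" InResponseTo="_5089011BEBD0F6B82074F67E904F598D"
    Destination="{ACS_URL}"/>"""


def check_acs_against_metadata(authn_request_xml, sp_metadata_xml):
    """IdP-side check: Issuer must be the registered entityID and the
    AssertionConsumerServiceURL must be one of that entity's ACS Locations."""
    req = ET.fromstring(authn_request_xml)
    md = ET.fromstring(sp_metadata_xml)
    issuer = req.findtext(f"{{{SAML}}}Issuer", "").strip()
    if issuer != md.get("entityID"):
        return False
    acs_locations = {
        acs.get("Location") for acs in md.iter(f"{{{MD}}}AssertionConsumerService")
    }
    return req.get("AssertionConsumerServiceURL") in acs_locations


def reconstruct_url(request, trust_proxy_headers=False):
    """Simplified model of am_reconstruct_url(): rebuild the URL from what the
    backend itself observed. trust_proxy_headers is a hypothetical option for
    this model; when set, X-Forwarded-Proto / X-Forwarded-Port from the proxy
    override the connection's own scheme and port."""
    scheme = "https" if request["tls"] else "http"
    port = request["local_port"]
    if trust_proxy_headers:
        scheme = request["headers"].get("X-Forwarded-Proto", scheme)
        port = int(request["headers"].get("X-Forwarded-Port", port))
    default_port = 443 if scheme == "https" else 80
    host = request["host"]
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{request['uri']}"


def check_destination(response_xml, request, trust_proxy_headers=False):
    """SP-side check quoted from auth_mellon_handler.c: if Destination is
    present it must equal the reconstructed request URL exactly.
    Returns (matched, reconstructed_url)."""
    resp = ET.fromstring(response_xml)
    destination = resp.get("Destination")
    url = reconstruct_url(request, trust_proxy_headers)
    if destination is None:
        return True, url
    return destination == url, url


# Constructed: what Apache on the backend sees when the proxy terminates TLS for
# https://openstack.ayoung-dell-t1700.test:5000 and forwards plaintext to :5000.
BACKEND_REQUEST = {
    "tls": False,
    "host": "openstack.ayoung-dell-t1700.test",
    "local_port": 5000,
    "uri": "/v3/mellon/postResponse",
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "5000"},
}

if __name__ == "__main__":
    print("ACS matches SP metadata:", check_acs_against_metadata(AUTHN_REQUEST, SP_METADATA))
    ok, url = check_destination(RESPONSE, BACKEND_REQUEST)
    print("backend trusts only its own connection:", ok, url)
    ok, url = check_destination(RESPONSE, BACKEND_REQUEST, trust_proxy_headers=True)
    print("backend honours forwarded scheme/port:", ok, url)
```

    <p>With the backend trusting only its own connection, the reconstructed URL is the same <code>http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse</code> string the thread's error message reports after "Should be:", and the comparison fails on the scheme alone; once the forwarded scheme is honoured the strings are identical and the check passes. The point generalises: scheme, host, port and path all have to agree byte for byte, so a proxy that changes any one of them between the client and the SP will trip this check unless the SP is told what the client actually used.</p>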
  </body>
</html>