Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

Sun, 07 Aug 2016 20:19:56 -0700 

On 08/06/2016 08:44 AM, John Dennis wrote:

On 08/05/2016 06:06 PM, Adam Young wrote:

Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.


OK, this is due to the SAML request:


<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_5089011BEBD0F6B82074F67E904F598D"
                    Version="2.0"
                    IssueInstant="2016-08-05T21:55:18Z"
Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml";
Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
                    ForceAuthn="false"
                    IsPassive="false"
AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse";
                    >
<saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>

    <samlp:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

                        AllowCreate="true"
                        />
</samlp:AuthnRequest>


My guess is HA proxy is not passing on the proper, and the
mod_auth_mellon does not know to rewrite it from 5000 to 13000



You can't change the contents of a SAML AuthnRequest, often they are 
signed. Also, the AssertionConsumerServiceURL's and other URL's in 
SAML messages are validated to assure they match the metadata 
associated with EntityID (issuer). The addresses used inbound and 
outbound have to be correctly handled by the proxy configuration 
without modifying the content of the message being passed on the 
transport.



Got a a little further by twerking HA proxy settings.  Added in

  redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
  rsprep ^Location:\ http://(.*) Location:\ https://\1


whicxh tells HA proxy to translate Location headers (used in redirects) 
from http to https.




As of now, it looks good up until the response comes back from the IdP 
and mod mellon rejects it.  I think this is due to Mellon issuing a 
request for http://<hostname>:<port>  but it gets translated through the 
proxy as https://<hostname>:<port>.



mod_auth_mellon is failing the following check in auth_mellon_handler.c


  url = am_reconstruct_url(r);

  ...

  if (response->parent.Destination) {

        if (strcmp(response->parent.Destination, url)) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,

                          "Invalid Destination on Response. Should be: 
%s",

                          url);
            lasso_login_destroy(login);
            return HTTP_BAD_REQUEST;
        }
    }


It does not spit out the parent.Destination value, but considering I am 
seeing http and not https in the error message, I assume that at least 
the protocol does not match.  Full error message at the bottom.



Assuming the problem is just that the URL is http and not https, I have 
an approach that should work.  I need to test it out, but want to record 
it here, and also get feedback:



I can clone the current 10-keystone_wsgi_main.conf which listens for 
straight http on port 5000.  If I make a file 
11-keystone_wsgi_main.conf  that listens on port 13000 (not on the 
external VIP)  but that enables SSL, I should be able to make HA proxy 
talk to that port and re-encrypt traffic, maintaining the 'https://' 
protocol.




However, I am not certain that Destination means the SP URL.  It seems 
like it should mean the IdP.  Further on in auth_mellon_handler.c


  destination_url = lasso_provider_get_metadata_one(
        provider, "SingleSignOnService HTTP-Redirect");
    if (destination_url == NULL) {
        /* HTTP-Redirect unsupported - try HTTP-POST. */
        http_method = LASSO_HTTP_METHOD_POST;
        destination_url = lasso_provider_get_metadata_one(
            provider, "SingleSignOnService HTTP-POST");
    }

Looking in the metadata, it seems that this value should be:

 <SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Location="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"; 
/>


So maybe something has rewritten the value used as the url ?


Here is the full error message



Invalid Destination on Response. Should be: 
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse, 
referer: 
https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml?SAMLRequest=nZJba%2BMwEEb%2FitG7I%2BXi1Igk4OYCge5S0m4f%2BlKEM2lFLcmrGWc3%2F35HDu22D22hIDCMZ%2FTpHGmGxjWtrjp68jv43QFS9tc1HnX%2FYy666HUwaFF74wA11fqm%2BnGlRwOl2xgo1KERb0Y%2BnzCIEMkGL7Ltai4e1LoYq%2FFoXapJWU2GhSouN5vhelpNyqIcX2xEdgcRuX8ueJyHEDvYeiTjiUtqOM1VmavprRppXkVxL7IVM1hvqJ96ImpRS2n34MnSaWBOofOP%2BR6aJqfhhVID4n5pWICMYBqHMrSQEupn%2BQIoE5nIlsEjpODPEOtzk667GPmbW9c2trYksk2INfSm5%2BJgGoTEc81K7BFeK9WLoRTWOYg3EI%2B2hl%2B7q%2F80ryf8AEcXSil5HEvH9eBlG5B2gG06mljMEo3uVcbFd7d0QGZvyMzk291m5%2Bf0k61sV9eBwU8J25kvpKWK3eeHvlVTNB4ty2MdHPZnyRdDrIhiB0IuzpHvH%2B3iHw%3D%3D&RelayState=http%3A%2F%2Fopenstack.ayoung-dell-t1700.test%3A5000%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Fopenstack.ayoung-dell-t1700.test%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=oJzAwE7ma3m0gZtO%2FvPQKCnk18u4OsjKcRQ3wiDu7txUGiPr4Cc9XIzKIGwzSGPSaWi8j1qbN76XwdNICOk! 

HI5RsTdeS2Yeufw5Q5Ahol5cJHGEQOKa84iMzxkW9OtWgoYZnnXH3n2SCZkhLebabvJ72wfxskZ9iJ9JlVogHO8V%2BXUZ891sX1Rpm3UKHEn1fpW7tlGkJsWmnQoa3H8n%2Fr5%2BdiZR1g8iDTZVQs7A4wUEA0Ph%2FayS6MnSF%2BrSCRfgcqXGReKbIM6RxTznbV%2BO2U%2FXfuf%2FXT5x5h9accEv2Dsy8jej0uWEPJLGB3NfKUuwQmZCU5UkR%2BIqVHboUK6K8lg%3D%3D 




__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to