This repository has been archived by the owner on Jan 28, 2020. It is now read-only.
Modify am_handler setup to run before mod_proxy
The way the ECP flow works is that when a client initiates the flow, the SP's response is HTTP 200, but not with the requested content: instead it is a signed XML document that contains the "samlp:AuthnRequest" element. The idea is that the ECP client would then determine the IDP and send the document to the IDP, get a samlp:Response and convey that to the SP to get access to the protected resource.

Internally, the auth check, which is normally done with am_check_uid() set to Apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends to authenticate the user. Then in the usual flow, the request reaches the ap_hook_handler which handles the request. There in the pipeline, mellon registers the function am_handler(), which should run first (APR_HOOK_FIRST), determine that this request is an ECP one and return the ECP AuthnRequest document. But in case the proxy module is also in the picture, the proxy module "races" for who gets to be the first to handle the request in the pipeline and wins. Therefore, the request reaches the protected resource via mod_proxy and returns it.

This fix modifies the ap_hook_handler() call to explicitly run before handlers from mod_proxy.c.

To reproduce the bug:

0) Have an SP with mellon connected to a Keycloak IDP (or any other IDP I guess). In the example below, my SAML SP is saml.federation.test

1) Set a Location protected by mellon that proxies requests to another URL. For example:

```apache
ProxyPass /sp-proxy http://app.federation.test/example_app/
<Location /sp-proxy>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</Location>
```

2) Call:

```shell
curl -L -H "Accept: application/vnd.paos+xml" \
     -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
     http://saml.federation.test/sp-proxy
```

Before the patch, you would see whatever is served from the proxied page. With the patch, you should get back an XML document with a samlp:AuthnRequest.
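The hook "race" described above, as an added illustration that is not mod_auth_mellon's or httpd's own code: a simplified model of how Apache orders handlers registered with ap_hook_handler(), assuming the fix names mod_proxy.c in the aszSucc list (modules whose hook must run after this one) and that hooks with equal nOrder fall back to registration order. The handler name proxy_handler and the mod_other.c module are assumed for the demonstration.

```c
#include <string.h>

/* Values mirror APR_HOOK_FIRST / APR_HOOK_MIDDLE / APR_HOOK_LAST (assumed). */
enum { HOOK_FIRST = 0, HOOK_MIDDLE = 10, HOOK_LAST = 20 };

typedef struct {
    const char *module; /* module that registered the hook, e.g. "mod_proxy.c" */
    const char *name;   /* handler function name */
    int order;          /* HOOK_* value passed as nOrder */
    const char *succ;   /* module whose hook must run AFTER this one (aszSucc), or NULL */
} hook_t;

static int index_of_module(const hook_t *h, int n, const char *module) {
    for (int i = 0; i < n; i++)
        if (strcmp(h[i].module, module) == 0) return i;
    return -1;
}

/* Move h[from] to position to (to < from), shifting the elements between right. */
static void move_before(hook_t *h, int from, int to) {
    hook_t tmp = h[from];
    memmove(&h[to + 1], &h[to], (size_t)(from - to) * sizeof(hook_t));
    h[to] = tmp;
}

/* Simplified model of APR hook sorting: a stable sort by nOrder, so two
 * APR_HOOK_FIRST handlers keep registration order (the "race" above), then
 * pull every hook in front of the module it names in succ until nothing moves. */
void sort_hooks(hook_t *h, int n) {
    for (int i = 1; i < n; i++) {
        hook_t key = h[i];
        int j = i - 1;
        while (j >= 0 && h[j].order > key.order) { h[j + 1] = h[j]; j--; }
        h[j + 1] = key;
    }
    for (int pass = 0, changed = 1; changed && pass < n; pass++) {
        changed = 0;
        for (int i = 0; i < n; i++) {
            int s = h[i].succ ? index_of_module(h, n, h[i].succ) : -1;
            if (s >= 0 && s < i) { move_before(h, i, s); changed = 1; }
        }
    }
}
/* Position of the handler called name after sorting, or -1 if absent. */
int run_position(hook_t *h, int n, const char *name) {
    sort_hooks(h, n);
    for (int i = 0; i < n; i++)
        if (strcmp(h[i].name, name) == 0) return i;
    return -1;
}
```

With only APR_HOOK_FIRST, a mod_proxy loaded before mellon keeps the first slot; naming mod_proxy.c in succ puts am_handler in front regardless of load order or nOrder.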