Apache SAML with mod_auth_mellon
I configured Apache so that Grafana has SAML auth, but "X-WEBAUTH-USER" is not passed in the headers:
nc -l -p 9119
POST /grafana/ HTTP/1.1
Host: 127.0.0.1:9119
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://samlidp.example.com/
Content-Type: application/x-www-form-urlencoded
Origin: https://samlidp.example.ch
DNT: 1
Cookie: mellon-cookie=cookietest
Upgrade-Insecure-Requests: 1
X-WEBAUTH-USER: (null)
Here is my config:
ServerName servername.com
ServerAdmin webmaster@servername.com
ServerAlias servername.com
DocumentRoot "/var/www/html"
# Logs and diagnostics
LogLevel debug
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
#SSLv2 and v3 are bad
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
ProxyPass / http://127.0.0.1:9119/
ProxyPassReverse / http://127.0.0.1:9119/
<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonUser "NAME_ID"
    MellonSetEnv REMOTE_USER MELLON_NAME_ID
    MellonSetEnv "REMOTE_MAIL" "email"
    MellonEndpointPath "/endpoint"
    MellonDefaultLoginPath "/"
    MellonSessionLength 300
    # Mellon requires a cert, regardless of whether it is actually being used.
    MellonSPPrivateKeyFile /etc/apache2/mellon/urn_grafana.key
    MellonSPCertFile /etc/apache2/mellon/urn_grafana.cert
    MellonSPMetadataFile /etc/apache2/mellon/urn_grafana.xml
    #MellonSPPrivateKeyFile /etc/apache2/mellon/urn_keycloak.key
    #MellonSPCertFile /etc/apache2/mellon/urn_keycloak.cert
    #MellonSPMetadataFile /etc/apache2/mellon/urn_keycloak.xml
    # Make sure to copy your IdP metadata here
    MellonIdPMetadataFile /etc/apache2/mellon/idp-persistent.xml
    #MellonIdPMetadataFile /etc/apache2/mellon/idp-keycloak.xml
    MellonSamlResponseDump On
    MellonSessionDump On
    RequestHeader set X-WEBAUTH-USER "%{REMOTE_USER}e"
    RequestHeader set X-MAIL "%{REMOTE_MAIL}e"
</Location>
<Location /grafana/>
    MellonEnable "off"
    Order Deny,Allow
    Allow from all
    Satisfy Any
</Location>
Any ideas?
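Two details of the posted config account for the `X-WEBAUTH-USER: (null)` seen on the backend. First, the path actually proxied to Grafana is the one location where Mellon is switched off (`<Location /grafana/>` with `MellonEnable "off"`, `Allow from all` and `Satisfy Any`), so the request that reaches port 9119 never carried a Mellon session; the `mellon-cookie=cookietest` value in the capture is the cookie-support probe, not a session. Second, `%{REMOTE_USER}e` reads a CGI-style environment variable that Apache does not populate for requests handed to mod_proxy_http, so mod_headers substitutes the literal `(null)`. The configuration below is an added example written for this page; it is not the poster's config and not taken from the mod_auth_mellon documentation. It reuses the file paths, host name and backend port from the question as assumptions, assumes an enclosing `<VirtualHost *:443>` (the question does not show one), assumes the IdP sends an attribute named `email`, and relies on the `MELLON_NAME_ID` and `MELLON_<name>` environment variables that mod_auth_mellon exports for the NameID and for `MellonSetEnv` mappings.

```apache
# Added example: protect the proxied Grafana URLs themselves, derive
# X-WEBAUTH-USER from Mellon's environment variables, and never let a
# client supply that header. Paths, names and the VirtualHost block are
# assumptions carried over from the question.
<VirtualHost *:443>
    ServerName servername.com
    DocumentRoot /var/www/html
    LogLevel debug

    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # "all -SSLv2 -SSLv3" still leaves TLS 1.0/1.1 on; allow-list instead
    # (+TLSv1.3 needs Apache 2.4.37 and OpenSSL 1.1.1 or newer).
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!ADH:!NULL

    # Keep the SAML endpoints on Apache; everything else goes to Grafana.
    # The exclusion must come before the catch-all ProxyPass.
    ProxyPass /endpoint !
    ProxyPass / http://127.0.0.1:9119/
    ProxyPassReverse / http://127.0.0.1:9119/

    # One location covering the proxied URLs. The original
    # <Location /grafana/> with MellonEnable "off", Allow from all and
    # Satisfy Any is deliberately gone: it made the proxied path anonymous
    # (no session to take a name from) and let any client send its own
    # X-WEBAUTH-USER, which Grafana's auth proxy would trust.
    <Location />
        AuthType Mellon
        MellonEnable auth
        Require valid-user

        MellonVariable cookie
        MellonSecureCookie On
        MellonSessionLength 300
        MellonEndpointPath /endpoint
        MellonDefaultLoginPath /

        # r->user and MELLON_NAME_ID are both taken from the assertion NameID.
        MellonUser NAME_ID
        # MellonSetEnv <new> <old> exposes IdP attribute <old> as MELLON_<new>;
        # "email" is the assumed attribute name at the IdP.
        MellonSetEnv MAIL email

        MellonSPPrivateKeyFile /etc/apache2/mellon/urn_grafana.key
        MellonSPCertFile /etc/apache2/mellon/urn_grafana.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_grafana.xml
        MellonIdPMetadataFile /etc/apache2/mellon/idp-persistent.xml

        # Strip whatever the client sent as early as possible, then set the
        # headers from Mellon's env vars. The env= condition omits the header
        # entirely (instead of sending "(null)") when no session exists.
        RequestHeader unset X-WEBAUTH-USER early
        RequestHeader unset X-MAIL early
        RequestHeader set X-WEBAUTH-USER "%{MELLON_NAME_ID}e" env=MELLON_NAME_ID
        RequestHeader set X-MAIL "%{MELLON_MAIL}e" env=MELLON_MAIL
    </Location>
</VirtualHost>
```

On the Grafana side the matching settings are `[auth.proxy]` with `enabled = true`, `header_name = X-WEBAUTH-USER`, `header_property = username`, `headers = Email:X-MAIL` and `whitelist = 127.0.0.1`, so that only the Apache host is allowed to assert identities. To confirm the fix, the `nc -l -p 9119` capture from the question is still the right check: after a login round-trip the backend should see `X-WEBAUTH-USER` set to the NameID, and a request with no session should show no `X-WEBAUTH-USER` at all rather than `(null)`. Note also that `Order`, `Allow from` and `Satisfy` are Apache 2.2 directives; on 2.4 they only parse when mod_access_compat is loaded, which is another reason to express the rule with `Require`.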
I tried this: but in that case X-WEBAUTH-USER isn't even in the headers.
Why can't you use OIDC with it?
@JanGaraj we use SAML SSO for other applications, so the company chose to use SAML.
Your SSO will still work even if you combine OIDC/SAML Keycloak clients. If you really need SAML, then I would recommend Apache + Shibboleth.
@JanGaraj I'll take a look, but we don't use Keycloak. It's a security solution (not open source). I'll definitely look at Shibboleth, thanks
@JanGaraj have you configured Shibboleth before? I get the error:
CRIT - Shibboleth.Application: error building MetadataProvider: XML configuration resource missing url/path attribute and no inline content
I configured:
Thanks