Thanks.
That's an interesting idea, and I'm quite sure that we could make that work, if only as a proof of concept. The main issue I see with it is that it would basically double a lot of our configuration sections - of which we have many - and make our configuration even more obscure than it already is. My application developers and support people would not be so keen on that.

Does anyone have an idea how I could do the equivalent of a "pop the 'require shibboleth' but just for this request"?
(from within my mod_perl handler, of course)
Or is that simply impossible, given the current mod_perl API?

(Note: It doesn't have to be a guaranteed thing. Whatever idea there is, I'll try it, and if it causes a segfault or other nasty things, I'll drop it. The only requirement for me is that it has to be Perl code.)



On 06.03.2020 21:14, Paul B. Henson wrote:
Generally, SAML apps that want to convert the SSO auth into their own
token, and not require a SAML session to be established every time,
have a different URL for the auth case.

For example, you could have /esearchs-sso/ have both shibboleth and your
auth type enabled. When someone hits that, you generate your own
session state and then redirect them to /esearchs/, which only has your
auth enabled.

If someone hits /esearchs/ without your auth session, it sends them to
/esearchs-sso/ to do auth, which then sends them back to /esearchs/ with
the proper session.

--
Signet - The Art of Access
https://www.signet.id/
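The two-URL pattern described above, as an added example in mod_perl (this is not code from the thread or from either poster): Shibboleth is configured only on /esearchs-sso/, whose response handler mints a local token and redirects back; an access handler on /esearchs/ checks that token and bounces users without one to the SSO URL. Everything named here is an assumption: the package AUTH::UMA2::SSO, the cookie name UMA_TOKEN, the secret, the token format and the httpd.conf sketch in the header comment.

```perl
# Added example, not from the thread. Assumed httpd.conf (Shib directives
# exactly as in the original post, the rest hypothetical):
#
#   <Location "/esearchs-sso/">
#     AuthType shibboleth
#     ShibRequestSetting requireSession 1
#     ShibUseHeaders On
#     Require shibboleth
#     SetHandler perl-script
#     PerlResponseHandler AUTH::UMA2::SSO->issue_token
#   </Location>
#   <Location "/esearchs/">
#     PerlAccessHandler AUTH::UMA2::SSO->require_token
#     # the existing "Require UMA-user valid-user" can stay here
#   </Location>
package AUTH::UMA2::SSO;
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(OK REDIRECT FORBIDDEN);
use APR::Table ();
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);
use URI::Escape qw(uri_escape uri_unescape);

my $SECRET   = 'assumed-secret-load-this-from-config';   # assumption
my $LIFETIME = 8 * 3600;          # seconds a token stays valid
my $SSO_URL  = '/esearchs-sso/';
my $APP_URL  = '/esearchs/';

# Token is base64("user|expiry|hmac"); the HMAC binds user and expiry.
sub make_token {
    my ($user, $now) = @_;
    my $exp = $now + $LIFETIME;
    my $mac = hmac_sha256_hex("$user|$exp", $SECRET);
    return encode_base64("$user|$exp|$mac", '');
}

# Returns the user name for an intact, unexpired token, otherwise undef.
sub verify_token {
    my ($token, $now) = @_;
    return undef unless defined $token && length $token;
    my ($user, $exp, $mac) = split /\|/, decode_base64($token), 3;
    return undef unless defined $mac && $exp =~ /^\d+$/ && $exp > $now;
    my $want = hmac_sha256_hex("$user|$exp", $SECRET);
    return undef unless length($mac) == length($want);
    my $diff = 0;   # constant-time compare of the two hex strings
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($want) - 1;
    return $diff ? undef : $user;
}

# Pull one cookie out of the Cookie: request header.
sub cookie_value {
    my ($r, $name) = @_;
    for my $pair (split /;\s*/, ($r->headers_in->{Cookie} // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $v && $k eq $name;
    }
    return undef;
}

# PerlAccessHandler on /esearchs/: valid token -> OK; otherwise send the
# browser to the SSO URL, carrying the original URI so it can come back.
sub require_token {
    my ($class, $r) = @_;
    my $user = verify_token(cookie_value($r, 'UMA_TOKEN'), time);
    if (defined $user) {
        $r->user($user);      # later phases and the app see it as REMOTE_USER
        return Apache2::Const::OK;
    }
    $r->headers_out->set(Location => $SSO_URL . '?return=' . uri_escape($r->unparsed_uri));
    return Apache2::Const::REDIRECT;
}

# PerlResponseHandler on /esearchs-sso/: Shibboleth has already enforced a
# SAML session and filled $r->user; mint the local token and send the user back.
sub issue_token {
    my ($class, $r) = @_;
    my $user = $r->user;
    return Apache2::Const::FORBIDDEN unless defined $user && length $user;
    my $token = make_token($user, time);
    # err_headers_out survives the redirect (error) response path
    $r->err_headers_out->add('Set-Cookie',
        "UMA_TOKEN=$token; Path=/; Secure; HttpOnly; SameSite=Lax");
    my %args;
    for my $pair (split /&/, ($r->args // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        $args{$k} = $v // '' if defined $k && length $k;
    }
    my $back = defined $args{return} ? uri_unescape($args{return}) : $APP_URL;
    $back = $APP_URL unless $back =~ m{^/(?!/)};   # local path only, no open redirect
    $r->headers_out->set(Location => $back);
    return Apache2::Const::REDIRECT;
}

1;
```

The access phase runs before authorization, so an existing PerlAddAuthzProvider on /esearchs/ is untouched; only the Shibboleth directives move to the SSO location. The token secret must be the same in every httpd process, so in practice it comes from the configuration rather than a literal as above, and the return-URL check is what keeps the SSO entry point from becoming an open redirector.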


On Fri, Mar 06, 2020 at 04:26:06PM +0100, André Warnier (tomcat/perl) wrote:
Hi experts.

In our Apache 2.4 (+mod_perl) setups, we use the following kind of thing:

...
     PerlAddAuthzProvider UMA-user AUTH::UMA2->authz_user
...
     <Location "/esearchs/">
       AuthName ALUtop
       AuthType shibboleth
       PerlSetVar UMA_AuthType "SAML2"
       ShibRequestSetting requireSession 1
       ShibRequestMapperAuthz Off
       ShibUseHeaders On
       ShibUseEnvironment Off
       PerlSetVar UMA_Debug 3
       <RequireAll>
         Require UMA-user valid-user
         Require shibboleth
       </RequireAll>
...
     </Location>

which basically means:
we combine 2 AAA methods:
- one is our own (AUTH::UMA2 above, mod_perl based)
- the other is SAML, via Shibboleth (and all the directives above with
"Shib" in them correspond to the Shibboleth installation instructions)

(The reason being: the corporate user authentication happens via SAML, but
it does not provide us enough information about the user. So we run another
additional scheme, which supplements the user information, in order to feed
more complete data to our applications.)

Our own AAA method is such that once the user has been authenticated once,
we set a token, such that for subsequent requests we do not need to
re-authenticate the user.
But no matter what we do at that level, the Shibboleth authentication runs
anyway. (*)

And my question is: considering the above setup, would mod_perl provide a
way, through some mod_perl API, to disable the Shibboleth authentication (on
a request-by-request basis), when our own authz module determines that we do
not need it to run anymore for the current request?

(Replace Shibboleth by any other authentication that would be configured in
addition to our own; I'm looking for some "generic" mechanism, not only for
Shibboleth.)

Or is it so that different authentication methods/modules don't insert
themselves in any standard way which can easily be interfaced with in order
to dynamically disable them?

Note: Shibboleth itself does caching of its prior authentication, and it is
not really a big performance hit to re-run it each time, and we can live
with it as it is. But in the absolute, it is unnecessary for 90% of the
accesses to the applications, so it just sounds like disabling it would be a
nice/efficient thing to do.

I thought of, e.g., dynamically removing the "Require shibboleth", but there
does not seem to be an API to do that.


