We need to support SSO with SAML (Okta and Google). I have been able to set up my own custom SAML app in Google and configure mellon in apache. However, we need to configure SAML in Okta for our customers and SAML in Google for our internal users.
#################################################################################
# Global configuration for mod_auth_mellon.
# This configuration is shared by every virtual server and location in this instance of apache.
#################################################################################
# MellonCacheSize sets the maximum number of sessions which can be active at once. When mod_auth_mellon reaches this limit, it will begin removing the least recently used sessions. The server must be restarted before any changes to this option take effect.
# Default: MellonCacheSize 100
MellonCacheSize 100
# MellonLockFile is the full path to a file used for synchronizing access to the session data. The path should only be used by one instance of apache at a time. The server must be restarted before any changes to this option take effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"
# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100
###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################
<Location />
MellonEnable "info"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/apache2/googlesaml/mellon.key
MellonSPCertFile /etc/apache2/googlesaml/mellon.crt
MellonSPMetadataFile /etc/apache2/googlesaml/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/googlesaml/GoogleIDPMetadata.xml
MellonEndpointPath /mellon
MellonDefaultLoginPath /
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e
</Location>
<VirtualHost *:443>
ServerName host_name
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
<Location />
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
<Location /protected>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>

How can incoming requests be distinguished between Okta and Google (SAML), since the <Location /> directive can only be configured for one of the SAML providers?
Posted on 2022-06-13 02:26:16
The mod_auth_mellon module only applies SAML to a specific <Location />...</Location> block, so you have to configure one Location per IdP provider.
<VirtualHost *:443>
ServerName host_name
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
# GoogleSaml
<Location />
MellonEnable "info"
Require valid-user
# mod_auth_mellon only handles AuthType Mellon; which IdP this Location uses is determined by its metadata files below
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/apache2/googlesaml/mellon.key
MellonSPCertFile /etc/apache2/googlesaml/mellon.crt
MellonSPMetadataFile /etc/apache2/googlesaml/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/googlesaml/GoogleIDPMetadata.xml
MellonEndpointPath /mellon
MellonDefaultLoginPath /
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e
</Location>
# Okta
<Location /protected>
Require valid-user
# AuthType must be Mellon here as well; the Okta IdP is selected by this Location's own key, cert and metadata files
AuthType "Mellon"
MellonEnable "auth"
MellonDecoder "none"
MellonVariable "cookie"
MellonSecureCookie On
MellonUser "NAME_ID"
MellonSetEnv "e-mail" "mail"
MellonEndpointPath "/endpoint"
MellonDefaultLoginPath "/"
MellonSessionLength 300
MellonSPPrivateKeyFile /etc/apache2/mellon/http_192.168.14.130_okta.key
MellonSPCertFile /etc/apache2/mellon/http_192.168.14.130_okta.cert
MellonIdPMetadataFile /etc/apache2/mellon/metadata
MellonSamlResponseDump On
MellonSessionDump On
</Location>
</VirtualHost>

If you want to do this dynamically based on the user's headers, I would not recommend mod_auth_mellon; it would make more sense to have your application handle authentication.
Hope this helps.
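As an added check that is not part of the question or either answer, the following Python script parses the per-Location Mellon directives from a config laid out like the one above and reports the settings that make two IdPs on one host interfere: a non-Mellon AuthType, a MellonEndpointPath or MellonVariable cookie name reused across Locations, and the ACS URL (<MellonEndpointPath>/postResponse) each IdP must have registered for its Location. The sample config, host name and minimal parser are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample in the answer's layout: one Mellon Location per IdP; neither sets MellonVariable.
SAMPLE_CONF = """<VirtualHost *:443>
ServerName host_name
<Location />
AuthType "Mellon"
MellonEnable "info"
MellonEndpointPath /mellon
</Location>
<Location /protected>
AuthType "Mellon"
MellonEnable "auth"
MellonEndpointPath "/endpoint"
</Location>
</VirtualHost>"""

def parse_locations(conf):
    """Minimal parser: returns (ServerName, {location: {directive.lower(): value}})."""
    server_name, locations, current = None, {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        m = re.match(r'<Location\s+"?([^\s">]+)"?\s*>', line, re.I)
        if m:
            current, locations[m.group(1)] = m.group(1), {}
        elif line.lower() == "</location>":
            current = None
        elif line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip().strip('"')
            if key == "servername":
                server_name = value
            elif current is not None:
                locations[current][key] = value
    return server_name, locations

def check_mellon_locations(conf):
    """Flag per-Location Mellon settings that make two IdPs on one host collide."""
    server_name, locations = parse_locations(conf)
    mellon = {loc: d for loc, d in locations.items() if "mellonenable" in d}
    findings = [f"{loc}: AuthType must be Mellon, got {d.get('authtype')!r}"
                for loc, d in mellon.items() if d.get("authtype", "").lower() != "mellon"]
    endpoints = {loc: d.get("mellonendpointpath", "/mellon").rstrip("/") for loc, d in mellon.items()}
    cookies = [d.get("mellonvariable", "cookie") for d in mellon.values()]  # "cookie" is the default
    for name, values in (("MellonEndpointPath", endpoints.values()), ("MellonVariable", cookies)):
        for v, n in Counter(values).items():
            if n > 1:
                findings.append(f"{name} {v!r} is shared by {n} Locations")
    # mod_auth_mellon's AssertionConsumerService lives at <MellonEndpointPath>/postResponse.
    acs = {loc: f"https://{server_name}{ep}/postResponse" for loc, ep in endpoints.items()}
    return findings, acs
```

Run it against your own httpd config text; the returned ACS URLs are what to paste into each IdP's SAML app settings, and each finding is a collision to resolve before enabling the second Location.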
Posted on 2022-07-08 04:56:28
I have tried the configuration below, and it works for openidc and mellon. Obviously this scenario is helpful for those who want to configure Okta (mellon) and Google for an internal IdP.
<Location />
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
MellonSPCertFile /etc/apache2/saml/mellon.crt
MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
MellonVariable "mellon_cookie"
MellonDefaultLoginPath /
MellonSecureCookie on
</Location>
<VirtualHost *:443>
ServerName zzz.xxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/xxxxx_prod.pem
SSLCertificateKeyFile /etc/ssl/private/xxxxx.com.key
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCRedirectURI "https://zzz.xxxx.com/openidc_callback"
OIDCDiscoverURL https://zzz.xxxx.com/idp-discovery.html
<Location /uliya>
AuthType "mellon"
Require valid-user
MellonEnable "auth"
</Location>
<Location /transport>
AuthType openid-connect
Require valid-user
OIDCUnAuthAction auth
</Location>
<Location "/idp-page.html">
Require all granted
</Location>
</VirtualHost>

https://stackoverflow.com/questions/72449750