Combine Apache Auth Providers with Basic Auth

apache-2.4authenticationhttp-basic-authenticationsamlsingle-sign-on

I'd like to be able to have a path on an apache server (2.4.18+ on ub16) that primarily authenticates using SAML (using the mod_auth_mellon plugin) for interactive use, but also supports having the caller pre-emptively send Basic auth credentials. (Think REST api endpoint that normally triggers an interactive form login, but will allow bypass if you pre-send basic auth credentials.)

Essentially I'm looking for this behavior:

If creds are sent with request:
- Try them, and if they work, allow the request
If above creds fail, or none were provided
- Trigger the preferred authentication plugin.

Is such a thing possible? I'd prefer to NOT push this back into the application itself.

What I do NOT want to happen is for the apache server to send back the response triggering the basic auth dialog.

Best Answer

Answering my own question.... dug around on this some more and came up with the following which seems to work:

<Location />
<If "-n req('Authorization')">
    AuthName "Active Directory"
    AuthBasicProvider ldap
    AuthType basic
    AuthLDAPMaxSubGroupDepth 0
    AuthLDAPBindAuthoritative off
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthLDAPInitialBindPattern (.+) $1@yyyyy
    AuthLDAPInitialBindAsUser on
    AuthLDAPSearchAsUser on
    AuthLDAPCompareAsUser on
    AuthLDAPUrl "ldaps://xxx,dc=com?sAMAccountName,memberOf?sub"
    LDAPReferrals Off

    require valid-user
</If>
<Else>
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonVariable "cookie"
    MellonEndpointPath "/sso"
    MellonDefaultLoginPath "/"
    MellonSubjectConfirmationDataAddressCheck Off
    MellonSessionLength 86400
    MellonSPPrivateKeyFile /...../sp-private-key.pem
    MellonIdPMetadataFile /...../idp-metadata.xml
    MellonDoNotVerifyLogoutSignature https://........
</Else>
</Location>

Anyone see anything wrong with this approach?

Related Solutions

Php – apache2: Require valid-user AND allow all

You'll need to be tricky :) To make the server ask for authentication you'll need to require a valid user. But that could go inside a Location block. So I'm thinking, you could then alias (or redirect) that location to the normal location. I think something like this will work:

<location "/try-auth-first">
require valid-user
satisfy all

alias /try-auth-first /the-real-one
#redirect /try-auth-first /the/real/one
</location>

You might need to fiddle a bit, but something like that should work. If the authentication fails, your script can pick up the 401 result and then retry directly to the real location (which needs to be set to allow from all).

Switching between multiple authentication types on same URL

I'm not sure you could do this with mod_access -- it doesn't support selectively choosing auth mechanisms as far as I know, it only allows a list of mechanisms it can fall through until it fails them all or one succeeds. And the problem is that you can't 'attempt SAML' without redirecting the user off site.

If you did this in a programming language, with passive auth, I think it would be trivial (if statements and redirects). But using 'require valid-user' and other mod_access things won't get you where I think you're trying to go.

My answer mostly applies to Apache < 2.4.x, as I'm not 100% confident that 2.4 is missing your feature set (they changed a lot).

Best Answer

Related Solutions

Php – apache2: Require valid-user AND allow all

Switching between multiple authentication types on same URL

Related Topic