Splunk SAML SSO from an IdP with Apache mod_mellon fails

Tags: saml, single-sign-on, splunk

I am trying to configure SSO from an IdP through Apache (mod_auth_mellon and mod_proxy) to Splunk.

Environment: Ubuntu 14.04; Apache 2.4.7; mod-auth-mellon 0.7.0.

Apache is configured with the mellon-generated key / cert on the default SSL site. mod_proxy is being used to proxy to Splunk locally on port 8000.

auth_mellon.conf:

MellonCacheSize 100
MellonLockFile "/var/lock/mod_auth_mellon.lock"
MellonPostDirectory "/var/cache/apache2/mod_auth_mellon/"

ProxyRequests Off
ProxyPass /secret/ !
ProxyPassInterpolateEnv On
<Location />
        MellonEnable "info"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "cookie"
        MellonSamlResponseDump On
        MellonSPPrivateKeyFile /etc/apache2/mellon/urn_splunk.key
        MellonSPCertFile /etc/apache2/mellon/urn_splunk.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_splunk.xml
        MellonIdpMetadataFile /etc/apache2/mellon/idp-meta.xml
        MellonEndpointPath /secret/endpoint
        MellonUser "NAME_ID"
        MellonDefaultLoginPath /en-US/
        RequestHeader set SplunkWebUser %{MELLON_NAME_ID}e
        MellonSamlResponseDump On

        ProxyPass http://127.0.0.1:8000/
        ProxyPassReverse http://127.0.0.1:8000/
        ProxyPassInterpolateEnv On
</Location>

idp-meta.xml contains the metadata from the IdP (including the IdP x509 cert and HTTP-POST / HTTP-Redirect parameters). The urn_service.* files are generated from the mellon_create_metadata.sh script, which creates an x509 cert and key on the SP and the XML config file.

When I try to access Splunk from the IdP, I see errors in the Apache log file and get a 500 / Internal Server Error response:

[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[core:error] AH00027: No authentication done but request not allowed without authentication for /secret/endpoint/login. Authentication not configured?

It seems like the SAML authentication is failing. I am following this guide: http://blogs.splunk.com/2013/10/09/splunk-sso-using-saml-through-okta/

Splunk is configured to authenticate with LDAP, and is authenticating correctly. Does Apache also need to be configured with LDAP authentication to identify valid users too? (I'm not sure how users are authenticated in Apache/mellon; I assumed that's all handled by the payload from the IdP and mellon just knows about the identity.)

Best Answer

It looks like a number of things were wrong. Firstly, I didn't realize that the metadata needed to be recopied from my IdP back to the Apache configs when I modified the SAML settings on that side. Anyway, after making sure the IdP and SP XML files were configured correctly in Apache, I was able to move on (I think I had changed the entity ID).

I was still getting an error around requiring a valid user in the error logs. It turns out that MellonEnable "auth" takes care of ensuring there's a valid user, while for some reason the Require valid-user and AuthType "Mellon" directives were triggering errors and 500 server responses.

After removing these 2 directives, I was still getting errors, this time Could not find metadata for the IdP "(null)". After a quick search, it turns out that the latest version of lasso available on Ubuntu 14.04 LTS (2.4.0) does not work with the SHA256 signatures that the IdP was defaulting to. Lasso 2.5 supports SHA256. After updating the IdP config with a compatible algorithm, identification was taking place correctly.

However, I was then faced with redirect loops because of the context. I found another post that suggested moving the web root of Splunk to a /splunk context instead of the root (/), and after updating this I am now able to authenticate to Splunk via mellon from the IdP. Here are the relevant working configs:

MellonLockFile "/var/lock/mod_auth_mellon.lock"
MellonPostDirectory "/var/cache/apache2/mod_auth_mellon/"

ProxyRequests Off
ProxyPassInterpolateEnv On
# Move the proxy directives out of <location> and specify the context / mapping
ProxyPass /splunk http://127.0.0.1:8000/splunk
ProxyPassReverse /splunk http://127.0.0.1:8000/splunk

<Location />
        MellonEnable "info"
        MellonVariable "cookie"
        MellonSamlResponseDump On
        MellonSPPrivateKeyFile /etc/apache2/mellon/urn_splunkweb.key
        MellonSPCertFile /etc/apache2/mellon/urn_splunkweb.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb.xml
        MellonIdpMetadataFile /etc/apache2/mellon/idp-metadata.xml
        MellonEndpointPath /secret/endpoint
        MellonUser "NAME_ID"
        MellonDefaultLoginPath /splunk/en-US/
        RequestHeader set SplunkWebUser %{MELLON_NAME_ID}e
        ProxyPassInterpolateEnv On
</Location>
<Location /splunk/>
        # Forces /splunk requests to be authenticated via the IdP.
        MellonEnable "auth"
</Location>

$SPLUNK_HOME/etc/system/local/web.conf:

[settings]
# Only honour the remoteUser header from this peer address (the Apache proxy)
trustedIP = 127.0.0.1
# Header Apache sets from MELLON_NAME_ID; web.conf uses key = value syntax
remoteUser = SplunkWebUser
SSOMode = permissive
# Matches the /splunk context used in the ProxyPass / MellonDefaultLoginPath above
root_endpoint = /splunk

And $SPLUNK_HOME/etc/system/local/server.conf

[general]
trustedIP=127.0.0.1

This is obviously for a setup where the Apache/mellon server runs on the same host as Splunk. web.conf (Splunk) and auth_mellon.conf (Apache) need to be updated with remote IPs if not. web.conf supports a comma-separated list of trusted hosts, while server.conf doesn't and should stay as localhost.
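The working configuration above rests on one trust boundary: Splunk believes whatever is in the SplunkWebUser header, but only when the TCP peer is a trustedIP, and Apache's RequestHeader set line overwrites any SplunkWebUser header the browser sent with the NameID mellon verified. The model below, an added example that is not Splunk's or mod_auth_mellon's code, walks through both halves with constructed requests so the failure modes are visible: a forged header from an untrusted address is ignored, a forged header through the proxy is replaced, an unauthenticated request to /splunk/ is bounced to the IdP, and a forged header from anything else able to reach port 8000 on loopback is accepted. The function names, request type, sample addresses and user names are all assumptions made for the example; the two rules it encodes are the trustedIP/remoteUser semantics of web.conf and the replace semantics of RequestHeader set.

```python
"""Model of the Apache/mod_auth_mellon -> Splunk SSO trust boundary.

Constructed illustration, not Splunk's or mod_auth_mellon's code. It encodes:
  1. Apache: `RequestHeader set SplunkWebUser %{MELLON_NAME_ID}e` replaces any
     client-supplied SplunkWebUser header with the mellon-asserted NameID, and
     <Location /splunk/> MellonEnable "auth" redirects anonymous requests to the IdP.
  2. Splunk (web.conf trustedIP / remoteUser / SSOMode=permissive): the header is
     honoured only when the peer address is trusted; otherwise the normal login
     page is served.
Names, types and sample requests below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

TRUSTED_IPS = {"127.0.0.1"}            # web.conf: trustedIP = 127.0.0.1
REMOTE_USER_HEADER = "SplunkWebUser"   # web.conf: remoteUser = SplunkWebUser
PROXY_SOURCE_IP = "127.0.0.1"          # ProxyPass target is 127.0.0.1:8000


@dataclass
class Request:
    peer_ip: str                       # address Splunk sees the TCP connection from
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def apache_front_end(req: Request, mellon_name_id: Optional[str]) -> Request:
    """Model of the Apache vhost.  `mellon_name_id` is the NameID of the
    request's mellon session, or None when there is no valid session."""
    if req.path.startswith("/splunk/") and mellon_name_id is None:
        # <Location /splunk/> MellonEnable "auth": no session -> redirect to IdP.
        raise PermissionError("302 redirect to IdP login")
    forwarded = dict(req.headers)
    # RequestHeader set replaces; it never merges with what the client sent,
    # so a forged SplunkWebUser cannot survive the proxy hop.
    forwarded.pop(REMOTE_USER_HEADER, None)
    if mellon_name_id is not None:
        forwarded[REMOTE_USER_HEADER] = mellon_name_id
    # The proxy connects to Splunk from loopback, so that is the peer it sees.
    return Request(peer_ip=PROXY_SOURCE_IP, path=req.path, headers=forwarded)


def splunk_web(req: Request) -> str:
    """Model of Splunk web in permissive SSO mode."""
    user = req.headers.get(REMOTE_USER_HEADER)
    if req.peer_ip in TRUSTED_IPS and user:
        return f"session for {user}"
    return "login page"


def via_proxy(peer_ip: str, path: str, headers: Dict[str, str],
              mellon_name_id: Optional[str]) -> str:
    """Browser -> Apache (mellon + mod_proxy) -> Splunk."""
    return splunk_web(apache_front_end(Request(peer_ip, path, headers), mellon_name_id))


def direct_to_8000(peer_ip: str, headers: Dict[str, str]) -> str:
    """Browser -> Splunk on port 8000, bypassing Apache entirely."""
    return splunk_web(Request(peer_ip, "/splunk/en-US/", headers))


if __name__ == "__main__":
    forged = {REMOTE_USER_HEADER: "admin"}
    # Forged header from an untrusted address: ignored, login page served.
    print(direct_to_8000("10.0.0.5", forged))
    # Forged header through the proxy: replaced by the mellon-verified NameID.
    print(via_proxy("10.0.0.5", "/splunk/en-US/", forged, mellon_name_id="alice"))
    # Forged header from loopback: trusted.  Anything on the host that can reach
    # 127.0.0.1:8000 can impersonate any user, which is why 8000 must be
    # reachable only by the proxy.
    print(direct_to_8000("127.0.0.1", forged))
```

Two checks follow from the last case: confirm that Splunk web binds only to loopback (web.conf server.socket_host = 127.0.0.1, then `ss -ltnp | grep 8000`) and that no host firewall rule forwards external traffic to 8000, otherwise the trustedIP setting is all that stands between an attacker and an arbitrary Splunk user. A second caveat on the / location: with MellonEnable "info" the RequestHeader line also runs for anonymous requests, where MELLON_NAME_ID is unset and mod_headers substitutes the literal string (null); the model above simply omits the header in that case, so check what value actually reaches Splunk in your own setup.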
