Switching between multiple authentication types on same URL

apache-2.2, google-search-appliance, http-basic-authentication, shibboleth, web-crawler

I have a secure SSO site that uses Shibboleth authentication and a SAML identity provider. I need to allow a Google Search Appliance crawler to come and index the URLs. I have a requirement to switch the HTTP request from SAML to Basic authentication for the GSA user-agent only, without rewriting URLs. How can I configure Apache or Shibboleth to handle this?

On another thread I saw a suggestion to configure different subdirectories for different Auth Types (How do I accept multiple authentication options in Apache?). Unfortunately this approach does not satisfy my requirement because it alters the URLs — GSA would index an extra token prepended to the URL and output it in the search results instead of the canonical URLs.

My shibboleth2.xml is configured for SAML 2.0. Here is a snippet of the vhost in Apache. Is there a way to add conditional logic for the authentication type in a virtual host in either Apache 2.2 or 2.4? Or is there a way to solve this using the Shib configuration?

<VirtualHost *:443>
DocumentRoot    "/var/dispatcher/cache/www"
# Wish I could make use of this variable to toggle AuthTypes
SetEnvIfNoCase User-Agent ^gsa-crawler is_gsa_crawler

<Location />
    # for end users
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    Require valid-user
</Location>

<Location />
    # for gsa
    AuthType Basic
    AuthName "Secure"
    AuthBasicProvider file
    AuthUserFile path_to/basic_pw_file
    Require valid-user
</Location>

<Directory "/var/dispatcher/cache/www">
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>

Best Answer

I'm not sure you could do this with mod_access -- it doesn't support selectively choosing auth mechanisms as far as I know, it only allows a list of mechanisms it can fall through until it fails them all or one succeeds. And the problem is that you can't 'attempt SAML' without redirecting the user off site.

If you did this in a programming language, with passive auth, I think it would be trivial (if statements and redirects). But using 'require valid-user' and other mod_access things won't get you where I think you're trying to go.

My answer mostly applies to Apache < 2.4.x, as I'm not 100% confident that 2.4 is missing your feature set (they changed a lot).
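What the answer calls "if statements and redirects" looks like this as an added Python example (it is neither the asker's configuration nor the answerer's code): the User-Agent check mirrors the SetEnvIfNoCase line and only chooses which challenge is issued, while the Basic credential is what actually authenticates the crawler; everyone else is redirected to the IdP unless a session already exists. The IdP URL, the salt and the crawler account are constructed placeholders.

```python
# Added example: per-request choice between Basic auth (GSA crawler) and a
# SAML redirect (everyone else), as the answer sketches for "a programming
# language with passive auth". IdP URL, salt and credentials are constructed.
import base64
import hashlib
import hmac

IDP_LOGIN_URL = "https://idp.example.org/sso/login"   # placeholder, assumed
BASIC_REALM = "Secure"                                # AuthName from the vhost snippet
_SALT = b"example-salt"                               # constructed for this example
# Constructed crawler account; the password is stored as salted PBKDF2, not in clear.
CRAWLER_ACCOUNTS = {
    "gsa": hashlib.pbkdf2_hmac("sha256", b"crawler-secret", _SALT, 100_000),
}

def is_gsa_crawler(headers):
    """Same test as 'SetEnvIfNoCase User-Agent ^gsa-crawler': case-insensitive prefix."""
    return headers.get("User-Agent", "").lower().startswith("gsa-crawler")

def check_basic(authorization):
    """Validate an 'Authorization: Basic <b64(user:password)>' header."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:          # binascii.Error and UnicodeDecodeError are ValueErrors
        return False
    expected = CRAWLER_ACCOUNTS.get(user)
    if expected is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(expected, candidate)   # constant-time comparison

def dispatch(headers, has_shib_session=False):
    """Return (status, response_headers) for one request."""
    if is_gsa_crawler(headers):
        if check_basic(headers.get("Authorization", "")):
            return 200, {}
        # The crawler User-Agent grants nothing by itself: without valid
        # credentials it is challenged, never let through.
        return 401, {"WWW-Authenticate": f'Basic realm="{BASIC_REALM}"'}
    if has_shib_session:
        return 200, {}
    # Non-crawler clients go through the SAML flow, i.e. a redirect to the IdP.
    return 302, {"Location": IDP_LOGIN_URL}
```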