I have a secure SSO site that uses Shibboleth authentication with a SAML identity provider. I need to allow a Google Search Appliance (GSA) crawler to come and index the URLs. I have a requirement to switch, on the HTTP request, from SAML to Basic authentication for the GSA user-agent only, without rewriting URLs. How can I configure Apache or Shibboleth to handle this?
On another thread I saw a suggestion to configure different subdirectories for different AuthTypes ("How do I accept multiple authentication options in Apache?"). Unfortunately this approach does not satisfy my requirement because it alters the URLs: GSA would index an extra token prepended to the URL and output it in the search results instead of the canonical URLs.
My shibboleth2.xml is configured for SAML 2.0. Here is a snippet of the vhost in Apache. Is there a way to add conditional logic for the authentication type in the virtual host in either Apache 2.2 or 2.4? Or is there a way to solve this using the Shib configuration?
```apache
<VirtualHost *:443>
    DocumentRoot "/var/dispatcher/cache/www"

    # Wish I could make use of this variable to toggle AuthTypes.
    # Sets the env var is_gsa_crawler when the User-Agent starts with "gsa-crawler".
    SetEnvIfNoCase User-Agent ^gsa-crawler is_gsa_crawler

    <Location />
        # for end users: force a Shibboleth (SAML) session
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        Require valid-user
    </Location>

    <Location />
        # for gsa: HTTP Basic against a password file.
        # Note: Apache merges two <Location /> sections for the same path, so as written
        # this second AuthType simply overrides the first rather than being conditional.
        AuthType Basic
        AuthName "Secure"
        AuthBasicProvider file
        AuthUserFile path_to/basic_pw_file
        Require valid-user
    </Location>

    <Directory "/var/dispatcher/cache/www">
        # Apache 2.2 access-control syntax (mod_authz_host)
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```
Best Answer
I'm not sure you could do this with mod_access -- it doesn't support selectively choosing auth mechanisms as far as I know; it only allows a list of mechanisms it can fall through until it fails them all or one succeeds. And the problem is that you can't 'attempt SAML' without redirecting the user off site.

If you did this in a programming language, with passive auth, I think it would be trivial (if statements and redirects). But using 'require valid-user' and other mod_access things won't get you where I think you're trying to go.

My answer mostly applies to Apache < 2.4.x, as I'm not 100% confident that 2.4 is missing your feature set (they changed a lot).
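The answer's "if statements and redirects" approach, written out as an added example (this is not code from the question or the answer, and it is not a Shibboleth or Apache feature). It is a WSGI middleware that sits behind the SP and makes the choice the vhost above cannot: requests that look like the crawler get HTTP Basic, everyone else is sent to the Shibboleth session initiator, and the URL is never rewritten. Assumptions: the SP runs in lazy-session mode (`ShibRequestSetting requireSession 0`) with `ShibUseHeaders On`, so an unauthenticated user reaches the app and an authenticated one carries a `Shib-Session-ID` header; the session initiator lives at the default `/Shibboleth.sso/Login` handler; the crawler's source network (`192.0.2.0/24`, a documentation range) and the single crawler account are constructed for the example. Because a User-Agent string is trivially spoofable, the crawler branch also requires the peer address to be in the allowed network, which is the check a practitioner should not leave out:

```python
"""
Added example: switch between Basic auth and a Shibboleth redirect per request,
based on User-Agent plus source address, without changing the requested URL.
"""
import base64
import hashlib
import hmac
import ipaddress
import os
from urllib.parse import quote

# --- Constructed configuration (assumptions for this example, not from the post) ---
CRAWLER_UA_PREFIX = b"gsa-crawler"                           # same pattern as the SetEnvIfNoCase line
CRAWLER_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed GSA source range (RFC 5737)
SHIB_LOGIN_HANDLER = "/Shibboleth.sso/Login"                 # default SP session initiator (assumed)
REALM = "Secure"


def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# One crawler account. In a deployment the salt and hash would be loaded from a file
# (the role AuthUserFile plays above); the plaintext exists only to keep this self-contained.
_CRAWLER_SALT = os.urandom(16)
CRAWLER_USER = "gsa"
CRAWLER_PASSWORD_HASH = _pbkdf2(b"correct horse battery staple", _CRAWLER_SALT)


def basic_header(user: str, password: str) -> str:
    """Build an Authorization: Basic value (handy for the crawler's own configuration)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def is_crawler(environ) -> bool:
    """True only if the User-Agent matches AND the peer is in an allowed network.
    The User-Agent alone never unlocks the Basic branch, since anyone can send it."""
    ua = environ.get("HTTP_USER_AGENT", "").encode("latin-1", "replace")
    if not ua.lower().startswith(CRAWLER_UA_PREFIX):
        return False
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in CRAWLER_NETWORKS)


def check_basic(environ) -> bool:
    """Validate an Authorization: Basic header; both comparisons are constant-time."""
    scheme, _, b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not b64:
        return False
    try:
        user, _, pw = base64.b64decode(b64, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), CRAWLER_USER.encode("utf-8"))
    pw_ok = hmac.compare_digest(_pbkdf2(pw.encode("utf-8"), _CRAWLER_SALT), CRAWLER_PASSWORD_HASH)
    return user_ok and pw_ok


def has_shib_session(environ) -> bool:
    # With ShibUseHeaders On the SP exposes Shib-Session-ID to the application and
    # strips any client-supplied copy, so its presence means the SP authenticated the user.
    return bool(environ.get("HTTP_SHIB_SESSION_ID"))


def request_url(environ) -> str:
    scheme = environ.get("wsgi.url_scheme", "https")
    host = environ.get("HTTP_HOST", environ.get("SERVER_NAME", "localhost"))
    qs = environ.get("QUERY_STRING", "")
    return f"{scheme}://{host}{environ.get('PATH_INFO', '/')}" + (f"?{qs}" if qs else "")


def gate(environ):
    """Return (status, headers) the middleware must send, or None to let the request through."""
    if is_crawler(environ):
        if check_basic(environ):
            return None
        return "401 Unauthorized", [("WWW-Authenticate", f'Basic realm="{REALM}"'),
                                    ("Content-Type", "text/plain")]
    if has_shib_session(environ):
        return None
    # No SP session: send the browser to the session initiator and back to the same URL.
    target = quote(request_url(environ), safe="")
    return "302 Found", [("Location", f"{SHIB_LOGIN_HANDLER}?target={target}"),
                         ("Content-Type", "text/plain")]


def auth_switch(app):
    """Wrap a WSGI app so that gate() runs before every request."""
    def middleware(environ, start_response):
        verdict = gate(environ)
        if verdict is None:
            return app(environ, start_response)
        status, headers = verdict
        start_response(status, headers)
        return [status.encode("ascii")]
    return middleware
```

The redirect target is the URL the client asked for, so the crawler and the end user see exactly the same canonical URLs; only the challenge differs. Moving the decision into the application is what makes the per-request branch possible, but it also moves the Basic-auth secret handling and the source-address check into your code, so both need the same care Apache would give them.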