SAML with mod_auth_mellon results in error: Error processing authn response. Lasso error:

I am having trouble implementing ADFS SSO for an Apache HTTPD web server using mod_auth_mellon. The error I get after a successful authentication is:

Apache HTTPD returns HTTP 401

(Unauthorized: This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.)

But in the server log I can find the following:

Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Responder", StatusCode2="(null)", StatusMessage="(null)", referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=nZJNb9swDIb%2FiqG7...

Configuration (almost standard)

<Location />
  MellonEnable info
  MellonEndpointPath /mellon/endpoint
  MellonSPMetadataFile /path/to/medatada.xml
  MellonIdPMetadataFile /path/to/FederationMetadata.xml
  MellonSPPrivateKeyFile /path/to/mellon.key
  MellonSPCertFile /path/to/mellon.crt
  MellonSignatureMethod rsa-sha1
</Location>

<Location /admin>
  AuthType Mellon
  MellonEnable auth
  Require valid-user
  MellonSamlResponseDump On
</Location>

The metadata is also standard. The only thing is that, since I read about signature problems related to lasso error code -432, I tried changing the SignatureMethod parameter and disabling signing/encryption (and asked the Windows guy to update the relying party (= my) metadata). So in the end my metadata currently contains the following non-standard settings. But whatever I do, I always get the lasso -432 error.

AuthnRequestsSigned="false" WantAssertionsSigned="false"

Versions

Docker container running RHEL 7.8

mod_auth_mellon: v0.14.2 (latest)

Lasso: v2.5.99

Logs

 [Thu Jul 16 14:55:42.150952 2020] [authz_core:debug] [pid 470] mod_authz_core.c(820): [client 192.168.1.1:49870] AH01626: authorization result of <RequireAny>: granted
 [Thu Jul 16 14:55:42.151021 2020] [auth_mellon:debug] [pid 470] auth_mellon_util.c(54): [client 192.168.1.1:49870] reconstruct_url: url=="https://webservice.example.com/mellon/endpoint/login?ReturnTo=https%3A%2F%2Fwebserver.example.com%2Fadmin%2F&IdP=http%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust", unparsed_uri=="/mellon/endpoint/login?ReturnTo=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&IdP=http%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust"
 [Thu Jul 16 14:55:42.151037 2020] [auth_mellon:debug] [pid 470] auth_mellon_cookie.c(77): MELLON_DISABLE_SAMESITE : (null)
 [Thu Jul 16 14:55:42.151040 2020] [auth_mellon:debug] [pid 470] auth_mellon_cookie.c(227): cookie_set: mellon-cookie=cookietest; Version=1; Path=/; Domain=webservice.example.com
 [Thu Jul 16 14:55:42.178426 2020] [auth_mellon:debug] [pid 470] auth_mellon_handler.c(278): [client 192.168.1.1:49870] loaded IdP "http://adfs.example.com/adfs/services/trust" from "/opt/rh/httpd24/root/etc/httpd/conf.d/mellon/FederationMetadata.xml".
 192.168.1.1 - - [16/Jul/2020:14:55:42 +0200] "GET /mellon/endpoint/login?ReturnTo=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&IdP=http%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust HTTP/1.1" 303 888 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
 [Thu Jul 16 14:55:42.476510 2020] [ssl:debug] [pid 470] ssl_engine_kernel.c(377): [client 192.168.1.1:49870] AH02034: Subsequent (No.3) HTTPS request received for child 3 (server webservice.example.com:443), referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.478651 2020] [authz_core:debug] [pid 470] mod_authz_core.c(820): [client 192.168.1.1:49870] AH01626: authorization result of Require all granted: granted, referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.478686 2020] [authz_core:debug] [pid 470] mod_authz_core.c(820): [client 192.168.1.1:49870] AH01626: authorization result of <RequireAny>: granted, referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.513884 2020] [auth_mellon:debug] [pid 470] auth_mellon_handler.c(278): [client 192.168.1.1:49870] loaded IdP "http://adfs.example.com/adfs/services/trust" from "/opt/rh/httpd24/root/etc/httpd/conf.d/mellon/FederationMetadata.xml"., referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.514805 2020] [auth_mellon:error] [pid 470] [client 192.168.1.1:49870] Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Responder", StatusCode2="(null)", StatusMessage="(null)", referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 192.168.1.1 - - [16/Jul/2020:14:55:42 +0200] "POST /mellon/endpoint/postResponse HTTP/1.1" 401 381 "https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

Question

What should I analyze, test, or change in my setup to solve this?
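As an added worked example (not part of the question, and not code from mod_auth_mellon or Lasso), the script below decodes a SAMLResponse form value as it arrives at /mellon/endpoint/postResponse (or the XML that MellonSamlResponseDump writes), pulls out the top-level StatusCode, the nested second-level StatusCode and the StatusMessage, and maps the top-level code to where to look next. The two sample responses are constructed: the first mirrors the Responder / (null) / (null) shape in the log above, the second shows what a nested code and message look like. Function names and the hint texts are my own. The status URIs themselves are the ones defined in SAML 2.0 Core section 3.2.2.2, where a top-level Responder code means the IdP could not process the request because of an error on its own side, which is why the next thing to read is the ADFS side's log (the AD FS/Admin event log) rather than the SP configuration.

```python
import base64
import xml.etree.ElementTree as ET  # stdlib only; for untrusted input use defusedxml instead

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"

# Second-level codes from SAML 2.0 Core 3.2.2.2; the hint wording is mine.
SUBCODE_HINTS = {
    "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed": "user authentication at the IdP failed",
    "urn:oasis:names:tc:SAML:2.0:status:RequestDenied": "IdP refused the request (policy or relying-party trust configuration)",
    "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy": "NameIDPolicy in the AuthnRequest cannot be satisfied",
    "urn:oasis:names:tc:SAML:2.0:status:NoPassive": "IsPassive was requested but user interaction was needed",
    "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding": "IdP does not support the requested binding",
}

# Constructed sample 1: same status shape as the log line in the question
# (top-level Responder, no nested code, no StatusMessage). Not a real ADFS message.
SAMPLE_RESPONDER_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-1" Version="2.0" IssueInstant="2020-07-16T12:55:42Z"
    Destination="https://webservice.example.com/mellon/endpoint/postResponse">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample 2: Responder with a nested AuthnFailed code and a message.
SAMPLE_AUTHNFAILED_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-2" Version="2.0" IssueInstant="2020-07-16T12:55:42Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# What the browser POSTs as the SAMLResponse form field (constructed from sample 1).
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_RESPONDER_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(post_value: str) -> str:
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding (already URL-decoded)."""
    return base64.b64decode(post_value).decode("utf-8")


def parse_status(response_xml: str) -> dict:
    """Return top-level code, nested second-level code and StatusMessage of a samlp:Response."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("no samlp:Status element in Response")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    top_code = top.get("Value") if top is not None else None
    # The second-level StatusCode is a child of the top-level one, not a sibling.
    nested = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
    nested_code = nested.get("Value") if nested is not None else None
    msg_el = status.find(f"{{{SAMLP}}}StatusMessage")
    message = msg_el.text if msg_el is not None else None
    return {
        "status_code": top_code,
        "sub_status_code": nested_code,
        "status_message": message,
        "success": top_code == SUCCESS,
    }


def classify(status: dict) -> str:
    """Map the top-level code to the party that failed and the place to look next."""
    top = status["status_code"]
    hint = SUBCODE_HINTS.get(status["sub_status_code"], "no second-level code given")
    msg = status["status_message"] or "no StatusMessage given"
    if top == SUCCESS:
        return "Success: the Status is fine, inspect the Assertion instead"
    if top == RESPONDER:
        return (f"Responder: the IdP failed on its own side ({hint}; {msg}); "
                "read the IdP's log (for ADFS: the AD FS/Admin event log)")
    if top == REQUESTER:
        return (f"Requester: the IdP blames the AuthnRequest ({hint}; {msg}); "
                "compare the SP metadata (EntityID, ACS URL, signing) with the relying-party trust")
    if top == VERSION_MISMATCH:
        return "VersionMismatch: the IdP rejected the SAML version of the request"
    return f"Unknown top-level status {top!r}"


if __name__ == "__main__":
    for xml_text in (decode_saml_response(SAMPLE_POST_VALUE), SAMPLE_AUTHNFAILED_XML):
        st = parse_status(xml_text)
        print(st["status_code"], st["sub_status_code"], st["status_message"])
        print(" ->", classify(st))
```

Paste the SAMLResponse value from the browser's POST (or the dumped XML) in place of the constructed samples; a Responder result with an empty second-level code and no message, as in the log above, carries no further information on the SP side, so the ADFS event log is the only place that will say what went wrong.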
