From 42700be962e245243f10c30a29c41fcda1f3f712 Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Mon, 9 Mar 2015 20:28:47 -0700 Subject: Require SSL on SP when using --saml-secure-setup If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We are not setting the SSLRequireSSL directive though, so we set mellon up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder Reviewed-by: Rob Crittenden
---
ipsilon/install/ipsilon-client-install | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'ipsilon')
diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install
index 484c462..9ed2a6f 100755
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -123,8 +123,12 @@ def saml2():
 psp = ''
 saml_secure = 'Off'
+ ssl_require = '#'
+ ssl_rewrite = '#'
 if args['saml_secure_setup']:
 saml_secure = 'On'
+ ssl_require = ''
+ ssl_rewrite = ''
 samlopts = {'saml_base': args['saml_base'],
 'saml_protect': saml_protect,
@@ -135,6 +139,9 @@ def saml2():
 'saml_sp': args['saml_sp'],
 'saml_secure_on': saml_secure,
 'saml_auth': saml_auth,
+ 'ssl_require': ssl_require,
+ 'ssl_rewrite': ssl_rewrite,
+ 'sp_hostname': args['hostname'],
 'sp': psp}
 files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)
-- cgit
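Review bot: The `'#'` and `''` values given to `ssl_require` and `ssl_rewrite` in the first hunk (`@@ -123,8 +123,12 @@`) appear to be comment-prefix toggles for lines in the SP config template, and nothing next to the assignments says so. A one-line comment above them would make the convention explicit, for example `# '#' leaves the SSLRequireSSL and rewrite lines commented out in the generated config; '' enables them`. Because both values only ever change together with `saml_secure`, the same comment can state that all three follow `--saml-secure-setup`. The body of `saml2()` starts and ends outside this hunk.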
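Review bot: `args['hostname']` is passed to the template as `sp_hostname` in the second hunk (`@@ -135,6 +139,9 @@`) with no validation visible here, and per the commit message it feeds the http-to-https rewrite rule in the generated Apache config. A value containing whitespace, a newline or other characters that are significant on a config line would yield a malformed or unintended directive, so the value should be checked against a hostname pattern before `samlopts` is built, e.g. `if not re.match(r'^[A-Za-z0-9.-]+$', args['hostname']): raise ValueError('invalid hostname')` (assuming `re` is available and no earlier check exists outside the hunk). If the SP can listen on a non-default HTTPS port, the rewrite target presumably needs that port too; the template is not shown, so confirm it there. The body of `saml2()` continues outside the hunk.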