author | Nathan Kinder <nkinder@redhat.com> | 2015-03-09 20:28:47 -0700 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-03-10 18:24:01 -0400 |
commit | 42700be962e245243f10c30a29c41fcda1f3f712 (patch) | |
tree | 08c2fb51959ad9f59866695517247963abda1a1f /templates/install/saml2/sp.conf | |
parent | e0aa4f23846fa9f6bb0fb9eb021e930b035100eb (diff) | |
Require SSL on SP when using --saml-secure-setup

If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication. We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified. In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'templates/install/saml2/sp.conf')
-rw-r--r-- | templates/install/saml2/sp.conf | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/templates/install/saml2/sp.conf b/templates/install/saml2/sp.conf index 73e6417..d7872cc 100644 --- a/templates/install/saml2/sp.conf +++ b/templates/install/saml2/sp.conf @@ -8,8 +8,9 @@ MellonIdPMetadataFile "${saml_idp_meta}" MellonEndpointPath ${saml_sp} MellonVariable "saml-sesion-cookie" - # Comment out the next line if you want to allow logins on bare HTTP + # Comment out the next two lines if you want to allow logins on bare HTTP MellonsecureCookie ${saml_secure_on} + ${ssl_require}SSLRequireSSL MellonUser "NAME_ID" MellonIdP "IDP" MellonSessionLength 3600 @@ -26,3 +27,8 @@ ${sp}<Directory /usr/share/ipsilon/ui/saml2sp> ${sp} SSLRequireSSL ${sp} Require all granted ${sp}</Directory> + +# Redirect requests to the secure port +${ssl_rewrite}RewriteEngine on +${ssl_rewrite}RewriteCond %{SERVER_PORT} !^443$$ +${ssl_rewrite}RewriteRule ^${saml_base}(.*) https://${sp_hostname}${saml_base}$$1 [L,R=301,NC] |
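Review bot: In the first hunk (@@ -8,8 +8,9 @@), the reworded comment tells the admin to comment out "the next two lines", but the second of them is emitted as ${ssl_require}SSLRequireSSL, so in a file generated without --saml-secure-setup that line is presumably already disabled by the placeholder and the instruction no longer matches what the admin sees. Consider wording the comment so it is correct in both cases, for example by saying that MellonsecureCookie and SSLRequireSSL must be disabled together. The diff shown is limited to sp.conf, so the code that sets ssl_require is not visible here; please confirm the installer always defines it (empty or a comment marker), since an undefined placeholder would either abort the install or leave a literal ${ssl_require} in the Apache configuration.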
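Review bot: In the second hunk (@@ -26,3 +27,8 @@), the condition RewriteCond %{SERVER_PORT} !^443$$ hard-codes the TLS port, so an SP that serves HTTPS on any other port will have its already-secure requests matched and redirected to https://${sp_hostname}${saml_base} with no port, which either loops or lands on the wrong listener. Testing the scheme instead, as in RewriteCond %{HTTPS} !=on, avoids that. Two smaller points on the RewriteRule line: the pattern ^${saml_base}(.*) has no path boundary after the base, so with [NC] it also matches sibling paths that merely start with the same prefix, and the rules sit outside any container in this file, so they only take effect if sp.conf is included in the same server or virtual host context that answers the plain HTTP requests. A short comment above the block stating that requirement would help whoever deploys this template.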