From 42700be962e245243f10c30a29c41fcda1f3f712 Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Mon, 9 Mar 2015 20:28:47 -0700 Subject: Require SSL on SP when using --saml-secure-setup If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We are not setting the SSLRequireSSL directive though, so we set mellon up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder Reviewed-by: Rob Crittenden --- ipsilon/install/ipsilon-client-install | 7 +++++++ templates/install/saml2/sp.conf | 8 +++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install index 484c462..9ed2a6f 100755 --- a/ipsilon/install/ipsilon-client-install +++ b/ipsilon/install/ipsilon-client-install @@ -123,8 +123,12 @@ def saml2(): psp = '' saml_secure = 'Off' + ssl_require = '#' + ssl_rewrite = '#' if args['saml_secure_setup']: saml_secure = 'On' + ssl_require = '' + ssl_rewrite = '' samlopts = {'saml_base': args['saml_base'], 'saml_protect': saml_protect, @@ -135,6 +139,9 @@ def saml2(): 'saml_sp': args['saml_sp'], 'saml_secure_on': saml_secure, 'saml_auth': saml_auth, + 'ssl_require': ssl_require, + 'ssl_rewrite': ssl_rewrite, + 'sp_hostname': args['hostname'], 'sp': psp} files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts) diff --git a/templates/install/saml2/sp.conf b/templates/install/saml2/sp.conf index 73e6417..d7872cc 100644 --- a/templates/install/saml2/sp.conf +++ b/templates/install/saml2/sp.conf @@ -8,8 +8,9 @@ MellonIdPMetadataFile "${saml_idp_meta}" MellonEndpointPath ${saml_sp} MellonVariable "saml-sesion-cookie" - # Comment out the next line if you want to allow logins on bare HTTP + # Comment out the next two lines if you want to allow logins on bare HTTP MellonsecureCookie ${saml_secure_on} + ${ssl_require}SSLRequireSSL MellonUser "NAME_ID" MellonIdP "IDP" MellonSessionLength 3600 @@ -26,3 +27,8 @@ ${sp} ${sp} SSLRequireSSL ${sp} Require all granted ${sp} + +# Redirect requests to the secure port +${ssl_rewrite}RewriteEngine on +${ssl_rewrite}RewriteCond %{SERVER_PORT} !^443$$ +${ssl_rewrite}RewriteRule ^${saml_base}(.*) https://${sp_hostname}${saml_base}$$1 [L,R=301,NC] -- cgit