authorNathan Kinder <nkinder@redhat.com>2015-03-09 20:28:47 -0700
committerRob Crittenden <rcritten@redhat.com>2015-03-10 18:24:01 -0400
commit42700be962e245243f10c30a29c41fcda1f3f712 (patch)
tree08c2fb51959ad9f59866695517247963abda1a1f
parente0aa4f23846fa9f6bb0fb9eb021e930b035100eb (diff)
Require SSL on SP when using --saml-secure-setup
If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We were not setting the SSLRequireSSL directive though, which left mellon set up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
-rwxr-xr-xipsilon/install/ipsilon-client-install7
-rw-r--r--templates/install/saml2/sp.conf8
2 files changed, 14 insertions, 1 deletions
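--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -123,8 +123,12 @@ def saml2():
 psp = ''
 saml_secure = 'Off'
+ ssl_require = '#'
+ ssl_rewrite = '#'
 if args['saml_secure_setup']:
 saml_secure = 'On'
+ ssl_require = ''
+ ssl_rewrite = ''
 samlopts = {'saml_base': args['saml_base'],
 'saml_protect': saml_protect,
@@ -135,6 +139,9 @@ def saml2():
 'saml_sp': args['saml_sp'],
 'saml_secure_on': saml_secure,
 'saml_auth': saml_auth,
+ 'ssl_require': ssl_require,
+ 'ssl_rewrite': ssl_rewrite,
+ 'sp_hostname': args['hostname'],
 'sp': psp}
 files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)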
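Review bot: `ssl_require` and `ssl_rewrite` are assigned in lockstep ('#' or '') in both branches of the first hunk, so the pair could collapse to a single prefix, e.g. `ssl_prefix = '' if args['saml_secure_setup'] else '#'`, passed under both template keys; as written, a later change to one toggle but not the other is easy to miss. The '#' mechanism also deserves a comment, because a '#' emitted through the template comments an Apache directive out of the rendered file rather than disabling it in code: `# '#' comments the directive out in the rendered sp.conf; '' enables it`. `args['hostname']` now lands verbatim in the RewriteRule target of sp.conf; if it is not validated before this point (not visible here), a value containing whitespace or a `$`/`%` sequence would yield an invalid or misleading redirect target. saml2() begins before the first hunk and continues past the second.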
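--- a/templates/install/saml2/sp.conf
+++ b/templates/install/saml2/sp.conf
@@ -8,8 +8,9 @@
 MellonIdPMetadataFile "${saml_idp_meta}"
 MellonEndpointPath ${saml_sp}
 MellonVariable "saml-sesion-cookie"
- # Comment out the next line if you want to allow logins on bare HTTP
+ # Comment out the next two lines if you want to allow logins on bare HTTP
 MellonsecureCookie ${saml_secure_on}
+ ${ssl_require}SSLRequireSSL
 MellonUser "NAME_ID"
 MellonIdP "IDP"
 MellonSessionLength 3600
@@ -26,3 +27,8 @@ ${sp}<Directory /usr/share/ipsilon/ui/saml2sp>
 ${sp} SSLRequireSSL
 ${sp} Require all granted
 ${sp}</Directory>
+
+# Redirect requests to the secure port
+${ssl_rewrite}RewriteEngine on
+${ssl_rewrite}RewriteCond %{SERVER_PORT} !^443$$
+${ssl_rewrite}RewriteRule ^${saml_base}(.*) https://${sp_hostname}${saml_base}$$1 [L,R=301,NC]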
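Review bot: The RewriteCond in the second hunk keys on the port number rather than on whether TLS is in use, so an SP whose HTTPS listener is on any port other than 443 redirects its own secure requests to https://host on 443 (no listener, or a different vhost) and never reaches mellon; `RewriteCond %{HTTPS} !=on` states the intent directly and is port-independent. `${saml_base}` is also interpolated into the RewriteRule pattern unescaped, so a base path containing regex metacharacters would not be matched literally. Whether RewriteRule sees the full URL path or a directory-relative one depends on the context sp.conf is included in, which is not visible here. The block enclosing the new `${ssl_require}SSLRequireSSL` line begins before the first hunk, so its scope cannot be confirmed from this view.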