Trouble Getting Apache/mod_shib to Apply Headers

Ben Geels ben.geels019 at gmail.com
Thu Oct 29 04:40:10 UTC 2020


Hi All,

I'm attempting to get CORS working with some Shibboleth-protected resources
and am running into an issue.

My setup is as follows:

server-a ( web application )
server-b ( web service api )
server-c ( shibboleth idp )

Server A is configured to use the following binding as recommended by this
document.

Document:
https://wiki.shibboleth.net/confluence/display/KB/Cross-origin+AJAX+requests+for+Shib-protected+resources

Binding:
outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

Apache's mod_headers is able to correctly apply the CORS-related headers on
server-b and server-c once cookies have been retrieved. However, on the
first request before I've received a cookie for server-b, it seems that
mod_shib intercepts the request since no valid cookie was sent (as
expected) but does not apply any headers to the response containing the
auth form (sourced from "/etc/shibboleth/bindingTemplate.html"), causing
the request to fail in the browser because no matching
"Access-Control-Allow-Origin" header is present.

Does anyone have a working configuration for this, or any tips to get
mod_shib to apply headers here?

I've tried applying these headers both narrowly scoped to the specific
Shibboleth.SSO <Location>s and as broadly as the whole <VirtualHost>, but
they never seem to get applied to the response for the intercepted requests.

    SetEnvIf Origin "^http(s)?://(.*\.my\.super\.domain)(:\d+)?$" AccessControlAllowOrigin=$0
    Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

I was actually able to get this to work in Google Chrome using
(outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect") on
the service provider, but wasn't able to recreate that success in Safari,
Firefox, or Edge due to differences in the way each browser handles the 302
redirects, applies the "Origin" header, interprets CORS policy, etc. I was
able to get this to work in Chrome with that binding by applying the
following config in Apache.

(The gist is that on some of the redirects "Origin" isn't sent in the
request headers. "Referer", on the other hand, is set, and we can use it to
check whether the source is a trusted domain, as we do when "Origin" is set.
In the case that "Referer" matches our rule and "Origin" is undefined, we
return "null" as the value of "Access-Control-Allow-Origin". Doing this
causes the CORS policy evaluation to succeed in Chrome; we're able to get
our cookie back and successfully make cross-origin requests to server-b
both initially and on subsequent requests.)

    # Referer is only a fallback for the redirects on which the browser sends
    # no Origin. "[^/]*" keeps the host match from running past the first "/"
    # into the path or query string (the original ".*" could match the suffix
    # anywhere in the URL, not just in the host).
    SetEnvIf Referer "^http(s)?://([^/]*\.my\.super\.domain)(:\d+)?/?.*?$" AccessControlAllowReferer=null
    Header always set Access-Control-Allow-Origin %{AccessControlAllowReferer}e env=AccessControlAllowReferer
    Header always set Access-Control-Allow-Credentials true env=AccessControlAllowReferer

    # A trusted Origin, when present, overrides the "null" fallback above
    # because these Header directives run later in file order.
    SetEnvIf Origin "^http(s)?://(.*\.my\.super\.domain)(:\d+)?$" AccessControlAllowOrigin=$0
    Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin

    Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

This is the JavaScript code that works with Chrome:
https://gist.github.com/bgeels/f7e109e2372142c9faea99ef489db0b5

Despite this working in Chrome, I think that if I can figure out a way to
apply the headers to the first request to server-b that's intercepted by
mod_shib using the "HTTP-POST" binding, the JavaScript implementation of the
Shibboleth auth handshake would be much more straightforward and would have
a higher success rate across browsers.

Any assistance would be greatly appreciated.

Thanks!
Ben
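As an added check (not from the post or from the Shibboleth project), the following Python models what the Referer/Origin SetEnvIf and Header directives above would emit for a given set of request headers. It assumes the same constructed host suffix as the post and tightens the Referer pattern's ".*" to "[^/]*" so the host match cannot run into the path.

```python
import re

# Constructed stand-in for the trusted suffix used in the post's SetEnvIf regexes.
TRUSTED = r"\.my\.super\.domain"

# Origin carries no path, so the post's pattern is usable as-is.
ORIGIN_RE = re.compile(r"^http(s)?://(.*" + TRUSTED + r")(:\d+)?$")
# Referer carries a path; [^/]* (the post used .*) keeps the host match from
# running past the first "/" into the path or query string.
REFERER_RE = re.compile(r"^http(s)?://([^/]*" + TRUSTED + r")(:\d+)?/?.*?$")

ALLOW_HEADERS = ("X-Requested-With, Content-Type, Origin, Authorization, "
                 "Accept, Client-Security-Token, Accept-Encoding")
ALLOW_METHODS = "POST, GET, OPTIONS, DELETE, PUT"


def cors_headers(request_headers):
    """Model the two SetEnvIf/Header blocks: return the CORS response
    headers they would set for the given request headers."""
    req = {k.lower(): v for k, v in request_headers.items()}
    env = {}
    referer = req.get("referer")
    if referer is not None and REFERER_RE.match(referer):
        env["AccessControlAllowReferer"] = "null"
    origin = req.get("origin")
    m = ORIGIN_RE.match(origin) if origin is not None else None
    if m:
        env["AccessControlAllowOrigin"] = m.group(0)  # $0 = whole match
    out = {}
    # Header directives run in file order: the Referer block first, then the
    # Origin block, so a trusted Origin overwrites the "null" fallback.
    for var in ("AccessControlAllowReferer", "AccessControlAllowOrigin"):
        if var in env:  # the env=... condition on each Header directive
            out["Access-Control-Allow-Origin"] = env[var]
            out["Access-Control-Allow-Credentials"] = "true"
    # These two are set unconditionally ("Header always set" with no env=).
    out["Access-Control-Allow-Headers"] = ALLOW_HEADERS
    out["Access-Control-Allow-Methods"] = ALLOW_METHODS
    return out


if __name__ == "__main__":
    for hdrs in ({"Origin": "https://app.my.super.domain"},
                 {"Referer": "https://app.my.super.domain/page?x=1"},
                 {"Referer": "https://other.example/x.my.super.domain"}):
        print(hdrs, "->", cors_headers(hdrs).get("Access-Control-Allow-Origin"))
```

The third sample request, whose Referer only contains the suffix in its path, gets no Access-Control-Allow-Origin at all with the tightened pattern.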