SAML authentication (mod_auth_mellon) continuation

pepe_carlos
Posts: 43
Joined: Wed Aug 17, 2011 9:09 am
Location: Madrid, Spain

SAML authentication (mod_auth_mellon) continuation

Post by pepe_carlos »

Hello again,

This post is a continuation of the post https://support.nagios.com/forum/viewto ... =7&t=54310, which is locked.

I have managed to configure mod_mellon to get MFA authentication on a simple page (not in nagios), but when I try this configuration for the nagios process it does not recognize the user. I need to understand how the nagios process gets the user authentication once apache validates it.

I think that the authentication through mod_mellon works by cookie validation and nagios does not understand it. Can you help me?

Thanks
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: SAML authentication (mod_auth_mellon) continuation

Post by scottwilkerson »

Nagios isn't going to be able to read a cookie, but when you set it up do you have some apache configuration that you use on the page you set up authentication for?
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
pepe_carlos

Re: SAML authentication (mod_auth_mellon) continuation

Post by pepe_carlos »

Hi, thanks for your reply.

The "standard" apache configuration for nagios works without problems:


ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">

   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType Basic
   AuthName "Nagios"
   AuthBasicProvider file
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user

</Directory>


Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType Basic
   AuthName "Nagios"
   AuthBasicProvider file
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

The mod_auth_mellon configuration does not work:


ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
	Options ExecCGI
	AllowOverride None
	Order allow,deny
	Allow from all
	AuthType "Mellon"
	MellonEndpointPath /nagios
	MellonVariable "cookie"
	MellonEnable "auth"
	MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
	MellonIdPCAFile /etc/apache2/mellon/testing.cer
	MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
	MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
	MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
	Require valid-user
</Directory>


Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
	Options None
	AllowOverride None
	Order allow,deny
	Allow from all
	AuthType "Mellon"
	MellonEndpointPath /nagios
	MellonVariable "cookie"
	MellonEnable "auth"
	MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
	MellonIdPCAFile /etc/apache2/mellon/testing.cer
	MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
	MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
	MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
	MellonSamlResponseDump On
	Require valid-user
</Directory>
Could you tell me if my configuration is wrong?

Thanks.
scottwilkerson

Re: SAML authentication (mod_auth_mellon) continuation

Post by scottwilkerson »

As stated in the other thread I'm not sure we are going to be very much help as we aren't familiar with Mellon, but Nagios isn't going to be able to read a cookie, and is going to need the authentication to somehow translate to a REMOTE_USER username that is typically set with basic auth
pepe_carlos

Re: SAML authentication (mod_auth_mellon) continuation

Post by pepe_carlos »

Do you know another way to integrate nagios with multi factor authentication? (ADFS Azure)

Thanks.
scottwilkerson

Re: SAML authentication (mod_auth_mellon) continuation

Post by scottwilkerson »

pepe_carlos wrote:Do you know another way to integrate nagios with multi factor authentication? (ADFS Azure)

Thanks.
I do not, but I did do a little reading on Mellon and it appears you are missing what may be the key attribute that would be required by Nagios: setting the username from an attribute.

From their docs:


# MellonUser selects which attribute we should use for the username.
# The username is passed on to other apache modules and to the web
# page the user visits. NAME_ID is an attribute which we set to
# the id we get from the IdP.
# Note: If MellonUser refers to a multi-valued attribute, any single
# value from that attribute may be used. Do not rely on it selecting a
# specific value.
# Default: MellonUser "NAME_ID"
MellonUser "NAME_ID"
It would appear you would need to add this directive, replacing NAME_ID with the field that would correspond to the nagios contact name.


MellonUser "NAME_ID"
scottwilkerson

Re: SAML authentication (mod_auth_mellon) continuation

Post by scottwilkerson »

Ohhhh and this, REMOTE_USER is what I was stating earlier was required


MellonSetEnvNoPrefix REMOTE_USER NAME_ID
https://github.com/Uninett/mod_auth_mel ... emote_user
pepe_carlos

Re: SAML authentication (mod_auth_mellon) continuation

Post by pepe_carlos »

Thank you for your reply, but it still does not work (sorry, but I have no idea how I must configure it).

I configured the following in apache (nagios.conf):


ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType "Mellon"
   MellonEndpointPath /nagios
   MellonVariable "cookie"
   MellonEnable "auth"
   MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
   MellonIdPCAFile /etc/apache2/mellon/testing.cer
   MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
   MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
   MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
   MellonSetEnvNoPrefix REMOTE_USER NAME_ID
   Require valid-user
</Directory>


Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType "Mellon"
   MellonEndpointPath /nagios
   MellonVariable "cookie"
   MellonEnable "auth"
   MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
   MellonIdPCAFile /etc/apache2/mellon/testing.cer
   MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
   MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
   MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
   MellonSamlResponseDump On
   MellonSetEnvNoPrefix REMOTE_USER NAME_ID
   Require valid-user
</Directory>
and the mellon configuration (/etc/apache2/mellon/https_nagios.testing.xml):


<EntityDescriptor entityID="https://nagios.testing" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://nagios.testing/nagios/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nagios.testing/nagios" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
But it enters a continuous loop, as if nagios does not validate and returns the validation to the IdP again :( .
scottwilkerson

Re: SAML authentication (mod_auth_mellon) continuation

Post by scottwilkerson »

At this point all I can suggest is that you reach out to the Mellon developers.

One last point is that you would want to make sure that the NAME_ID that is passed matches a Nagios contact.
pepe_carlos

Re: SAML authentication (mod_auth_mellon) continuation

Post by pepe_carlos »

OK, thanks.
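As an added example (not the original poster's configuration and not Nagios's own), here is how the two directives pointed to above, MellonUser and the REMOTE_USER mapping, fit together with a Mellon endpoint path that is kept separate from the protected Nagios content. It assumes the redirect loop comes from MellonEndpointPath /nagios and the AssertionConsumerService URL overlapping the Alias /nagios content path, which the thread does not confirm; the hostname, file paths and contact name are taken from the thread or are placeholders.

```apache
# Added example: mod_auth_mellon in front of the Nagios web UI (Apache 2.4
# access syntax; the thread's Order/Allow lines need mod_access_compat).
# Assumptions, not confirmed in the thread: the endpoint path must serve no
# other content, and the SP metadata's AssertionConsumerService Location must
# be <MellonEndpointPath>/postResponse.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
Alias       /nagios         "/usr/local/nagios/share"

<Directory "/usr/local/nagios/sbin">
    Options ExecCGI
    AllowOverride None
</Directory>

# One Location covers both the CGIs and the static share directory, so the
# same Mellon session (cookie) is used for all of /nagios.
<Location /nagios>
    AuthType Mellon
    MellonEnable "auth"

    # Dedicated endpoint path. Mellon then answers these URLs itself:
    #   https://nagios.testing/nagios/mellon/postResponse  (ACS, HTTP-POST)
    #   https://nagios.testing/nagios/mellon/logout        (SingleLogoutService)
    #   https://nagios.testing/nagios/mellon/metadata      (generated SP metadata)
    # The SP metadata file below must declare those two URLs, not plain /nagios,
    # otherwise the IdP posts the assertion to content Mellon never inspects
    # and the browser is sent back to the IdP again.
    MellonEndpointPath /nagios/mellon

    MellonSPMetadataFile   /etc/apache2/mellon/https_nagios.testing.xml
    MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
    MellonSPCertFile       /etc/ssl/certs/nagios_testing.pem
    MellonIdPMetadataFile  /etc/apache2/mellon/federationmetada.xml

    # The attribute whose value becomes the Apache user, which the Nagios CGIs
    # read as REMOTE_USER. Its value must equal a contact_name in the Nagios
    # object configuration (placeholder: a contact named "jsmith" would need
    # NAME_ID, or whichever attribute is chosen here, to be exactly "jsmith").
    MellonUser "NAME_ID"
    # Optional explicit export of the same value, as suggested in the thread.
    MellonSetEnvNoPrefix REMOTE_USER NAME_ID

    # Leave MellonSamlResponseDump off outside debugging: it writes the full
    # SAML response, including user attributes, to the Apache error log.
    MellonSamlResponseDump Off

    Require valid-user
</Location>
```

Nagios only authorizes what it can match, so with use_authentication=1 in cgi.cfg the value that arrives as REMOTE_USER still has to correspond to a defined contact, otherwise the user is authenticated by the IdP but sees nothing.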