SAML authentication (mod_auth_mellon) continuation
-
- Posts: 43
- Joined: Wed Aug 17, 2011 9:09 am
- Location: Madrid, Spain
SAML authentication (mod_auth_mellon) continuation
Hello again,
This post is a continuation of the post https://support.nagios.com/forum/viewto ... =7&t=54310, which is locked.
I have managed to configure mod_mellon to get MFA authentication on a simple page (not in Nagios), but when I try this configuration for the Nagios process it does not recognise the user. I need to understand how the Nagios process gets the user authentication once Apache validates it.
I think that the authentication through mod_mellon works by cookie validation and Nagios does not understand it. Can you help me?
Thanks
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: SAML authentication (mod_auth_mellon) continuation
Nagios isn't going to be able to read a cookie, but when you set it up, do you have some Apache configuration that you use on the page you set up authentication for?
-
- Posts: 43
- Joined: Wed Aug 17, 2011 9:09 am
- Location: Madrid, Spain
Re: SAML authentication (mod_auth_mellon) continuation
Hi, thanks for your reply.
The "standard" Apache configuration for Nagios works without problems:
Code:
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Nagios"
AuthBasicProvider file
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Nagios"
AuthBasicProvider file
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
The mod_auth_mellon configuration does not work:
Code:
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
MellonSamlResponseDump On
Require valid-user
</Directory>
Could you tell me if my configuration is wrong?
Thanks.
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: SAML authentication (mod_auth_mellon) continuation
As stated in the other thread, I'm not sure we are going to be very much help as we aren't familiar with Mellon, but Nagios isn't going to be able to read a cookie, and is going to need the authentication to somehow translate to a REMOTE_USER username, which is typically set with basic auth.
-
- Posts: 43
- Joined: Wed Aug 17, 2011 9:09 am
- Location: Madrid, Spain
Re: SAML authentication (mod_auth_mellon) continuation
Do you know another way to integrate Nagios with multi-factor authentication? (ADFS Azure)
Thanks.
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: SAML authentication (mod_auth_mellon) continuation
pepe_carlos wrote:
Do you know another way to integrate Nagios with multi-factor authentication? (ADFS Azure)
Thanks.
I do not, but I did do a little reading on Mellon and it appears you are missing what may be the key attribute that would be required by Nagios: setting the username from an attribute.
From their docs:
Code:
# MellonUser selects which attribute we should use for the username.
# The username is passed on to other apache modules and to the web
# page the user visits. NAME_ID is an attribute which we set to
# the id we get from the IdP.
# Note: If MellonUser refers to a multi-valued attribute, any single
# value from that attribute may be used. Do not rely on it selecting a
# specific value.
# Default: MellonUser "NAME_ID"
MellonUser "NAME_ID"
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: SAML authentication (mod_auth_mellon) continuation
Ohhhh, and this: REMOTE_USER is what I was stating earlier was required.
https://github.com/Uninett/mod_auth_mel ... emote_user
Code:
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
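The following is an added example, not configuration from this thread or from the Nagios or mod_auth_mellon projects. It pulls the two directives discussed in the replies above (MellonUser and MellonSetEnvNoPrefix REMOTE_USER) together into one Apache 2.4 fragment that fronts Nagios Core with mod_auth_mellon. The hostname nagios.example.test, the file paths and the /nagios/mellon endpoint path are assumptions. Two points worth checking against any such setup: the AssertionConsumerService URL in the SP metadata must be <MellonEndpointPath>/postResponse, because that is the URL at which mod_auth_mellon consumes the HTTP-POST binding, and a response posted anywhere else arrives as an ordinary unauthenticated request that is simply redirected back to the IdP; and the attribute named in MellonUser must carry exactly the contact_name Nagios expects, since the CGIs authorize on REMOTE_USER alone.

```apache
# Added example (not from the thread or from the Nagios/mod_auth_mellon
# projects): mod_auth_mellon in front of Nagios Core, handing the
# authenticated identity to the CGIs as REMOTE_USER. Hostname, file paths
# and the /nagios/mellon endpoint path are assumptions. Apache 2.4 syntax.

# ScriptAlias must precede the broader Alias so /nagios/cgi-bin wins.
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
Alias /nagios "/usr/local/nagios/share"

# One Service Provider for everything under /nagios (static pages and
# CGIs); the directives set here are inherited by both paths.
<Location /nagios>
    AuthType Mellon
    MellonEnable auth
    MellonVariable cookie

    # Endpoint path: a sub-path of the protected area, not the protected
    # area itself. mod_auth_mellon serves its own URLs below it, so the
    # SP metadata handed to the IdP must list
    #   AssertionConsumerService https://nagios.example.test/nagios/mellon/postResponse
    #   SingleLogoutService      https://nagios.example.test/nagios/mellon/logout
    MellonEndpointPath /nagios/mellon

    MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp-key.pem
    MellonSPCertFile       /etc/apache2/mellon/sp-cert.pem
    MellonIdPMetadataFile  /etc/apache2/mellon/idp-federationmetadata.xml

    # The assertion attribute that becomes the Apache user (r->user).
    # NAME_ID is right only if the IdP's NameID already equals the Nagios
    # contact_name. With ADFS you can instead issue a claim for, e.g., the
    # account name and put that attribute name here; ADFS names SAML
    # attributes by claim-type URI.
    MellonUser "NAME_ID"

    # Nagios CGIs read REMOTE_USER from the CGI environment. Apache exports
    # it from r->user once MellonUser is set; this line makes it explicit.
    MellonSetEnvNoPrefix REMOTE_USER "NAME_ID"

    # Session cookie gets the Secure and HttpOnly flags.
    MellonSecureCookie On

    # Keep Off outside debugging: On writes complete SAML responses
    # (NameID, attributes) into the Apache error log.
    MellonSamlResponseDump Off

    # Authenticated users only. Do not add "Require all granted" in this
    # container: under Apache 2.4's default RequireAny it would satisfy the
    # section on its own and bypass authentication.
    Require valid-user
</Location>

<Directory "/usr/local/nagios/sbin">
    Options ExecCGI
    AllowOverride None
</Directory>

<Directory "/usr/local/nagios/share">
    Options None
    AllowOverride None
</Directory>
```

Before trusting the mapping, fetch https://nagios.example.test/nagios/mellon/metadata (the metadata endpoint mod_auth_mellon serves under MellonEndpointPath) and confirm that the AssertionConsumerService URL it advertises is the one registered at the IdP, and that the value the IdP returns in the attribute named by MellonUser is exactly a contact_name from contacts.cfg.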
-
- Posts: 43
- Joined: Wed Aug 17, 2011 9:09 am
- Location: Madrid, Spain
Re: SAML authentication (mod_auth_mellon) continuation
Thank you for your reply, but it still does not work (sorry, but I have no idea how I must configure it).
I configured the following in Apache (nagios.conf):
Code:
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
MellonSamlResponseDump On
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
Require valid-user
</Directory>
and the Mellon configuration (/etc/apache2/mellon/https_nagios.testing.xml):
Code:
<EntityDescriptor entityID="https://nagios.testing" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDBTCCAe2gAwIBAgIJAM/IIk8m1dWfMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://nagios.testing/nagios/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nagios.testing/nagios" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
But it enters a continuous loop, as if Nagios does not validate and sends the validation back to the IdP again.
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: SAML authentication (mod_auth_mellon) continuation
At this point all I can suggest is that you reach out to the Mellon developers.
One last point: you would want to make sure that the NAME_ID that is passed matches a Nagios contact.
-
- Posts: 43
- Joined: Wed Aug 17, 2011 9:09 am
- Location: Madrid, Spain