SAML authentication (mod_auth_mellon) continuation
Posted: Tue Sep 03, 2019 6:55 am
by pepe_carlos
Hello again,
This post is a continuation of the post
https://support.nagios.com/forum/viewto ... =7&t=54310, which is locked.
I have managed to configure mod_mellon to get MFA authentication on a simple page (not in nagios), but when I try this configuration for the nagios process it does not recognise the user. I need to understand how the nagios process gets the user authentication once apache validates it.
I think that the authentication through mod mellon works by cookie validation and nagios does not understand it. Can you help me?
Thanks
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Tue Sep 03, 2019 5:00 pm
by scottwilkerson
Nagios isn't going to be able to read a cookie, but when you set it up do you have some apache configuration that you use on the page you setup authentication for?
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Wed Sep 04, 2019 1:55 am
by pepe_carlos
Hi, thanks for your reply.
The "standard" apache configuration for nagios works without problems:
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Nagios"
AuthBasicProvider file
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Nagios"
AuthBasicProvider file
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
The mod_auth_mellon configuration does not work:
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
MellonSamlResponseDump On
Require valid-user
</Directory>
Could you tell me if my configuration is wrong?
Thanks.
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Wed Sep 04, 2019 6:33 am
by scottwilkerson
As stated in the other thread, I'm not sure we are going to be very much help as we aren't familiar with Mellon, but Nagios isn't going to be able to read a cookie, and is going to need the authentication to somehow translate to a REMOTE_USER username, which is typically set with basic auth.
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Wed Sep 04, 2019 7:14 am
by pepe_carlos
Do you know another way to integrate nagios with multi factor authentication? (ADFS Azure)
Thanks.
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Wed Sep 04, 2019 7:40 am
by scottwilkerson
pepe_carlos wrote: Do you know another way to integrate nagios with multi factor authentication? (ADFS Azure)
Thanks.
I do not, but I did do a little reading on Mellon and it appears you are missing what may be the key attribute that would be required by Nagios: setting the username from an attribute.
From their docs:
# MellonUser selects which attribute we should use for the username.
# The username is passed on to other apache modules and to the web
# page the user visits. NAME_ID is an attribute which we set to
# the id we get from the IdP.
# Note: If MellonUser refers to a multi-valued attribute, any single
# value from that attribute may be used. Do not rely on it selecting a
# specific value.
# Default: MellonUser "NAME_ID"
MellonUser "NAME_ID"
It would appear you would need to add this directive, replacing
NAME_ID with the field that would correspond to the nagios contact name.
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Wed Sep 04, 2019 7:43 am
by scottwilkerson
Ohhhh, and this:
REMOTE_USER is what I was stating earlier was required.
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
https://github.com/Uninett/mod_auth_mel ... emote_user
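As an added example (not from this thread and not from the mod_auth_mellon project), here is one way the two directives from this and the previous reply fit into the poster's nagios.conf. The file paths and metadata file names are the ones the poster uses; the endpoint path /nagios/mellon, the Apache 2.4 syntax (no Order/Allow lines) and the single <Location> block are assumptions:

```apache
# Added example, not the thread's own configuration.
# Apache 2.4 fragment protecting the Nagios CGIs and the share with mod_auth_mellon.
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
Alias /nagios "/usr/local/nagios/share"

# One block for both URL trees so the two copies cannot drift apart.
<Location /nagios>
    AuthType Mellon
    MellonEnable auth
    # Dedicated sub-path for the module's own endpoints (login, logout,
    # metadata, postResponse). It must sit inside a Mellon-enabled location
    # and must not be the same path as the content it protects (assumption:
    # /nagios/mellon rather than the thread's /nagios).
    MellonEndpointPath /nagios/mellon
    MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
    MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
    MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
    MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
    MellonIdPCAFile /etc/apache2/mellon/testing.cer
    # The attribute whose value becomes the Apache request user, which mod_cgi
    # hands to the Nagios CGIs as REMOTE_USER. Its value must equal a
    # contact_name in the Nagios object configuration. "NAME_ID" is the
    # module default; use the IdP attribute that carries the short account
    # name instead if the NameID is, for example, an e-mail address.
    MellonUser "NAME_ID"
    # Optional, as suggested in the thread: also export the value as a plain
    # environment variable without the MELLON_ prefix.
    MellonSetEnvNoPrefix REMOTE_USER NAME_ID
    # Leave this off outside troubleshooting: it writes the full assertion,
    # attributes included, to the error log.
    # MellonSamlResponseDump On
    Require valid-user
</Location>

<Directory "/usr/local/nagios/sbin">
    Options ExecCGI
    AllowOverride None
</Directory>

<Directory "/usr/local/nagios/share">
    Options None
    AllowOverride None
</Directory>
```

MellonUser is the directive that decides what Nagios sees: its value becomes the request user, which reaches the Nagios CGIs as REMOTE_USER, so it has to match a contact_name in the Nagios object files. Moving the endpoints to /nagios/mellon means the SP metadata has to advertise https://nagios.testing/nagios/mellon/postResponse as the AssertionConsumerService and https://nagios.testing/nagios/mellon/logout for single logout (mellon_create_metadata.sh from the project generates such a file), and the IdP has to be given the updated metadata. An IdP that posts the assertion to a URL the module does not treat as its postResponse endpoint is one common cause of a login redirect loop, because the POST lands on protected content, no session exists, and the module sends the browser back to the IdP.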
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Thu Sep 05, 2019 2:58 am
by pepe_carlos
Thank you for your reply, but it still does not work (sorry, but I have no idea how I must configure it).
I put the following configuration in apache (nagios.conf):
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthType "Mellon"
MellonEndpointPath /nagios
MellonVariable "cookie"
MellonEnable "auth"
MellonSPMetadataFile /etc/apache2/mellon/https_nagios.testing.xml
MellonIdPCAFile /etc/apache2/mellon/testing.cer
MellonSPPrivateKeyFile /etc/ssl/private/nagios_key.pem
MellonSPCertFile /etc/ssl/certs/nagios_testing.pem
MellonIdPMetadataFile /etc/apache2/mellon/federationmetada.xml
MellonSamlResponseDump On
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
Require valid-user
</Directory>
and the mellon configuration (/etc/apache2/mellon/https_nagios.testing.xml):
<EntityDescriptor entityID="https://nagios.testing" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDBTCCAe2gAwIBAgIJAM/IIk8m1dWfMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://nagios.testing/nagios/logout"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nagios.testing/nagios" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
But it enters a continuous loop, as if nagios did not validate it and sent the validation back to the IdP again.
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Thu Sep 05, 2019 8:31 am
by scottwilkerson
At this point all I can suggest is that you reach out to the Mellon developers.
One last point is that you would want to make sure that the NAME_ID that is passed matches a Nagios contact.
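The check behind this reply, and the earlier question of how the Nagios CGIs learn the username once Apache has authenticated the request, as an added example that is not part of the thread: a small Python diagnostic that reads the identities out of a SAML response of the kind MellonSamlResponseDump writes to the error log, compares each against the contact_name entries and authorized_for_* lists, and models how the CGIs pick their user from REMOTE_USER with cgi.cfg's default_user_name as fallback. All three inputs (contacts.cfg fragment, cgi.cfg fragment, SAML response) are constructed here; the ADFS claim name is assumed.

```python
import os
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs (not taken from the thread) -----------------

# Fragment of a Nagios contacts.cfg with two contacts.
CONTACTS_CFG = """
define contact {
    contact_name    nagiosadmin
    alias           Nagios Admin
}
define contact {
    contact_name    jdoe
    alias           Jane Doe
}
"""

# Authentication and authorization lines of a Nagios cgi.cfg.
CGI_CFG = """
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_all_services=nagiosadmin,jdoe
authorized_for_all_hosts=nagiosadmin,jdoe
"""

# Minimal SAML response shaped like a MellonSamlResponseDump entry. Signature,
# conditions and most elements are omitted: this reads a dump, it validates nothing.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_contacts(cfg_text):
    """Set of contact_name values defined in Nagios object configuration."""
    return set(re.findall(r"^\s*contact_name\s+(\S+)", cfg_text, re.MULTILINE))


def parse_cgi_cfg(cfg_text):
    """key=value pairs from cgi.cfg; comments and blank lines are skipped."""
    cfg = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def nagios_cgi_user(environ, cgi_cfg):
    """Username the Nagios CGIs act as: REMOTE_USER from the web server when
    use_authentication=1, else cgi.cfg's default_user_name, else None."""
    if cgi_cfg.get("use_authentication", "1") != "1":
        return None  # authentication disabled in cgi.cfg; not modelled here
    return environ.get("REMOTE_USER") or cgi_cfg.get("default_user_name") or None


def check_user(user, contacts, cgi_cfg):
    """Does a candidate REMOTE_USER value name a contact, and which
    authorized_for_* lists in cgi.cfg mention it?"""
    authorized = sorted(
        key for key, value in cgi_cfg.items()
        if key.startswith("authorized_for_")
        and user in {n.strip() for n in value.split(",")}
    )
    return {"user": user, "is_contact": user in contacts, "authorized_for": authorized}


def saml_identities(xml_text):
    """(NameID, {attribute name: [values]}) read from a dumped SAML response."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id, attrs


def report(xml_text, contacts_cfg, cgi_cfg_text):
    """For each identity the IdP sent (NAME_ID and every attribute), say
    whether MellonUser could use it as the Nagios username."""
    contacts = parse_contacts(contacts_cfg)
    cgi_cfg = parse_cgi_cfg(cgi_cfg_text)
    name_id, attrs = saml_identities(xml_text)
    candidates = {"NAME_ID": name_id}
    candidates.update({name: values[0] for name, values in attrs.items() if values})
    return {src: check_user(value, contacts, cgi_cfg) for src, value in candidates.items()}


if __name__ == "__main__":
    for source, result in report(SAML_RESPONSE, CONTACTS_CFG, CGI_CFG).items():
        verdict = "usable as MellonUser" if result["is_contact"] else "no such Nagios contact"
        print(f"{source}: {result['user']!r} -> {verdict}; {result['authorized_for']}")
    print("Nagios CGI user from this environment:",
          nagios_cgi_user(os.environ, parse_cgi_cfg(CGI_CFG)))
```

On the constructed input the e-mail-format NameID matches no contact while the name claim does, which is exactly the situation where MellonUser has to point at the claim rather than at NAME_ID. Run against a real dump, contacts file and cgi.cfg, the report tells you which attribute to put in MellonUser before touching the IdP side.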
Re: SAML authentication (mod_auth_mellon) continuation
Posted: Fri Sep 06, 2019 7:25 am
by pepe_carlos
OK, thanks.