settingsLogin | Registersettings

[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

0 votes

Today I discovered that we need to modify the HA proxy config to tell it
to rewrite redirects. Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse

Which should be https, not http.

I mimicked the lines in the horizon config so that the keystone section
looks like this:

listen keystonepublic
bind 10.0.0.4:13000 transparent ssl crt
/etc/pki/tls/private/overcloud
endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ sslfc }
rsprep ^Location:\ http://(.*) Location:\ https://\1
http-request set-header X-Forwarded-Proto https if { ssl
fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000
rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000
rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000
rise 2

And.. it seemed to work the first time, but not the second. Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted
while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make modauthmellon work when loaded into Apache, and
Apache is running behind HA proxy (Tripleo setup).

There is no SSL setup inside the Keystone server, it is just doing
straight HTTP. While I'd like to change this long term, I'd like to get
things working this way first, but am willing to make whatever changes
are needed to get SAML and Federation working soonest.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Aug 5, 2016 in openstack-dev by Adam_Young (19,940 points)   2 7 9
retagged Jan 26, 2017 by admin

8 Responses

0 votes

On 08/05/2016 04:52 PM, Adam Young wrote:
Today I discovered that we need to modify the HA proxy config to tell
it to rewrite redirects. Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse

Which should be https, not http.

I mimicked the lines in the horizon config so that the keystone
section looks like this:

listen keystonepublic
bind 10.0.0.4:13000 transparent ssl crt
/etc/pki/tls/private/overcloud
endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ sslfc }
rsprep ^Location:\ http://(.*) Location:\ https://\1
http-request set-header X-Forwarded-Proto https if { ssl
fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter
2000 rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter
2000 rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter
2000 rise 2

And.. it seemed to work the first time, but not the second. Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was
interrupted while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make modauthmellon work when loaded into Apache,
and Apache is running behind HA proxy (Tripleo setup).

There is no SSL setup inside the Keystone server, it is just doing
straight HTTP. While I'd like to change this long term, I'd like to
get things working this way first, but am willing to make whatever
changes are needed to get SAML and Federation working soonest.

Ah...just noticed the redirect is to :5000, not port :13000 which is the
HA Proxy port.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 5, 2016 by Adam_Young (19,940 points)   2 7 9
0 votes

On 08/05/2016 04:54 PM, Adam Young wrote:
On 08/05/2016 04:52 PM, Adam Young wrote:

Today I discovered that we need to modify the HA proxy config to tell
it to rewrite redirects. Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse

Which should be https, not http.

I mimicked the lines in the horizon config so that the keystone
section looks like this:

listen keystonepublic
bind 10.0.0.4:13000 transparent ssl crt
/etc/pki/tls/private/overcloud
endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{
sslfc }
rsprep ^Location:\ http://(.*) Location:\ https://\1
http-request set-header X-Forwarded-Proto https if { ssl
fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter
2000 rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter
2000 rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter
2000 rise 2

And.. it seemed to work the first time, but not the second. Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was
interrupted while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make modauthmellon work when loaded into Apache,
and Apache is running behind HA proxy (Tripleo setup).

There is no SSL setup inside the Keystone server, it is just doing
straight HTTP. While I'd like to change this long term, I'd like to
get things working this way first, but am willing to make whatever
changes are needed to get SAML and Federation working soonest.

Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.

OK, this is due to the SAML request:

 <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>

My guess is HA proxy is not passing on the proper, and the
modauthmellon does not know to rewrite it from 5000 to 13000


OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 5, 2016 by Adam_Young (19,940 points)   2 7 9
0 votes

rewriting is more expensive then getting the web server to return the right prefix. Is that an option? Usually its just a bug that needs a minor patch to fix.

Thanks,
Kevin


From: Adam Young [ayoung@redhat.com]
Sent: Friday, August 05, 2016 3:06 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

On 08/05/2016 04:54 PM, Adam Young wrote:
On 08/05/2016 04:52 PM, Adam Young wrote:
Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse

Which should be https, not http.

I mimicked the lines in the horizon config so that the keystone section looks like this:

listen keystonepublic
bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud
endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ sslfc }
rsprep ^Location:\ http://(.*)<UrlBlockedError.aspx Location:\ https://\1
http-request set-header X-Forwarded-Proto https if { ssl
fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2

And.. it seemed to work the first time, but not the second. Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make modauthmellon work when loaded into Apache, and Apache is running behind HA proxy (Tripleo setup).

There is no SSL setup inside the Keystone server, it is just doing straight HTTP. While I'd like to change this long term, I'd like to get things working this way first, but am willing to make whatever changes are needed to get SAML and Federation working soonest.

Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port.

OK, this is due to the SAML request:

                Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
                ForceAuthn="false"
                IsPassive="false"
                AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"<https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse>
                >
<saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>

My guess is HA proxy is not passing on the proper, and the modauthmellon does not know to rewrite it from 5000 to 13000


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 5, 2016 by Fox,_Kevin_M (29,360 points)   1 3 4
0 votes

On 08/05/2016 06:40 PM, Fox, Kevin M wrote:

From: Adam Young [ayoung@redhat.com]
Sent: Friday, August 05, 2016 3:06 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][tripleo] Federation,
mod_mellon, and HA Proxy

On 08/05/2016 04:54 PM, Adam Young wrote:

On 08/05/2016 04:52 PM, Adam Young wrote:

Today I discovered that we need to modify the HA proxy config to
tell it to rewrite redirects. Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse

Which should be https, not http.

I mimicked the lines in the horizon config so that the keystone
section looks like this:

listen keystonepublic
bind 10.0.0.4:13000 transparent ssl crt
/etc/pki/tls/private/overcloud
endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{
sslfc }
rsprep ^Location:\ http://(.*) Location:\ https://\1
http-request set-header X-Forwarded-Proto https if { ssl
fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter
2000 rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter
2000 rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter
2000 rise 2

And.. it seemed to work the first time, but not the second. Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was
interrupted while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make modauthmellon work when loaded into Apache,
and Apache is running behind HA proxy (Tripleo setup).

There is no SSL setup inside the Keystone server, it is just doing
straight HTTP. While I'd like to change this long term, I'd like to
get things working this way first, but am willing to make whatever
changes are needed to get SAML and Federation working soonest.

Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.

OK, this is due to the SAML request:


https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata

My guess is HA proxy is not passing on the proper, and the
modauthmellon does not know to rewrite it from 5000 to 13000

"rewriting is more expensive then getting the web server to return the
right prefix. Is that an option? Usually its just a bug that needs a
minor patch to fix.

Thanks,
Kevin"

Well, I think in this case, the expense is not something to worry
about: SAML is way more chatty than normal traffic, and the rewrite
won't be a drop a in the bucket.

I think the right thing to do is to get HA proxy top pass on the correct
URL, including the port, to the backend, but I don't think it is done in
the rsprep directive. As John Dennis pointed out to me, the
modauthmellon code uses the apache apconstructurl(r->pool,
cfg->endpoint_path, r) where r is the current request record. And that
has to be passed from HA proxy to Apache.

HA proxy is terminating SSL, and then calling Apache via

server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2
and two others. Everything appears to be properly translated except the
port.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 6, 2016 by Adam_Young (19,940 points)   2 7 9
0 votes

Adam, that should be fixed by https://review.openstack.org/#/c/341354/
which merged not too many days ago. Before that commit we had another
configuration which was already deprecated in keystone upstream.

On 6 Aug 2016 05:04, "Adam Young" ayoung@redhat.com wrote:

On 08/05/2016 06:40 PM, Fox, Kevin M wrote:


From: Adam Young [ayoung@redhat.com]
Sent: Friday, August 05, 2016 3:06 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][tripleo] Federation,
mod_mellon, and HA Proxy

On 08/05/2016 04:54 PM, Adam Young wrote:

On 08/05/2016 04:52 PM, Adam Young wrote:

Today I discovered that we need to modify the HA proxy config to tell it
to rewrite redirects. Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse

Which should be https, not http.

I mimicked the lines in the horizon config so that the keystone section
looks like this:

listen keystonepublic
bind 10.0.0.4:13000 transparent ssl crt
/etc/pki/tls/private/overcloud
endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ sslfc }
rsprep ^Location:\ http://(.*) Location:\
https://\1
http-request set-header X-Forwarded-Proto https if { ssl
fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000
rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000
rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000
rise 2

And.. it seemed to work the first time, but not the second. Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted
while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make modauthmellon work when loaded into Apache, and
Apache is running behind HA proxy (Tripleo setup).

There is no SSL setup inside the Keystone server, it is just doing
straight HTTP. While I'd like to change this long term, I'd like to get
things working this way first, but am willing to make whatever changes are
needed to get SAML and Federation working soonest.

Ah...just noticed the redirect is to :5000, not port :13000 which is the
HA Proxy port.

OK, this is due to the SAML request:


Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
ForceAuthn="false"
IsPassive="false"
AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse" https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse
>
https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata

My guess is HA proxy is not passing on the proper, and the modauthmellon
does not know to rewrite it from 5000 to 13000

"rewriting is more expensive then getting the web server to return the
right prefix. Is that an option? Usually its just a bug that needs a minor
patch to fix.

Thanks,
Kevin"

Well, I think in this case, the expense is not something to worry about:
SAML is way more chatty than normal traffic, and the rewrite won't be a
drop a in the bucket.

I think the right thing to do is to get HA proxy top pass on the correct
URL, including the port, to the backend, but I don't think it is done in
the rsprep directive. As John Dennis pointed out to me, the
modauthmellon code uses the apache apconstructurl(r->pool,
cfg->endpoint_path, r) where r is the current request record. And that has
to be passed from HA proxy to Apache.

HA proxy is terminating SSL, and then calling Apache via

server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000
rise 2
and two others. Everything appears to be properly translated except the
port.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribehttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 6, 2016 by Juan_Antonio_Osorio (2,900 points)   1 2
0 votes

On 08/05/2016 06:06 PM, Adam Young wrote:

Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.

OK, this is due to the SAML request:


https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata

My guess is HA proxy is not passing on the proper, and the
modauthmellon does not know to rewrite it from 5000 to 13000

You can't change the contents of a SAML AuthnRequest, often they are
signed. Also, the AssertionConsumerServiceURL's and other URL's in SAML
messages are validated to assure they match the metadata associated with
EntityID (issuer). The addresses used inbound and outbound have to be
correctly handled by the proxy configuration without modifying the
content of the message being passed on the transport.

--
John


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 6, 2016 by John_Dennis (1,880 points)   1 3
0 votes

On 08/06/2016 08:44 AM, John Dennis wrote:
On 08/05/2016 06:06 PM, Adam Young wrote:

Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.

OK, this is due to the SAML request:


https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata

My guess is HA proxy is not passing on the proper, and the
modauthmellon does not know to rewrite it from 5000 to 13000

You can't change the contents of a SAML AuthnRequest, often they are
signed. Also, the AssertionConsumerServiceURL's and other URL's in
SAML messages are validated to assure they match the metadata
associated with EntityID (issuer). The addresses used inbound and
outbound have to be correctly handled by the proxy configuration
without modifying the content of the message being passed on the
transport.

Got a a little further by twerking HA proxy settings. Added in

redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
rsprep ^Location:\ http://(.*) Location:\ https://\1

whicxh tells HA proxy to translate Location headers (used in redirects)
from http to https.

As of now, it looks good up until the response comes back from the IdP
and mod mellon rejects it. I think this is due to Mellon issuing a
request for http://: but it gets translated through the
proxy as https://:.

modauthmellon is failing the following check in authmellonhandler.c

url = amreconstructurl(r);

...

if (response->parent.Destination) {

     if (strcmp(response->parent.Destination, url)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                       "Invalid Destination on Response. Should be: 

%s",
url);
lassologindestroy(login);
return HTTPBADREQUEST;
}
}

It does not spit out the parent.Destination value, but considering I am
seeing http and not https in the error message, I assume that at least
the protocol does not match. Full error message at the bottom.

Assuming the problem is just that the URL is http and not https, I have
an approach that should work. I need to test it out, but want to record
it here, and also get feedback:

I can clone the current 10-keystonewsgimain.conf which listens for
straight http on port 5000. If I make a file
11-keystonewsgimain.conf that listens on port 13000 (not on the
external VIP) but that enables SSL, I should be able to make HA proxy
talk to that port and re-encrypt traffic, maintaining the 'https://'
protocol.

However, I am not certain that Destination means the SP URL. It seems
like it should mean the IdP. Further on in authmellonhandler.c

destinationurl = lassoprovidergetmetadataone(
provider, "SingleSignOnService HTTP-Redirect");
if (destination
url == NULL) {
/* HTTP-Redirect unsupported - try HTTP-POST. */
http_method = LASSO_HTTP_METHOD_POST;
destination_url = lasso_provider_get_metadata_one(
provider, "SingleSignOnService HTTP-POST");
}

Looking in the metadata, it seems that this value should be:

So maybe something has rewritten the value used as the url ?

Here is the full error message

Invalid Destination on Response. Should be:
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse,
referer:
https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml?SAMLRequest=nZJba%2BMwEEb%2FitG7I%2BXi1Igk4OYCge5S0m4f%2BlKEM2lFLcmrGWc3%2F35HDu22D22hIDCMZ%2FTpHGmGxjWtrjp68jv43QFS9tc1HnX%2FYy666HUwaFF74wA11fqm%2BnGlRwOl2xgo1KERb0Y%2BnzCIEMkGL7Ltai4e1LoYq%2FFoXapJWU2GhSouN5vhelpNyqIcX2xEdgcRuX8ueJyHEDvYeiTjiUtqOM1VmavprRppXkVxL7IVM1hvqJ96ImpRS2n34MnSaWBOofOP%2BR6aJqfhhVID4n5pWICMYBqHMrSQEupn%2BQIoE5nIlsEjpODPEOtzk667GPmbW9c2trYksk2INfSm5%2BJgGoTEc81K7BFeK9WLoRTWOYg3EI%2B2hl%2B7q%2F80ryf8AEcXSil5HEvH9eBlG5B2gG06mljMEo3uVcbFd7d0QGZvyMzk291m5%2Bf0k61sV9eBwU8J25kvpKWK3eeHvlVTNB4ty2MdHPZnyRdDrIhiB0IuzpHvH%2B3iHw%3D%3D&RelayState=http%3A%2F%2Fopenstack.ayoung-dell-t1700.test%3A5000%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Fopenstack.ayoung-dell-t1700.test%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=oJzAwE7ma3m0gZtO%2FvPQKCnk18u4OsjKcRQ3wiDu7txUGiPr4Cc9XIzKIGwzSGPSaWi8j1qbN76XwdNICOk!

HI5RsTdeS2Yeufw5Q5Ahol5cJHGEQOKa84iMzxkW9OtWgoYZnnXH3n2SCZkhLebabvJ72wfxskZ9iJ9JlVogHO8V%2BXUZ891sX1Rpm3UKHEn1fpW7tlGkJsWmnQoa3H8n%2Fr5%2BdiZR1g8iDTZVQs7A4wUEA0Ph%2FayS6MnSF%2BrSCRfgcqXGReKbIM6RxTznbV%2BO2U%2FXfuf%2FXT5x5h9accEv2Dsy8jej0uWEPJLGB3NfKUuwQmZCU5UkR%2BIqVHboUK6K8lg%3D%3D


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 8, 2016 by Adam_Young (19,940 points)   2 7 9
0 votes

On 08/07/2016 11:16 PM, Adam Young wrote:
On 08/06/2016 08:44 AM, John Dennis wrote:

On 08/05/2016 06:06 PM, Adam Young wrote:

Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.

OK, this is due to the SAML request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_5089011BEBD0F6B82074F67E904F598D"
Version="2.0"
IssueInstant="2016-08-05T21:55:18Z"

Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"

Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
ForceAuthn="false"
IsPassive="false"

AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"
>

https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata

My guess is HA proxy is not passing on the proper, and the
modauthmellon does not know to rewrite it from 5000 to 13000

You can't change the contents of a SAML AuthnRequest, often they are
signed. Also, the AssertionConsumerServiceURL's and other URL's in
SAML messages are validated to assure they match the metadata
associated with EntityID (issuer). The addresses used inbound and
outbound have to be correctly handled by the proxy configuration
without modifying the content of the message being passed on the
transport.

Got a a little further by twerking HA proxy settings. Added in

redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
rsprep ^Location:\ http://(.*) Location:\ https://\1

whicxh tells HA proxy to translate Location headers (used in redirects)
from http to https.

As of now, it looks good up until the response comes back from the IdP
and mod mellon rejects it. I think this is due to Mellon issuing a
request for http://: but it gets translated through the
proxy as https://:.

modauthmellon is failing the following check in authmellonhandler.c

url = amreconstructurl(r);

...

if (response->parent.Destination) {

    if (strcmp(response->parent.Destination, url)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "Invalid Destination on Response. Should be: %s",
                      url);
        lasso_login_destroy(login);
        return HTTP_BAD_REQUEST;
    }
}

It does not spit out the parent.Destination value, but considering I am
seeing http and not https in the error message, I assume that at least
the protocol does not match. Full error message at the bottom.

Assuming the problem is just that the URL is http and not https, I
have an approach that should work. I need to test it out, but want to
record it here, and also get feedback:

I can clone the current 10-keystonewsgimain.conf which listens for
straight http on port 5000. If I make a file
11-keystonewsgimain.conf that listens on port 13000 (not on the
external VIP) but that enables SSL, I should be able to make HA proxy
talk to that port and re-encrypt traffic, maintaining the 'https://'
protocol.

However, I am not certain that Destination means the SP URL. It seems
like it should mean the IdP. Further on in authmellonhandler.c

destinationurl = lassoprovidergetmetadataone(
provider, "SingleSignOnService HTTP-Redirect");
if (destination
url == NULL) {
/* HTTP-Redirect unsupported - try HTTP-POST. */
http_method = LASSO_HTTP_METHOD_POST;
destination_url = lasso_provider_get_metadata_one(
provider, "SingleSignOnService HTTP-POST");
}

Looking in the metadata, it seems that this value should be:

So maybe something has rewritten the value used as the url ?

Here is the full error message

Invalid Destination on Response. Should be:
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse,
referer:
https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml?SAMLRequest=nZJba%2BMwEEb%2FitG7I%2BXi1Igk4OYCge5S0m4f%2BlKEM2lFLcmrGWc3%2F35HDu22D22hIDCMZ%2FTpHGmGxjWtrjp68jv43QFS9tc1HnX%2FYy666HUwaFF74wA11fqm%2BnGlRwOl2xgo1KERb0Y%2BnzCIEMkGL7Ltai4e1LoYq%2FFoXapJWU2GhSouN5vhelpNyqIcX2xEdgcRuX8ueJyHEDvYeiTjiUtqOM1VmavprRppXkVxL7IVM1hvqJ96ImpRS2n34MnSaWBOofOP%2BR6aJqfhhVID4n5pWICMYBqHMrSQEupn%2BQIoE5nIlsEjpODPEOtzk667GPmbW9c2trYksk2INfSm5%2BJgGoTEc81K7BFeK9WLoRTWOYg3EI%2B2hl%2B7q%2F80ryf8AEcXSil5HEvH9eBlG5B2gG06mljMEo3uVcbFd7d0QGZvyMzk291m5%2Bf0k61sV9eBwU8J25kvpKWK3eeHvlVTNB4ty2MdHPZnyRdDrIhiB0IuzpHvH%2B3iHw%3D%3D&RelayState=http%3A%2F%2Fopenstack.ayoung-dell-t1700.test%3A5000%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Fopenstack.ayoung-dell-t1700.test%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=oJzAwE7ma3m0gZtO%2FvPQKCnk18u4OsjKcRQ3wiDu7txUGiPr4Cc9XIzKIGwzSGPSaWi8j1qbN76XwdNICOk!

HI5RsTdeS2Yeufw5Q5Ahol5cJHGEQOKa84iMzxkW9OtWgoYZnnXH3n2SCZkhLebabvJ72wfxskZ9iJ9JlVogHO8V%2BXUZ891sX1Rpm3UKHEn1fpW7tlGkJsWmnQoa3H8n%2Fr5%2BdiZR1g8iDTZVQs7A4wUEA0Ph%2FayS6MnSF%2BrSCRfgcqXGReKbIM6RxTznbV%2BO2U%2FXfuf%2FXT5x5h9accEv2Dsy8jej0uWEPJLGB3NfKUuwQmZCU5UkR%2BIqVHboUK6K8lg%3D%3D

The Destination attribute in the root SAML XML message is a security
check to assure only the intended recipient processes the message. It's
only meaningful (and required) when the message is signed (as it should
be). Destination attributes occur in both message directions, e.g.
requests and responses.

First of all recall that both the SP and IdP know about each other
because they've exchanged metadata. Inside that metadata are URL's which
are valid endpoints for specific messages.

When one side of the pair (SP, IdP) wants to send a message they lookup
the appropriate URL in the metadata. That URL is set as the Destination
attribute in the message. The receiver of the message is required to
verify the endpoint the message was received on matches the Destination
attribute, in other words it is the intended recipient. If they do not
match the message must be discarded.

It's a shame Mellon does not log the Destination and the endpoint it was
received on, that's something I can fix.

In lieu of that I would look at the SP metadata and see what the
Location attribute is for the AssertionConsumerService using the
HTTP-POST binding because that is what the IdP should be setting as the
Destination attribute. The URL the SP (Mellon) received the message on
should be logged in the access log, this is what Mellon is comparing to
the Destination. I suspect something in the proxy configuration is
modifying the URL of the Idp -> SP message.

--
John


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Aug 8, 2016 by John_Dennis (1,880 points)   1 3
...