Shibboleth/SAML Authentication


Geoff Webster

Apr 3, 2015, 2:49:57 PM
to rundeck...@googlegroups.com
Has anyone set up Rundeck to use Shibboleth/SAML for authentication of users?

We have a server setup with Apache acting as a reverse SSL proxy for rundeck (Web <HTTPS> apache <HTTP> Rundeck) currently and have shibboleth set up inside Apache. We have it configured so that any apache apps or websites (Zabbix mainly) are protected by Shibboleth but we are unsure how to pass the login information from Shibboleth into the rundeck jetty container to JAAS. 


danifr

Apr 7, 2015, 3:47:07 AM
to rundeck...@googlegroups.com
Hi,

I'm also interested in this.
Cheers,
Daniel.

danifr

Apr 15, 2015, 9:14:25 AM
to rundeck...@googlegroups.com
Alex, Greg,

any comments on this?
Thanks!

Greg Schueler

Apr 16, 2015, 12:57:12 PM
to rundeck...@googlegroups.com
Hi Daniel,
I’m not familiar with Shibboleth/SAML.  In the upcoming Rundeck 2.5.0 we have a “pre authenticated” configuration, allowing your proxy (e.g. apache) to tell the container Rundeck is running in (such as Tomcat) the user name and user roles.  See https://github.com/rundeck/rundeck/blob/development/docs/en/administration/09-authentication.md#preauthenticated-mode

This was added primarily for Apache/Tomcat, so I’m unsure if or how it would work with Jetty.  

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Geoff Webster

May 7, 2015, 4:45:05 PM
to rundeck...@googlegroups.com
Hi Greg, 

So we have been trying to get this PreAuthenticated mode working with the Jetty container but we have been getting this error when we go to the url:

getAuthContextForSubject: Cannot get AuthContext without subject

Any idea which part we broke that would cause this? We have the 3 preauthenticated lines added and we removed the JAAS-loginmodule.conf file from the profile launcher. Would anyone know if this would indicate an issue with our Rundeck configuration or with our Apache config and how it is passing the attributes?

Greg Schueler

May 7, 2015, 4:55:44 PM
to rundeck...@googlegroups.com
Hi Geoff,

that error occurs if a page on Rundeck is accessed without the necessary authorization data to construct a valid “subject”, which is used to test ACL policy access levels.

Normally the container (jetty/tomcat) sets up the authorization role info after authentication, e.g. via JAAS or Tomcat’s realm, and before Rundeck loads a protected page.  Using the “preauthenticated” mode necessarily disables the container auth protection, which would cause a rundeck page to load without getting that info from the container.  The way it is meant to work is that Apache sits as a proxy, and includes the authorization information in each request proxied forward to Rundeck.  

So however you set up the proxy, it is not sending user authorization data to Rundeck in the way Rundeck expects.  The result is Rundeck is failing to properly set up the “subject” it needs for acl checks.  Using Apache/Tomcat, mod_proxy in Apache can set “environment” data to send to Tomcat, which is exposed to webapps as request “attributes”.  The preauthenticated/preauthorized mode for Rundeck expects the role information in the request attributes.

How did you set up the proxy, and how are you passing authorization (role) data to Rundeck?

Geoff Webster

May 7, 2015, 5:25:38 PM
to rundeck...@googlegroups.com
We have set up Apache with mod_proxy.

We have this set in rundeck-config.properties

rundeck.security.authorization.preauthenticated.enabled=true
rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS
rundeck.security.authorization.preauthenticated.delimiter=:

And then our apache conf is setting:

ShibUseHeaders On
SetEnv REMOTE_USER_GROUPS "labsvcs-rundeck"

Here labsvcs-rundeck is the group in my web.xml file (instead of users), and it is also what is defined for my admin.aclpolicy.

Shibboleth is passing headers around as we have other apps using them on the server, however I am not sure what the attribute is called that it is passing (trying to figure that out). I am guessing that the attribute that Rundeck is expecting for the username is not what is being provided. Does that attribute that rundeck is expecting for the username need to be named REMOTE_USER?
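The following is an added example, not Rundeck's code, that models what Greg describes above: the "subject" used for ACL checks is built from the container-level principal (REMOTE_USER) plus the role attribute named in the three rundeck-config.properties lines, split on the configured delimiter. Plain HTTP headers are deliberately not consulted, so a value that only ever reaches the backend as a header (as in the SetEnv configuration above, when nothing carries it into the container as a request attribute) produces the "Cannot get AuthContext without subject" failure. The names Request, Subject, build_subject and strip_untrusted_headers are hypothetical, and the sample requests are constructed; the last function is the proxy-side check a practitioner would add to any header-based variant of this scheme, so that a client cannot supply its own role header.

```python
"""Model of preauthenticated-mode subject construction (added example, not Rundeck's code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Mirrors the three rundeck-config.properties lines quoted in the thread.
PREAUTH_CONFIG = {
    "rundeck.security.authorization.preauthenticated.enabled": "true",
    "rundeck.security.authorization.preauthenticated.attributeName": "REMOTE_USER_GROUPS",
    "rundeck.security.authorization.preauthenticated.delimiter": ":",
}


class NoSubjectError(Exception):
    """Raised when a request lacks the data needed to build a subject."""


@dataclass
class Request:
    """Hypothetical view of a proxied request as the servlet container sees it."""
    remote_user: Optional[str] = None                          # container principal (CGI REMOTE_USER)
    attributes: Dict[str, str] = field(default_factory=dict)   # container request attributes
    headers: Dict[str, str] = field(default_factory=dict)      # plain HTTP headers (not trusted here)


@dataclass(frozen=True)
class Subject:
    username: str
    roles: FrozenSet[str]


def parse_roles(raw: str, delimiter: str) -> FrozenSet[str]:
    """Split the delimited role string, dropping empty entries and surrounding whitespace."""
    return frozenset(part.strip() for part in raw.split(delimiter) if part.strip())


def build_subject(request: Request, config: Dict[str, str] = PREAUTH_CONFIG) -> Subject:
    """Build the subject from container-level data only; HTTP headers are ignored on purpose."""
    if config["rundeck.security.authorization.preauthenticated.enabled"] != "true":
        raise NoSubjectError("preauthenticated mode is disabled")
    if not request.remote_user:
        raise NoSubjectError("no REMOTE_USER principal on the request")
    attr_name = config["rundeck.security.authorization.preauthenticated.attributeName"]
    raw = request.attributes.get(attr_name)
    if raw is None:
        raise NoSubjectError(f"request attribute {attr_name!r} missing")
    roles = parse_roles(raw, config["rundeck.security.authorization.preauthenticated.delimiter"])
    if not roles:
        raise NoSubjectError(f"request attribute {attr_name!r} contains no roles")
    return Subject(request.remote_user, roles)


def auth_context_or_error(request: Request) -> str:
    """Return a description of the subject, or the failure reported in the thread."""
    try:
        subject = build_subject(request)
    except NoSubjectError as exc:
        return f"getAuthContextForSubject: Cannot get AuthContext without subject ({exc})"
    return f"subject user={subject.username} roles={sorted(subject.roles)}"


def strip_untrusted_headers(client_headers: Dict[str, str], reserved: FrozenSet[str]) -> Dict[str, str]:
    """Proxy-side check: drop any client-supplied header whose name the proxy reserves for
    identity data, so a header-based variant of this scheme cannot be forged from outside."""
    return {name: value for name, value in client_headers.items() if name.upper() not in reserved}


if __name__ == "__main__":
    # Constructed requests: one where the role data reached the container as an attribute,
    # one where it only exists as an HTTP header and no principal was set.
    delivered = Request(remote_user="gwebster",
                        attributes={"REMOTE_USER_GROUPS": "labsvcs-rundeck:user"})
    header_only = Request(headers={"REMOTE_USER_GROUPS": "labsvcs-rundeck"})
    print(auth_context_or_error(delivered))
    print(auth_context_or_error(header_only))
    print(strip_untrusted_headers({"Host": "rundeck.example", "REMOTE_USER_GROUPS": "admin"},
                                  frozenset({"REMOTE_USER", "REMOTE_USER_GROUPS"})))
```

Running the block shows the first request yielding a subject with roles labsvcs-rundeck and user, the second yielding the "Cannot get AuthContext without subject" message, and the client-supplied REMOTE_USER_GROUPS header being dropped before the proxy adds its own value.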

Dennis Klein

May 8, 2015, 10:09:06 AM
to rundeck...@googlegroups.com
Hi,

I believe you can only pass the REMOTE_USER variable via AJP at the moment, because it is not an HTTP header, but a CGI environment variable. So, if we want to make this work, we need to modify the rundeck server to look out for a preferably configurable HTTP header in the proxy request and set this as the REMOTE_USER variable. The same is true for the REMOTE_USER_GROUPS environment variable; this works only in combination with AJP. Another problem is that the packaged rundeck-jetty-server does not provide an AJP connector :(

Best regards,
Dennis

Dennis Klein

May 8, 2015, 11:03:00 AM
to rundeck...@googlegroups.com
I have opened an issue: https://github.com/rundeck/rundeck/issues/1229

Appreciate any comments!