I have 2 sites running on the same server (for testing): sso.example.com and client.example.com:
<VirtualHost *:443>
    ServerName sso.example.com
    DocumentRoot /var/www/sso
    SSLEngine On
    SSLCertificateFile /var/key/sso.crt
    SSLCertificateKeyFile /var/key/sso.key
</VirtualHost>
<VirtualHost *:443>
    ServerName client.example.com
    DocumentRoot /var/www/client
    SSLEngine On
    SSLCertificateFile /var/key/client.example.com/cert.pem
    SSLCertificateKeyFile /var/key/client.example.com/key.pem
    <Location />
        AuthType mod_auth_pubtkt
        Order Allow,Deny
        Allow from all
        TKTAuthCookieName "sso_ticket"
        TKTAuthToken "ssologin"
        TKTAuthLoginURL https://sso.example.com/
        TKTAuthPublicKey /var/key/public_key.pem
        TKTAuthRequireSSL on
        TKTAuthDebug 3
        require valid-user
    </Location>
</VirtualHost>
"sso" generates the authentication ticket:
<?php
require_once("pubtkt.inc");
$privkey = "/var/key/private_key.pem";
$keytype = "RSA";
$username = "user999";
$userdata = "";
$tokens = array("ssologin");
$timeout = 5184000;
$grace = 2592000;
$ticket = pubtkt_generate(
    $privkey,
    $keytype,
    $username,
    $_SERVER['REMOTE_ADDR'],
    time() + $timeout,
    $grace,
    join(",", $tokens),
    $userdata
);
?>
and sends an XHR request (from JavaScript) to "client" in order to set the cookie.
<?php
header('Access-Control-Allow-Origin: https://sso.example.com');
if (isset($_GET["ticket"])) {
    $tkt = base64_decode($_GET["ticket"]);
    setcookie("sso_ticket", $tkt); // Cookie with low restrictions for testing purposes.
}
?>
This is an example of the cookie set:
uid%3Duser999%3Bcip%3D192.168.0.15%3Bvaliduntil%3D1462511500%3Bgraceperiod%3D1459919500%3Btokens%3Dssologin%3Budata%3D%3Bsig%3DLpJKwgLBFXWy2FxWro%2FxdanHq%2F%2F2Maa1dR5y5IQQ3n2%2B1V5wfdklFtumpQ9h9cI8jh3sNLUFmmkDxMr44kwWZ0i1qfXlndGzaAWPg%2BBtwXlsJAgwgPTQOfJX%2FXNWAntx%2BnnutRebwZBZH2MDsd5d6AdRPXaD8rhEHzXIn8yECkM%3D
I can confirm that the cookie is successfully created in "client". I also confirmed that the cookie content is correct using openssl to test the signature.
Every time I try to open "client.example.com" I get redirected to "sso.example.com". There are no errors in Apache and "TKTAuthDebug 3" only outputs the "TKT*" variables set in the <Location /> section.
How can I check why it is failing?
As a test, I set up a "sso.example.com/restricted/" directory with a <Location /restricted> section containing the exact values listed above, in order to test everything inside the same domain, and it works fine.
I don't know what is wrong. Any ideas?
Thanks in advance.
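A way to test a ticket cookie offline, as an added example that is not from the question, from mod_auth_pubtkt or from pubtkt.inc: it rebuilds the field layout visible in the cookie above, signs it with a throwaway key, and applies the checks the module applies (signature, uid, validuntil, cip against the client address, required token), returning every failing one. The function names and the throwaway key pair are the example's own assumptions.

```php
<?php
// Added example (not from the question, mod_auth_pubtkt or pubtkt.inc): rebuild the
// ticket layout shown in the cookie above and apply the module's checks offline.

// Build and sign a ticket body (SHA-1 / PKCS#1 v1.5, pubtkt.inc's default for RSA keys).
function make_ticket($privkey, $uid, $cip, $validuntil, $grace, $tokens, $udata = "") {
    $body = "uid=$uid;cip=$cip;validuntil=$validuntil;graceperiod=" . ($validuntil - $grace)
          . ";tokens=$tokens;udata=$udata";
    openssl_sign($body, $sig, $privkey, OPENSSL_ALGO_SHA1);
    return $body . ";sig=" . base64_encode($sig);
}

// Return the reasons a cookie value would be rejected (empty array = accepted).
// $cookie is the value as the browser sends it, still URL-encoded by setcookie().
function check_ticket($cookie, $pubkey, $remote_ip, $required_token, $now) {
    $reasons = array();
    $tkt = urldecode($cookie);                      // the module unescapes the cookie first
    $pos = strrpos($tkt, ";sig=");
    if ($pos === false) return array("no ;sig= field in ticket");
    $body = substr($tkt, 0, $pos);
    $sig  = base64_decode(substr($tkt, $pos + 5), true);
    if ($sig === false || openssl_verify($body, $sig, $pubkey, OPENSSL_ALGO_SHA1) !== 1)
        $reasons[] = "signature does not verify against TKTAuthPublicKey";
    $f = array();
    foreach (explode(";", $body) as $kv) {          // key=value fields
        list($k, $v) = array_pad(explode("=", $kv, 2), 2, "");
        $f[$k] = $v;
    }
    if (empty($f["uid"]))
        $reasons[] = "missing uid";
    if (!isset($f["validuntil"]) || (int)$f["validuntil"] <= $now)
        $reasons[] = "ticket expired: validuntil <= now";
    if (isset($f["cip"]) && $f["cip"] !== $remote_ip)
        $reasons[] = "cip {$f['cip']} differs from client address $remote_ip";
    $have = isset($f["tokens"]) ? explode(",", $f["tokens"]) : array();
    if ($required_token !== "" && !in_array($required_token, $have, true))
        $reasons[] = "required token '$required_token' not in tokens";
    return $reasons;
}

// Throwaway key pair so the example runs without the /var/key/*.pem files.
$key = openssl_pkey_new(array("private_key_bits" => 2048, "private_key_type" => OPENSSL_KEYTYPE_RSA));
$pub = openssl_pkey_get_details($key)["key"];
$now = time();
$cookie = urlencode(make_ticket($key, "user999", "192.168.0.15", $now + 5184000, 2592000, "ssologin"));
print_r(check_ticket($cookie, $pub, "192.168.0.15", "ssologin", $now));            // same client IP, token present
print_r(check_ticket($cookie, $pub, "10.0.0.7", "ssologin", $now));                // different client address
print_r(check_ticket($cookie, $pub, "192.168.0.15", "ssologin", $now + 6000000));  // checked after validuntil
```

Feeding the real cookie value, the public key from TKTAuthPublicKey and the address client.example.com actually sees for the browser shows which of the module's checks the ticket fails.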