SAML setup - MR and SAML server redirecting to each other after login

David Nelson

Aug 26, 2022, 12:55:25 PM
to munki...@googlegroups.com
Disclaimer: I am not a SAML expert but this isn't my first time working with it. This is probably my fault. :)

I'm trying to set up SAML auth against RapidIdentity. On the back end I think it's using Shibboleth, but gets configured via a custom web interface.

I visit MR while unauthenticated. It takes me to the RapidIdentity login page. I authenticate. But then MR and RapidIdentity redirect me back and forth indefinitely.

Using the SAML-tracer Chrome plugin I see the following series of requests repeating endlessly.

GET https://[my-rapididentity-host]/idp/profile/SAML2/Redirect/SSO
POST https://[my-munkireport-server]/index.php?%2Fauth%2Fsaml%2Facs
GET https://[my-munkireport-server]/index.php?/auth/login
GET https://[my-munkireport-server]/index.php?/auth/saml/sso
GET https://[my-rapididentity-host]/idp/profile/SAML2/Redirect/SSO?SAMLRequest=[redacted]
GET https://[my-rapididentity-host]/idp/AuthnEngine

When viewing the SAML details of the POST entry I see <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> so it seems like it's telling MR my authentication is good. But I'm not enough of a SAML expert to decipher what's going on beyond that. I can post more of that message if needed.

My MR install is on 5.7.1.4264

Thanks!
David

David Nelson

Aug 31, 2022, 5:31:43 PM
to munki...@googlegroups.com
In retrospect I think this is where the problem lies:

POST https://[my-munkireport-server]/index.php?%2Fauth%2Fsaml%2Facs

Note the slashes are being replaced by %2F when my SAML server sends me back to MR.
When I try the SAML test site at https://samltest.id it is successful and posts to the URL ending in /index.php?/auth/saml/acs

So this may be something particular to RapidIdentity (or Shibboleth on their back end). It seems like they are urlencoding the stuff that comes after the question mark. Which seems sensible but problematic.

Short of getting the vendor to change this behavior, is there any hack or workaround anyone can think of to make MunkiReport answer to this encoded version of the ACS URL and log me in? Some trickery I can pull with Apache or nginx?

Thanks
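One way to do the web-server-side normalisation asked about above, as an added example that is not part of this thread and not MunkiReport's or RapidIdentity's own configuration. It assumes Apache with mod_rewrite, MunkiReport served from the vhost document root, and that the only difference between the working and the failing ACS URL is the percent-encoded query string seen in the trace:

```apache
# Added example: rewrite the percent-encoded ACS query string that the IdP
# posts to ("?%2Fauth%2Fsaml%2Facs") into the form MunkiReport's front
# controller routes on ("?/auth/saml/acs"). Nothing else is touched.
RewriteEngine On

# Only the SAML assertion POST from the IdP needs this; leave GETs alone.
RewriteCond %{REQUEST_METHOD} =POST
# %{QUERY_STRING} is matched raw (not decoded), so test for the encoded form.
# The exact-match anchors keep this from rewriting any other query.
RewriteCond %{QUERY_STRING} ^%2[Ff]auth%2[Ff]saml%2[Ff]acs$

# Internal rewrite (no 3xx), so the POST body carrying SAMLResponse is kept.
# [NE] stops Apache re-escaping the "?/" in the substitution; [L] ends the
# rule set for this request.
RewriteRule ^/?index\.php$ /index.php?/auth/saml/acs [NE,L]
```

Because the rewrite is internal, SAML-tracer will still show the %2F URL in the POST; the check is that the POST is no longer followed by a GET to /index.php?/auth/login, which is what restarts the loop.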