Documentation for using AuthMemCookie Apache Module with SimpleSAMLPhP


PACS AT

Oct 23, 2018, 4:50:14 PM
to SimpleSAMLphp
What are you trying to do?

I have multiple applications on our server spanning php, ruby, and python. I'd like to use SimpleSAMLPhP as the SSO provider for all of them, and I've read this can be done with 

But the page I saw this on says the documentation is to come, meaning not ready yet. I'd like any help or advice anyone could give me on getting this set up. 

I have installed all the prereqs, built the mod_auth_memcookie.so apache module and got it installed, but I have no idea how to use it in conjunction with SimpleSAML. 

I have no interest in resource level authorization. I'd simply like it so that when a user goes to any application, if they are not logged in, Apache and SimpleSAML will redirect them to our university SSO portal and redirect them back. Once I get this working I can program further authorization levels via the AD groups that our IDP provides inside each application as needed. But for now all or nothing is fine.

I have SimpleSAMLPhP installed on our development server, connected to our IDP, and the tests work great. I'm at the next step where I'm trying to incorporate it into my applications, and I'd rather not have to mess with the programming on each in order to get it to work. I'd rather the authentication happen at the apache webserver level.

Thanks guys! Any help is much appreciated!

Will Poillion
College of Professional and Continuing Studies
University of Oklahoma

Peter Schober

Oct 23, 2018, 6:09:36 PM
to SimpleSAMLphp
* PACS AT <ouc...@gmail.com> [2018-10-23 22:50]:
> I have multiple applications on our server spanning php, ruby, and
> python. I'd like to use SimpleSAMLPhP as the SSO provider for all
> of them, and I've read this can be done with
> https://zenprojects.github.io/Apache-Authmemcookie-Module/
>
> But the page I saw this on says the documentation is to come, meaning not
> ready yet. I'd like any help or advice anyone could give me on getting this
> set up.
>
> I have installed all the prereqs, built the mod_auth_memcookie.so apache
> module and got it installed, but I have no idea how to use it in
> conjunction with SimpleSAML.

Documentation for SimpleSAMLphp:
https://simplesamlphp.org/docs/stable/
-> "Advanced Features":
https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures

-> "Auth MemCookie":
https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures#section_6

-> "Please use the new memcookie module instead":
https://github.com/simplesamlphp/simplesamlphp-module-memcookie


> I'd rather the authentication happen at the apache webserver level.

I usually use the Shibboleth SP for these use-cases, e.g. together
with uWSGI as application server for Python/WSGI or Perl/PSGI
applications; there's also Ruby/Rack support. You'd reverse proxy all
these using mod_proxy_uwsgi, avoiding HTTP proxying (and reliance on
HTTP request headers in downstream applications/servers) completely.
But likely that's all possible using mod_auth_memcookie, too.

HTH,
-peter

PACS AT

Oct 26, 2018, 11:08:07 AM
to SimpleSAMLphp
Thank you very much Peter. This was very helpful. I'm new to memcached in general, so all of this has been a big learning experience. But I got it installed, running as a service, and after installing all the other prerequisites I installed the auth_memcookie apache module and got it running (using the new one you pointed out). I have it almost working. My application redirects and comes back, just working on some kinks with these errors:

PHP Fatal error:  Class 'Memcache' not found in /home/simplesamlphp/modules/memcookie/lib/AuthMemCookie.php on line 118
[Fri Oct 26 09:56:44.627434 2018] [:error] [pid 4966] [client 172.31.2.171:59608] Auth_memCookie: memcached_get call failed: SUCCESS
[Fri Oct 26 09:56:44.627512 2018] [:warn] [pid 4966] [client 172.31.2.171:59608] Auth_memCookie: AuthSession _4c4261397940573644fa3fd3c0fbf272dddc8733b1 not found: /home/syllabusTracker_project/syllabusTracker/
[Fri Oct 26 09:56:44.628411 2018] [:error] [pid 4966] [client 172.31.2.171:59608] Auth_memCookie: memcached_get call failed: SUCCESS
[Fri Oct 26 09:56:44.628451 2018] [:warn] [pid 4966] [client 172.31.2.171:59608] Auth_memCookie: AuthSession _4c4261397940573644fa3fd3c0fbf272dddc8733b1 not found: /home/syllabusTracker_project/syllabusTracker/memcookie

I see the obvious issue is that the memcache class isn't installed for PHP, which I'm doing now, but I'm just trying to think through whether I will have to do similar things for Python/Ruby.

Most of what you said about reverse proxy and using mod_proxy_uwsgi went over my head. But if it's something I'll need to learn for my python applications to work right then I'll need to learn that as well.

Again, thanks for your help Peter this definitely set me in the right direction.

Cheers!
Will

Peter Schober

Oct 29, 2018, 10:02:21 AM
to SimpleSAMLphp
* PACS AT <ouc...@gmail.com> [2018-10-26 17:08]:
> Thank you very much Peter. This was very helpful. I'm knew to memcached in
> general, so all of this has been a big learning experience. But I got it
> installed, running as a service, and after installing all the other
> prerequisites I installed the auth_memcookie apache module and got it
> running. (Using the new one you pointed out) . I have it almost working. My
> application redirects and comes back, just working on some kinks with these
> errors:
>
> PHP Fatal error: Class 'Memcache'
> not found in /home/simplesamlphp/modules/memcookie/lib/AuthMemCookie.php on line 118

Did you follow the instructions for that module, installing it using
composer? https://github.com/simplesamlphp/simplesamlphp-module-memcookie

I guess something needs to pull in the memcached code, and I'm
assuming that'd need to be done by composer (if the code is not
included in the SimpleSAMLphp module referenced above).

> I see the obvious issue is the memcache class isn't installed for
> php, which I'm doing now

If only following the documentation does not get you a working system
then the docs may be incomplete. E.g. if you would have to install
software not mentioned in the docs that would be a bug.

> but I'm just trying to think through if I will have to do similar
> things for python/ruby.

No. The point of mod_auth_memcookie is to protect applications from
the web server (with the help of httpd modules), not using native
APIs.

This fact is made less clear since you're using SimpleSAMLphp (and
therefore, PHP) as SAML Service Provider to establish a session with
mod_auth_memcookie.

> Most of what you said about reverse proxy and using mod_proxy_uwsgi
> went over my head. But if it's something I'll need to learn for my
> python applications to work right then I'll need to learn that as
> well.

Trying to give a bit of context:

There are reasons to avoid API-level integration with applications for
SSO / Identity Federation, mostly because over time applications
and/or their SSO integration APIs change, breaking the integration.
(Others still prefer this approach and then native SSO implementations
would be the tool of choice, e.g. integrating PHP applications with
SimpleSAMLphp, integrating Python applications using pysaml2, Ruby
probably with Omniauth or whatever, Java with pac4j or whatever you're
stuck with using, etc.pp.)

Protecting resources using the web server avoids such breakage, as the
application only needs to be able to run in a web server and consume
environment variables, which is a very stable interface.
It also means you don't have to learn/secure one SSO implementation per
language/API/framework.

Now, mod_auth_memcookie is one approach for doing just that, and
mod_mellon or mod_shib (Shibboleth SP) would be alternatives that
directly implement SAML2 without a need for PHP support in the web
server (as SimpleSAMLphp provides the SSO integration for
mod_auth_memcookie here, not mod_auth_memcookie).

(Personally I'd only ever add PHP to a web server if the purpose of
that server would be to run PHP applications, not merely to provide
SSO to mod_auth_memcookie.)

As for your Python etc. applications themselves: I generally avoid HTTP
proxying (i.e., one web server proxying for another full webserver)
and instead use different approaches that provide better fidelity and
security compared to relying on HTTP Request Headers as the only
means of communication between those servers.
So that also informs my choices of web application servers, i.e.,
how to run Python or Ruby or Perl web applications: I don't use their
packaged or recommended application servers (e.g. Perl's Starman) that
would expose an HTTP or FCGI server to proxy to, but instead run the
applications using appropriate httpd modules:

While for Python mod_proxy_wsgi exists, or Phusion Passenger for
Ruby/Rack, or mod_perl or mod_psgi for Perl, etc., I find that uwsgi is
able to handle those just fine, allowing me to use only a single
application server for running pretty much everything that's not PHP
(php-fpm and mod_proxy_fcgi suffices, I feel) or Java (mod_proxy_ajp
to Tomcat works OK). UWSGI is not for the faint-hearted, though.

That way authentication (and sometimes authorisation) is done with
httpd modules in the web server, and likewise httpd calls out to
proper application servers (not using HTTP proxying) using other httpd
modules, allowing me to rely on environment variables set by the httpd
modules (used for auth) and avoiding multiple steps of HTTP
parsing/proxying.

How/whether that relates to your applications and deployment
preferences and deployment targets and deployment platforms etc. I
couldn't say. It all depends, I guess.

-peter
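To make the "application only consumes environment variables" point from the reply above concrete, here is an added example that is not from the thread or from any of the projects mentioned in it. It is a small WSGI application that authorizes purely from what the web server hands it in the WSGI environ: REMOTE_USER is the standard CGI/WSGI variable, while the group attribute name (AUTH_GROUPS) and the ";" separator are assumptions made for this example, since the real names depend on how the httpd auth module is configured to export attributes. It also shows why this is safer than trusting request headers: a client-supplied "X-Remote-User" header arrives as HTTP_X_REMOTE_USER and is simply never consulted.

```python
# Added example (not from the thread): a WSGI app that relies only on
# environment variables set by the web server, as described in the reply.
# REMOTE_USER is standard; GROUP_VAR and GROUP_SEP are assumptions for the
# example, not names taken from mod_auth_memcookie or SimpleSAMLphp.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

GROUP_VAR = "AUTH_GROUPS"   # assumed name of the exported group attribute
GROUP_SEP = ";"             # assumed separator for multi-valued attributes

Environ = Dict[str, str]
WSGIApp = Callable[[Environ, Callable], Iterable[bytes]]


def parse_groups(raw: str) -> List[str]:
    """Split a multi-valued attribute into a list, dropping empty entries."""
    return [g.strip() for g in raw.split(GROUP_SEP) if g.strip()]


def identity_from_environ(environ: Environ) -> Optional[Tuple[str, List[str]]]:
    """Return (user, groups) from server-set variables, or None if absent.

    Only REMOTE_USER is consulted. Client request headers are exposed to WSGI
    as HTTP_* keys (e.g. HTTP_X_REMOTE_USER) and are deliberately ignored.
    """
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        return None
    return user, parse_groups(environ.get(GROUP_VAR, ""))


def require_group(group: str) -> WSGIApp:
    """Build a WSGI app that serves only members of `group`."""

    def app(environ: Environ, start_response: Callable) -> Iterable[bytes]:
        headers = [("Content-Type", "text/plain")]
        ident = identity_from_environ(environ)
        if ident is None:
            # httpd should already have authenticated; reaching here means the
            # location is not protected, so refuse rather than guess.
            start_response("401 Unauthorized", headers)
            return [b"no authenticated user passed by the web server\n"]
        user, groups = ident
        if group not in groups:
            start_response("403 Forbidden", headers)
            return [f"{user} is not in group {group}\n".encode()]
        start_response("200 OK", headers)
        return [f"hello {user}\n".encode()]

    return app


def call(app: WSGIApp, environ: Environ) -> Tuple[str, str]:
    """Invoke a WSGI app against an environ and return (status, body)."""
    captured: Dict[str, str] = {}

    def start_response(status: str, headers, exc_info=None) -> None:
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body.decode()


# Constructed environs imitating what httpd would pass to the app.
AUTHENTICATED: Environ = {"REMOTE_USER": "jdoe", GROUP_VAR: "staff; faculty;"}
ANONYMOUS: Environ = {}
# A client trying to claim an identity via a header: it only ever shows up
# as HTTP_X_REMOTE_USER, which the app never reads.
SPOOFED_HEADER: Environ = {"HTTP_X_REMOTE_USER": "jdoe", "HTTP_AUTH_GROUPS": "staff"}

if __name__ == "__main__":
    staff_only = require_group("staff")
    for name, env in (("authenticated", AUTHENTICATED),
                      ("anonymous", ANONYMOUS),
                      ("spoofed header", SPOOFED_HEADER)):
        print(name, "->", call(staff_only, env))
```

Whatever exports the attributes in a real deployment (mod_auth_memcookie, mod_shib, mod_auth_mellon) only has to keep populating REMOTE_USER and the chosen attribute variables; the application code above never changes when the SSO plumbing in front of it does.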

lore...@gmail.com

Oct 31, 2018, 1:04:17 PM
to SimpleSAMLphp
Thank you Peter, that was very thorough and I greatly appreciate the time you took to explain all of that.

Because my server has PHP, Ruby, AND Python applications, that's exactly what I was trying to do: simply use one SSO application for all of them instead of having to implement one for every single one.

And so far I've been successful. I got memcache running and each of the applications redirects to SSO and comes back to the application successfully. I haven't gotten to Ruby/Python yet, but I wrote a simple PHP script that spits out all the env vars as well as a var dump of memcache for the user logged in, and I see all the attribute data I should be seeing.

So for my php application at least, it pretty much works. I'm sure I'll have to install a gem for ruby and a python package to get the memcache user attribute data, but I'm optimistic I can do that.

My problem right now is logging out. I'm not sure what the logout URL should be while using auth_memcookie. I created a script that spits out the URL:

<?php
// Load the SimpleSAMLphp autoloaders, then ask the 'default-sp' authsource
// for its logout URL.
require_once('/home/simplesamlphp/lib/_autoload.php');
require_once('/home/simplesamlphp/lib/_autoload_modules.php');
$auth = new SimpleSAML_Auth_Simple('default-sp');
echo "<tr><td>" . $auth->getLogoutURL() . "</td></tr>";
?>

which gives me a url that makes sense:

But whenever I use it I get this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Logout handler is not a valid function: SimpleSAML\module\memcookie\AuthMemCookie::logoutHandler
Backtrace:
4 lib/SimpleSAML/Session.php:704 (SimpleSAML_Session::callLogoutHandlers)
3 lib/SimpleSAML/Session.php:674 (SimpleSAML_Session::doLogout)
2 lib/SimpleSAML/Auth/Simple.php:209 (SimpleSAML\Auth\Simple::logout)
1 modules/core/www/as_logout.php:18 (require)
0 www/module.php:135 (N/A)

Do you have any ideas on this one? I'd much appreciate it!
Thanks again,
Will

Tim van Dijen

Nov 1, 2018, 4:15:51 AM
to SimpleSAMLphp
Hi Will,

I think your issue here is the same as this one: https://github.com/simplesamlphp/simplesamlphp/issues/887
Let me know if that works out for you...

- Tim

On Wednesday, 31 October 2018 18:04:17 UTC+1, lore...@gmail.com wrote:

lore...@gmail.com

Nov 1, 2018, 11:46:09 AM
to SimpleSAMLphp
Thanks for the response Tim. However, I think my problem is much simpler than that. Or at least it should be. The logoutHandler is being registered fine. 

Within the callLogoutHandlers function, I printed them out to the log file and it contains:
SimpleSAML\\module\\memcookie\\AuthMemCookie::logoutHandler

which is the method it should call for the memcache to be cleared. The error I'm getting is that when it tries to call this function it either doesn't exist or is not a valid function. My first guess is that the AuthMemCookie module is just not being loaded within the Session.php script which calls the logoutHandlers. 

I'm missing some configuration for AuthMemCookie so that SimpleSAML has the function available.

Thanks I do appreciate it,
Will