been lurking on this list for a while, as both SAML SSO and
simplesamlphp seem ideal for our internal organization (lots of home-made
web services and tools, many running on apache with mod_ldap
auth).
For now we are just playing around to figure out what tools and
setups would fit us best, and we have set up a test environment with
different SAML software.
Right now I'm trying to get the simplesaml authmemcookie setup to
work, been following the instructions and think most of it is correct,
but still struggle with a problem - the apache module never finds the
session key in the memcache. So I get error messages like this
(including a bunch of repeated redirects to the "secret" section):
[Wed Mar 30 12:24:01 2011] [warn] [client 10.20.18.88] Auth_memCookie:
AuthSession _daa77aaeb588a45f0e8d29923daf7abcdaf886d988 not
found: /var/www/sp1/secret, referer: https://(sp site)/
Manual auth (from simplesaml install page) with the Service Provider
works ok.
SP seems to put some data into the memcache, as the number of objects
keeps growing. But haven't found a way to see exactly what key it uses
when it stores it into the memcache, and wonder if it's something else
than the module will look for.
When I'm not logged in, I also get this:
[Wed Mar 30 15:08:47 2011] [error] [client 10.20.18.88] PHP Notice:
MemcachePool::delete(): Server 127.0.0.1 (tcp 11211, udp 0) failed
with: CLIENT_ERROR bad command line format. Usage: delete <key>
[noreply]\r\n (0)
in /var/simplesamlphp-1.8.0-rc1/lib/SimpleSAML/AuthMemCookie.php on
line 153, referer:
https://(sp site)/simplesaml/module.php/core/authenticate.php?
as=opera-memcookie
Auth_memCookie_CookieName AuthMemCookie is the same both in module and
SP.
The SP uses a remote IDP for the auth itself - do I need to set up the
IDP to store sessions in the memcache, instead of (or in addition to) the
SP?
Anyone seen this problem before, or have some tips?
I understand it's recommended to use memcookie from mod_perl or php
instead of the apache module, but the apache module would fit best for
some of our servers (where we don't want to enable mod_perl/php).
But I think the problem is with the SP setup, not the module.
Sorry if I've overlooked something obvious, but the SAML technology is
a bit new for me, and it's still a bit confusing to understand how
all of the service roles fit together ;)
cheers,
/Stein
--
Stein Vråle
Senior System Administrator
Opera Software ASA
You might also want to check out the Shibboleth SP, then, as it's
designed to run as a module for Apache httpd.
-peter
> You might also want to check out the Shibboleth SP, then, as it's
> designed to run as a module for Apache httpd.
> -peter
wow, thanks for the tip Peter - that actually worked pretty well!
Used the libapache2-mod-shib2 package from Debian, had to fiddle a bit
to make it work with the simplesaml idp we had running, but so far so
good - perhaps this is a good solution for our non-perl/php servers.
But would still be cool to figure out what's wrong with our simplesaml
memcookie SP, so open for more ideas there.
Perhaps you'd like to share information on what sort of fiddling you had
to do to make libapache2-mod-shib2 work for you?
-I'm interested in using it for authenticating users to a WebDAV server
if possible, thus hooking it up to the SSO environment I'm working on
setting up.
Best regards,
Søren
Søren, it wasn't me writing about the fiddling. Also I can't think of
any fiddling necessary to interop the Shibboleth SP with a
SimpleSAMLphp IdP (but then I fiddle with the SSP IdP so all
attributes conform to the MACE-Dir SAML Attribute profile, which
simply leaves no fiddling for the Shib SP side ;)
> -I'm interested in using it for authenticating users to a WebDAV
> server if possible, thus hooking it up to the SSO environment I'm
> working on setting up.
That needs some attention, many WebDAV clients don't support enough of
the HTTP specs for this to work. So that's not really a SimpleSAMLphp
issue, and neither a Shibboleth one. Once you get plain HTTP running,
this is purely a WebDAV/HTTP client issue.
-peter
* Stein Vråle <st...@opera.com> [2011-03-30 18:57]:
> perhaps this is a good solution for our non-perl/php servers.
Non-perl? What SAML implementation do you use with Perl?
-peter
-A shame to hear of the WebDAV trouble it seems I'm out for with my wish
to couple SSP IdP with a WebDAV server through libapache2-mod-shib2 ...
I guess I'll end up constructing an upload service for our internal use
based on JQuery and Uploadify instead, since it's primarily for upload
of documents to a digital asset management system I'm implementing
alongside SSP IdP :)
Thanks a bunch, Peter!
-Søren
There was a project in France for building a SAML-protected uPortal
component to access WebDAV (and FTP) resources, but that's from 2008
and was based on a discontinued WebDAV implementation (and it still
wouldn't allow the use of generic WebDAV clients, AFAIK).
Anyway, here's the link:
http://www.terena.org/mail-archives/tf-emc2/msg00792.html
I also faintly recall a more recent statement from someone (Chad?)
that some (native M$?) WebDAV client could be tuned enough to allow
SAML WebSSO, but can't find it right now. (Probably hidden in some
thread with a different topic, like this one here ;)
-peter
> * Søren Grønning Iversen <s.gro...@gmail.com> [2011-03-30 19:03]:
> > Hi Peter,
> >
> > Perhaps you'd like to share information on what sort of fiddling you
> > had to do to make libapache2-mod-shib2 work for you?
>
> Søren, it wasn't me writing about the fiddling. Also I can't think of
> any fiddling necessary to interop the Shibboleth SP with an
> SimpleSAMLphp IdP (but then I fiddle with the SSP IdP so all
> attributes conform to the MACE-Dir SAML Attribute profile, which
> simply leaves no fiddling for the Shib SP side ;)
hehe yeah that was me, and it wasn't *that* much fiddling - only
struggled a bit with the config files, especially how to configure it
for our own idp and not the default one.
So I used this howto:
http://www.ctrip.ufl.edu/shiboleth2-sp-on-debian-lenny-howto
but had to change some paths to /var/run, especially this one:
backingFilePath="/var/run/shibboleth/idp.xml"
As the default path didn't exist, shib2 couldn't store the metadata it
fetched from idp. Spent some time looking for a place to put the idp
metadata into a file somewhere (à la metadata/saml20-idp-remote.php),
until I realized it was supposed to fetch it online, but failed ;)
No, no, no, please, don't :)
Up until "Configure Apache2 Web Server" (where I stopped reading)
exactly *none* of the above should be necessary (or makes any sense).
Why generate keys in the directory /usr/bin/ only to move them
elsewhere? And why the special location for the files (only so you
have to change the default config to find it again)? And why replace
the default config file with some other file 'off the net'?
And so on.
Instead, read the docs that come with the software (aforementioned
README.Debian.gz) and follow the documentation for the software.
The Debian packaging team has done nothing to sabotage the package in
any way so that the upstream docs wouldn't be good enough.
So install, read the Debian README, go to
https://spaces.internet2.edu/display/SHIB2/NativeSPGettingStarted
Here are my own old notes (in German, but you can just read the
command line examples) for Debian Lenny or Ubuntu 9.04 "Jaunty" (both
old!), in case you insist on unofficial documentation bound to become
unmaintained and obsolete ;)
https://aai-wiki.univie.ac.at/DebianUbuntu
cheers,
-peter
* Peter Schober <peter....@univie.ac.at> [2011-03-30 19:27]:
> * Søren Grønning Iversen <s.gro...@gmail.com> [2011-03-30 19:16]:
> > -A shame to hear of the WebDAV trouble it seems I'm out for with my
> > wish to couple SSP IdP with a WebDAV server through
> > libapache2-mod-shib2 ...
[...]
> I also faintly recall a more recent statement from someone (Chad?)
> that some (native M$?) WebDAV client could be tuned enough to allow
> SAML WebSSO, but can't find it right now. (Probably hidden in some
> thread with a different topic, like this one here ;)
I didn't find the thread yet but Chad confirmed that at SWITCH.ch they
(i.e., Halm Reusser, Cc'ed) got Microsoft's "web folder" WebDAV client
working via SAML2 WebSSO, as long as IdP discovery could be avoided
(i.e., with a single default IdP configured) and the IdP supported
HTTP Basic Auth for authentication (which may be some additional work
or possibly even an additional IdP, and would probably also require
changes to SimpleSAMLphp as an IdP).
While those are quite a few constraints, it might still fit someone's
requirements.
-peter
> https://spaces.internet2.edu/display/SHIB2/NativeSPGettingStarted
That one looks excellent, bookmarked - thanks again!
In other news, I finally figured out the problem with our simplesaml
authmemcookie setup - was missing this in the apache config:
Auth_memCookie_SessionTableSize "40"
Started with the sample config from authmemcookie homepage, so my bad
for not noticing that one was missing - sorry :/
Anyway, even if it took some more time than needed, the result is even
better - I now have 2 alternative modules to provide simple SSO apache
auth!
You asked if we had any perl SAML implementation, but for now we are
only investigating - nothing is implemented yet.
And ideally, I would like to avoid fiddling with the web applications
themselves - as we mostly use apache ldap auth in front of all apps
(plus a lot of reverse proxies), it should be much easier to migrate to
SSO if we can just deploy a new module, and replace existing ldap rules
- rather than hacking it into every app.
I want SSSO - SimpleSingleSignOn! :)
Well thanks again, and sorry for disturbing. But will probably come
back with some more simplesaml questions later ;)
Cheers!
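For readers landing on this thread with the same symptom ("AuthSession ... not found" in the Apache error log), here is an added example of a complete mod_auth_memcookie location block as used in front of a simpleSAMLphp SP. It is not configuration from the original posts or from either project's documentation: the two directives the thread itself mentions (Auth_memCookie_CookieName and Auth_memCookie_SessionTableSize) are included as stated above, and the remaining directive names and the /simplesaml/authmemcookie.php error-document path are assumed from the module's and simpleSAMLphp's documentation as I remember them, so check them against the versions you have installed. The paths, host, port and timeout values are placeholders.

```apache
# Added example, not from the original thread. Assumed directive names:
# verify against your installed mod_auth_memcookie version.
LoadModule mod_auth_memcookie_module modules/mod_auth_memcookie.so

<Location /secret>
    # Cookie name must match the one configured on the simpleSAMLphp SP
    # side (both sides use "AuthMemCookie" in the thread above).
    Auth_memCookie_CookieName "AuthMemCookie"

    # Where the SP writes the session objects. Keep memcached bound to
    # localhost (or a private network with no untrusted writers): anyone
    # who can write to this memcached can mint a session for any user.
    Auth_memCookie_Memcached_AddrPort "127.0.0.1:11211"

    # Lifetime of a cached session object in memcached, in seconds.
    Auth_memCookie_Memcached_SessionObject_ExpireTime "3600"

    # Maximum number of entries in the session object; this is the
    # directive that was missing in the thread, and without it the
    # module failed to find the session even though the SP had stored it.
    Auth_memCookie_SessionTableSize "40"

    # Export session attributes (user name, groups, ...) as request
    # headers so the protected application can consume them.
    Auth_memCookie_SetSessionHTTPHeader on

    # Let this module be the final word on authentication for the path.
    Auth_memCookie_Authoritative on

    AuthType Cookie
    AuthName "SSO protected area"
    Require valid-user

    # A request without a valid session gets a 401; the ErrorDocument
    # sends the browser to the simpleSAMLphp SP, which runs the SAML
    # login against the IdP and then stores the session in memcached.
    ErrorDocument 401 "/simplesaml/authmemcookie.php"
</Location>
```

Two practical checks go with this: the AuthMemCookie cookie value is a bearer token for the whole session, so serve the protected paths over HTTPS only and mark the cookie secure on the SP side; and when debugging a "not found" error, compare the key the SP wrote (the SP prefixes the cookie value when storing, so list keys in memcached rather than guessing) with the one the module logs, before changing anything else.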