
Our Apache uses both mod_shib_24 (SAML-SP) and mod_auth_openidc (OIDC-RP), which both are connected to a Shibboleth IdP (acts as both SAML-IDP and OIDC-OP).

Furthermore we have 2 protected locations, one protected by SAML, the other one protected by OIDC:

  ShibCompatValidUser On

  <Location "/">
    Require shib-session
    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
  </Location>

  <Location "/oidctest">
    Require valid-user
    AuthType openid-connect
  </Location>

Now comes the confusing part:

If I access anything other than /oidctest/, I have to log in using SAML (mod_shib_24 gets involved, as expected), but after a successful authentication I can also access /oidctest/ without having to authenticate with OIDC.

This also works the other way around. If I access /oidctest/ first (new private window), I have to authenticate using OIDC (mod_auth_openidc gets involved, as expected), and after a successful auth I can also access all other Locations (other than /oidctest/).

So how does Apache handle valid-user directives? How is a "valid-user" defined in Apache?

Is a user valid for everything once he has logged in, no matter the auth-type, no matter the module, no matter the protocol?

Or is this an unexpected behaviour?

brzler


It is my understanding from the Shibboleth wiki that the ShibCompatValidUser On setting is expressly intended to be compatible with require valid-user statements.

Prior to V2.5.2, and when ShibCompatValidUser is Off (the default), this is equivalent to the shib-session rule above. When the ShibCompatValidUser option is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and requires a non-null REMOTE_USER value be set for the request. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition and such rules should be changed to rely on shib-session.

See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess

To differentiate between modules you could also use tests with Require env to look for environment variables set by the module. Shibboleth by default sets a Shib-Session-ID for example.

See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess

Gerrit
  • this answers the question why the SAML-protected content is working with an OIDC-authenticated user, so there must be something similar in the OIDC module to accept a SAML-authenticated user, right? – brzler Jan 30 '20 at 10:02
  • Actually I am confused, do you really use a 2.4 shibboleth module? Because the configuration contains directives from the 2.5 version. In 2.5 you should do a **** section with require shib-session and require shib-user to only take shibboleth authenticated users. If you want both providers to authenticate you have to use a **** section with nested **** sections. – Gerrit Jan 30 '20 at 12:33
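The following configuration is an added example, not part of the question, the answer or the Shibboleth project's documentation. It applies the answer's suggestion (tie each location to an environment variable that only the authenticating module sets, instead of trusting "Require valid-user", which any module that populates REMOTE_USER can satisfy) and the comment's advice to use nested Require sections. It assumes Apache 2.4 with mod_authz_core, Shibboleth SP 2.5+ (mod_shib_24) and mod_auth_openidc; the variable name Shib-Session-ID comes from the answer, while OIDC_CLAIM_sub is assumed to be the environment variable mod_auth_openidc sets for the "sub" claim under its default "OIDC_CLAIM_<claim>" naming, which should be checked against the installed module version. The "both providers" case from the comment is not attempted here, because the section names in that comment did not survive extraction.

```apache
# Added example; not the original poster's configuration.
# Assumed modules: mod_shib_24 (Shibboleth SP 2.5+), mod_auth_openidc,
# mod_authz_core (Apache 2.4). Assumed variable: OIDC_CLAIM_sub.

# Keep the default. With this Off, "Require valid-user" keeps Apache's own
# meaning (a non-null REMOTE_USER) and mod_shib does not reinterpret it.
ShibCompatValidUser Off

# SAML-only area: authorization is tied to mod_shib's own shib-session rule
# rather than to REMOTE_USER, so a session created by another module does
# not satisfy it.
<Location "/">
  AuthType Shibboleth
  ShibRequestSetting requireSession 1
  # Environment variables instead of request headers, so the values cannot
  # be supplied by a client or upstream proxy.
  ShibUseHeaders Off
  Require shib-session
</Location>

# OIDC-only area: both conditions must hold. "valid-user" needs a
# REMOTE_USER, and "env OIDC_CLAIM_sub" (assumed name) needs the claim
# variable that only mod_auth_openidc populates, so a SAML session alone
# does not pass.
<Location "/oidctest">
  AuthType openid-connect
  <RequireAll>
    Require valid-user
    Require env OIDC_CLAIM_sub
  </RequireAll>
</Location>

# Equivalent explicit check for the SAML area, if you prefer to name the
# variable from the answer rather than rely on the shib-session rule.
<Location "/samlonly">
  AuthType Shibboleth
  ShibRequestSetting requireSession 1
  <RequireAll>
    Require shib-session
    Require env Shib-Session-ID
  </RequireAll>
</Location>
```

After loading this, a session from the wrong module fails the Require env test and the user is sent through the module named by AuthType for that location; "Require env" only checks that the variable is set, so keep it inside RequireAll next to the session or valid-user rule rather than using it on its own.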