
I have an issue with implementing SSO against ADFS with an Apache HTTPD web server using mod_auth_mellon. The error I get after authentication has actually succeeded is:

Apache HTTPD returns a HTTP 401

(Unauthorized: This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.)

But in the server logs I can find the following:

Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Responder", StatusCode2="(null)", StatusMessage="(null)", referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=nZJNb9swDIb%2FiqG7...

Configuration (pretty much standard)

<Location />
  MellonEnable info
  MellonEndpointPath /mellon/endpoint
  MellonSPMetadataFile /path/to/medatada.xml
  MellonIdPMetadataFile /path/to/FederationMetadata.xml
  MellonSPPrivateKeyFile /path/to/mellon.key
  MellonSPCertFile /path/to/mellon.crt
  MellonSignatureMethod rsa-sha1
</Location>

<Location /admin>
  AuthType Mellon
  MellonEnable auth
  Require valid-user
  MellonSamlResponseDump On
</Location>

The metadata is standard as well. The only thing is, since I read about signature issues associated with lasso error code -432, I tried to change the parameter SignatureMethod and to disable signing/encryption (and asked the Windows guy to update the relying party's (= my) metadata). So in the end I currently have the following nonstandard settings in my metadata. However, whatever I did, I always get the lasso -432 error.

AuthnRequestsSigned="false" WantAssertionsSigned="false"

Versions

Docker-Container running RHEL 7.8

mod_auth_mellon: v0.14.2 (latest)

lasso: v2.5.99

Logs

 [Thu Jul 16 14:55:42.150952 2020] [authz_core:debug] [pid 470] mod_authz_core.c(820): [client 192.168.1.1:49870] AH01626: authorization result of <RequireAny>: granted
 [Thu Jul 16 14:55:42.151021 2020] [auth_mellon:debug] [pid 470] auth_mellon_util.c(54): [client 192.168.1.1:49870] reconstruct_url: url=="https://webservice.example.com/mellon/endpoint/login?ReturnTo=https%3A%2F%2Fwebserver.example.com%2Fadmin%2F&IdP=http%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust", unparsed_uri=="/mellon/endpoint/login?ReturnTo=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&IdP=http%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust"
 [Thu Jul 16 14:55:42.151037 2020] [auth_mellon:debug] [pid 470] auth_mellon_cookie.c(77): MELLON_DISABLE_SAMESITE : (null)
 [Thu Jul 16 14:55:42.151040 2020] [auth_mellon:debug] [pid 470] auth_mellon_cookie.c(227): cookie_set: mellon-cookie=cookietest; Version=1; Path=/; Domain=webservice.example.com
 [Thu Jul 16 14:55:42.178426 2020] [auth_mellon:debug] [pid 470] auth_mellon_handler.c(278): [client 192.168.1.1:49870] loaded IdP "http://adfs.example.com/adfs/services/trust" from "/opt/rh/httpd24/root/etc/httpd/conf.d/mellon/FederationMetadata.xml".
 192.168.1.1 - - [16/Jul/2020:14:55:42 +0200] "GET /mellon/endpoint/login?ReturnTo=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&IdP=http%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust HTTP/1.1" 303 888 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
 [Thu Jul 16 14:55:42.476510 2020] [ssl:debug] [pid 470] ssl_engine_kernel.c(377): [client 192.168.1.1:49870] AH02034: Subsequent (No.3) HTTPS request received for child 3 (server webservice.example.com:443), referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.478651 2020] [authz_core:debug] [pid 470] mod_authz_core.c(820): [client 192.168.1.1:49870] AH01626: authorization result of Require all granted: granted, referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.478686 2020] [authz_core:debug] [pid 470] mod_authz_core.c(820): [client 192.168.1.1:49870] AH01626: authorization result of <RequireAny>: granted, referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.513884 2020] [auth_mellon:debug] [pid 470] auth_mellon_handler.c(278): [client 192.168.1.1:49870] loaded IdP "http://adfs.example.com/adfs/services/trust" from "/opt/rh/httpd24/root/etc/httpd/conf.d/mellon/FederationMetadata.xml"., referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 [Thu Jul 16 14:55:42.514805 2020] [auth_mellon:error] [pid 470] [client 192.168.1.1:49870] Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Responder", StatusCode2="(null)", StatusMessage="(null)", referer: https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID
 192.168.1.1 - - [16/Jul/2020:14:55:42 +0200] "POST /mellon/endpoint/postResponse HTTP/1.1" 401 381 "https://adfs.example.com/adfs/ls/wia?SAMLRequest=SAML_REQUEST_TOKENtptps%SAML_TOKEN_XXXRelayState=https%3A%2F%2Fwebservice.example.com%2Fadmin%2F&client-request-id=CLIENT_REQUEST_ID" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

Question

What should I analyze, test or change in my setup in order to solve the issue?
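One way to triage a lasso -432 without guessing is to decode the SAMLResponse that MellonSamlResponseDump writes to the error log and read its Status block directly. The script below is an added example, not code from the question or from mod_auth_mellon; the sample response is constructed to mirror the logged one (top-level Responder, no second-level code, no StatusMessage). A top-level urn:oasis:names:tc:SAML:2.0:status:Responder means the IdP reported a failure on its own side, so the detail lives in the ADFS event log rather than in the SP configuration; a second-level code or StatusMessage, when present, narrows it further.

```python
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def triage_saml_response(b64_response: str) -> dict:
    """Decode a base64 SAMLResponse (the value POSTed to
    /mellon/endpoint/postResponse) and extract the fields lasso reports
    in its -432 message, plus whether an assertion/signature is present."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in response")
    code1 = status.find("samlp:StatusCode", NS)
    # Second-level codes (e.g. RequestDenied) nest inside the first one.
    code2 = code1.find("samlp:StatusCode", NS) if code1 is not None else None
    msg = status.find("samlp:StatusMessage", NS)
    value1 = code1.get("Value") if code1 is not None else None
    return {
        "status_code1": value1,
        "status_code2": code2.get("Value") if code2 is not None else None,
        "status_message": msg.text if msg is not None else None,
        "success": value1 == "urn:oasis:names:tc:SAML:2.0:status:Success",
        # On an IdP-side failure ADFS usually sends no Assertion at all,
        # so signature settings on the SP cannot be the cause.
        "has_assertion": root.find("saml:Assertion", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
    }


# Constructed sample mirroring the failure in the question's log.
FAILED_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-1" Version="2.0" IssueInstant="2020-07-16T12:55:42Z"
  Destination="https://webservice.example.com/mellon/endpoint/postResponse">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>""").decode()

if __name__ == "__main__":
    for key, val in triage_saml_response(FAILED_RESPONSE).items():
        print(f"{key}: {val}")
```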
