
I have a secure SSO site that uses Shibboleth authentication and a SAML identity provider. I need to allow a Google Search Appliance crawler to come and index the URLs. I have a requirement to change the authentication on HTTP requests from SAML to Basic authentication for the GSA user-agent only, without rewriting URLs. How can I configure Apache or Shibboleth to handle this?

On another thread I saw a suggestion to configure different subdirectories for different Auth Types: How do I accept multiple authentication options in Apache? Unfortunately this approach does not satisfy my requirement because it alters the URLs -- GSA would index an extra token prepended to the URL and output it in the search results instead of the canonical URLs.

My shibboleth2.xml is configured for SAML 2.0. Here is a snippet of the vhost in Apache. Is there a way to add conditional logic for the authentication type in a virtual host in either Apache 2.2 or 2.4? Or is there a way to solve this using the Shib configuration?

<VirtualHost *:443>
DocumentRoot    "/var/dispatcher/cache/www"
# Wish I could make use of this variable to toggle AuthTypes
SetEnvIfNoCase User-Agent ^gsa-crawler is_gsa_crawler

<Location />
    # for end users
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    Require valid-user
</Location>

<Location />
    # for gsa
    AuthType Basic
    AuthName "Secure"
    AuthBasicProvider file
    AuthUserFile path_to/basic_pw_file
    Require valid-user
</Location>

<Directory "/var/dispatcher/cache/www">
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>
chowmojo
  • BTW, it sounds like you're going to index private content while still allowing it to be protected for the rest of the world. This doesn't answer your question directly, but why don't you simply whitelist the IPs for the GSA boxes? You can do a list of `Allow from ` with `require valid-user` and `satisfy any` and get the same behavior you're looking for, but based on IP instead of user-agent. – Martin Nov 28 '14 at 16:12

2 Answers


I'm not sure you could do this with mod_access -- it doesn't support selectively choosing auth mechanisms as far as I know, it only allows a list of mechanisms it can fall through until it fails them all or one succeeds. And the problem is that you can't 'attempt SAML' without redirecting the user off site.

If you did this in a programming language, with passive auth, I think it would be trivial (if statements and redirects). But using 'require valid-user' and other mod_access things won't get you where I think you're trying to go.

My answer mostly applies to Apache < 2.4.x, as I'm not 100% confident that 2.4 is missing your feature set (they changed a lot).

Martin

I just asked something similar and found a possible solution that may be relevant for this entry as well:

Combine apache auth providers of different types with basic auth only if proactively provided by client

You basically use an <If></If><Else></Else> check wrapped around two sets of authorization directives.

Nathan Neulinger
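The `<If>`/`<Else>` approach from the answer above, combined with Martin's IP-based suggestion from the comments, written out as an added example (Apache 2.4 only; not from the original post or the linked thread). The crawler CIDR `192.0.2.0/24` and the password-file path are constructed placeholders. Keying the switch on User-Agent alone is weak, since any client can send that header; requiring the source address to match as well means a spoofed User-Agent from elsewhere still lands in the Shibboleth branch.

```apache
<VirtualHost *:443>
    DocumentRoot "/var/dispatcher/cache/www"

    <Location />
        # Basic auth only when BOTH conditions hold: the GSA User-Agent AND
        # a request source inside the crawler's address range (placeholder CIDR).
        # User-Agent is attacker-controlled; the address check is what makes
        # this branch hard to reach from the outside.
        <If "%{HTTP_USER_AGENT} =~ /^gsa-crawler/ && %{REMOTE_ADDR} -ipmatch '192.0.2.0/24'">
            AuthType Basic
            AuthName "Secure"
            AuthBasicProvider file
            AuthUserFile /etc/httpd/gsa_basic_pw_file
            Require valid-user
        </If>
        <Else>
            # Everyone else goes through Shibboleth / SAML as before.
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            ShibUseHeaders On
            Require valid-user
        </Else>
    </Location>

    <Directory "/var/dispatcher/cache/www">
        Require all granted
    </Directory>
</VirtualHost>
```

Because the branch is chosen per request and the URL is never rewritten, the crawler indexes the canonical URLs; the `Order`/`Allow` pair from the original snippet is replaced by the 2.4 `Require all granted` form, which is what that version expects.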