Bug 1253821
| Summary: | ipsilon client redirect not working with custom saml paths | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipsilon | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | ksiddiqu, nkinder, puiterwijk, spoore |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipsilon-1.0.0-9.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 10:50:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Scott Poore
2015-08-14 19:36:56 UTC
Everything needs to be under the same base, including the protected site. So if you use --saml-auth /base1/secure1 instead of --saml-auth /secure1 it will work. Yes, that worked: [root@client2 secure]# ipsilon-client-install --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-auth /base1/secure --saml-base /base1 --saml-sp /base1/saml2 --saml-sp-logout /base1/saml2/logout --saml-sp-post /base1/saml2/postResponse Generating a 2048 bit RSA private key ............................+++ ...........................................................................+++ writing new private key to '/etc/httpd/saml2/client2.testrelm.test/certificate.key' ----- admin password: [root@client2 secure]# systemctl restart httpd [root@client2 secure]# curl https://$(hostname)/base1/secure <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>303 See Other</title> </head><body> <h1>See Other</h1> <p>The answer to your request is located <a href="https://client2.testrelm.test/base1/saml2/login?ReturnTo=https%3A%2F%2Fclient2.testrelm.test%2Fbase1%2Fsecure&IdP=https%3A%2F%2Fidp.testrelm.test%2Fidp%2Fsaml2%2Fmetadata">here</a>.</p> </body></html> So this too works as expected. Should this be checked on the command line if paths don't match for those settings? And warn/fail if mismatched? Yes. Some checking is done and even that is not exactly adequate. This is at least tangentially related to upstream ticket https://fedorahosted.org/ipsilon/ticket/145 Upstream ticket: https://fedorahosted.org/ipsilon/ticket/163 Merged upstream: 3b079b3735ea98b3b36b22b0f0353cb56f023dad Verified. Version :; ipsilon-client-1.0.0-9.el7.noarch Results :: [root@client1 ~]# ipsilon-client-install --saml-auth /secure1 --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-base /base1 --saml-sp /base1/saml2 --saml-sp-logout /base1/saml2/logout --saml-sp-post /base1/saml2/postResponse --saml-auth must be a subpath of --saml-base. [root@client1 ~]# ipsilon-client-install --saml-auth /base1/secure1 --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-base /base1 --saml-sp /base2/saml2 --saml-sp-logout /base2/saml2/logout --saml-sp-post /base1/saml2/postResponse --saml-sp must be a subpath of --saml-base. [root@client1 ~]# ipsilon-client-install --saml-auth /base1/secure1 --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-base /base1 --saml-sp /base1/saml2 --saml-sp-logout /base2/saml2/logout --saml-sp-post /base2/saml2/postResponse --saml-sp-logout must be a subpath of --saml-sp Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-2319.html |