Bug 1253821
| Summary: | ipsilon client redirect not working with custom saml paths | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipsilon | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ksiddiqu, nkinder, puiterwijk, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipsilon-1.0.0-9.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 10:50:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Scott Poore
2015-08-14 19:36:56 UTC
Everything needs to be under the same base, including the protected site. So if you use --saml-auth /base1/secure1 instead of --saml-auth /secure1 it will work.

Yes, that worked:

```
[root@client2 secure]# ipsilon-client-install --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-auth /base1/secure --saml-base /base1 --saml-sp /base1/saml2 --saml-sp-logout /base1/saml2/logout --saml-sp-post /base1/saml2/postResponse
Generating a 2048 bit RSA private key
............................+++
...........................................................................+++
writing new private key to '/etc/httpd/saml2/client2.testrelm.test/certificate.key'
-----
admin password: 
[root@client2 secure]# systemctl restart httpd
[root@client2 secure]# curl https://$(hostname)/base1/secure
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>303 See Other</title>
</head><body>
<h1>See Other</h1>
<p>The answer to your request is located <a href="https://client2.testrelm.test/base1/saml2/login?ReturnTo=https%3A%2F%2Fclient2.testrelm.test%2Fbase1%2Fsecure&IdP=https%3A%2F%2Fidp.testrelm.test%2Fidp%2Fsaml2%2Fmetadata">here</a>.</p>
</body></html>
```

So this too works as expected.

Should this be checked on the command line if paths don't match for those settings? And warn/fail if mismatched?

Yes. Some checking is done and even that is not exactly adequate. This is at least tangentially related to upstream ticket https://fedorahosted.org/ipsilon/ticket/145

Upstream ticket: https://fedorahosted.org/ipsilon/ticket/163

Merged upstream: 3b079b3735ea98b3b36b22b0f0353cb56f023dad

Verified.

Version ::

```
ipsilon-client-1.0.0-9.el7.noarch
```

Results ::

```
[root@client1 ~]# ipsilon-client-install --saml-auth /secure1 --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-base /base1 --saml-sp /base1/saml2 --saml-sp-logout /base1/saml2/logout --saml-sp-post /base1/saml2/postResponse
--saml-auth must be a subpath of --saml-base.

[root@client1 ~]# ipsilon-client-install --saml-auth /base1/secure1 --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-base /base1 --saml-sp /base2/saml2 --saml-sp-logout /base2/saml2/logout --saml-sp-post /base1/saml2/postResponse
--saml-sp must be a subpath of --saml-base.

[root@client1 ~]# ipsilon-client-install --saml-auth /base1/secure1 --saml-idp-url https://idp.testrelm.test/idp --saml-sp-name $(hostname -s) --saml-base /base1 --saml-sp /base1/saml2 --saml-sp-logout /base2/saml2/logout --saml-sp-post /base2/saml2/postResponse
--saml-sp-logout must be a subpath of --saml-sp
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2319.html
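
The subpath rules shown in the verification output above, written out as an added example (not ipsilon's own code). It compares path segments rather than string prefixes, so `/base10/secure` is not accepted under `/base1`; the option keys, the rule for `--saml-sp-post`, and treating an equal path as a subpath are assumptions.

```python
import posixpath

# (option, option it must sit under), from the installer messages quoted in
# this report. Assumption: --saml-sp-post follows the same rule as
# --saml-sp-logout; the report does not show a message for it.
RULES = [
    ("saml_auth", "saml_base"),
    ("saml_sp", "saml_base"),
    ("saml_sp_logout", "saml_sp"),
    ("saml_sp_post", "saml_sp"),
]


def _segments(path):
    """Normalise a URL path and split it: '/a//b/../c/' -> ['a', 'c']."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute: %r" % path)
    norm = posixpath.normpath(path)  # collapses '//', '.' and '..'
    return [seg for seg in norm.split("/") if seg]


def is_subpath(child, parent):
    """True if child equals parent or lies below it (assumption: equal is ok).

    Whole segments are compared, so '/base10/x' is not under '/base1',
    which a plain str.startswith() check would wrongly accept.
    """
    c, p = _segments(child), _segments(parent)
    return c[:len(p)] == p


def check_saml_paths(opts):
    """Return one error string per broken rule (empty list if consistent)."""
    errors = []
    for child, parent in RULES:
        if not is_subpath(opts[child], opts[parent]):
            errors.append("--%s must be a subpath of --%s" % (
                child.replace("_", "-"), parent.replace("_", "-")))
    return errors
```

Unlike the installer runs quoted above, which stop at the first mismatch, `check_saml_paths` reports every broken rule in one pass.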