Bug 1691894

Summary: [RFE] Config option to change mod_auth_mellon prefix
Product: Red Hat Enterprise Linux 8
Reporter: David Mulford <dmulford>
Component: mod_auth_mellon
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: low
Docs Contact:
Priority: unspecified
Version: 8.1
CC: spoore
Target Milestone: rc
Keywords: FutureFeature
Target Release: 8.2
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: mod_auth_mellon-0.14.0-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-05 21:09:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Mulford 2019-03-22 18:55:18 UTC
mod_auth_mellon-0.14.0-2.el7 forces a prefix of 'MELLON_' for all environment variables.  It would be nice to change the prefix in the config file from 'MELLON_' to something else to make migrating from another Service Provider easier.

Using MellonSetEnvNoPrefix is a workaround, but with a few dozen environment variables set by the identity provider this is a very tedious process.

Comment 3 Jakub Hrozek 2019-04-10 11:03:48 UTC
Proposed a PR: https://github.com/Uninett/mod_auth_mellon/pull/200

Comment 8 Scott Poore 2019-06-11 18:48:33 UTC
Verified.

Version ::

mod_auth_mellon-0.14.0-8.el8.x86_64

Results ::

[root@sp2 ~]# cat /etc/httpd/conf.d/example_app_mellon_keycloak_master.conf
<Location /example_app>
    MellonEnable info
    MellonEndpointPath /example_app/mellon/
    MellonSPMetadataFile /etc/httpd/saml2/example_app_sp_metadata.xml
    MellonSPPrivateKeyFile /etc/httpd/saml2/example_app.key
    MellonSPCertFile /etc/httpd/saml2/example_app.cert
    MellonIdPMetadataFile /etc/httpd/saml2/example_app_keycloak_master_idp_metadata.xml
    MellonIdP IDP
</Location>

<Location /example_app/private>
    AuthType Mellon
    MellonEnable auth
    MellonPostReplay On
    Require valid-user
    MellonEnvPrefix "NOLLEM_"
</Location>

MellonPostDirectory /var/cache/example_app_post_directory


[root@sp2 ~]# cat /var/www/html/example_app/private/index.html 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp2.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp2.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre><!--#printenv --></pre>


[root@sp2 conf.d]# echo Secret123 |keycloak-httpd-client-install --client-originate-method registration --keycloak-server-url https://idp.keycloak.test:8443 --keycloak-admin-username admin --keycloak-admin-password-file -  --app-name example_app --keycloak-realm master --mellon-root example_app --mellon-https-port 8443 --mellon-protected-locations "/example_app/private" --force
[Step  1] Connect to Keycloak Server
[Step  2] Create Directories
[Step  3] Set up template environment
[Step  4] Set up Service Provider X509 Certificiates
[Step  5] Build Mellon httpd config file
[Step  6] Build Mellon SP metadata file
[Step  7] Query realms from Keycloak server
[Step  8] Use existing realm on Keycloak server
[Step  9] Query realm clients from Keycloak server
[Step 10] Get new initial access token
[Step 11] Creating new client using registration service
[Step 12] Enable saml.force.post.binding
[Step 13] Add group attribute mapper to client
[Step 14] Add Redirect URIs to client
[Step 15] Retrieve IdP metadata from Keycloak server
[Step 16] Completed Successfully


Then accessed https://sp2.keycloak.test:8443/example_app/private as ipauser1 and saw this:

...
NOLLEM_NAME_ID=G-7a28d52b-deae-4e29-a78f-d6c3168b2b19
NOLLEM_NAME_ID_0=G-7a28d52b-deae-4e29-a78f-d6c3168b2b19
NOLLEM_groups=ipausers
NOLLEM_groups_0=ipausers
NOLLEM_Role=offline_access
NOLLEM_Role_0=offline_access
NOLLEM_Role_1=manage-account
NOLLEM_Role_2=uma_authorization
NOLLEM_Role_3=manage-account-links
NOLLEM_Role_4=view-profile
NOLLEM_IDP=https://idp.keycloak.test:8443/auth/realms/master
NOLLEM_IDP_0=https://idp.keycloak.test:8443/auth/realms/master
...
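The description above motivates the new MellonEnvPrefix directive by the tedium of the MellonSetEnvNoPrefix workaround, and the printenv output in the verification shows the variable layout an application actually sees (each attribute once unsuffixed and once per value as NAME_0, NAME_1, ...). The following is an added example, not code from the bug report, from mod_auth_mellon or from the keycloak-httpd-client-install tool: a small Python consumer that reads Mellon attributes out of a CGI/WSGI-style environ for whatever prefix the SP was configured with, plus a generator for the old per-attribute workaround lines so the two configurations can be compared. The sample environ is constructed from the NOLLEM_ output above; the HTTP_NOLLEM_* entries are added to show that request headers (which any client can send) must never be read as SSO attributes, only the prefixed variables the module sets in the subprocess environment. The `MellonSetEnvNoPrefix <newName> <oldName>` syntax is taken from the module's documentation; the env-name validity check on the prefix is this example's own sanity check, not a behaviour of mod_auth_mellon.

```python
"""Consume mod_auth_mellon attributes exported under a configurable env prefix.

Added example, not code from the bug report or from mod_auth_mellon itself.
mod_auth_mellon publishes each attribute as <PREFIX><name> (first value) and
<PREFIX><name>_<i> (one per value), as in the printenv output in the bug.
"""
import re
from typing import Dict, List, Mapping

# Constructed sample environ mirroring the NOLLEM_ output in the bug report.
# HTTP_* entries model attacker-supplied request headers: a client can send any
# header it likes, but it cannot set the subprocess environment that
# mod_auth_mellon populates, so only the prefixed variables are trustworthy.
SAMPLE_ENVIRON = {
    "NOLLEM_NAME_ID": "G-7a28d52b-deae-4e29-a78f-d6c3168b2b19",
    "NOLLEM_NAME_ID_0": "G-7a28d52b-deae-4e29-a78f-d6c3168b2b19",
    "NOLLEM_groups": "ipausers",
    "NOLLEM_groups_0": "ipausers",
    "NOLLEM_Role": "offline_access",
    "NOLLEM_Role_0": "offline_access",
    "NOLLEM_Role_1": "manage-account",
    "NOLLEM_Role_2": "uma_authorization",
    "NOLLEM_Role_3": "manage-account-links",
    "NOLLEM_Role_4": "view-profile",
    "NOLLEM_IDP": "https://idp.keycloak.test:8443/auth/realms/master",
    "NOLLEM_IDP_0": "https://idp.keycloak.test:8443/auth/realms/master",
    "HTTP_NOLLEM_ROLE": "admin",      # constructed: spoofed request header
    "HTTP_NOLLEM_GROUPS": "admins",   # constructed: spoofed request header
    "REQUEST_URI": "/example_app/private",
}

# <base>_<index>; greedy base so "a_1_2" splits as base "a_1", index 2.
_INDEXED = re.compile(r"^(?P<base>.+)_(?P<idx>\d+)$")

# Conservative rule for a usable env-var prefix (this example's own check):
# letters, digits and underscore only, so shells and CGI consumers can read it.
_PREFIX_OK = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_mellon_env(environ: Mapping[str, str], prefix: str = "MELLON_") -> Dict[str, List[str]]:
    """Return {attribute: [values...]} for every variable under `prefix`.

    Only keys starting with `prefix` are considered, so HTTP_* request headers
    are ignored even when a client names them to resemble Mellon variables.
    A key <base>_<i> is treated as the i-th value of <base> only when <base>
    itself is also present, which keeps an attribute whose own name ends in
    _<digits> from being mistaken for an indexed value.
    """
    names = {k[len(prefix):]: v for k, v in environ.items() if k.startswith(prefix)}
    indexed: Dict[str, Dict[int, str]] = {}
    for name, value in names.items():
        m = _INDEXED.match(name)
        if m and m.group("base") in names:
            indexed.setdefault(m.group("base"), {})[int(m.group("idx"))] = value
    result: Dict[str, List[str]] = {}
    for name, value in names.items():
        m = _INDEXED.match(name)
        if m and m.group("base") in names:
            continue  # folded into its base attribute above
        if name in indexed:
            result[name] = [indexed[name][i] for i in sorted(indexed[name])]
        else:
            result[name] = [value]
    return result


def has_value(attrs: Mapping[str, List[str]], name: str, wanted: str) -> bool:
    """Authorization helper: is `wanted` among the values of attribute `name`?"""
    return wanted in attrs.get(name, [])


def prefix_config(prefix: str) -> str:
    """Single directive available from mod_auth_mellon-0.14.0-8.el8 onwards."""
    if not _PREFIX_OK.match(prefix):
        raise ValueError(f"prefix {prefix!r} is not a safe environment-variable prefix")
    return f'MellonEnvPrefix "{prefix}"'


def workaround_config(attributes: List[str], prefix: str) -> str:
    """Pre-fix workaround: one MellonSetEnvNoPrefix <newName> <oldName> line per
    SAML attribute, renaming each away from the hard-coded MELLON_ prefix."""
    if not _PREFIX_OK.match(prefix):
        raise ValueError(f"prefix {prefix!r} is not a safe environment-variable prefix")
    return "\n".join(f'MellonSetEnvNoPrefix "{prefix}{a}" "{a}"' for a in attributes)


if __name__ == "__main__":
    attrs = parse_mellon_env(SAMPLE_ENVIRON, prefix="NOLLEM_")
    for name, values in sorted(attrs.items()):
        print(f"{name}: {values}")
    print("ipausers member:", has_value(attrs, "groups", "ipausers"))
    print(prefix_config("NOLLEM_"))
    print(workaround_config(["groups", "Role"], "NOLLEM_"))
```

Running the block against the constructed environ yields Role as a five-element list in index order and ignores both HTTP_NOLLEM_* headers; parsing the same environ with the default MELLON_ prefix returns nothing, which is exactly the migration problem the report describes when an application expects one prefix and the SP emits another.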

Comment 10 errata-xmlrpc 2019-11-05 21:09:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3421