RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1414021 - Incorrect Content-Type header in ECP PAOS response, should be application/vnd.paos+xml
Summary: Incorrect Content-Type header in ECP PAOS response, should be application/vnd...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_auth_mellon
Version: 7.4
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: John Dennis
QA Contact: Scott Poore
URL:
Whiteboard:
: 1414024 (view as bug list)
Depends On: 1414019 1414024
Blocks: 1414020 1419456
TreeView+ depends on / blocked
 
Reported: 2017-01-17 14:44 UTC by John Dennis
Modified: 2017-08-01 20:29 UTC (History)
12 users (show)

Fixed In Version: mod_auth_mellon-0.11.0-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1414019
: 1419456 (view as bug list)
Environment:
Last Closed: 2017-08-01 20:29:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github https://github.com/UNINETT mod_auth_mellon issues 108 0 None None None 2017-01-17 14:44:41 UTC
Red Hat Product Errata RHBA-2017:1895 0 normal SHIPPED_LIVE mod_auth_mellon bug fix update 2017-08-01 18:25:32 UTC

Description John Dennis 2017-01-17 14:44:41 UTC 
+++ This bug was initially created as a clone of Bug #1414019 +++

When an ECP client signals it is ECP capable and authentication is required for the protected resource it is trying to access mellon responds with PAOS content that wraps the SAML AuthnRequest. The HTTP Content-Type header must be "application/vnd.paos+xml". However in some versions of Apache the returned Content-Type header is "text/html" which breaks the ECP flow because the ECP client does not expect it.

The problem arises because mellon was using the wrong Apache call to set the Content-Type header. In some versions of Apache this worked but in others it did not.

Upstream bug: https://github.com/UNINETT/mod_auth_mellon/issues/108

Upstream git commit: 040a1ae5cb2aab38b2bc716cc3d0d6fa7b998a7a
Comment 2 John Dennis 2017-01-23 16:22:16 UTC 
*** Bug 1414024 has been marked as a duplicate of this bug. ***
Comment 13 Scott Poore 2017-05-03 20:37:47 UTC 
Verified.

Version ::

mod_auth_mellon-0.11.0-4.el7.x86_64


Results ::

[root@rhel7-2 ~]# yum -y install httpd mod_auth_mellon mod_ssl openssl
...

[root@rhel7-2 ~]# cat > /etc/httpd/conf.d/mellon.conf <<EOF
> <Location /mroot >
>     MellonEnable info
>     MellonEndpointPath /mroot/mellon/
>     MellonSPMetadataFile /etc/httpd/saml2/mellon_metadata.xml
>     MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
>     MellonSPCertFile /etc/httpd/saml2/mellon.crt
>     MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
> </Location>
> 
> <Location /mroot/private >
>     AuthType Mellon
>     MellonEnable auth
>     Require valid-user
> </Location>
> 
> <Directory /var/www/html/mroot/private>
>     Options +Includes
>     AddOutputFilter INCLUDES .html
> </Directory>
> EOF

[root@rhel7-2 ~]# mkdir -p /var/www/html/mroot/private

[root@rhel7-2 ~]# echo "KEEP OUT" >> /var/www/html/mroot/private/index.html

[root@rhel7-2 ~]# fqdn=`hostname`

[root@rhel7-2 ~]# mellon_endpoint_url="https://${fqdn}/mroot/mellon"

[root@rhel7-2 ~]# mellon_entity_id="${mellon_endpoint_url}/metadata"

[root@rhel7-2 ~]# file_prefix="$(echo "$mellon_entity_id" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')"

[root@rhel7-2 ~]# /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh $mellon_entity_id $mellon_endpoint_url
Output files:
Private key:                              https_rhel_.example.com_mroot_mellon_metadata.key
Certificate:                              https_rhel_.example.com_mroot_mellon_metadata.cert
Metadata:                                 https_rhel_.example.com_mroot_mellon_metadata.xml
Host:                                     rhel7-2.example.com

Endpoints:
SingleLogoutService (SOAP):               https://rhel7-2.example.com/mroot/mellon/logout
SingleLogoutService (HTTP-Redirect):      https://rhel7-2.example.com/mroot/mellon/logout
AssertionConsumerService (HTTP-POST):     https://rhel7-2.example.com/mroot/mellon/postResponse
AssertionConsumerService (HTTP-Artifact): https://rhel7-2.example.com/mroot/mellon/artifactResponse
AssertionConsumerService (PAOS):          https://rhel7-2.example.com/mroot/mellon/paosResponse

[root@rhel7-2 ~]# mkdir /etc/httpd/saml2

[root@rhel7-2 ~]# mv ${file_prefix}.cert /etc/httpd/saml2/mellon.crt

[root@rhel7-2 ~]# mv ${file_prefix}.key /etc/httpd/saml2/mellon.key

[root@rhel7-2 ~]# mv ${file_prefix}.xml /etc/httpd/saml2/mellon_metadata.xml

# Here I'm actually using the IDP Metadata file from bug #1447770

[root@rhel7-2 ~]# wget https://bugzilla.redhat.com/attachment.cgi?id=1275970
--2017-05-03 15:18:54--  https://bugzilla.redhat.com/attachment.cgi?id=1275970
Resolving bugzilla.redhat.com (bugzilla.redhat.com)... 10.4.205.4
Connecting to bugzilla.redhat.com (bugzilla.redhat.com)|10.4.205.4|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3695 (3.6K) [application/xml]
Saving to: ‘attachment.cgi?id=1275970’

100%[=============================================================>] 3,695       --.-K/s   in 0s      

2017-05-03 15:18:54 (586 MB/s) - ‘attachment.cgi?id=1275970’ saved [3695/3695]

[root@rhel7-2 ~]# mv attachment.cgi\?id\=1275970 /etc/httpd/saml2/idp_metadata.xml


[root@rhel7-2 ~]# cd /etc/httpd/conf.d/

[root@rhel7-2 conf.d]# restorecon -R /etc/httpd/saml2

[root@rhel7-2 conf.d]# systemctl restart httpd

[root@rhel7-2 conf.d]# curl -k -v -H 'Accept:text/html, application/vnd.paos+xml' -H 'PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://$(hostname)/mroot/private/index.html
* About to connect() to rhel7-2.example.com port 443 (#0)
*   Trying 192.168.122.72...
* Connected to rhel7-2.example.com (192.168.122.72) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: E=root.com,CN=rhel7-2.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* 	start date: May 03 20:06:16 2017 GMT
* 	expire date: May 03 20:06:16 2018 GMT
* 	common name: rhel7-2.example.com
* 	issuer: E=root.com,CN=rhel7-2.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
> GET /mroot/private/index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: rhel7-2.example.com
> Accept:text/html, application/vnd.paos+xml
> PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
> 
< HTTP/1.1 200 OK
< Date: Wed, 03 May 2017 20:30:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
< Cache-Control: private, max-age=0, must-revalidate
< Content-Length: 3513
< Content-Type: application/vnd.paos+xml
< 
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header><paos:Request responseConsumerURL="https://rhel7-2.example.com/mroot/mellon/paosResponse" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="_D12FE1AB1DF8C79D18D3EFECE89599A3" s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next"/><ecp:Request s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false"><saml:Issuer>https://rhel7-2.example.com/mroot/mellon/metadata</saml:Issuer></ecp:Request><ecp:RelayState s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next">https://rhel7-2.example.com/mroot/private/index.html</ecp:RelayState></s:Header><s:Body><samlp:AuthnRequest ID="_232D92D80D25E0B8C9BF94861B53FB79" Version="2.0" IssueInstant="2017-05-03T20:30:46Z" Destination="https://rhel7-2.example.com/mroot/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://rhel7-2.example.com/mroot/mellon/paosResponse"><saml:Issuer>https://rhel7-2.example.com/mroot/mellon/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_232D92D80D25E0B8C9BF94861B53FB79">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>cJAvFqm7RUyR+0UYazv4GoAF9g4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>W8EDMeU/0DRydRfPMDWKTvmj02f0r64aaWUxgVVgAfO1U/QADkAa7kiWmmKObksC
XDXDMmDYGgABc1mBvtn9aiSricTAKkkJmfOoUU8mRW26j7aMJ6jW/HGv2ix5bqqJ
A0c0URnnVkXwHj9AQPF9hdXfYaDrPhtXfkHazHybwwXk98M4fFGQs6NLDdwxEnXw
iz1+l+oSVhCQaDT3zGbXNdObgXkVSvsHNTDotXTIf746X1+Kkh5SOnheOM3+LU5w
LcFUPr1bHfzhB7MF5RN2w9v242eDMDjoeRCV6hgJ/uiz8IRx+GFAGGd4xJ29pjqi
ObwiFDA2g+3yo0Cem1zziQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICuDCCAaACCQDDskLgEkCyCTANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNy
aGVsNy0yLmV4YW1wbGUuY29tMB4XDTE3MDUwMzIwMTY1MloXDTI3MDUwMzIwMTY1
MlowHjEcMBoGA1UEAwwTcmhlbDctMi5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMQzdj/sTM2MzrKFy0dTLiySzbZMCzSH1byIJ0sf
eHv2UgXXJ3FSidwewRMf2gOwLhKTOKM641bWz7r4mQQgbuOD1XTnvurJ7E3i8zNq
Cvt8PMFPAYyzBUjgHyY+K6AeAlT5NqXcZYf/CKuRVBWpJcDxK0ydwhQu4J1L4Rox
tvBtZQjmtLiTSUpb+ytQVmKDvpQWAob5fh7YG0LDMXQ9jKjSt1K8XR6tIqCq0ntf
sQLKYzuJFcdggns+Td7MPGAIMlXlNk/7+BmX9TFv4W7slitLC1QK/64zXqAyFCjo
Dm19E/W6kvzcOeUOL21+C1XYQJWJttz394ZMATreokSQG8UCAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAXX7CaEXhjbjzTQBt9VE0KYGijUsrWiBkGQsADoYwZDhO60Vc
G3Ckspq0nT/JZWfrimMpJtnmfh9uD8q+s2tBjef17+jyXJnKu0zDAUc+1YmAPOUX
6ORooBvVtIiK2BWaeiuKBXm7ZfaX9p8nGw4MYHbRRmsyJlENgorjAZpwDfzOO60e
uARfzP1UAa0IV0hYpCwQRcu6CiISSdKgAwmeb5R4VYJzphxyQq3Q+0GWaQM39snP
kdiUZ6ip0KU21fkXU61ngYX8tuHTzoWDO7/rmyI3mgW6Ni/KVetpjgzogIpjozJt
rWOF2ObiWft1ABc7VdQrM+SK9b+6w7+esNzQWw==</X509Certificate>
</X509Data>
</KeyInfo>
* Connection #0 to host rhel7-2.example.com left intact
</Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest></s:Body></s:Envelope>

[root@rhel7-2 conf.d]# 


And the short answer is:

[root@rhel7-2 conf.d]# curl -k -v -H 'Accept:text/html, application/vnd.paos+xml' -H 'PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://$(hostname)/mroot/private/index.html 2>&1|grep Content-Type
< Content-Type: application/vnd.paos+xml
Comment 15 errata-xmlrpc 2017-08-01 20:29:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1895
Note You need to log in before you can comment on or make changes to this bug.