1447770 – mellon Error adding IdP to lasso server object

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1447770 - mellon Error adding IdP to lasso server object

Summary: mellon Error adding IdP to lasso server object

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_auth_mellon
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	John Dennis
QA Contact:	John Dennis
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-03 18:49 UTC by Scott Poore
Modified:	2023-07-20 21:50 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-06-16 16:15:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
idp metadata file from rhsso 7.1 (3.61 KB, application/xml) 2017-05-03 19:23 UTC, Scott Poore	no flags	Details
mellon config file generated by keycloak-httpd-client-install (510 bytes, text/plain) 2017-05-03 19:23 UTC, Scott Poore	no flags	Details
View All

Description Scott Poore 2017-05-03 18:49:16 UTC

Description of problem:

Trying to setup a SAML SP with an RHSSO 7.1.0 IDP, I'm seeing the following after an error 500 trying to access a protected space:

[Wed May 03 13:23:16.992807 2017] [:error] [pid 13338] [client 192.168.122.1:41236] Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile.


Version-Release number of selected component (if applicable):
keycloak-httpd-client-install-0.6-1.el7.noarch
mod_auth_mellon-0.11.0-4.el7.x86_64
httpd-2.4.6-65.el7.x86_64

How reproducible:
Unknown.

Steps to Reproduce:
1.  Setup RH-SSO 7.1.0 IDP server
2.  Install mod_auth_mellon
3.  use keycloak-httpd-client-install to setup mod_auth_mellon and register SP with RH-SSO.

[root@sp1 ~]# keycloak-httpd-client-install   \
>     --client-originate-method registration \
>     --keycloak-server-url https://idp.keycloak.test:8443 \
>     --keycloak-admin-username admin \
>     --keycloak-admin-password Secret1230 \
>     --app-name testapp \
>     --keycloak-realm test_realm \
>     --mellon-protected-locations "/private" \
>     --mellon-root mellon_root \
>     --force

4.  Try to access proteted space from web browser ro curl

Actual results:
[root@sp1 conf.d]# curl -k -v -H 'Accept:text/html, application/vnd.paos+xml' -H 'PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://$(hostname)/private/index.html
* About to connect() to sp1.keycloak.test port 443 (#0)
*   Trying 192.168.122.192...
* Connected to sp1.keycloak.test (192.168.122.192) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: E=root.test,CN=sp1.keycloak.test,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* 	start date: May 03 18:11:04 2017 GMT
* 	expire date: May 03 18:11:04 2018 GMT
* 	common name: sp1.keycloak.test
* 	issuer: E=root.test,CN=sp1.keycloak.test,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
> GET /private/index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sp1.keycloak.test
> Accept:text/html, application/vnd.paos+xml
> PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
> 
< HTTP/1.1 500 Internal Server Error
< Date: Wed, 03 May 2017 18:48:04 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
< Cache-Control: private, max-age=0, must-revalidate
< Content-Length: 527
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
* Closing connection 0

[root@sp1 conf.d]# tail -1 /var/log/httpd/ssl_error_log
[Wed May 03 13:48:29.579876 2017] [:error] [pid 13342] [client 192.168.122.192:60752] Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile.



Expected results:

From browser, should be prompted for login.

Additional info:

Comment 2 Scott Poore 2017-05-03 18:50:48 UTC

[root@sp1 conf.d]# cat testapp_mellon_keycloak_test_realm.conf 
<Location /mellon_root>
    MellonEnable info
    MellonEndpointPath /mellon_root/mellon/
    MellonSPMetadataFile /etc/httpd/saml2/testapp_sp_metadata.xml
    MellonSPPrivateKeyFile /etc/httpd/saml2/testapp.key
    MellonSPCertFile /etc/httpd/saml2/testapp.cert
    MellonIdPMetadataFile /etc/httpd/saml2/testapp_keycloak_test_realm_idp_metadata.xml
    MellonIdP IDP
    MellonMergeEnvVars On ";"
</Location>

<Location /private>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</Location>

===================================================================

[root@sp1 conf.d]# cat /etc/httpd/saml2/testapp_keycloak_test_realm_idp_metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright 2016 Red Hat, Inc. and/or its affiliates
  ~ and other contributors as indicated by the @author tags.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
					xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
	<EntityDescriptor entityID="https://idp.keycloak.test:8443/auth/realms/test_realm">
		<IDPSSODescriptor WantAuthnRequestsSigned="true"
			protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                        <KeyDescriptor use="signing">
                          <dsig:KeyInfo>
                            <dsig:KeyName>rnXIknR-5n2yyCRyp6DlUjAGaSSSvjXppnHM9CF7TI8</dsig:KeyName>
                            <dsig:X509Data>
                              <dsig:X509Certificate>MIICozCCAYsCBgFbz35pVjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDAp0ZXN0X3JlYWxtMB4XDTE3MDUwMzE4MDUxOVoXDTI3MDUwMzE4MDY1OVowFTETMBEGA1UEAwwKdGVzdF9yZWFsbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMQvoJNVAyYJaVoUiAHVPFUiPJsjirPDlskLdDceDEG73iRWgy4fKfivpR/W4215rK4c6kpN2LUZkIUYG7620EMOybIp88jway75kCSm4PiEOtx+tb1WWMshPQHq1Xf9z00xBMO08Kem5O5Z7xc9dzConmj6p6Hst6Cvzns+n61IfXrNFf5QrA242fuiL3iP9pjYfSNfeVlbj4hskaYpDwduvoIKaqXRSbv+LJza0N4xSmVzi6r31l/Piqep6oQ0Gjh+uFFwAGFo5d+nfa/Wh9Qa43MuYu/WcGYjVTn3F/hiikdWqCJZfeFlVAMBX0kqGOKOPsdI9KtfDK/yFbP9g0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEArEwB6sGNeKzl+2Gvccic0LIhsjptD9QIMliZCG9JSGCvFSYkcVcXTXhOb7AwM+CbJKonDZ8xyuVtATEZcId+jMfoPQtBBXzYxLD6ltg08j7Gn4NPBNpul5dl/wEdcl/2mDrJ3SHLLqXLIbE6nYqiM2c4bnt9Oh1g9TQw1lhGmFrODUJna1EJj04rXYcDCTGVGLQWRmdYzRyIZ3dHvWlX+YMpkrbT7qif1TACwZboWEDg6YeYjbqYKFfPJY/ESj3IIQuc7MtX3Fwju6Cr9GepkoswVp4Gwwdk+wF085Zwcow1k4pmnILLbdal3re3T45NTudEUyz42O7oXsqzfmymnQ==</dsig:X509Certificate>
                            </dsig:X509Data>
                          </dsig:KeyInfo>
                        </KeyDescriptor>

			<SingleLogoutService
					Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
					Location="https://idp.keycloak.test:8443/auth/realms/test_realm/protocol/saml" />
			<SingleLogoutService
					Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
					Location="https://idp.keycloak.test:8443/auth/realms/test_realm/protocol/saml" />
			<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
			<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
			<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
			<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
			<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
				Location="https://idp.keycloak.test:8443/auth/realms/test_realm/protocol/saml" />
			<SingleSignOnService
				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
				Location="https://idp.keycloak.test:8443/auth/realms/test_realm/protocol/saml" />
			<SingleSignOnService
				Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
				Location="https://idp.keycloak.test:8443/auth/realms/test_realm/protocol/saml" />
		</IDPSSODescriptor>
	</EntityDescriptor>
</EntitiesDescriptor>

Comment 3 Scott Poore 2017-05-03 18:52:11 UTC

[root@sp1 ~]# keycloak-httpd-client-install   \
>     --client-originate-method registration \
>     --keycloak-server-url https://idp.keycloak.test:8443 \
>     --keycloak-admin-username admin \
>     --keycloak-admin-password Secret1230 \
>     --app-name testapp \
>     --keycloak-realm test_realm \
>     --mellon-protected-locations "/private" \
>     --mellon-root mellon_root \
>     --force
[Step  1] Connect to Keycloak Server
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
[Step  2] Create Directories
[Step  3] Set up template environment
[Step  4] Set up Service Provider X509 Certificiates
[Step  5] Build Mellon httpd config file
[Step  6] Build Mellon SP metadata file
[Step  7] Query realms from Keycloak server
[Step  8] Use existing realm on Keycloak server
[Step  9] Query realm clients from Keycloak server
[Step 10] Get new initial access token
[Step 11] Creating new client using registration service
[Step 12] Enable saml.force.post.binding
[Step 13] Add group attribute mapper to client
[Step 14] Add Redirect URIs to client
[Step 15] Retrieve IdP metadata from Keycloak server
[Step 16] Completed Successfully

Comment 4 John Dennis 2017-05-03 19:03:31 UTC

please attach the IdP metadata file as an attachment. I can't test reliably if I'm not loading the exact same file.

Comment 5 John Dennis 2017-05-03 19:07:24 UTC

In the past one cause has been the inability of Apache to read the file. Is SELinux enabled? Did you get an AVC denial? How about permissions on the directory and file?

Comment 6 Scott Poore 2017-05-03 19:23:23 UTC

Created attachment 1275970 [details]
idp metadata file from rhsso 7.1

Comment 7 Scott Poore 2017-05-03 19:23:56 UTC

Created attachment 1275971 [details]
mellon config file generated by keycloak-httpd-client-install

Comment 8 John Wade 2017-05-12 19:48:42 UTC

Also hit the same issue:
lasso-2.5.1-2.el7.x86_64
httpd-2.4.6-45.el7_3.4.x86_64
mod_auth_mellon-0.11.0-2.el7.x86_64

Unable to get mellon to accept any IDP metadata, although it is clearly reading and parsing the XML file.  (edits to the file to produce invalid xml or to add unsupported tags do generate different error messages in the apache logs.)

Even tried the example IDP metadata from https://jdennis.fedorapeople.org/doc/mellon-install/mellon-install-guide.html, which presumably worked at one point

Comment 9 John Dennis 2017-05-16 23:48:00 UTC

Re comment #8, using the exact same RPM versions I'm unable to reproduce the problem.

The original bug report should have been closed because it was an SELinux denial that was causing the problem.

Is SELinux enabled? (what does getenforce return?)

In what directory are you storing the metadata?

What is the SELinux label on the directory containing the metadata and the metadata file? (e.g. ls -lZ xxx)

Does the problem go away if you disable SELinux (e.g. setenforce 0) and restart httpd?

Still having problems?

Then please enable debug logging in /etc/http/conf/httpd.conf by changing the LogLevel to debug. Then restart the server and trying again. Look for any lines with "mellon" in the name. Anything interesting?

Still stuck?

Attach the log file and the IdP metadata.

Comment 10 John Dennis 2017-05-16 23:55:08 UTC

Scott, what did you do to resolve the SELinux issue?

Comment 11 Scott Poore 2017-05-17 02:31:02 UTC

John,

I'm sorry, I think there was a misunderstanding.  The SELinux issue I resolved was something with bug #1414021.  If I recall that was an issue with file context on the IDP Metadata file I had copied in manually from this bug to be able to verify that one.  I don't think I ever got a completely configured mellon client using the installer.

I ran a test again and I am seeing the same thing:

/var/log/httpd/ssl_error_log:[Tue May 16 21:19:29.064061 2017] [:error] [pid 16763] [client 192.168.122.192:38670] Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile.

[root@sp1 ~]# egrep "MellonIdPMetadataFile|MellonIdPPublicKeyFile" /etc/httpd/conf.d/*
/etc/httpd/conf.d/testapp_mellon_keycloak_test_realm.conf:    MellonIdPMetadataFile /etc/httpd/saml2/testapp_keycloak_test_realm_idp_metadata.xml
/etc/httpd/conf.d/testapp_mellon_keycloak_test_realm.conf.orig:    MellonIdPMetadataFile /etc/httpd/saml2/testapp_keycloak_test_realm_idp_metadata.xml

[root@sp1 ~]# ls -lZ /etc/httpd/saml2/testapp_keycloak_test_realm_idp_metadata.xml
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/saml2/testapp_keycloak_test_realm_idp_metadata.xml

[root@sp1 ~]# ls -ldZ /etc/httpd/saml2/
drwxr-xr-x. root root unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/saml2/

Comment 12 John Dennis 2017-05-17 16:33:45 UTC

Well, I'm baffled at the moment, I just tried loading the testapp_keycloak_test_realm_idp_metadata.xml file you attached to this bug report and it loads just fine. Here is the entry in my ssl_error_log file:

loaded IdP "https://idp.keycloak.test:8443/auth/realms/test_realm" from "/etc/httpd/saml2/testapp_keycloak_test_realm_idp_meta\
data.xml".

I can think of 2 other things to try:

Run apache under strace, I usually do like this:

strace -f -o /tmp/strace.log /usr/sbin/httpd

Then look at the /tmp/strace.log file and search for the open of the testapp_keycloak_test_realm_idp_metadata.xml file and see if there are any errors opening it. The log should show the first 32 bytes of the file as it's being read. Were there any errors opening and reading the file?

Also please verify you do not have an other config files that might have a MellonIdPMetadataFile directive in it. Unfortunately the error message does not indicate the filename of the failed IdP metadata file.

The other option is give me access to the machine and let me poke around.

Comment 13 John Dennis 2017-05-26 22:55:16 UTC

I found your problem, it's a configuration problem, I should have seen this earlier but missed it myself.

You've got all your mellon config under the location /mellon_root but your
protected location is the location /private.

These two locations are siblings, thus /private cannot inherit the mellon config
from /mellon_root hence you're not loading any metadata or any other mellon
config for that matter when the /private location is hit. Unfortunately the error message is cryptic, something I'll fix in mellon soon.

Locating all your mellon config up at the root is a good strategy, that way any protected area *below* it can inherit from the ancestors above it. This provides a way to avoid duplicating the mellon config information more than once which is error prone. But for this strategy to work the locations protected by mellon *must* be descendants of the location where the "root" or "global" mellon config is located.

Comment 14 Scott Poore 2017-05-26 23:39:38 UTC

That was it.  Fixed my issue.

[root@sp1 ~]# sh -x run 
+ keycloak-httpd-client-install --client-originate-method registration --keycloak-server-url https://idp.keycloak.test:8443 --keycloak-admin-username admin --keycloak-admin-password Secret1230 --app-name testapp --keycloak-realm test_realm --mellon-protected-locations /private --mellon-root / --force

[Step  1] Connect to Keycloak Server
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
[Step  2] Create Directories
[Step  3] Set up template environment
[Step  4] Set up Service Provider X509 Certificiates
[Step  5] Build Mellon httpd config file
[Step  6] Build Mellon SP metadata file
[Step  7] Query realms from Keycloak server
[Step  8] Use existing realm on Keycloak server
[Step  9] Query realm clients from Keycloak server
[Step 10] Get new initial access token
[Step 11] Creating new client using registration service
[Step 12] Enable saml.force.post.binding
[Step 13] Add group attribute mapper to client
[Step 14] Add Redirect URIs to client
[Step 15] Retrieve IdP metadata from Keycloak server
[Step 16] Completed Successfully

And to make it more legible:

[root@sp1 ~]# cat run 
keycloak-httpd-client-install   \
    --client-originate-method registration \
    --keycloak-server-url https://idp.keycloak.test:8443 \
    --keycloak-admin-username admin \
    --keycloak-admin-password Secret1230 \
    --app-name testapp \
    --keycloak-realm test_realm \
    --mellon-protected-locations "/private" \
    --mellon-root "/" \
    --force


All I changed was --mellon-root to "/".

After that, I'm now getting a proper login page when I access the /private url.

Comment 15 Scott Poore 2017-05-26 23:41:04 UTC

John Wade,

Can you confirm if this resolves your issue as well?  And that you're seeing the same failure in the logs?

If this fixes your issue as well, I'm going to close this bug.

Thanks,
Scott

Comment 16 Scott Poore 2017-06-16 16:15:26 UTC

John Wade,

FYI, I'm closing out this bug as NOTABUG since it was a configuration issue.  If this configuration change does not resolve your issue and this appears to still be affecting you, you can reopen this bug.

Regards,
Scott

Comment 17 John Wade 2023-07-13 13:58:18 UTC

It was a configuration issue, sorry for the delay.  Should have been closed as you did  NOTABUG

Comment 18 Scott Poore 2023-07-20 21:50:10 UTC

Hi John,  No problem on the delay.  Thanks for letting us know.

Note You need to log in before you can comment on or make changes to this bug.