Bug 1564573 - mod_auth_mellon not working with SHA-256 ADFS [rhel-7.5.z]
Summary: mod_auth_mellon not working with SHA-256 ADFS [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_auth_mellon
Version: 7.2
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: rc
: ---
Assignee: John Dennis
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1295472
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-06 16:20 UTC by Oneata Mircea Teodor
Modified: 2018-05-14 16:11 UTC (History)
15 users (show)

Fixed In Version: mod_auth_mellon-0.13.1-2.el7_5
Doc Type: Enhancement
Doc Text:
The MellonSignatureMethod option has been added to mod_auth_mellon, which enables users to configure the signature method that the module uses to sign SAML messages. Currently supported algorithms include RSA-SHA256, RSA-SHA384, and RSA-SHA512.
Clone Of: 1295472
Environment:
Last Closed: 2018-05-14 16:10:50 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:1387 0 None None None 2018-05-14 16:11:01 UTC

Description Oneata Mircea Teodor 2018-04-06 16:20:04 UTC
This bug has been copied from bug #1295472 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 John Dennis 2018-04-11 15:16:35 UTC
Fixed in mod_auth_mellon-0.13.1-2.el7_5 by the addition of the MellonSignatureMethod config directive.

Comment 5 Scott Poore 2018-04-21 00:02:47 UTC
Verified.

Version::
mod_auth_mellon-0.13.1-2.el7_5.x86_64

Results:

* Setup ADFS on my ADDC which is also my ADCS.

# generate cert for Service Provider



[root@sp1 adfs]# openssl req -new -newkey rsa:2048 -keyout mellon.key -nodes -out mellon.csr -subj '/CN=sp1.keycloak.test'
Generating a 2048 bit RSA private key
.+++
...................................................................+++
writing new private key to 'mellon.key'
-----

[root@sp1 adfs]# scp mellon.csr Administrator@win1.ad.test:/cygdrive/c/certs
Administrator@win1.ad.test's password: 
mellon.csr                                                  100%  903   219.8KB/s   00:00    


# Sign the request with AD CS and copy back to SP

[root@sp1 adfs]# scp Administrator@win1.ad.test:/cygdrive/c/certs/mellon.crt .
Administrator@win1.ad.test's password: 
mellon.crt                                                  100% 1786   329.4KB/s   00:00    

[root@sp1 adfs]# cp mellon.crt /etc/pki/tls/certs
[root@sp1 adfs]# cp mellon.key /etc/pki/tls/private
[root@sp1 adfs]# vim /etc/httpd/conf.d/ssl.conf 
# Set following:
ServerName sp1.keycloak.test
...
SSLCertificateFile /etc/pki/tls/certs/mellon.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/mellon.key


# Prep Apache for SAML

[root@sp1 ~]# mkdir /var/www/html/{mellon,private}
[root@sp1 ~]# mkdir /etc/httpd/saml2
[root@sp1 ~]# cd /etc/httpd/saml2

# create metadata file and cert/key

[root@sp1 saml2]# /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "https://sp1.keycloak.test" "https://sp1.keycloak.test/mellon"
Output files:
Private key:                              https_sp_.keycloak.test.key
Certificate:                              https_sp_.keycloak.test.cert
Metadata:                                 https_sp_.keycloak.test.xml
Host:                                     sp1.keycloak.test

Endpoints:
SingleLogoutService (SOAP):               https://sp1.keycloak.test/mellon/logout
SingleLogoutService (HTTP-Redirect):      https://sp1.keycloak.test/mellon/logout
AssertionConsumerService (HTTP-POST):     https://sp1.keycloak.test/mellon/postResponse
AssertionConsumerService (HTTP-Artifact): https://sp1.keycloak.test/mellon/artifactResponse
AssertionConsumerService (PAOS):          https://sp1.keycloak.test/mellon/paosResponse

# Download ADFS metadata

[root@sp1 saml2]# curl -kL -o https_win1.ad.test.xml https://win1.ad.test/FederationMetadata/2007-06/FederationMetadata.xml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 71029    0 71029    0     0   500k      0 --:--:-- --:--:-- --:--:--  502k

[root@sp1 saml2]# vim /etc/httpd/conf.d/auth_mellon.conf
[root@sp1 ~]# cat /etc/httpd/conf.d/auth_mellon.conf
MellonCacheSize 100
MellonLockFile "/run/mod_auth_mellon/lock"


<Location />
  MellonEnable info
  MellonEndpointPath /mellon/

  MellonSignatureMethod rsa-sha256

  # The mellon metadata
  MellonSPMetadataFile /etc/httpd/saml2/https_sp_.keycloak.test.xml
  MellonSPPrivateKeyFile /etc/httpd/saml2/https_sp_.keycloak.test.key
  MellonSPCertFile /etc/httpd/saml2/https_sp_.keycloak.test.cert

  # The ADFS metadata
  MellonIdPMetadataFile /etc/httpd/saml2/https_win1.ad.test.xml
</Location>

<Location /private>
  AuthType Mellon
  MellonEnable auth
  Require valid-user
</Location>

[root@sp1 conf.d]# systemctl start httpd.service 


# Note MellonSignatureMethod above is set to rsa-sha256.  

# ADFS Relying Party Trust Signature Algorithm set to SHA-256 by default.

# testing by accessing https://sp1.keycloak.test/private/.  If it works, I will see login and be able to sign in with an AD user account in the domain.

# logout with https://sp1.keycloak.test/mellon/logout?ReturnTo=https://sp1.keycloak.test/


So, testing with:

* Mellon=SHA-256 ADFS=SHA-256 ::  PASS
* Mellon=SHA-256 ADFS=SHA-1 :: PASS
* Mellon=SHA-1 ADFS=SHA-1 :: PASS
* Mellon=SHA-1 ADFS=SHA-256 :: FAIL (expected)


Note to change mellon to SHA-1 I changed this line in /etc/httpd/conf.d/auth_mellon.conf:

  MellonSignatureMethod rsa-sha1


As noted above, it is currently expected that the scenario where ADFS is using SHA-256 and mod_auth_mellon is using rsa-sha1 will not work.  The important thing is that Mellon does work when the signing algorithm matches and that it can match SHA256 now.

Comment 8 errata-xmlrpc 2018-05-14 16:10:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1387


Note You need to log in before you can comment on or make changes to this bug.