mod_auth_mellon not populating environment variables

Problem description

I have setup mod_auth_mellon for external authentication using SAML 2.0. I get authenticated using an external IdP, but mod_auth_mellon does not populate the environment variables and I am not able to get the username to proceed with the authorization of the resources I want to protect.

The workflow is as follows:

1) user tries to access /test/info.php
2) user gets redirected to external IdP
3) user authenticates against external IdP and gets redirected to /auth/info.php

My mellon configuration is as follows:

<Location />
    MellonSPPrivateKeyFile /etc/apache2/mellon-config/http_ec2_54_86_69_246.compute_1.amazonaws.com.key

    MellonSPCertFile /etc/apache2/mellon-config/http_ec2_54_86_69_246.compute_1.amazonaws.com.cert
    MellonSPMetadataFile /etc/apache2/mellon-config/http_ec2_54_86_69_246.compute_1.amazonaws.com.xml

</Location>
<Location /auth/info.php>
    MellonEnable "info"
    MellonSetEnv "email" "email"
    MellonSetEnv "username" "username"
    MellonUser "email"
    MellonSamlResponseDump On
    MellonSessionDump On
    MellonVariable "cookie"

</Location>
<Location /test/info.php>
    # This location will trigger an authentication request to the IdP.
    MellonEnable "auth"
    AuthType "Mellon"
    MellonVariable "cookie"
    MellonSetEnv "email" "email"
    MellonSetEnv "username" "username"
    MellonUser "email"
    MellonSamlResponseDump On
    MellonSessionDump On
    MellonEndpointPath /mellon
    Require valid-user

</Location>

In auth/info.php, I try to print the $_SERVER variable:

<?php
  var_dump($_SERVER);
?>

I am getting a mellon-cookie but nowhere can I see the values of the environment variables I set.

What configuration am I missing?

Recommended answer

I had this issue using Apache as a reverse proxy for an app I wanted protected by mod_auth_mellon. It appears Apache doesn't automatically pass headers generated by internal modules. I had to enable mod_headers and add this:

RequestHeader set Mellon-NameID %{MELLON_NAME_ID}e

This takes the MELLON_NAME_ID header and passes it to the application as Mellon-NameID. You'll have to add similar lines for each header you want passed along, such as MELLON_SESSION.
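The reverse-proxy setup described in the answer, as an added example that is not part of the original answer: it forwards the NameID and the two attributes from the question's MellonSetEnv lines, and removes any client-supplied copies of those headers first so the backend only ever sees values set by mod_auth_mellon. The /app/ path, the backend address and the Mellon-Email and Mellon-Username header names are assumptions; the SP key, certificate and metadata settings from the question's <Location /> block are assumed to still apply.

```apache
# Added example. /app/ and http://127.0.0.1:8080/ are placeholder values.
# Requires mod_auth_mellon, mod_headers, mod_proxy and mod_proxy_http.
<Location /app/>
    AuthType "Mellon"
    MellonEnable "auth"
    Require valid-user

    # MellonSetEnv exports each attribute with the default MELLON_ prefix,
    # so these become MELLON_email and MELLON_username.
    MellonSetEnv "email" "email"
    MellonSetEnv "username" "username"

    # Discard identity headers that arrived with the client request.
    RequestHeader unset Mellon-NameID
    RequestHeader unset Mellon-Email
    RequestHeader unset Mellon-Username

    # Re-create each header only when mod_auth_mellon populated the
    # variable; without env=, an unset variable is sent as "(null)".
    RequestHeader set Mellon-NameID "%{MELLON_NAME_ID}e" env=MELLON_NAME_ID
    RequestHeader set Mellon-Email "%{MELLON_email}e" env=MELLON_email
    RequestHeader set Mellon-Username "%{MELLON_username}e" env=MELLON_username

    ProxyPass "http://127.0.0.1:8080/app/"
    ProxyPassReverse "http://127.0.0.1:8080/app/"
</Location>
```

The backend should accept connections only from the proxy (here it listens on loopback), since anything that can reach it directly can send these headers itself.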
