Authentication using SAML SSO and custom login page

oskar.wetterstein.jr
Hi everyone,

We have a custom Java Web application running in Tomcat.
This application is configured with SAML SSO, and so far everything is working fine.
The application also has a custom login.jsp where users can authenticate without SAML.
This login page is not yet used, but the customer now wants to allow non-SSO users to log in to the application using this login.jsp page.
This is where the problems start.

I'm using the following setup in Apache:

# Lazy session: let requests through without a Shibboleth session,
# so the application can decide how to authenticate the user.
<Location /myapp>
  AuthType Shibboleth
  ShibRequestSetting requireSession false
  Require shibboleth
</Location>

# Force a Shibboleth session (redirect to the IdP if there is none),
# then bounce the browser back to the application.
<Location /myapp/ssoauth>
  AuthType Shibboleth
  ShibRequestSetting requireSession true
  Require shib-session
  Redirect /myapp/ssoauth /myapp
</Location>

# Proxy everything under /myapp to Tomcat over AJP
ProxyPass "/myapp" "ajp://localhost:8009/myapp"

- Case 1:
   When I access https://host.domain/myapp/ssoauth I'm redirected to the IDP for authentication, and I can successfully access my application.
   This is working as expected.
   The user credentials are passed to our application through the REMOTE_USER variable.
  
- Case 2:
   When I access https://host.domain/myapp/login.jsp, my custom login.jsp page is displayed, but when I submit my credentials I receive an HTTP 401 Unauthorized error.

   On submitting the credentials on the login.jsp page, a POST request is made to the /myapp/login_do servlet.
   The credentials are valid, and the login servlet redirects the browser to an entry page in our application.
   It is the access to this entry page that responds with the HTTP 401.
  
   Strangely, the HTTP 401 response includes a WWW-Authenticate header, which seems to indicate that it expects the user to authenticate with Basic auth:
   WWW-Authenticate: Basic realm="mydomain"

   If mod_shib is disabled, users can successfully authenticate using the custom login page.

Any thoughts on how to fix the issue?
Or is there maybe a better approach than the one I am using here?


Environment:
  • Apache 2.4 and Shibboleth SP 2.5 on Linux
  • mod_proxy_ajp to proxy requests to Tomcat
  • Apache Tomcat 8.5

I also tested Shibboleth SP 2.6.1 using the unicon/shibboleth-sp:2.6.1 Docker image, with the same results.
I'm currently trying unicon/shibboleth-sp:3.0.4, but I'm still having some problems with the Shibboleth setup.

Thanks in advance
Oskar.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]