Hello all,
we have Icinga Web 2 now partially running with Shibboleth: authentication runs via Shibboleth, authorization via an attached LDAP. The login works, and users are authenticated and also authorized accordingly. But now I have run into a problem with the Director API: as soon as I activate Shibboleth (SAML2), I can no longer make an API call to the Director API. I am always redirected to the Shibboleth login. I seem to be missing a setting in the Apache configuration, so I wanted to ask whether any of you are already running External Auth + Director API.
Apache Settings:
<VirtualHost *:443>
    ServerName icinga.example.com

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/icinga.example.com.crt
    SSLCertificateChainFile /etc/pki/tls/certs/chain.txt
    SSLCertificateKeyFile /etc/pki/tls/private/icinga.example.com.key

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    # intermediate configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on

    ErrorLog /var/log/httpd/icinga.example.com_error.log
    CustomLog /var/log/httpd/icinga.example.com.log common

    Alias /icingaweb2 "/usr/share/icingaweb2/public"

    <Location /icingaweb2/Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>

    <Location /icingaweb2/director>
        AuthType shibboleth
        ShibRequestSetting requireSession false
        Require shibboleth
    </Location>

    <Location /icingaweb2>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
    </Location>

    <Directory "/usr/share/icingaweb2/public">
        Options SymLinksIfOwnerMatch
        AllowOverride All
        DirectoryIndex index.php

        SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
        EnableSendfile Off

        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteBase /icingaweb2/
            RewriteCond %{REQUEST_FILENAME} -s [OR]
            RewriteCond %{REQUEST_FILENAME} -l [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^.*$ - [NC,L]
            RewriteRule ^.*$ index.php [NC,L]
        </IfModule>

        <IfModule !mod_rewrite.c>
            DirectoryIndex error_norewrite.html
            ErrorDocument 404 /icingaweb2/error_norewrite.html
        </IfModule>

        <IfVersion >= 2.4>
            # Forward PHP requests to FPM
            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
            <FilesMatch "\.php$">
                SetHandler "proxy:fcgi://127.0.0.1:9000"
                ErrorDocument 503 /icingaweb2/error_unavailable.html
            </FilesMatch>
        </IfVersion>
    </Directory>
</VirtualHost>
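One thing worth checking in a configuration like the one posted: Apache applies every matching non-regex `<Location>` section in the order it appears, and a later section overrides directives set by an earlier one, so the broad `/icingaweb2` section, which comes last here, also applies to requests under `/icingaweb2/director`. The following Python model of that merge is an added illustration, not part of the original post or of Icinga; the Director API path `/icingaweb2/director/host` is an assumed example, and the section contents are transcribed from the posted VirtualHost.

```python
"""Model of how Apache merges plain (non-regex) <Location> sections for one request.

Apache evaluates every matching <Location> in configuration order; a later
section overrides any directive that an earlier matching section also set.
"""
from dataclasses import dataclass, field


@dataclass
class Location:
    prefix: str                       # the path argument of <Location ...>
    settings: dict = field(default_factory=dict)


def matches(prefix: str, path: str) -> bool:
    """Non-regex <Location> matching is by whole path segment:
    /icingaweb2 matches /icingaweb2 and /icingaweb2/director, not /icingaweb2x."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def effective_settings(sections: list, path: str) -> dict:
    """Merge all matching sections in configuration order; the last match wins per directive."""
    merged: dict = {}
    for section in sections:
        if matches(section.prefix, path):
            merged.update(section.settings)
    return merged


# The three sections in the order they appear in the posted VirtualHost.
POSTED_ORDER = [
    Location("/icingaweb2/Shibboleth.sso", {"AuthType": "None", "Require": "all granted"}),
    Location("/icingaweb2/director", {"AuthType": "shibboleth",
                                      "requireSession": "false", "Require": "shibboleth"}),
    Location("/icingaweb2", {"AuthType": "shibboleth",
                             "requireSession": "1", "Require": "valid-user"}),
]

# Same sections, but with the more specific /icingaweb2/director block placed last.
SPECIFIC_LAST = [POSTED_ORDER[0], POSTED_ORDER[2], POSTED_ORDER[1]]

# Assumed Director API request path, used only for this illustration.
API_PATH = "/icingaweb2/director/host"

if __name__ == "__main__":
    for label, order in (("posted order", POSTED_ORDER), ("specific last", SPECIFIC_LAST)):
        print(f"{label}: {effective_settings(order, API_PATH)}")
```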