External auth and Director API

Hello all,

We now have Icinga Web 2 partially running with Shibboleth: authentication runs via Shibboleth, authorization via an attached LDAP. The login works; users are authenticated and also authorized accordingly. But now I run into a problem with the Director API: as soon as I have activated Shibboleth (SAML2), I can no longer make an API call to the Director API. I am always redirected to the Shibboleth login. I seem to be missing a setting in the Apache configuration, so I wanted to ask if any of you are already running External Auth + Director API.

Apache Settings:

<VirtualHost *:443>

    ServerName icinga.example.com

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/icinga.example.com.crt
    SSLCertificateChainFile /etc/pki/tls/certs/chain.txt
    SSLCertificateKeyFile   /etc/pki/tls/private/icinga.example.com.key

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    # intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     on

    ErrorLog /var/log/httpd/icinga.example.com_error.log
    CustomLog /var/log/httpd/icinga.example.com.log common

    Alias /icingaweb2 "/usr/share/icingaweb2/public"

    # The Shibboleth handler itself must stay reachable without a session.
    <Location /icingaweb2/Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>

    # Intended: Director API requests may pass without a Shibboleth session.
    <Location /icingaweb2/director>
      AuthType shibboleth
      ShibRequestSetting requireSession false
      Require shibboleth
    </Location>

    # Note: <Location> sections are merged in the order they appear, and this
    # block also matches /icingaweb2/director, so its requireSession 1 and
    # "Require valid-user" override the settings of the block above.
    <Location /icingaweb2>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require valid-user
    </Location>

    <Directory "/usr/share/icingaweb2/public">
        Options SymLinksIfOwnerMatch
        AllowOverride All

        DirectoryIndex index.php

        SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

        EnableSendfile Off

        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteBase /icingaweb2/
            RewriteCond %{REQUEST_FILENAME} -s [OR]
            RewriteCond %{REQUEST_FILENAME} -l [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^.*$ - [NC,L]
            RewriteRule ^.*$ index.php [NC,L]
        </IfModule>

        <IfModule !mod_rewrite.c>
            DirectoryIndex error_norewrite.html
            ErrorDocument 404 /icingaweb2/error_norewrite.html
        </IfModule>

        <IfVersion >= 2.4>
            # Forward PHP requests to FPM
            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
            <FilesMatch "\.php$">
                SetHandler "proxy:fcgi://127.0.0.1:9000"
                ErrorDocument 503 /icingaweb2/error_unavailable.html
            </FilesMatch>
        </IfVersion>
    </Directory>

</VirtualHost>

I now have a solution that might interest others:

I now check whether the Authorization header exists. If it does, Apache should skip SSO; if it does not, it should do SSO.

My code:

<VirtualHost *:443>

    ServerName icinga.example.com

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/icinga.example.com.crt
    SSLCertificateChainFile /etc/pki/tls/certs/chain.txt
    SSLCertificateKeyFile   /etc/pki/tls/private/icinga.example.com.key

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    # intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     on

    ErrorLog /var/log/httpd/icinga.example.com_error.log
    CustomLog /var/log/httpd/icinga.example.com.log common

    Alias /icingaweb2 "/usr/share/icingaweb2/public"

    <Directory "/usr/share/icingaweb2/public">
        Options SymLinksIfOwnerMatch
        AllowOverride All

        DirectoryIndex index.php

        # Requests that carry an Authorization header (API clients using
        # HTTP Basic auth) are not forced into a Shibboleth session: with
        # requireSession false and "Require shibboleth" Apache passes them
        # through, and Icinga Web 2 validates the credentials itself
        # against its configured backend.
        <If "-n req('Authorization')">
          AuthType shibboleth
          ShibRequestSetting requireSession false
          Require shibboleth
        </If>
        # Everything else (browser traffic) must have a Shibboleth session.
        <Else>
          AuthType shibboleth
          ShibRequestSetting requireSession true
          Require valid-user
        </Else>

        SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

        EnableSendfile Off

        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteBase /icingaweb2/
            RewriteCond %{REQUEST_FILENAME} -s [OR]
            RewriteCond %{REQUEST_FILENAME} -l [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^.*$ - [NC,L]
            RewriteRule ^.*$ index.php [NC,L]
        </IfModule>

        <IfModule !mod_rewrite.c>
            DirectoryIndex error_norewrite.html
            ErrorDocument 404 /icingaweb2/error_norewrite.html
        </IfModule>

        <IfVersion >= 2.4>
            # Forward PHP requests to FPM
            # Hand the Authorization header to PHP-FPM as HTTP_AUTHORIZATION,
            # otherwise Icinga Web 2 never sees the Basic credentials.
            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
            <FilesMatch "\.php$">
                SetHandler "proxy:fcgi://127.0.0.1:9000"
                ErrorDocument 503 /icingaweb2/error_unavailable.html
            </FilesMatch>
        </IfVersion>
    </Directory>

</VirtualHost>
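The `<If "-n req('Authorization')">` branch in the solution above applies to the whole `/usr/share/icingaweb2/public` directory, so any request to any part of the UI that carries any Authorization header skips the Shibboleth gate and is left to Icinga Web 2's own backends. That makes HTTP Basic against LDAP a second login path for the entire web interface, which can sidestep controls the IdP enforces (MFA, conditional access). The following is an added example, not the poster's configuration: it keeps the session requirement as the default for `/icingaweb2` and opens the Basic-auth path only under the Director path, only for the `Basic` scheme. Because `<If>` sections are merged after all `<Location>` sections, the branch wins regardless of block order. The paths, host name, API user and the `director/hosts` endpoint used in the check commands are assumptions.

```apache
# Added example (not from the original post). Drop into the *:443 vhost in
# place of the authentication sections; keep the Alias, the <Directory>
# block, the rewrite rules and the SetEnvIf Authorization -> HTTP_AUTHORIZATION
# line, which PHP-FPM needs in order to see the Basic credentials.

# The Shibboleth handler must stay reachable without a session.
<Location /icingaweb2/Shibboleth.sso>
    AuthType None
    Require all granted
</Location>

# Default for the whole UI: a Shibboleth session is mandatory.
<Location /icingaweb2>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require valid-user
</Location>

# Director REST API only (path is an assumption for this example): if the
# client presents HTTP Basic credentials, do not force an SSO session.
# "Require shibboleth" lets the request through Apache's authz; the
# credentials are then validated by Icinga Web 2 against its (LDAP) backend,
# so a wrong password must still be rejected there.
<Location /icingaweb2/director>
    <If "req('Authorization') =~ /^Basic /">
        AuthType shibboleth
        ShibRequestSetting requireSession false
        Require shibboleth
    </If>
</Location>

# Checks to run from a shell after reloading Apache (expected outcomes are
# what a correct setup should produce; user/host/endpoint are placeholders):
#
#   1. No credentials: must be redirected to the Shibboleth login, not served.
#      curl -sI https://icinga.example.com/icingaweb2/director/hosts
#
#   2. Wrong Basic credentials: must be rejected by Icinga Web 2 (401),
#      not redirected and not served.
#      curl -sI -u apiuser:wrong -H 'Accept: application/json' \
#           https://icinga.example.com/icingaweb2/director/hosts
#
#   3. Correct Basic credentials: JSON response.
#      curl -s -u apiuser:secret -H 'Accept: application/json' \
#           https://icinga.example.com/icingaweb2/director/hosts
#
#   4. Basic credentials against a non-API page: must still be redirected
#      to SSO, proving the bypass is scoped to the Director path.
#      curl -sI -u apiuser:secret https://icinga.example.com/icingaweb2/dashboard
```

Check 4 is the one that distinguishes this layout from the posted one: with the directory-wide `<If>` it would return the page (or a 401 from Icinga Web 2) instead of the SSO redirect.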