Help with Single Sign On using mellon

Dear indico administrators,

We are trying to set up SSO to work with “mellon”. We are able to access our SSO login page, but after entering the login information it just spins, and it seems that indico does not recognize the information.
The following is the indico.conf setup:

# SSO
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fermilab SSO',
        'attrs_prefix': 'SSO_',
        'callback_uri': '/login/shib-sso/shibboleth'
        #, 'logout_uri': 'https://indicodev.fnal.gov/mellon/logout'
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fermilab SSO',
        'identifier_field': 'SSO_USERID',
        'mapping': {
            'email': 'SSO_EMAIL',
            'login': 'SSO_USERID',
            'personId': 'SSO_USERID',
            'last_name': 'SSO_NAME_LAST',
            'first_name': 'SSO_NAME_FIRST'
        },
        'trusted_email': True
    }
}

The apache access.log has the following entries:

131.225.80.21 - - [01/May/2018:09:30:49 -0500] "GET /login/ HTTP/1.1" 200 15765 "https://indicodev.fnal.gov/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:49 -0500] "GET /images/logo_indico.png HTTP/1.1" 200 12586 "https://indicodev.fnal.gov/login/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:52 -0500] "GET /login/shib-sso/ HTTP/1.1" 302 259 "https://indicodev.fnal.gov/login/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:52 -0500] "GET /login/shib-sso/shibboleth HTTP/1.1" 303 376 "https://indicodev.fnal.gov/login/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:52 -0500] "GET /mellon/login?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth HTTP/1.1" 303 1285 "https://indicodev.fnal.gov/login/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:52 -0500] "GET /login/shib-sso/shibboleth HTTP/1.1" 303 376 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:52 -0500] "GET /mellon/login?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth HTTP/1.1" 303 1315 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:53 -0500] "GET /login/shib-sso/shibboleth HTTP/1.1" 303 376 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:53 -0500] "GET /mellon/login?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth HTTP/1.1" 303 1293 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:53 -0500] "GET /login/shib-sso/shibboleth HTTP/1.1" 303 376 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:53 -0500] "GET /mellon/login?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth HTTP/1.1" 303 1275 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:53 -0500] "GET /login/shib-sso/shibboleth HTTP/1.1" 303 376 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:53 -0500] "GET /mellon/login?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth HTTP/1.1" 303 1297 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:54 -0500] "GET /login/shib-sso/shibboleth HTTP/1.1" 303 376 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
131.225.80.21 - - [01/May/2018:09:30:54 -0500] "GET /mellon/login?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth HTTP/1.1" 303 1295 "https://pingprod.fnal.gov:9031/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
.....
.....

We would appreciate your help on how to setup mellon.

Best regards
Penelope
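The access log above shows the symptom rather than the cause: the browser alternates between the Indico callback URL and `/mellon/login`, both answering with a 303, several times per second. The following script is an added example, not part of this thread, that parses combined-format access log lines and flags a client that bounces between the two URLs more than a few times within a short window, so the loop can be spotted in monitoring instead of by eye. The log lines it contains are constructed to match the shape of the entries in the post (same paths and hosts, shortened user agent); the threshold and window values are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

CALLBACK = '/login/shib-sso/shibboleth'   # Indico callback_uri from the post
SP_LOGIN = '/mellon/login'                # mod_auth_mellon login endpoint
MELLON_QUERY = ('?ReturnTo=https%3A%2F%2Findicodev.fnal.gov%2Flogin%2Fshib%2Dsso%2Fshibboleth'
                '&IdP=https%3A%2F%2Fidp.fnal.gov%2Fidp%2Fshibboleth')

# Apache "combined" format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    entry['status'] = int(entry['status'])
    entry['path'], _, entry['query'] = entry['target'].partition('?')
    return entry


def is_redirect(entry):
    return 300 <= entry['status'] < 400


def _report(ip, run, min_bounces, window_seconds):
    """Turn one run of consecutive bounces into a finding if it is long and fast enough."""
    if len(run) >= min_bounces and (run[-1] - run[0]).total_seconds() <= window_seconds:
        return [{'ip': ip, 'bounces': len(run), 'first': run[0], 'last': run[-1]}]
    return []


def find_redirect_loops(lines, callback=CALLBACK, sp_login=SP_LOGIN,
                        min_bounces=3, window_seconds=10):
    """Flag clients whose requests alternate callback(3xx) -> sp_login(3xx) repeatedly.

    A healthy login produces exactly one such hop (callback redirects to the SP login
    endpoint once, then the IdP posts back), so a run of min_bounces or more inside
    window_seconds indicates the SP never establishes a session for the callback.
    """
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            by_ip[entry['ip']].append(entry)

    findings = []
    for ip, entries in by_ip.items():
        run, prev = [], None
        for entry in entries:
            if (prev is not None and prev['path'] == callback and is_redirect(prev)
                    and entry['path'] == sp_login and is_redirect(entry)):
                run.append(entry['ts'])
            elif entry['path'] not in (callback, sp_login):
                # any unrelated request ends the alternation: evaluate and reset
                findings.extend(_report(ip, run, min_bounces, window_seconds))
                run = []
            prev = entry
        findings.extend(_report(ip, run, min_bounces, window_seconds))
    return findings


def _line(ip, ts, target, status, referer):
    """Build a constructed combined-format line in the shape of the post's entries."""
    return (f'{ip} - - [{ts} -0500] "GET {target} HTTP/1.1" {status} 1285 '
            f'"{referer}" "Mozilla/5.0 (X11; Linux x86_64)"')


# Constructed sample: one looping client (as in the post) and one client whose login
# takes the single expected hop and then lands back in Indico.
SAMPLE_LOG = [
    _line('131.225.80.21', '01/May/2018:09:30:49', '/login/', 200, 'https://indicodev.fnal.gov/'),
    _line('131.225.80.21', '01/May/2018:09:30:52', '/login/shib-sso/', 302, 'https://indicodev.fnal.gov/login/'),
] + [
    pair
    for second in ('52', '52', '53', '53')
    for pair in (
        _line('131.225.80.21', f'01/May/2018:09:30:{second}', CALLBACK, 303, 'https://pingprod.fnal.gov:9031/'),
        _line('131.225.80.21', f'01/May/2018:09:30:{second}', SP_LOGIN + MELLON_QUERY, 303, 'https://pingprod.fnal.gov:9031/'),
    )
] + [
    _line('10.0.0.7', '01/May/2018:09:31:10', CALLBACK, 303, 'https://indicodev.fnal.gov/login/'),
    _line('10.0.0.7', '01/May/2018:09:31:10', SP_LOGIN + MELLON_QUERY, 303, 'https://indicodev.fnal.gov/login/'),
    _line('10.0.0.7', '01/May/2018:09:31:15', '/', 200, 'https://indicodev.fnal.gov/login/'),
]

if __name__ == '__main__':
    for finding in find_redirect_loops(SAMPLE_LOG):
        print(f"{finding['ip']}: {finding['bounces']} callback->mellon bounces "
              f"between {finding['first']:%H:%M:%S} and {finding['last']:%H:%M:%S}")
```

Pointing it at a real file is `find_redirect_loops(open('/opt/indico/log/apache/access.log'))`; the generator form keeps memory flat on large logs. Note that the sample, like the post's excerpt, contains no request to mellon's response endpoint at all, which is exactly what you would expect if the SP session is lost before the callback is served again.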

Hi, none of us has used mellon for SAML authentication, but I remember someone else (not sure if here or on IRC) mentioning it.

When clicking the login button, we redirect to the callback_uri and expect the web server to do the authentication process. Afterwards, the same URL should be accessed which will then be processed in this code, extracting the authentication data:

Maybe you can add some debug code in there to see which data you get.
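The debug step suggested above amounts to looking at what reaches the callback request once the web server has finished the SAML exchange. The block below is an added example, not Indico's or mod_auth_mellon's code: it takes a WSGI `environ` dict, collects every key carrying the configured `attrs_prefix`, applies the `identifier_field` and `mapping` from the thread's `IDENTITY_PROVIDERS` entry, and reports what is missing. It also looks for the same attribute names under a different prefix, since mod_auth_mellon exports attributes as `MELLON_<name>` unless told otherwise, which is a common reason for "the headers are not being passed". The environ dicts are constructed; the function names are mine. It assumes, as the thread's configuration implies, that the attributes arrive in the WSGI environ rather than as HTTP headers.

```python
from collections import Counter

ATTRS_PREFIX = 'SSO_'   # attrs_prefix from the thread's AUTH_PROVIDERS entry

# identifier_field and mapping copied from the thread's IDENTITY_PROVIDERS entry
IDENTITY_PROVIDER = {
    'identifier_field': 'SSO_USERID',
    'mapping': {
        'email': 'SSO_EMAIL',
        'login': 'SSO_USERID',
        'personId': 'SSO_USERID',
        'last_name': 'SSO_NAME_LAST',
        'first_name': 'SSO_NAME_FIRST',
    },
    'trusted_email': True,
}


def collect_sso_attrs(environ, prefix=ATTRS_PREFIX):
    """Every environ entry the SP exported under the configured prefix."""
    return {key: value for key, value in environ.items() if key.startswith(prefix)}


def resolve_identity(attrs, provider=IDENTITY_PROVIDER):
    """Apply identifier_field and mapping; raise if the identifier itself is absent."""
    identifier = attrs.get(provider['identifier_field'])
    if not identifier:
        raise LookupError(
            f"identifier field {provider['identifier_field']!r} not present; "
            f"prefixed keys received: {sorted(attrs)}")
    data = {field: attrs[source] for field, source in provider['mapping'].items()
            if source in attrs}
    missing = sorted(set(provider['mapping'].values()) - set(attrs))
    return {'identifier': identifier, 'data': data, 'missing': missing}


def suspect_prefixes(environ, provider=IDENTITY_PROVIDER, prefix=ATTRS_PREFIX):
    """Count environ keys that end in a mapped attribute name but carry another prefix.

    A result such as {'MELLON_': 4} means the attributes did arrive, just not under the
    prefix Indico was configured to read (mod_auth_mellon's default prefix is MELLON_).
    """
    suffixes = {source[len(prefix):] for source in provider['mapping'].values()
                if source.startswith(prefix)}
    found = Counter()
    for key in environ:
        for suffix in suffixes:
            if key.endswith(suffix) and key != prefix + suffix:
                found[key[:-len(suffix)]] += 1
    return dict(found)


def debug_report(environ, provider=IDENTITY_PROVIDER, prefix=ATTRS_PREFIX):
    """One-shot diagnosis suitable for a temporary log line in the callback handler."""
    attrs = collect_sso_attrs(environ, prefix)
    try:
        identity = resolve_identity(attrs, provider)
        return {'ok': True, 'identity': identity, 'attrs': attrs}
    except LookupError as exc:
        return {'ok': False, 'error': str(exc), 'attrs': attrs,
                'other_prefixes': suspect_prefixes(environ, provider, prefix)}


# Constructed environ as it should look after a successful exchange...
ENVIRON_OK = {
    'PATH_INFO': '/login/shib-sso/shibboleth',
    'SSO_USERID': 'pdoe',
    'SSO_EMAIL': 'pdoe@example.org',
    'SSO_NAME_LAST': 'Doe',
    'SSO_NAME_FIRST': 'Penelope',
}

# ...and as it looks when the SP exports under its own default prefix instead.
ENVIRON_WRONG_PREFIX = {
    'PATH_INFO': '/login/shib-sso/shibboleth',
    'MELLON_USERID': 'pdoe',
    'MELLON_EMAIL': 'pdoe@example.org',
    'MELLON_NAME_LAST': 'Doe',
    'MELLON_NAME_FIRST': 'Penelope',
}

if __name__ == '__main__':
    for label, environ in (('good', ENVIRON_OK), ('wrong prefix', ENVIRON_WRONG_PREFIX)):
        print(label, '->', debug_report(environ))
```

In a real callback handler the only line needed is `debug_report(request.environ)` written to the application log; remove it again once the attribute flow is confirmed, since it logs the user's identifying attributes in clear.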

Dear Adrian,

Thank you for the information.
I will add my debug code and I’ll let you know what we find out.
As a side information: we had no problem authenticating using mellon in v1.2 of indico, it worked without any issues at all.

Thank you
Penelope

Hello,

We did some investigation, and Andrew Duranceau found that the problem is related to uWSGI: he thinks it is wiping out mod_auth_mellon’s session data, so the redirect to indico never occurs.

At the moment he configured apache to use mod_wsgi and it seems to be working fine with indico.

Our question is if indico is using any features of uWSGI that mod_wsgi cannot handle. If it does not, then we could use mod_wsgi to resolve the issue.

Thank you
Penelope

Using mod_wsgi should work as well.

Great that solves our mellon issue! We will try to contact apache about uWSGI and see if they can fix it.

THANK YOU!

@penelopec I am trying to set up Mellon, but my headers are not being passed. Can you share your apache and indico config?

The following is my apache indico specific conf file:

    #ServerName indicodev.fnal.gov

    #ErrorLog logs/indico_http_log
    LogLevel warn
    # Moved to cluster.define.conf
    #LoadModule xsendfile_module /usr/lib64/httpd/modules/mod_xsendfile.so

    XSendFile on
    XSendFilePath /opt/indico
    CustomLog /opt/indico/log/apache/access.log combined
    ErrorLog /opt/indico/log/apache/error.log
    LogLevel warn
    ServerSignature Off

    <LocationMatch "/login/shib-sso/shibboleth">
        MellonEnable "auth"
        # Require valid-user
        # AuthType "Mellon"
        # MellonVariable "cookie"
        # MellonSecureCookie On
        # MellonEndpointPath /mellon/
    </LocationMatch>

    # v2.2
    AliasMatch "^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\.([^.]+)$" "/opt/indico/web/static/$1$2/$3.$5"
    AliasMatch "^/(css|dist|images|fonts)/(.*)$" "/opt/indico/web/static/$1/$2"
    Alias /robots.txt /opt/indico/web/static/robots.txt
    
    # v2.2 From CERN Setup instructions
    #SetEnv UWSGI_SCHEME https
    #ProxyPass / uwsgi://127.0.0.1:8008/

    #<Directory /opt/indico>
    #    AllowOverride None
    #    Require all granted
    #</Directory>


    # v2.2 DO NOT use the following, it does not work with mellon.
    #SetEnv UWSGI_SCHEME https
    #ProxyPass /mellon "!"
    #ProxyPass / uwsgi://127.0.0.1:8008/

    # v2.1, v2.2 Use the following for the uwsgi
    WSGIDaemonProcess WSGIDAEMON user=indico group=apache inactivity-timeout=3600 maximum-requests=10000 python-home=/opt/indico/.venv
    WSGIScriptAlias / /opt/indico/web/indico.wsgi

    <Directory /opt/indico>
        WSGIProcessGroup WSGIDAEMON
        WSGIApplicationGroup %{GLOBAL}

        AllowOverride None
        Require all granted
    </Directory>

and this is the indico.conf file that I use:

# General settings
SQLALCHEMY_DATABASE_URI = 'postgresql://indico:xxx@cdpgsdev.fnal.gov:5435/indico_int'
SECRET_KEY = 'xxx'
BASE_URL = 'https://indicoint.fnal.gov'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
CACHE_BACKEND = 'redis'
DEFAULT_TIMEZONE = 'America/Chicago'
DEFAULT_LOCALE = 'en_GB'
ENABLE_ROOMBOOKING = True
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive', 'legacy': 'fs-readonly:/opt/indico/legacy-archive'}
ATTACHMENT_STORAGE = 'default'
ROUTE_OLD_URLS = True

# Email settings
SMTP_SERVER = ('127.0.0.1', 25)
SMTP_USE_TLS = False
SMTP_LOGIN = ''
SMTP_PASSWORD = ''
SUPPORT_EMAIL = 'penelope@fnal.gov'
PUBLIC_SUPPORT_EMAIL = 'indico-support@fnal.gov'
NO_REPLY_EMAIL = 'noreply@fnal.gov'

PLUGINS = {'payment_manual', 'payment_paypal'}

# SSO
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fermilab SSO',
        'attrs_prefix': 'SSO_',
        'callback_uri': '/login/shib-sso/shibboleth'
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Fermilab SSO',
        'identifier_field': 'SSO_USERID',
        'mapping': {
            'email': 'SSO_EMAIL',
            'login': 'SSO_USERID',
            'personId': 'SSO_USERID',
            'last_name': 'SSO_NAME_LAST',
            'first_name': 'SSO_NAME_FIRST'
        },
        'trusted_email': True
    }
}

STATIC_FILE_METHOD = 'xsendfile'
XELATEX_PATH = '/opt/texlive/bin/x86_64-linux/xelatex'