First tests were done in a LAN type environment; unfortunately life is not so simple: targeted solution should support users outside organization as well as Service Providers hosted in third party data centres. Since we do not want our IdP to be published directly on the Internet we have to use a reverse proxy which breaks our working solution. This might be particular (in terms of lack of out of the box solution-it might exist but I was unable to figure one) to ISA server but it looks (after google-ing a little bit) that a lot of people faced the same problem.
The Problem
Let's suppose our proxy has the public FQDN of proxy.mycompany.com while the internal FQDN of our Shibboleth IdP is idp.mycompany.local.
As a consequence external SP will have IdP metadata configured with URLs like https://proxy.mycompany.com/ipd/profile/SAML2/Redirect/SSO
. When a request comes, the SAMLRequest will have AuthnRequest tag the attribute Destination set to this address while the proxy will forward (under default configuration) in relayed request's Host header the value of idp.mycompany.local:8443.
This behaviour will lead to the failure of the request with this error message logged (sort of...) "SAML message intended destination endpoint 'https://proxy.mycompany.com/ipd/profile/SAML2/Redirect/SSO' did not match the recipient endpoint '{https://idp.mycompany.local:8443/ipd/profile/SAML2/Redirect/SSO'".
The error is generated in class org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler
, method checkEndpointURI
.
We have two issues that make finding a solution non trivial:
- We want to use HTTPS also for accessing our internal IdP (dropping this requirement will not actually lead to a working solution due to second issue)
- Port translation from default 443 (not specified in external URL) to 8443
Usage of HTTPS for internal IdP
Initially Jetty was configured to use for SSL a certificate with common name of idp.mycompany.local with matches the URL configured in ISA publishing rule.
First solution to try was to change the default ISA behaviour in terms of Host header: check the option to forward the original header but another problem popped up: Jetty was refusing the connection since the Host header did not match any valid certificates in terms of common name.
Second solution tried was to generate a trusted (internally) certificate with common name of proxy.mycompany.com. Now ISA would reject it because it attempted a SSL connection on idp.mycompany.local and received a certificate on proxy.mycompany.com.
Third solution (I haven't tried because it would not solve the problem anyway due to port translation) would be:
- The certificate installed on ISA should be wild card type
- We have control on both external and internal DNS
- Add an external DNS alias of idp.mycompany.com resolving to the ip of the external interface of ISA
- Add an internal DNS alias of idp.mycompany.com resolving to the ip of the internal interface of ISA
- Generate a trusted certificate for idp.mycompany.com and configure Jetty to use it
- Add a publish rule for idp.mycompany.com that forwards requests to the IP of idp.mycompany.local and has filled in "This rule appliest to this published site:" idp.mycompany.com so that header Host will contain this value.
Now we should have circumvented our first problem but it will be of no help since the checkEndpointURI
(through calling compareEndpointURIs
, etc) will do a string comparison which will obviously fail due to the additional substring ":8443" in the actual receiverEndpoint.
8443 Port
Looking at Jetty documentation we quickly find four solutions to overcome this problem:
- Start Jetty as root and change HTPPS port to 443; we do not want to do that (would we?)
- Solutions based on ipchains/iptable which is not actually what we need: there will be an internal kernel routing from 443 to 8443 and at the end of the day we will get into the same problem as mentioned earlier
- Configuring SetUID Jetty feature; this looks like solving our problem but needs some additional know how which I was not willing to acquire (native compiling, running the service as root...)
The Solution
The solution was to use Jetty rewrite handler capabilities (http://www.eclipse.org/jetty/documentation/current/rewrite-handler.html).
Unfortunately, none of the out of the box handlers provided the required functionality so I quickly wrote one.
Before going into into writing/deploying the custom handler we have to perform some prerequisites:
- Check to see if
org.eclipse.jetty.server.Request
supports updating hots and port properties (since standard HttpServletRequest does not)
- Check how to specify updated port so that it will not be included in receiverEndpoint string
- Check how rewrite handler is activated
First create a maven project having jetty-rewrite dependency and download sources...
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-rewrite</artifactId>
<version>9.3.5.v20151012</version>
</dependency>
First item check passed since looks like we could use
Request jettyRequest=(Request) request;
jettyRequest.getMetaData().getURI().setAuthority(host, port);
Second item check was also quick: org.eclipse.jetty.util.appendSchemeHostPort
shows that if specifying default ports (depending on schema) or 0 they will not be included.
Last item requires the following steps:
Add
--module=rewrite
etc/rewrite-rules.xml
in $JETTY_BASE/start.ini
, where rewrite-rules.xml
contains the actual rules and should be located in $JETTY_BASE/etc/rewrite-rules.xml
:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- =============================================================== -->
<!-- Configure the demos -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- ============================================================= -->
<!-- Add rewrite rules -->
<!-- ============================================================= -->
<Ref refid="Rewrite">
<!-- protect favicon handling -->
<Call name="addRule">
<Arg>
<New class="ro.totalsoft.jetty.hostheaderrewriter.HostHeaderRewriter">
<Set name="header">Host</Set>
<Set name="host">proxy.mycompany.com</Set>
<Set name="port">0</Set>
<Set name="terminating">true</Set>
</New>
</Arg>
</Call>
</Ref>
</Configure>
In order to be selective (if we host also other applications in the same Jetty instance) we should also add the filtering condition
<Set name="headerValue">idp.mycompany.local:8443</Set>
The actual rewrite handler definition is located in $JETTY_HOME/etc/jetty-rewrite.xml
as can be seen by inspection the $JETTY_HOME/module/rewrite.mod
module definition file.
Remark: looking (as a newbie) in jetty-rewrite.xml
might raise a question: what is oldhandler
about? The naming is misleading, it should be something like firsthandler
since it refers to the first handler in the chain of Jetty handlers. After Jetty applies the rewrite handler definition this will become the first handler in chain.
Now (supposing we have written our own header rule) we have to deploy it in the classpath known by Jetty. To do this we have to add the ext module:
--module=ext
--module=ext
The ext module will enable the lib/ext/*.jar logic.
If this module is activated, then all jar files found in the lib/ext/ paths will be automatically added to the Jetty Server Classpath.
Afterwards we can copy our jar to $JETTY_BASE/lib/ext/ and restart Jetty
**Important remark **: due to a bug (omission) in the logic that activates rules inside the rewrite handler if there is no rule defined a NullPointerException will be thrown in class org.eclipse.jetty.rewrite.handler.RuleContainer
, method apply
:
protected String apply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
{
boolean original_set=_originalPathAttribute==null;
for (Rule rule : _rules)
{
String applied=rule.matchAndApply(target,request, response);
if (applied!=null)
{
If no rules are defined we will land here with _rules
being null...
Epilogue
Ww are not done yet but have made significant progress having IdP side working. As we can assume, we will face same problem on SP side (we do not really want web sites exposed directly on the Internet).
So, next post about Kentor SSO. I would expect to apply the solution with external/internal DNS and using 443 default port (Windows/IIS looks more permissive in this area)
The Code
package com.mycompany.jetty.hostheaderrewriter;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.rewrite.handler.HeaderRule;
import org.eclipse.jetty.server.Request;
public class HostHeaderRewriter extends HeaderRule{
String host;
int port=0;
public String getHost() {
return host;
}
public void setHost(String host) {
this.host = host;
}
public int getPort() {
return port;
}
public void setPort(int port) {
this.port = port;
}
@Override
protected String apply(String target, String value, HttpServletRequest request, HttpServletResponse response) throws IOException {
Request jettyRequest=(Request) request;
jettyRequest.getMetaData().getURI().setAuthority(host, port);
return target;
}
}
