
I have a secure SSO site that uses Shibboleth authentication and a SAML identity provider. I need to allow a Google Search Appliance crawler to come and index the URLs. I have a requirement to switch, on an HTTP request, from SAML to Basic authentication for the GSA user-agent only, without rewriting URLs. How can I configure Apache or Shibboleth to handle this?

On another thread I saw a suggestion to configure different subdirectories for different Auth Types: How do I accept multiple authentication options in Apache? Unfortunately this approach does not satisfy my requirement because it alters the URLs -- GSA would index an extra token prepended to the URL and output it in the search results instead of the canonical URLs.

My shibboleth2.xml is configured for SAML 2.0. Here is a snippet of vhost in Apache. Is there a way to add conditional logic for authentication type in virtual host in either Apache 2.2 or 2.4? Or is there a way to solve this using Shib configuration?

```apache
<VirtualHost *:443>
    DocumentRoot "/var/dispatcher/cache/www"

    # Wish I could make use of this variable to toggle AuthTypes
    SetEnvIfNoCase User-Agent ^gsa-crawler is_gsa_crawler

    <Location />
        # for end users
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        Require valid-user
    </Location>

    <Location />
        # for gsa
        AuthType Basic
        AuthName "Secure"
        AuthBasicProvider file
        AuthUserFile path_to/basic_pw_file
        Require valid-user
    </Location>

    <Directory "/var/dispatcher/cache/www">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```
  • BTW, it sounds like you're going to index private content while still allowing it to be protected for the rest of the world. This doesn't answer your question directly, but why don't you simply whitelist the IPs for the GSA boxes? You can do a list of Allow from <IP> with require valid-user and satisfy any and get the same behavior you're looking for, but based on IP instead of user-agent. Commented Nov 28, 2014 at 16:12

2 Answers


I'm not sure you could do this with mod_access -- it doesn't support selectively choosing auth mechanisms as far as I know, it only allows a list of mechanisms it can fall through until it fails them all or one succeeds. And the problem is that you can't 'attempt SAML' without redirecting the user off site.

If you did this in a programming language, with passive auth, I think it would be trivial (if statements and redirects). But using 'require valid-user' and other mod_access things won't get you where I think you're trying to go.

My answer mostly applies to Apache < 2.4.x, as I'm not 100% confident that 2.4 is missing your feature set (they changed a lot).


I just asked something similar and found a possible solution that may be relevant for this entry as well:

Combine apache auth providers of different types with basic auth only if proactively provided by client

You basically use an <If></If><Else></Else> check wrapped around two sets of authorization directives.
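The `<If>`/`<Else>` approach above, written out for the asker's vhost as an added example (not from the question, either answer, or the Shibboleth project). It assumes Apache 2.4 (the `<If>` directive and `Require ip` do not exist in 2.2), that mod_shib honours directives inside `<Else>` (verify with your mod_shib version), and placeholder values for the crawler's User-Agent prefix, its IP address and the htpasswd path. Because a User-Agent string is trivially spoofable, the Basic branch is additionally pinned to the appliance's address, as the comment on the question suggests.

```apache
# Added example, Apache 2.4 only. 192.0.2.10 and /path/to/basic_pw_file are placeholders.
<VirtualHost *:443>
    DocumentRoot "/var/dispatcher/cache/www"

    <Location />
        # Branch on request attributes, not on the URL, so the crawler
        # indexes the canonical URLs without any extra path token.
        <If "%{HTTP_USER_AGENT} =~ /^gsa-crawler/">
            # GSA: HTTP Basic. RequireAll also demands the appliance's
            # source address, so a forged User-Agent alone cannot select
            # the weaker mechanism from an arbitrary client.
            AuthType Basic
            AuthName "Secure"
            AuthBasicProvider file
            AuthUserFile /path/to/basic_pw_file
            <RequireAll>
                Require ip 192.0.2.10
                Require valid-user
            </RequireAll>
        </If>
        <Else>
            # Everyone else: SAML via Shibboleth, unchanged from the
            # existing setup.
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            ShibUseHeaders On
            Require valid-user
        </Else>
    </Location>

    <Directory "/var/dispatcher/cache/www">
        # 2.4 replacement for "Order allow,deny / Allow from all"
        Require all granted
    </Directory>
</VirtualHost>
```

Check the result with a request from a non-GSA address carrying the crawler's User-Agent: it should be refused (403) rather than offered Basic auth, while the same request from 192.0.2.10 receives a 401 with a Basic challenge.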
