BasicAuth and SSO through OpenAM
23-02-2021
Question
Is it possible to use BasicAuth protection and SSO (Single Sign-On) at the same time? We use cross-domain single sign-on (CDSSO), want to hide our staging server from the public through BasicAuth, and would like to enable login through SSO. Every time we put in the corresponding VHost entry to protect the server, the SSO no longer works. Our virtual host entry for Apache looks like this:
<Directory /home/my_user/sites/my_site>
    Options -MultiViews
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
    AuthType Basic
    AuthBasicProvider file
    AuthName "MyBasicAuth"
    AuthUserFile /home/my_user/etc/htpasswd
    Require valid-user
    Satisfy Any
</Directory>
The log file of the web policy agent for OpenAM suggests that there is some kind of authorization failure during the dsame_check (possibly a kind of heartbeat message to see if the agent is alive?):
2011-11-04 16:48:16.069 Info 27773:7fb5259550e0 all: dsame_check_access(): starting...
2011-11-04 16:48:16.069 Debug 27773:7fb5259550e0 all: get_request_url(): ..
..
2011-11-04 16:48:16.069 Debug 27773:7fb5259550e0 all: get_request_url(): Returning request URL = http://..:80/error/HTTP_UNAUTHORIZED.html.var.
In the Apache access log for the computer with the policy agent we get the following 401 Unauthorized HTTP errors (192.168.1.1 is the local IP of the OpenAM server):
192.168.1.1 - "" [07/Nov/2011:12:42:58 +0100] "POST /UpdateAgentCacheServlet?shortcircuit=false HTTP/1.1" 401 - "-" "Java/1.6"
How can we change the configuration to enable BasicAuth and SSO? Or is it not possible at all? If we remove the protection for the Apache web server, the dsame check and the SSO work again.
Solution
It is possible to add BasicAuth protection at a higher level through the Rails framework itself by the HttpAuthentication module.
This solved the problem for me, since Apache and the Apache agent are not aware of the protection at this level.
class ApplicationController < ActionController::Base
  # Credentials are elided in the original post.
  http_basic_authenticate_with :name => "..", :password => ".."
end
One can add if Rails.env.staging? to enable this protection only for a certain environment.
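The same application-level, staging-only check, written as a framework-free Rack-style middleware in plain Ruby so it can be run and tested on its own. This is an added example, not the poster's code and not Rails' implementation; the class name StagingBasicAuth, the helper basic_header, the default realm and the credentials passed in are hypothetical.

```ruby
require "digest"

# Hypothetical middleware: enforces HTTP Basic auth only when the
# environment is "staging"; every other environment passes straight through.
class StagingBasicAuth
  def initialize(app, environment:, user:, password:, realm: "Staging")
    @app = app
    @enabled = (environment == "staging")
    # Store only a digest of the expected "user:password" pair.
    @expected = Digest::SHA256.digest("#{user}:#{password}")
    @realm = realm
  end

  def call(env)
    return @app.call(env) unless @enabled
    return @app.call(env) if authorized?(env["HTTP_AUTHORIZATION"])
    [401,
     { "content-type" => "text/plain",
       "www-authenticate" => %(Basic realm="#{@realm}") },
     ["Unauthorized\n"]]
  end

  private

  def authorized?(header)
    scheme, encoded = header.to_s.split(" ", 2)
    return false unless scheme&.casecmp?("basic") && encoded
    decoded = encoded.unpack1("m") # lenient base64 decode, never raises
    secure_equal?(Digest::SHA256.digest(decoded), @expected)
  end

  # Constant-time comparison of two digests, so response timing does not
  # reveal how many leading bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed helper for trying the middleware: the Authorization header
# value a browser would send for the given credentials.
def basic_header(user, password)
  "Basic " + ["#{user}:#{password}"].pack("m0")
end
```

In a real deployment the user and password would come from the environment or a secrets store rather than from source code.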