Question

Is it possible to use BasicAuth protection and SSO (Single Sign-On) at the same time? We use cross-domain single sign-on (CDSSO), want to hide our staging server from the public through BasicAuth, and would like to enable login through SSO. Every time we put in the corresponding VHost entry to protect the server, the SSO no longer works. Our virtual host entry for Apache looks like this:

<Directory /home/my_user/sites/my_site>
  Options -MultiViews
  AllowOverride All
  Order deny,allow
  Deny from all
  Allow from 192.168.0.0/16
  AuthType Basic
  AuthBasicProvider file
  AuthName "MyBasicAuth"
  AuthUserFile /home/my_user/etc/htpasswd
  Require valid-user
  Satisfy Any
</Directory>

The log file of the web policy agent for OpenAM suggests that there is some kind of authorization failure during the dsame_check (possibly a kind of heartbeat message to see if the agent is alive?):

2011-11-04 16:48:16.069    Info 27773:7fb5259550e0 all: 
dsame_check_access(): starting...
2011-11-04 16:48:16.069   Debug 27773:7fb5259550e0 all: 
get_request_url(): ..
..
2011-11-04 16:48:16.069   Debug 27773:7fb5259550e0 all: 
get_request_url(): Returning request URL = 
http://..:80/error/HTTP_UNAUTHORIZED.html.var.

In the Apache access log for the computer with the policy agent we get the following 401 Unauthorized HTTP errors (192.168.1.1 is the local IP of the OpenAM server):

192.168.1.1 - "" [07/Nov/2011:12:42:58 +0100] 
"POST /UpdateAgentCacheServlet?shortcircuit=false HTTP/1.1" 401 - "-" "Java/1.6"

How can we change the configuration to enable BasicAuth and SSO? Or is it not possible at all? If we remove the protection for the Apache web server, the dsame check and the SSO work again.


Solution

It is possible to add BasicAuth protection at a higher level through the Rails framework itself by the HttpAuthentication module.

This solved the problem for me, since Apache and the Apache agent are not aware of the protection at this level.

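class ApplicationController < ActionController::Base
  # Basic auth is enforced inside Rails, after Apache and the policy agent
  http_basic_authenticate_with :name => "..", :password => ".."
end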

One can add if Rails.env.staging? to enable this protection only for a certain environment.
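
What an application-level check of this kind amounts to, as an added example (not the answerer's code and not Rails' implementation): a Rack-style middleware in plain Ruby that enforces Basic auth only when the environment is staging. The class name StagingBasicAuth, its parameters and the demo credentials are hypothetical.

```ruby
require "digest"

# Rack-style middleware in plain Ruby (no Rack gem needed to run this file).
# StagingBasicAuth, its arguments and the sample credentials are hypothetical.
class StagingBasicAuth
  def initialize(app, env_name:, user:, password:, realm: "Staging")
    @app = app
    @enabled = (env_name == "staging")
    @user, @password, @realm = user, password, realm
  end

  def call(env)
    return @app.call(env) unless @enabled   # other environments pass through
    return @app.call(env) if authorized?(env["HTTP_AUTHORIZATION"])
    [401, { "www-authenticate" => %(Basic realm="#{@realm}") }, ["Unauthorized\n"]]
  end

  private

  def authorized?(header)
    scheme, encoded = header.to_s.split(" ", 2)
    return false unless scheme&.casecmp?("Basic") && encoded
    # "m" is Base64; decoding is lenient, so garbage simply fails the compare.
    user, password = encoded.unpack1("m").split(":", 2)
    # Non-short-circuit "&": both fields are always compared.
    secure_eq?(user, @user) & secure_eq?(password, @password)
  end

  # Compare fixed-length digests byte by byte without an early exit.
  def secure_eq?(a, b)
    x = Digest::SHA256.digest(a.to_s).bytes
    y = Digest::SHA256.digest(b.to_s).bytes
    x.zip(y).reduce(0) { |acc, (p, q)| acc | (p ^ q) }.zero?
  end
end

# Constructed demo: a stand-in downstream app and sample requests.
def demo_status(env_name, authorization = nil)
  app = ->(_env) { [200, {}, ["ok"]] }
  mw = StagingBasicAuth.new(app, env_name: env_name, user: "demo", password: "s3cret")
  env = authorization ? { "HTTP_AUTHORIZATION" => authorization } : {}
  mw.call(env).first
end
```
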

Licensed under: CC-BY-SA with attribution