0

我创建了一个 Azure AD 帐户来测试 SSO。我能够让 Apache 使用 SSO 对站点进行身份验证,并将经过身份验证的用户的电子邮件地址作为标头传递。我无法让“团体”声明通过。

我的 Apache 配置如下所示:

LoadModule auth_openidc_module /usr/lib64/httpd/modules/mod_auth_openidc.so

<IfModule mod_auth_openidc.c>
    OIDCProviderMetadataURL https://sts.windows.net/<removed>/.well-known/openid-configuration

    OIDCClientID <removed>
    OIDCClientSecret <removed>

    OIDCRedirectURI https://<removed>/redirect_uri
    OIDCResponseType code

    OIDCScope "openid email profile groups family_name given_name"
    OIDCSSLValidateServer Off

    OIDCCryptoPassphrase <removed>

    OIDCPassClaimsAs headers
    OIDCClaimPrefix USERINFO_

    OIDCRemoteUserClaim email
    OIDCPassUserInfoAs claims
    OIDCAuthNHeader USER

    OIDCPassIDTokenAs claims
    OIDCPassRefreshToken On
</IfModule>

我在 Azure AD 中的可选声明如下所示:

在此处输入图像描述

此外,我在 AD 中创建了一个名为“Users”的组,并将自己添加到该组中。所以我希望看到“用户”作为标题中的某种属性传递。

如果我在服务器上打印 HTTP 标头,我会看到...

CONTEXT_DOCUMENT_ROOT: /var/httpd/cgi-bin/
CONTEXT_PREFIX: /cgi-bin/
DOCUMENT_ROOT: /var/SP/httpd/htdocs/docs
GATEWAY_INTERFACE: CGI/1.1
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
HTTP_ACCEPT_ENCODING: gzip, deflate, br
HTTP_ACCEPT_LANGUAGE: en-GB,en-US;q=0.9,en;q=0.8
HTTP_CACHE_CONTROL: max-age=0
HTTP_COOKIE: _ga=GA1.2.601634409.1596125029; mod_auth_openidc_session=c186c9d6-eebe-11ea-8429-7982f43b32a7
HTTP_HOST: <removed>
HTTP_SEC_FETCH_DEST: document
HTTP_SEC_FETCH_MODE: navigate
HTTP_SEC_FETCH_SITE: none
HTTP_SEC_FETCH_USER: ?1
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_USER: <removed>
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
HTTP_X_AMZN_TRACE_ID: Root=1-5f52559a-6b8b464ec338a6097565fce0
HTTP_X_FORWARDED_FOR: <removed>
HTTP_X_FORWARDED_PORT: 443
HTTP_X_FORWARDED_PROTO: https
LD_LIBRARY_PATH: /opt/apache-2.4/lib64
PATH: /sbin:/usr/sbin:/bin:/usr/bin
QUERY_STRING:
REMOTE_ADDR: <removed>
REMOTE_PORT: 45364
REMOTE_USER: <removed>
REQUEST_METHOD: GET
REQUEST_SCHEME: http
REQUEST_URI: /cgi-bin/headers.cgi
SCRIPT_FILENAME: /var/httpd/cgi-bin/headers.cgi
SCRIPT_NAME: /cgi-bin/headers.cgi
SCRIPT_URI: http://<removed>/cgi-bin/headers.cgi
SCRIPT_URL: /cgi-bin/headers.cgi
SERVER_ADDR: <removed>
SERVER_ADMIN: <removed>
SERVER_NAME: <removed>
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SIGNATURE:
SERVER_SOFTWARE: Apache/2.4.46 (Unix) OpenSSL/1.1.1c
X_REMOTE_USER: <removed>

REMOTE_USER、X_REMOTE_USER 和 HTTP_USER 都显示正确的经过身份验证的用户电子邮件。

我没有看到任何与“groups”、“USERINFO_”、“family_name”、“given_name”相关的内容。甚至没有空白占位符。

我有点卡住了,因为据我所知,Apache 配置看起来还不错,而且从我读过的内容来看,Azure 配置也不错。

任何想法为什么没有通过索赔?

4

1 回答 1

0

我变了:

OIDCPassClaimsAs headers

至:

OIDCPassClaimsAs both

......它奏效了!

于 2020-09-04T16:30:18.583 回答