BasicAuth and SSO through OpenAM

0
votes

Is it possible to use BasicAuth protection and SSO (Single Sign-On) at the same time? We use cross domain single sign-on (CDSSO), want to hide our staging server from the public through BasicAuth, and would like to enable login through SSO. Everytime we put in the corresponding VHost entry to protect the server, the SSO no longer works. Our virtual host entry for Apache looks like this 

<Directory /home/my_user/sites/my_site>
  Options -MultiViews
  AllowOverride All
  Order deny,allow
  Deny from all
  Allow from 192.168.0.0/16
  AuthType Basic
  AuthBasicProvider file
  AuthName "MyBasicAuth"
  AuthUserFile /home/my_user/etc/htpasswd
  Require valid-user
  Satisfy Any
</Directory>

The log file of the web policy agent for OpenAM suggests that there is some kind of authorization failure during the dsame_check (possibly a kind of heartbeat message to see if the agent is alive ?):

2011-11-04 16:48:16.069    Info 27773:7fb5259550e0 all: 
dsame_check_access(): starting...
2011-11-04 16:48:16.069   Debug 27773:7fb5259550e0 all: 
get_request_url(): ..
..
2011-11-04 16:48:16.069   Debug 27773:7fb5259550e0 all: 
get_request_url(): Returning request URL = 
http://..:80/error/HTTP_UNAUTHORIZED.html.var.

In the Apache access log for the computer with the policy agent we get the following 401 Unauthorized HTTP errors (192.168.1.1 is the local IP of the OpenAM server):

192.168.1.1 - "" [07/Nov/2011:12:42:58 +0100] 
"POST /UpdateAgentCacheServlet?shortcircuit=false HTTP/1.1" 401 - "-" "Java/1.6"

How can we change the configuration to enable BasicAuth and SSO? Or is it not possible at all? If we remove the protection for the Apache web server, the dsame check and the SSO work again.

1
apachesingle-sign-onbasic-authenticationopenam
The BasicAuth works on our Proof-of-Concept System, but not for our Staging and Production systems, which run in a DMZ zone. Therefore I guess it has something to do with the enhanced security of the DMZ, maybe one of the Firewalls is blocking the communication between OpenAM server and web policy agent. - 0x4a6f4672
The problem occurs for an Apache 2.2.10 running on SUSE Linux Enterprise Server 11. We have no problems for our local systems and our Proof-of-Concept System which run on Ubuntu and have an Apache 2.2.16 (Ubuntu 10.10) or Apache 2.2.14 (Ubuntu 10.04). - 0x4a6f4672

1 Answers

0
votes

It is possible to add BasicAuth protectiont at a higher level through the Rails framework itself by the HttpAuthentication module.

This solved the problem for me, since Apache and the Apache agent are not aware of the protection at this level.

class ApplicationController
http_basic_authenticate_with :name => "..", :password => ".."

One can add if Rails.env.staging? to enable this protection only for a certain environment.