diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/401.html b/global/overlay/etc/puppet/modules/soc/files/sso/401.html new file mode 100644 index 0000000..5fffa96 --- /dev/null +++ b/global/overlay/etc/puppet/modules/soc/files/sso/401.html @@ -0,0 +1,31 @@ + + + + + Centrumtext + + + +
+

401 - Unauthorized

+

The SSO proxy did not find your user in any required user groups defined in the SSO proxy config. +

+ +
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
index 9b4284d..007edf3 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@@ -31,20 +31,22 @@ # Default set to value of proxy.
 class soc::sso(
- String $ssotype = 'docker',
- String $hostname = $facts['networking']['fqdn'],
- String $email = 'cert@cert.sunet.se',
- Optional[String] $service_endpoint = undef,
- Array $groups = ['PLACEHOLDER'],
- Array $passthrough = [],
- Boolean $x_remote_user = false,
- Boolean $single_user = false,
- Boolean $satosa = true,
- Boolean $satosa_certbot = false,
- String $translog = 'INFO',
- String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
- String $entityID = $proxy,
- Optional[String] $extra_proxy_conf = undef,
+ String $ssotype = 'docker',
+ String $hostname = $facts['networking']['fqdn'],
+ String $email = 'cert@cert.sunet.se',
+ Optional[String] $service_endpoint = undef,
+ Array $groups = ['PLACEHOLDER'],
+ Array $passthrough = [],
+ Boolean $x_remote_user = false,
+ Boolean $remote_user = false,
+ Boolean $unset_auth_header = false,
+ Boolean $single_user = false,
+ Boolean $satosa = true,
+ Boolean $satosa_certbot = false,
+ String $translog = 'INFO',
+ String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+ String $entityID = $proxy,
+ Optional[String] $extra_proxy_conf = undef,
 ) {
 if $ssotype == "docker" {
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
index d37a53c..df36f70 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
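Review bot: The two new parameters `$remote_user` and `$unset_auth_header` arrive undocumented, and `$remote_user` is not referenced by any template this commit touches (only `@unset_auth_header` is, in apache-site.conf.erb) — unless another template reads it, it is a dead parameter that callers will set without effect. The class's parameter comment block sits above this hunk (the body also continues below it), so the entries belong there, e.g. `# $unset_auth_header: strip the client-supplied Authorization request header before the request is proxied (default false)` and a matching line for `$remote_user` once its use is confirmed. The rest of the hunk only realigns the existing parameters.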
@@ -27,6 +27,13 @@ # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf + Alias /error /var/www/error + + AuthType None + Require all granted + + ErrorDocument 401 /error/401.html + AuthType shibboleth ShibRequestSetting requireSession On @@ -38,7 +45,9 @@ <%- else -%> ShibUseHeaders On <%- end -%> - + <%- if @unset_auth_header -%> + RequestHeader unset Authorization + <%- end -%> <%- if @extra_proxy_conf -%> IncludeOptional <%= @extra_proxy_conf %> <%- end -%> @@ -46,14 +55,15 @@ AuthGroupFile /etc/apache2/groups.txt Require group <% @groups.each.with_index do |group, i| %><%= group %><%= ' ' if i < (@groups.size - 1) %><% end %> - <%- @passthrough.each do |path| -%> + <%- @passthrough.each do |path| -%> > AuthType None Require all granted <%- end -%> + ProxyPass "/error" ! ProxyPass "/" "<%= @service_endpoint %>/" ProxyPassReverse "/" "<%= @service_endpoint %>/" UseCanonicalName On diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb index ecc0b79..184bdfa 100644 --- a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb +++ b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb @@ -23,6 +23,10 @@ services: <% end -%> - ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem - ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem + - ./apache/401.html:/var/www/error/401.html:ro +<% if @extra_proxy_conf -%> + - @extra_proxy_conf:@extra_proxy_conf +<% end -%> networks: sso: external: true
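Review bot: The anonymous exception for the error page may not take effect: the container around `AuthType None` / `Require all granted` was stripped by the rendering, but the adjacent `Alias /error /var/www/error` suggests a `<Directory /var/www/error>` block, while the `AuthType shibboleth` / `ShibRequestSetting requireSession On` context that follows (its enclosing tag is also stripped) looks like a `<Location />`. Apache merges `<Location>` sections after `<Directory>` sections, so the Location's AuthType and Require would replace the directory's, the `ErrorDocument 401 /error/401.html` subrequest would itself be denied, and Apache would fall back to its built-in 401 page. If that is the layout, express the exception as a `<Location /error>` block with `AuthType None` and `Require all granted`, exactly as the `@passthrough` loop in the third hunk does, and add `Options -Indexes` to the static directory if the distribution's default for /var/www enables listings. The `ProxyPass "/error" !` in the third hunk is correctly placed before the catch-all `ProxyPass "/"`; note it also shadows any backend route under `/error`.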
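Review bot: `RequestHeader unset Authorization` sits in the same scope as `ShibUseHeaders On`, i.e. inside the Shibboleth-protected location whose enclosing tag is outside this hunk; mod_headers directives are inherited by nested sections, so if the `@passthrough` `<Location>` blocks of the third hunk are nested inside it, those anonymous paths also lose any Authorization header a client sends, and a passthrough API path that expects Basic or bearer credentials would silently break — worth confirming that is intended. The option is also undocumented in the template; a one-line comment above the `<%- if @unset_auth_header -%>` guard such as `# Strip client-supplied Authorization so only the proxy's SSO headers reach the backend` would tell the next reader why it exists.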
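Review bot: The new volume line `- @extra_proxy_conf:@extra_proxy_conf` is literal text, not an ERB expression: only the surrounding `<% if @extra_proxy_conf -%>` guard is evaluated, so the rendered compose file will contain the string `@extra_proxy_conf` on both sides of the colon, which Compose treats as a named volume rather than the bind mount of the file that `IncludeOptional <%= @extra_proxy_conf %>` in apache-site.conf.erb expects. The apache template already shows the right form; the line should read `- <%= @extra_proxy_conf %>:<%= @extra_proxy_conf %>:ro`, with `:ro` matching the `./apache/401.html` mount two lines above since Apache only reads the include. Whitespace was squeezed by the rendering, so also confirm the `- ` keeps the same indentation as the sibling `./shibboleth/...` entries.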