avillanueva
23-Emerald I
July 9, 2024
Solved

Configuring SAML SSO with Reverse Proxy

  • July 9, 2024
  • 2 replies
  • 9667 views

Version: Windchill 12.0


Use Case: I have a slightly advanced setup of a reverse proxy handling SSL https and the external facing hostname for users and the internal PTC Apache server configured with HTTP and a virtual hostname known only on that server (not in DNS). The shibboleth metadata file that was generated exposes that internal virtual hostname and my IDP requires reply and login urls to be https. Where did I goof this?


Description:

@jbailey you might know this off the top of your head. 

For discussion's sake, say my system DNS addressable host is pdmlink-test.mycompany.com and the internal name is pdm12.mycompany.com. I've installed shibboleth to my windchill server, configured it, defined an entityID that is "https://pdmlink-test.mycompany.com/shibboleth" and it is talking to my IDP. We got an error from the IDP when login was redirected that the replyURL did not match. Checking the metadata file, all the location attributes are showing "http://pdm12.mycompany.com/Shibboleth.sso/..." yada yada. Am I correct in saying that this should have said https://pdmlink-test.mycompany.com...?

Did Shibboleth need to be configured on my reverse proxy webserver? I have that module installed on my PTC Apache server which is behind the proxy. 

Best answer by avillanueva

I just wanted to return to this thread and close it out though I still have a few more loose ends to wrap up. Thank you so much to @jbailey for all your help. We actually took this offline to keep the thread smaller. Here is a summary of what I learned:

  • Metadata file must reference your proxy so that should be the domain you present to IDP.
  • bindingTemplate.html CAN be copied from PTC codebase so long as you are not doing anything fancy. Documentation has wrong location. It's in the codebase/templates folder not WEB-INF.
  • PTC HttpServer ServerName needed to match the proxy domain. This is what seemed to influence what shibboleth used in generating the Metadata file. I also received 404 errors getting the Metadata file when it did not match.
  • I still have issues with the sessionHook.jsp for which I have a PTC ticket open. Take note of this debug logger (sso.shibboleth.sessionHook). This was key to it complaining about the different domains. I was able to code around the issue but intend to return to OOTB hook. For now, it's working as it should. I will try and collect my notes and write up something clearer.

2 replies

jbailey
18-Opal
July 9, 2024

Your IdP shouldn't need to know (or expose) anything for the local host. entityID is just a string that matches the IdP.

"Checking the metadata file, all the location attributes are showing "http://pdm12.mycompany.com/Shibboleth.sso/..." yada yada. Am I correct is saying that this should have said https://pdmlink-test.mycompany.com...?"

  • Yes, or maybe... You can either use a full address for handlerURL="https://pdmlink-test.mycompany.com/Shibboleth.sso" or a relative address like handlerURL="/Shibboleth.sso".
  • Interestingly enough in my main Session - I used the full URL - and in my reauthsecure ApplicationOverride (needed for electronic signatures) I used a relative URL handlerURL="/reauthsecure/Shibboleth.sso"

Shibboleth shouldn't be installed at the proxy level, because then you would have to configure Windchill Apache to accept the username in the header from the proxy which could be impersonated (PTC recommends against this method anyway).

If your IdP is configured with FQDNs instead of relative paths for the Assertion Consumer Service URLs, make sure they are for the proxy FQDN, not the internal host name. Ideally you could just use relative URLs.

(attached screenshot: jbailey_0-1720543430141.png)

Also, I would consider end to end HTTPS. Yes, it is another cert and probably a little bit of a performance hit in transactions, but you will end up more secure.

avillanueva
23-Emerald I
July 9, 2024

Agreed on more secure but this setup makes cloning and other things easier. Recommended by consultants. We've also changed company names so many darn times, it's nice to be able to change it in a few locations (on the proxy and some xconf file).

avillanueva
23-Emerald I
July 9, 2024

Here is some testing of configurations info. My IDP has return URL as "https://pdmlink-test.mycompany.com..." pattern. With the configuration below:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
 checkAddress="false" handlerSSL="false" cookieProps="https"
 redirectLimit="exact" >

yields a urlMismatchError from the IDP since it was being given "http://pdm12.mycompany.com..." as the URL. I can confirm that the metadata file indeed does show pdm12 as hostname and I can download it using https://pdmlink-test.mycompany.com/Shibboleth.sso/Metadata 

In an attempt to fix this I modified the above configuration to the following:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
 checkAddress="false" handlerSSL="false" cookieProps="https"
 redirectLimit="exact" handlerURL="https://pdmlink-test.mycompany.com/Shibboleth.sso">

Now my IDP redirects me to https://pdmlink-test.mycompany.com/Shibboleth.sso/SAML2/POST but I now get a 404 error. It seems that the IDP liked what it got but something went wrong between the proxy and the main webserver. I can see in the webserver access log the 404 message. Getting closer. Any clue where to look next? I think it might be the Shibboleth module configuration on the Windchill webserver.
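The mismatch described in this post (entityID on the proxy FQDN, endpoint Locations on the internal host) is easy to miss by eye in a long metadata file. The script below is an added example, not part of this thread or of the Shibboleth SP; it parses SP metadata, collects every Location/ResponseLocation on the SAML endpoints, and flags any that are not https or not on the expected proxy FQDN. The embedded metadata is a constructed sample built to reproduce the symptom (the real file would be downloaded from https://pdmlink-test.mycompany.com/Shibboleth.sso/Metadata and passed to `find_problems`).

```python
"""Check Shibboleth SP metadata for endpoint URLs that leak an internal host or use plain http."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Endpoint elements whose Location the IdP will redirect/POST to.
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService", "ArtifactResolutionService")

# Constructed sample mirroring the thread: entityID carries the proxy FQDN, but
# two endpoints were generated with the internal hostname over http.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://pdmlink-test.mycompany.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://pdm12.mycompany.com/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://pdm12.mycompany.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pdmlink-test.mycompany.com/reauthsecure/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Return (element tag, attribute name, URL) for every endpoint Location/ResponseLocation."""
    root = ET.fromstring(metadata_xml)
    found = []
    for tag in ENDPOINT_TAGS:
        for element in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                if attr in element.attrib:
                    found.append((tag, attr, element.attrib[attr]))
    return found


def find_problems(metadata_xml, proxy_fqdn):
    """Flag endpoints that are not https or whose host is not the externally visible proxy."""
    problems = []
    for tag, _attr, url in endpoint_locations(metadata_xml):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append((tag, url, "scheme is not https"))
        if parts.hostname != proxy_fqdn.lower():
            problems.append((tag, url, f"host is not the proxy FQDN {proxy_fqdn}"))
    return problems


if __name__ == "__main__":
    for tag, url, reason in find_problems(SAMPLE_METADATA, "pdmlink-test.mycompany.com"):
        print(f"{tag}: {url} -> {reason}")
```

Run it against the downloaded metadata after changing ServerName or handlerURL; an empty result means every endpoint the IdP will be told about is on the proxy over https, which is the condition the IdP's reply-URL check enforces.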

jbailey
18-Opal
July 9, 2024

Download the SAML Tracer extension for Chrome or Edge and redo the auth attempt from a clean session with SAML tracer open. It will help you figure out what isn't liked (if it is SP side or IdP side).


Is the proxy new for you? (just going through my proxy notes, not assuming you missed any of this 🙂)

Did you set wt.server.codebase="$(wt.webserver.protocol)://<PROXY FQDN>:$(wt.webserver.port)/$(wt.webapp.name)" -t codebase/wt.properties -p ?


Something else you might try in your proxy conf file is to add ProxyPass and ProxyPassReverse for the SSO related paths ( I don't know if this is necessary or not but you could do it to force to the right local address)


ProxyPass /Shibboleth.sso https://<LOCAL WC SERVER FQDN>:443/Shibboleth.sso
ProxyPassReverse /Shibboleth.sso https://<LOCAL WC SERVER FQDN>:443/Shibboleth.sso
ProxyPass /secure https://<LOCAL WC SERVER FQDN>:443/secure
ProxyPassReverse /secure https://<LOCAL WC SERVER FQDN>:443/secure
ProxyPass /reauthsecure https://<LOCAL WC SERVER FQDN>:443/reauthsecure
ProxyPassReverse /reauthsecure https://<LOCAL WC SERVER FQDN>:443/reauthsecure

avillanueva
23-Emerald I
July 9, 2024

No, the proxy is not new. I've been running it for years. Here is my proxy config:

# Windchill Reverse Proxy Additions and Settings
RewriteEngine on
SSLProxyEngine on
ProxyPass /Windchill/ http://pdm12.mycompany.com:8888/Windchill/
ProxyPassReverse /Windchill/ http://pdm12.mycompany.com:8888/Windchill/
ProxyPass /Windchill-WHC http://pdm12.mycompany.com:8888/Windchill-WHC
ProxyPassReverse /Windchill-WHC http://pdm12.mycompany.com:8888/Windchill-WHC
ProxyPass /Windchill-WHC/ http://pdm12.mycompany.com:8888/Windchill-WHC/
ProxyPassReverse /Windchill-WHC/ http://pdm12.mycompany.com:8888/Windchill-WHC/
RewriteRule ^/Windchill$ /Windchill/ [R]

#Shibboleth Reverse Proxy Additions and Settings
ProxyPass /Shibboleth.sso/ http://pdm12.mycompany.com:8888/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ http://pdm12.mycompany.com:8888/Shibboleth.sso/

#Basic Authentication login page settings
# (backend host and reverse path corrected: the original had "mycompany.coml" and "/bsaicLogin.html",
#  so the reverse mapping did not pair with the forward mapping)
ProxyPass /basicLogin.html http://pdm12.mycompany.com:8888/basicLogin.html
ProxyPassReverse /basicLogin.html http://pdm12.mycompany.com:8888/basicLogin.html

# Force requests to Windchill
RedirectMatch ^/$ https://pdmlink-test.mycompany.com/Windchill/
RedirectMatch ^/windchill$ https://pdmlink-test.mycompany.com/Windchill/

What was added was the Shibboleth and basic auth sections. The other proxy settings I've always had. I can see that it's hitting the pdm12 webserver since it logs the URL and a 404 error. This is why I suspect the Shibboleth module is throwing the error.
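When a 404 shows up in the backend log behind a proxy like the one above, the first thing to rule out is the proxy mapping itself: a ProxyPass without a matching ProxyPassReverse, a forward and reverse path that differ by a typo, or a backend hostname spelled differently on one line. The script below is an added example, not from this thread or from Apache; it parses ProxyPass/ProxyPassReverse lines and reports those defects. The embedded config is a constructed sample in the style of the post, with two deliberate mistakes (a mistyped backend host and a mistyped reverse path) so the linter has something to find.

```python
"""Lint Apache ProxyPass/ProxyPassReverse pairs for mismatched paths and backend hosts."""
import re
from urllib.parse import urlsplit

# Constructed sample; the last two lines carry a host typo ("coml") and a
# path typo ("bsaicLogin") that leave the mappings unpaired.
SAMPLE_CONF = """
ProxyPass /Windchill/ http://pdm12.mycompany.com:8888/Windchill/
ProxyPassReverse /Windchill/ http://pdm12.mycompany.com:8888/Windchill/
ProxyPass /Shibboleth.sso/ http://pdm12.mycompany.com:8888/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ http://pdm12.mycompany.com:8888/Shibboleth.sso/
ProxyPass /basicLogin.html http://pdm12.mycompany.coml:8888/basicLogin.html
ProxyPassReverse /bsaicLogin.html http://pdm12.mycompany.com:8888/basicLogin.html
"""

# Longer alternative first so "ProxyPassReverse" is not read as "ProxyPass".
DIRECTIVE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", re.M)


def parse_directives(conf):
    """Return {public_path: {directive_name: backend_url}} for every ProxyPass* line."""
    table = {}
    for directive, path, backend in DIRECTIVE.findall(conf):
        table.setdefault(path, {})[directive] = backend
    return table


def lint(conf, expected_backend_host):
    """Report unpaired mappings, forward/reverse backend mismatches and unexpected backend hosts."""
    findings = []
    for path, entries in sorted(parse_directives(conf).items()):
        if "ProxyPass" not in entries:
            findings.append(f"{path}: ProxyPassReverse without ProxyPass")
        elif "ProxyPassReverse" not in entries:
            findings.append(f"{path}: ProxyPass without ProxyPassReverse")
        elif entries["ProxyPass"] != entries["ProxyPassReverse"]:
            findings.append(f"{path}: ProxyPass and ProxyPassReverse backends differ")
        for directive, backend in entries.items():
            host = urlsplit(backend).hostname
            if host != expected_backend_host:
                findings.append(f"{path}: {directive} targets {host}, expected {expected_backend_host}")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF, "pdm12.mycompany.com"):
        print(line)
```

Feed it the real proxy conf and the internal Windchill hostname; a clean run narrows the 404 to the backend (Shibboleth module or Windchill Apache virtual host) rather than the proxy layer.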