In Apache, using OIDC instead of SAML makes for easier testing

May 8, 2025

In my earlier installment, I wrote about my views on the common Apache modules for SAML and OIDC authentication, where I concluded that OpenIDC was generally easier to use than Mellon (for SAML). Recently I came up with another reason to prefer OIDC, one sufficiently strong enough that we converted one of our remaining Mellon uses over to OIDC. The advantage is that OIDC is easier to test if you're building a new version of your web server under another name.

Suppose that you're (re)building a version of your Apache based web server with authentication on, for example, a new version of Ubuntu, using a test server name. You want to test that everything still works before you deploy it, including your authentication. If you're using Mellon, as far as I can see you have to generate an entirely new SP configuration using your test server's name and then load it into your SAML IdP. You can't use your existing SAML SP configuration from your existing web server, because it specifies the exact URL the SAML IdP needs to use for various parts of the SAML protocol, and of course those URLs point to your production web server under its production name. As far as I know, to get another set of URLs that point to your test server, you need to set up an entirely new SP configuration.

OIDC has an equivalent thing in its redirect URI, but the OIDC redirect URL works somewhat differently. OIDC identity providers typically allow you to list multiple allowed redirect URIs for a given OIDC client, and it's the client that tells the server what redirect URI to use during authentication. So when you need to test your new server build under a different name, you don't need to register a new OIDC client; you can just add some more redirect URIs to your existing production OIDC client registration to allow your new test server to provide its own redirect URI. In the OpenIDC module, this will typically require no Apache configuration changes at all (from the production version), as the module automatically uses the current virtual host as the host for the redirect URI. This makes testing rather easier in practice, and it also generally tests the Apache OIDC configuration you'll use in production, instead of a changed version of it.

(You can put a hostname in the Apache OIDCRedirectURI directive, but it's simpler to not do so. Even if you did use a full URL in this, that's a single change in a text file.)

Comments on this page:

From 193.219.181.219 at 2025-05-09 16:52:30:

it specifies the exact URL the SAML IdP needs to use for various parts of the SAML protocol, and of course those URLs point to your production web server under its production name. As far as I know, to get another set of URLs that point to your test server, you need to set up an entirely new SP configuration.

No, not exactly – SAML AuthnRequest does specify the AssertionConsumerServiceURL, and the SP's metadata at the IdP can have multiple AssertionConsumerService endpoints listed. The IdP will try to find the matching endpoint (see modules/saml/src/IdP/SAML2.php), using the default one only if none match.

There also seems to be an option on the IdP to trust arbitrary redirect URLs as long as the SP signs the AuthnRequest (<SPSSODescriptor AuthnRequestsSigned="true" ...>).

If you're writing PHP-format metadata in SimpleSAMLphp, the examples used to default to specifying a simple string, but the latest version removes that shortcut and requires it to always be an array-of-arrays (kinda matching the XML format).

$metadata["https://example.com/shibboleth"] = [
    "AssertionConsumerService" => [
        [
            "Location" => "https://example.com/samltestone/",
        ],
        [
            "Location" => "https://example.com/samltesttwo/",
        ],
    ],
];

(The entity ID can be arbitrary, it only acts as a key into $metadata, and doesn't even have to be an URL – some SPs have used URNs and whatnot.)

Written on 08 May 2025.
« Chosing between "it works for now" and "it works in the long term"
Some notes on using 'join' to supplement one file with data from another »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal.
Search:
Login: Password:
Last modified: Thu May 8 22:56:21 2025
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.