PingFederate not modifying HTTP headers

849 views Asked by At

I am using PingFederate Apache (Linux) Integration Kit 3.2 to authenticate my application . The application is running, and PingFederate is able set the headers as well as environment variables but changes made to the HTTP headers by PingFederate are ignored by Apache. Below is an excerpt of my apache error log

[Thu Aug 31 07:16:35.836754 2017] [:info] [pid 28376] Exposing of session information is enabled for all requests within a session
[Thu Aug 31 07:16:35.836757 2017] [:info] [pid 28376] Exposing session information into the environment variables and HTTP headers...
[Thu Aug 31 07:16:35.836763 2017] [:info] [pid 28376]  Setting environment variable: PF_AUTH_UID = .....
[Thu Aug 31 07:16:35.836766 2017] [:info] [pid 28376]  Setting the request HTTP header: PF_AUTH_UID = ....
[Thu Aug 31 07:16:35.836769 2017] [:info] [pid 28376]  Setting environment variable: PF_AUTH_SN = ...
[Thu Aug 31 07:16:35.836772 2017] [:info] [pid 28376]  Setting the request HTTP header: PF_AUTH_SN = ...
....
....
[Thu Aug 31 07:16:35.836837 2017] [:info] [pid 28376]  Total environment variables added: 12
[Thu Aug 31 07:16:35.836839 2017] [:info] [pid 28376]  Total HTTP request headers added: 12
[Thu Aug 31 07:16:35.836842 2017] [:info] [pid 28376] Releasing the dynamically allocated payload...
[Thu Aug 31 07:16:35.836844 2017] [:info] [pid 28376] Granting access to the requested resource
[Thu Aug 31 07:16:35.836846 2017] [:info] [pid 28376] Returning DECLINED to let Apache take its default actions for the modified request
[Thu Aug 31 07:16:35.836849 2017] [:info] [pid 28376] Exiting the Content handler
[Thu Aug 31 07:16:35.836851 2017] [:info] [pid 28376] Returning HTTP code -1 (DECLINED)

The following are some of the configuration for my mod_pf.conf:

PingFederateFilter                  /.*
PingFederateFilter                  /cgi-bin/.*

PingFederateExposeSessionAttributesToEnvironmentVariables   yes
PingFederateExposeSessionAttributesToHttpHeaders            yes

PingFederateAuthnPrefix                PF_AUTH_

Below are snippet of my Apache configuration (httpd.conf)

LoadModule access_compat_module modules/mod_access_compat.so
LoadFile modules/libopentoken.so
LoadModule pf_module modules/mod_pf.so
PingFederateConfigurationFile conf/mod_pf.conf

<Directory "/var/www/cgi-bin">
    Order deny,allow
    Deny from all

    AuthType PFApacheAgent
    Allow from all
    Require valid-user
</Directory>

Apache version is Apache/2.4.6 (CentOS)

1

There are 1 answers

0
Arvind_Kumar On

There is a line in mod_pf "PingFederateStartPageUrl /.cmd=PingStartPage." Enable this line and enter the following URL in the browser. It will show the Headers being sent to Apache by PingFederate. If you are not able to see any HTTP Headers, then PingFederate is not sending the attributes.

URL is "https://yourapachehost:apacheport/protectedresource/?cmd=PingStartPage."