FIX login loop due to unsecured cookie
I think the login loop was due to the browser not being happy with the
cookie. Toggling the secure cookie flag seems to fix this. I also forced
samesite to none at the time, but I'm not sure if that's necessary. This
patch doesn't force samesite to none, because I'm hoping the automatic
samesite none code works fine without us having to do anything.

So I added code that'll set the secure cookie flag to true if we're
using a SIMPLESAMLPHP_BASEURL that starts with https.

Note that SIMPLESAMLPHP_BASEURL config is needed because SimpleSAMLphp
errors out if the application baseURL isn't https. Since we have an
ingress load balancer in front of the pods handling https, SimpleSAMLphp
itself doesn't know we're actually using https without this setting.

Sent SimpleSAMLphp logs to stderr so they show up in the kubectl logs.
Easiest way for us to see those logs.
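As an added example (not code from this commit, the repository, or SimpleSAMLphp itself), the following PHP shows the same decision the commit message describes, made from the externally visible base URL with a real URL parse instead of a bare prefix test, together with the SameSite caveat the message touches on and a consistency check between the two base-URL variables. The function names, the `wiki.example.org` host and the sample `$env` array are assumptions standing in for the container's real environment.

```php
<?php
// Added example: derive the session cookie's Secure and SameSite settings from the
// external base URL rather than from what PHP sees behind a TLS-terminating proxy.
// Helper names and sample values are assumptions, not SimpleSAMLphp API.
declare(strict_types=1);

/**
 * Returns the scheme ('http' or 'https') of an absolute base URL, or throws.
 * parse_url() is used instead of a prefix test so that a value such as
 * 'httpsomething', a bare hostname, or the old relative '_saml2/' value
 * cannot be mistaken for an HTTPS origin.
 */
function externalScheme(string $baseUrl): string
{
    $parts = parse_url($baseUrl);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException(
            "Base URL must be absolute, e.g. https://wiki.example.org; got '$baseUrl'"
        );
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException("Unsupported scheme '$scheme' in base URL '$baseUrl'");
    }
    return $scheme;
}

/**
 * Session cookie attributes for a SimpleSAMLphp config array (hypothetical helper).
 * Browsers discard a SameSite=None cookie that is not also Secure, so on a
 * plain-http base URL the cross-site request falls back to Lax instead of
 * silently producing a cookie the browser will never send back.
 */
function sessionCookieSettings(string $baseUrl, bool $wantCrossSite): array
{
    $secure = externalScheme($baseUrl) === 'https';
    return [
        'session.cookie.secure'   => $secure,
        'session.cookie.samesite' => ($wantCrossSite && $secure) ? 'None' : 'Lax',
    ];
}

/**
 * Guard against SIMPLESAMLPHP_BASEURL and SIMPLESAMLPHP_BASEURLPATH drifting apart:
 * the path variant must sit directly under the base URL and end with '/', which
 * is the format SimpleSAMLphp expects for 'baseurlpath'.
 */
function assertBaseUrlPathMatches(string $baseUrl, string $baseUrlPath): void
{
    $base = rtrim($baseUrl, '/');
    if (strncmp($baseUrlPath, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException(
            "SIMPLESAMLPHP_BASEURLPATH '$baseUrlPath' is not under SIMPLESAMLPHP_BASEURL '$baseUrl'"
        );
    }
    if (substr($baseUrlPath, -1) !== '/') {
        throw new RuntimeException("SIMPLESAMLPHP_BASEURLPATH must end with '/': '$baseUrlPath'");
    }
}

// Constructed sample values standing in for $_ENV inside the SP container.
$env = [
    'SIMPLESAMLPHP_BASEURL'     => 'https://wiki.example.org',
    'SIMPLESAMLPHP_BASEURLPATH' => 'https://wiki.example.org/_saml2/',
];
assertBaseUrlPathMatches($env['SIMPLESAMLPHP_BASEURL'], $env['SIMPLESAMLPHP_BASEURLPATH']);

// Production-style https origin behind an ingress: Secure cookie, SameSite=None allowed.
var_dump(sessionCookieSettings($env['SIMPLESAMLPHP_BASEURL'], true));

// Local dev origin over plain http: Secure is off, so SameSite=None is not usable.
var_dump(sessionCookieSettings('http://wiki.docker:8080', true));
```

The returned array can be merged into the SimpleSAMLphp `$config` with `array_merge`; the point of the scheme parse is that a misconfigured value fails at container start with a clear message rather than quietly producing an insecure session cookie.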
ionparticle committed Jul 21, 2024
1 parent 520d974 commit 5743474
Showing 3 changed files with 13 additions and 8 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -155,7 +155,8 @@ Required SP environment variables:
* SIMPLESAMLPHP_ADMIN_PASSWORD - Password for the default admin user.
* SIMPLESAMLPHP_MEMCACHED_SERVER - SimpleSAMLphp's SP cannot use the cookie cache as the wiki side SimpleSAMLphp extension will conflict with it. So we need to use a separate cache. For this purpose, we can just use the same Memcached server that the wiki uses.
* SIMPLESAMLPHP_TRUSTED_DOMAIN - Enter the wiki's domain here so that the SP knows it is safe.
* SIMPLESAMLPHP_BASEURL - Base URL for the SP. The SP needs to share the same domain as the wiki (or you run into cookie domain issues), so the base URL should be a path under the wiki domain.
* SIMPLESAMLPHP_BASEURL - Base URL for the SP (no path). The SP needs to share the same domain as the wiki (or you run into cookie domain issues), so the base URL should just be the wiki domain with an http:// or https:// prefix. This config lets SimpleSAMLphp knows it's running externally on https even if internally the backend server is plain http, such as when behind a load balancer/reverse proxy.
* SIMPLESAMLPHP_BASEURLPATH - Base URL plus the path for the SP.
* SIMPLESAMLPHP_SP_ENTITY_ID - The identifier that the SP uses to identify itself
* SIMPLESAMLPHP_IDP_ENTITY_ID - The target IDP's identifier.
* SIMPLESAMLPHP_IDP_METADATA_URL - URL where we can get the IDP's metadata.
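Review bot: the rewritten SIMPLESAMLPHP_BASEURL entry has a grammar slip ("This config lets SimpleSAMLphp knows it's running") and does not mention the second thing this value now controls: config.php in this same commit derives session.cookie.secure from whether the value starts with "https", so an http:// base URL silently disables the Secure flag on the session cookie. Suggest "lets SimpleSAMLphp know", plus a sentence along the lines of "Use https:// for any deployment behind a TLS-terminating ingress; the session cookie's Secure flag is set from this scheme." It would also help to state that SIMPLESAMLPHP_BASEURLPATH must begin with SIMPLESAMLPHP_BASEURL, since nothing in the README or the config ties the two variables together.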
3 changes: 2 additions & 1 deletion docker-compose.yml
Expand Up @@ -43,7 +43,8 @@ services:
SIMPLESAMLPHP_DEV: 1
SIMPLESAMLPHP_MEMCACHED_SERVER: memcached
SIMPLESAMLPHP_TRUSTED_DOMAIN: wiki.docker:8080
SIMPLESAMLPHP_BASEURL: '_saml2/'
SIMPLESAMLPHP_BASEURL: 'http://wiki.docker:8080'
SIMPLESAMLPHP_BASEURLPATH: 'http://wiki.docker:8080/_saml2'
SIMPLESAMLPHP_SP_ENTITY_ID: 'http://wiki.docker:8080/_saml2'
SIMPLESAMLPHP_IDP_ENTITY_ID: 'http://idp.docker:8190'
SIMPLESAMLPHP_IDP_METADATA_URL: 'http://idp.docker:8190/simplesaml/module.php/saml/idp/metadata'
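Review bot: `SIMPLESAMLPHP_BASEURLPATH: 'http://wiki.docker:8080/_saml2'` has no trailing slash, while the value it replaces (`'_saml2/'`) and the example in the config.php error message ("https://wiki.ubc.ca/_saml2/") both end in one; SimpleSAMLphp expects baseurlpath to end with "/", so keep the slash here to avoid a format error on startup. Separately, because SIMPLESAMLPHP_BASEURL is http:// in this compose file, the new session.cookie.secure expression in config.php evaluates to false, so this dev setup never exercises the Secure-cookie path the commit fixes; a comment saying so would stop someone expecting dev to reproduce the production login loop.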
15 changes: 9 additions & 6 deletions docker/simplesamlphp/sp/config/config.php
Expand Up @@ -18,7 +18,10 @@
exit("Set env var SIMPLESAMLPHP_TRUSTED_DOMAIN to the wiki's domain so SimpleSAMLphp knows it's safe.");
}
if (!isset($_ENV['SIMPLESAMLPHP_BASEURL'])) {
exit("Set env var SIMPLESAMLPHP_BASEURL to the SP's expected base url, e.g.: https://wiki.ubc.ca/_saml2/");
exit("Set env var SIMPLESAMLPHP_BASEURL to the SP's expected base url, e.g.: https://wiki.ubc.ca");
}
if (!isset($_ENV['SIMPLESAMLPHP_BASEURLPATH'])) {
exit("Set env var SIMPLESAMLPHP_BASEURLPATH to the SP's expected path, e.g.: https://wiki.ubc.ca/_saml2/");
}
if (!is_dir('/var/www/simplesamlphp/cert')) {
exit("Missing cert directory, generate key+cert and mount them into /var/www/simplesamlphp/cert");
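Review bot: the new SIMPLESAMLPHP_BASEURLPATH check only tests isset(), and SIMPLESAMLPHP_BASEURL keeps the same presence-only check even though the session cookie's Secure flag further down is computed from its prefix; an empty string or a bare hostname passes both checks and yields an insecure cookie with no diagnostic. Suggest validating the scheme in this preflight block, e.g. `if (!preg_match('#^https?://#', $_ENV['SIMPLESAMLPHP_BASEURL'])) { exit("SIMPLESAMLPHP_BASEURL must start with http:// or https://"); }`, and rejecting a SIMPLESAMLPHP_BASEURLPATH that does not start with SIMPLESAMLPHP_BASEURL, since the two are expected to agree.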
Expand Down Expand Up @@ -55,7 +58,7 @@
* external url, no matter where you come from (direct access or via the
* reverse proxy).
*/
'baseurlpath' => $_ENV['SIMPLESAMLPHP_BASEURL'],
'baseurlpath' => $_ENV['SIMPLESAMLPHP_BASEURLPATH'],

/*
* The 'application' configuration array groups a set configuration options
Expand All @@ -76,7 +79,7 @@
* need to compute the right URLs yourself and pass them dynamically
* to SimpleSAMLphp's API.
*/
//'baseURL' => 'https://example.com',
'baseURL' => $_ENV['SIMPLESAMLPHP_BASEURL'],
],

/*
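Review bot: 'baseURL' is now read straight from the environment, and the commit message says SimpleSAMLphp errors out when this option is not https, yet the docker-compose change in the same commit sets it to http://wiki.docker:8080. Either that error applies only to part of the flow or the dev environment is expected to fail at that point; a short comment at this line stating which schemes are acceptable for 'baseURL' (and why the secure-cookie flag is keyed off the same variable) would resolve the ambiguity for the next reader.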
Expand Down Expand Up @@ -389,8 +392,8 @@
* must exist and be writable for SimpleSAMLphp. If set to something else, set
* loggingdir above to 'null'.
*/
'logging.level' => SimpleSAML\Logger::NOTICE,
'logging.handler' => 'syslog',
'logging.level' => SimpleSAML\Logger::INFO,
'logging.handler' => 'stderr',

/*
* Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot
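Review bot: the comment immediately above this hunk says that when logging.handler is anything other than the file handler, "loggingdir above" must be set to 'null'; the handler is switched to 'stderr' here but the diff does not show loggingdir changing, so confirm it is null (or that the stderr handler ignores it) and include that line if it had to change. Also, raising logging.level from NOTICE to INFO is a separate operational decision from the stderr redirect the commit message describes; it deserves a sentence in the message, since INFO on an SP is considerably chattier in kubectl logs.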
Expand Down Expand Up @@ -656,7 +659,7 @@
*
* If unset, SimpleSAMLphp will try to automatically determine the right value
*/
//'session.cookie.secure' => true,
'session.cookie.secure' => str_starts_with($_ENV['SIMPLESAMLPHP_BASEURL'], 'https') ? true : false,

/*
* Set the SameSite attribute in the cookie.
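Review bot: `str_starts_with($_ENV['SIMPLESAMLPHP_BASEURL'], 'https') ? true : false` can be reduced to the comparison itself, and the needle should be 'https://' rather than 'https' so that a value such as "httpsomething" is not treated as a secure origin; str_starts_with also requires PHP 8.0, so document that minimum or use strncmp. The comment above ("If unset, SimpleSAMLphp will try to automatically determine the right value") is exactly why this override is needed behind the TLS-terminating ingress the commit message describes, and a one-line comment saying so here would keep someone from reverting it as redundant. Finally, the option that follows is session.cookie.samesite and the commit message mentions having forced SameSite=None: browsers reject a SameSite=None cookie that is not also Secure, so wherever None ends up being used this flag must be true, which the http:// dev configuration cannot satisfy.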

0 comments on commit 5743474

Please sign in to comment.