This guide describes how mod_auth_mellon can be configured as a SAML Service Provider for eduTEAMS. mod_auth_mellon is an authentication module for Apache. It authenticates the user against a SAML 2.0 IdP and grants access to directories depending on attributes received from the IdP. It used to be maintained by Uninett, but is now maintained by the community. The code and documentation can be found at https://github.com/latchset/mod_auth_mellon. This guide assumes you're using a Debian-based Linux distribution and have installed and enabled the mod-auth-mellon module.
1. mod_auth_mellon
We suggest replicating the global configuration options given in the GitHub repository (see above) for your configuration. Edit your auth_mellon.conf file to read as follows:
###########################################################################
# Global configuration for mod_auth_mellon. This configuration is shared by
# every virtual server and location in this instance of apache.
###########################################################################

# MellonCacheSize sets the maximum number of sessions which can be active
# at once. When mod_auth_mellon reaches this limit, it will begin removing
# the least recently used sessions. The server must be restarted before any
# changes to this option take effect.
# Default: MellonCacheSize 100
MellonCacheSize 100

# MellonCacheEntrySize sets the maximum size for a single session entry in
# bytes. When mod_auth_mellon reaches this limit, it cannot store any more
# data in the session and will return an error. The minimum entry size is
# 65536 bytes, values lower than that will be ignored and the minimum will
# be used.
# Default: MellonCacheEntrySize 196608

# MellonLockFile is the full path to a file used for synchronizing access
# to the session data. The path should only be used by one instance of
# apache at a time. The server must be restarted before any changes to this
# option take effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"

# MellonPostDirectory is the full path of a directory where POST requests
# are saved during authentication. This directory must be writable by the
# Apache user. It should not be writable (or readable) by other users.
# Default: None
# Example: MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"

# MellonPostTTL is the delay in seconds before a saved POST request can
# be flushed.
# Default: MellonPostTTL 900 (15 mn)
MellonPostTTL 900

# MellonPostSize is the maximum size for saved POST requests
# Default: MellonPostSize 1048576 (1 MB)
MellonPostSize 1048576

# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100

###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################
Next, add a location under the web server that will be protected, requiring SAML authentication (and authorization, if you need it).
You will add this snippet after the global configuration, in the file auth_mellon.conf.
<Location />
    # "info" mode: mod_auth_mellon session data is available here, but no login is required
    MellonEnable info
    # Path under which mod_auth_mellon serves its own endpoints (e.g. /mellon/metadata, /mellon/login, /mellon/logout)
    MellonEndpointPath /mellon/
    # Optional pre-generated SP metadata; when omitted, mod_auth_mellon generates it from the key and certificate below
    # MellonSPMetadataFile /etc/httpd/saml2/demo_sp_metadata.xml
    # SP signing key and certificate; the key file must be readable by the Apache user only
    MellonSPPrivateKeyFile /etc/apache2/mellon/https_mellon.sp.iamfederated.org_mellon_metadata.key
    MellonSPCertFile /etc/apache2/mellon/https_mellon.sp.iamfederated.org_mellon_metadata.cert
    # IdP metadata downloaded from eduTEAMS (see below); the IdP signing certificate it contains is what this SP trusts
    MellonIdPMetadataFile /etc/apache2/mellon/eduTEAMS-metadata.xml
    # Organization information published in the generated SP metadata (language tag, then value; this directive expects a URL)
    MellonOrganizationURL "en" "mellon test for https://www.eduteams.org"
    # SAML attribute whose value becomes REMOTE_USER
    MellonUser "urn:oasis:names:tc:SAML:attribute:subject-id"
</Location>

<Location /private>
    # Everything under /private requires a SAML-authenticated user
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</Location>
Next, download the eduTEAMS metadata into the directory referenced by MellonIdPMetadataFile above (the original had mkdir /etc/apache/mellon, which does not match the /etc/apache2/mellon path used everywhere else):
mkdir -p /etc/apache2/mellon
wget "https://proxy.acc.eduteams.org/metadata/frontend.xml" -O /etc/apache2/mellon/eduTEAMS-metadata.xml
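The file you just downloaded is the SP's trust anchor: mod_auth_mellon verifies IdP responses against the signing certificate inside it and redirects users to the endpoints it lists. The following added example (not from this guide or the mod_auth_mellon project) parses SAML 2.0 IdP metadata with the standard library and reports the entityID, the SHA-256 fingerprints of the signing certificates, the SingleSignOnService endpoints, and anything worth looking at before you trust the file (unexpected entityID, expired validUntil, missing signing certificate, non-HTTPS endpoints). The embedded sample metadata, its entityID and endpoints, the placeholder certificate bytes, and the fixed "now" timestamp are all constructed for the example; run it with a path and the entityID you expect to check real metadata.

```python
"""Sanity-check SAML 2.0 IdP metadata before pointing MellonIdPMetadataFile at it
(added example, not part of mod_auth_mellon)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: real metadata carries a base64 DER certificate here.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real certificate").decode()

# Constructed sample metadata (placeholder entityID and endpoints, not eduTEAMS').
# The HTTP-POST endpoint is deliberately plain http:// so the check has something to flag.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/saml2/metadata"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.org/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed fixed clock so the expiry check is reproducible.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def inspect_idp_metadata(xml_text, expected_entity_id, now=None):
    """Return a report dict: entity_id, sso_endpoints, signing_fingerprints, problems."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "sso_endpoints": [],
              "signing_fingerprints": [], "problems": []}

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["problems"].append("root element is not md:EntityDescriptor")
        return report
    # The entityID is the IdP identity the SP will trust; make sure it is the one expected.
    if report["entity_id"] != expected_entity_id:
        report["problems"].append(f"unexpected entityID {report['entity_id']!r}")
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            report["problems"].append(f"metadata expired at {valid_until}")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return report

    # Signing certificates verify the IdP's SAML responses. A KeyDescriptor
    # without a "use" attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            report["signing_fingerprints"].append(hashlib.sha256(der).hexdigest())
    if not report["signing_fingerprints"]:
        report["problems"].append("no signing certificate: IdP responses could not be verified")

    # Every SSO endpoint the SP may send users to should be HTTPS.
    for sso in idp.findall("md:SingleSignOnService", NS):
        location = sso.get("Location", "")
        report["sso_endpoints"].append((sso.get("Binding"), location))
        if not location.startswith("https://"):
            report["problems"].append(f"SSO endpoint not HTTPS: {location}")
    return report


def run_sample_check():
    """Inspect the constructed sample against its expected entityID at FIXED_NOW."""
    return inspect_idp_metadata(SAMPLE_METADATA,
                                "https://idp.example.org/saml2/metadata", now=FIXED_NOW)


if __name__ == "__main__":
    import sys
    # usage: python check_idp_metadata.py /etc/apache2/mellon/eduTEAMS-metadata.xml <expected-entityID>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = inspect_idp_metadata(fh.read(), sys.argv[2])
    else:
        result = run_sample_check()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Compare the reported fingerprints with the ones the IdP operator publishes out of band; a changed signing certificate is exactly the kind of thing you want to notice before replacing the file under /etc/apache2/mellon and reloading Apache.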
Now generate the metadata for your mellon SP.
As with most setup helper scripts, mellon_create_metadata.sh is at once present and missing: whether the Apache auth-mellon package installs it depends on your distribution. If you cannot find it after installing the package, you can fetch it from the project's GitHub repository, e.g. https://github.com/latchset/mod_auth_mellon
Usage: mellon_create_metadata.sh ENTITY-ID ENDPOINT-URL
Example:
mellon_create_metadata.sh urn:someservice https://sp.example.org/mellon
For this guide, run it with your SP's entity ID and endpoint base URL, replacing [your_sp] with your SP's hostname:
./mellon_create_metadata.sh https://[your_sp]/mellon/metadata https://[your_sp]/mellon
This will give you three files, named after the entity ID:
https_[your_sp]_mellon_metadata.cert
https_[your_sp]_mellon_metadata.key
https_[your_sp]_mellon_metadata.xml
The .key and .cert files are the ones referenced by MellonSPPrivateKeyFile and MellonSPCertFile in the Location block above, so copy them to /etc/apache2/mellon and keep the .key file readable only by root and the Apache user. The .xml file is your SP's metadata, which describes your SP to the IdP.