CC7: CERN Single Sign-On using mod_auth_mellon¶
CERN Single Sign On (SSO) integration with Apache and Mod_Auth_Mellon on CentOS CERN 7
About CERN Single Sign On and Mod_Auth_Mellon
As root on your system run:
# /usr/bin/yum install mod_auth_mellon_cern
(above command will install on your system all needed dependencies, including mod_auth_mellon and httpd packages)
Configuration for CERN Single Sign On
We assume that at this point your apache web service (httpd) is already configured for https protocol and that a valid CERN certificate has been installed, on the system and configured in httpd SSL configuration.
- Generate and install mod_auth_mellon metadata and certificates (subsitute HOSTNAME by your system hostname):
# cd /etc/httpd/conf.d/mellon/ # /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh \ https://HOSTNAME.cern.ch/mellon \ https://HOSTNAME.cern.ch/mellonAbove command will create in /etc/httpd/conf.d/mellon/ metadata and certificate files:
https_HOSTNAME.cern.ch_mellon.key https_HOSTNAME.cern.ch_mellon.cert https_HOSTNAME.cern.ch_mellon.xml
- Edit /etc/httpd/conf.d/auth_mellon_adfs_cern.conf and change entries for metadata and certificate files (subsitute HOSTNAME by your system hostname):
MellonSPPrivateKeyFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.key MellonSPCertFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.cert MellonSPMetadataFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.xml
- Review the default settings in /etc/httpd/conf.d/auth_mellon_adfs_cern.conf (and/or: /etc/httpd/conf.d/auth_mellon.conf) editing path to protected location. Here is an example:
# Enable authentication only for part of the web site # adjust to your path. # See: /usr/share/doc/mod_auth_mellon*/README for # detailed description of MellonCond <Location /> SSLRequireSSL MellonEnable "auth" # # user authentication MellonCond ADFS_LOGIN loginname [MAP] # # group authentication (e-groups) MellonCond ADFS_GROUP groupname [MAP] </Location>Here is an example of a complete /etc/httpd/conf.d/auth_mellon_adfs_cern.conf file.
Or edit .htaccess file in a directory to be protected by mod_auth_mellon and insert in it:
# Enable authentication only for part of the web site # adjust to your path. # See: /usr/share/doc/mod_auth_mellon*/README for # detailed description of MellonCond <Location /> SSLRequireSSL MellonEnable "auth" # # user authentication MellonCond ADFS_LOGIN loginname [MAP] # # group authentication (e-groups) MellonCond ADFS_GROUP groupname [MAP] </Location>
- Check that there aren't any syntax errors in the Apache configuration files by running the following command:
# /usr/sbin/apachectl -t
- And if there aren't any syntax errors, then restart Apache for the changes to take effect:
# /sbin/service httpd restart
CERN SSO application registrationNote: Do configure and start your Apache Web server, using the above documentation, before registering your application.
Register your SSO Application at the CERN SSO management site, filling in the application registration form with:
- Application Name: a meaningful name
Service Provider Type: "SAML2 for mod_auth_mellon with online metadata"
Application Uri: https://HOSTNAME.cern.ch/mellon/metadata
(Note: same URL as used in metadata generation in the Configuration section above, subsititute HOSTNAME by your system hostname.)
- Application Homepage: https://HOSTNAME.cern.ch/mellon
- Application description: a meaningful description
(Note: subsititute HOSTNAME with your system hostname.)
Once you registerd is done, click on the List SSO Applications tab to make sure that:
- The Identifier (entityID) is set to: https://HOSTNAME.cern.ch/mellon
- The Metadata Uri is set to: https://HOSTNAME.cern.ch/mellon/metadata.
Then if everything is correctly registered, your CERN SSO enabled application should now be fully functional.
Should the Identifier (entityID) not to be ending with /mellon, check that your "/etc/httpd/conf.d/mellon/HOSTNAME.cern.ch_mellon.xml" contains:
entityID="https://HOSTNAME.cern.ch/mellon". If this isn't the case, then re-Generate and install mod_auth_mellon metadata and certificates, as in step 1.
Should the authentication be unsuccessful, loop, etc... you can:
Enable auth_mellon debuging by un-commenting the directive
"MellonSamlResponseDump On"in "/etc/httpd/conf.d/auth_mellon_adfs_cern.conf", then use tail to look at the ssl error log by running the follwowing command:
tail -f /var/log/httpd/ssl_error_log
- For addional or alternative debugging you can, if you are using Firefox use this SAML Message Decoder Add-on
And if you need to open a support ticket, please join the content of the SSL error log or SAML responses to your ticket.
- Enable auth_mellon debuging by un-commenting the directive