Metadata

The metadata file is usually an XML file. Below is an example of a "sanitized" SP metadata file (placeholders are shown in angle brackets) that you can use for reference.

  <?xml version="1.0"?>
  <md:EntityDescriptor entityID="<identifier>" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="false">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate><certgoeshere></ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate><certgoeshere></ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Location="<binding>" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:AssertionConsumerService Location="<binding>" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
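As an added example (not code from this page or from mod_auth_mellon), the following Python parses an EntityDescriptor like the one above and pulls out what an SP operator checks before handing the file to the IdP team: entity ID, endpoints and bindings, the WantAssertionsSigned flag, and SHA-256 fingerprints of the embedded certificates. It goes beyond the SP sample by also reading the IDPSSODescriptor of an IdP metadata file such as the FederationMetadata.xml fetched later on this page; since that fetch runs with certificate checking disabled, comparing the IdP signing-certificate fingerprint against a value obtained out of band is the check that closes the gap. The sample metadata, the idp.example.invalid hostname and the certificate bytes are constructed placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the page's <certgoeshere> placeholder: NOT a real X.509
# DER, just bytes so the fingerprint code runs offline. Real metadata carries the
# base64 DER of the SP or IdP certificate here.
FAKE_CERT_DER = b"constructed placeholder certificate bytes"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT_DER).hexdigest()

# Constructed sample: the page's sanitized SP metadata with its placeholders filled in.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://SiteURL.private.uwaterloo.ca/" xmlns:md="{NS['md']}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Location="https://SiteURL.private.uwaterloo.ca/mellon/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Location="https://SiteURL.private.uwaterloo.ca/mellon/postResponse" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed minimal IdP metadata in the shape of an ADFS FederationMetadata.xml
# (placeholder hostname, not the page's ADFS hosts).
IDP_METADATA = f"""<md:EntityDescriptor entityID="http://idp.example.invalid/adfs/services/trust" xmlns:md="{NS['md']}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.invalid/adfs/ls/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def cert_fingerprints(descriptor):
    """SHA-256 hex fingerprints of every X509Certificate under a role descriptor, keyed by 'use'."""
    out = {}
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # absent 'use' means the key serves both
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            out.setdefault(use, []).append(hashlib.sha256(der).hexdigest())
    return out


def summarize(xml_text):
    """Summarize an SP or IdP EntityDescriptor: entity ID, flags, endpoints, certificate fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    summary = {"entity_id": root.get("entityID"), "roles": {}}
    for role in ("SPSSODescriptor", "IDPSSODescriptor"):
        for desc in root.findall("md:" + role, NS):
            endpoints = {}
            for child in desc:
                if child.get("Location"):  # every *Service element carries Location + Binding
                    endpoints.setdefault(_local(child.tag), []).append((child.get("Binding"), child.get("Location")))
            summary["roles"][role] = {
                "want_assertions_signed": desc.get("WantAssertionsSigned") == "true",
                "authn_requests_signed": desc.get("AuthnRequestsSigned") == "true",
                "nameid_formats": [(e.text or "").strip() for e in desc.findall("md:NameIDFormat", NS)],
                "endpoints": endpoints,
                "cert_fingerprints": cert_fingerprints(desc),
            }
    return summary


def check_sp(summary):
    """Findings for the SP side; an empty list means the file matches the page's reference shape."""
    sp = summary["roles"].get("SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor"]
    findings = []
    if not sp["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is not true: the IdP is not asked to sign assertions")
    if "signing" not in sp["cert_fingerprints"]:
        findings.append('no KeyDescriptor use="signing"')
    acs = sp["endpoints"].get("AssertionConsumerService", [])
    if not acs:
        findings.append("no AssertionConsumerService")
    for _binding, location in acs:
        if not location.startswith("https://"):
            findings.append(f"AssertionConsumerService {location} is not https")
    return findings


def idp_signing_fingerprints(summary):
    """The values to compare out of band with what the IdP operator publishes."""
    idp = summary["roles"].get("IDPSSODescriptor", {})
    return idp.get("cert_fingerprints", {}).get("signing", [])


if __name__ == "__main__":
    print(check_sp(summarize(SP_METADATA)))               # [] for the constructed sample
    print(idp_signing_fingerprints(summarize(IDP_METADATA)))
```

Run it against the real files with summarize(open("/etc/httpd/mellon/FederationMetadata.xml").read()); the fingerprint list is what you confirm with the ADFS operators before trusting the downloaded copy.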


  1. Install the SAML 2.0 authentication module
    1. yum install -y mod_auth_mellon
    2. mkdir -p /etc/httpd/mellon
    3. cd /etc/httpd/mellon

  2. Create metadata for the URL (the first argument is the SP entity ID, the second the base URL of the Mellon endpoints)
    For the entire site:
    /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://SiteURL.private.uwaterloo.ca/ "https://SiteURL.private.uwaterloo.ca/mellon"

    For a specific site:
    /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://SiteURL.private.uwaterloo.ca/SITE/ "https://SiteURL.private.uwaterloo.ca/SITE/mellon"

  3. Get the ADFS metadata (test or production instance)
    1. ADFS test instance
      wget https://adfstest.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml --no-check-certificate
    or
    2. ADFS production instance
      wget https://adfs.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml --no-check-certificate


  4. Configure the site to use the authentication module [change filenames where appropriate]
    vi /etc/httpd/conf.d/mellon.conf
    For the entire site, add:
    <Location />
       MellonSPPrivateKeyFile /etc/httpd/mellon/https_SiteURL_.private.uwaterloo.ca.key
       MellonSPCertFile /etc/httpd/mellon/https_SiteURL_.private.uwaterloo.ca.cert
       MellonSPMetadataFile /etc/httpd/mellon/https_SiteURL_.private.uwaterloo.ca.xml
       MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml

       MellonEndpointPath /mellon
       MellonEnable "auth"
    </Location>

  5. For a specific site, add:
    <Location /SITE>
       MellonSPPrivateKeyFile /etc/httpd/mellon/https_SiteURL.private.uwaterloo.ca.key
       MellonSPCertFile /etc/httpd/mellon/https_SiteURL.private.uwaterloo.ca.cert
       MellonSPMetadataFile /etc/httpd/mellon/https_SiteURL.private.uwaterloo.ca.xml
       MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml

       MellonEndpointPath /mellon
       MellonEnable "auth"
    </Location>

  6. Provide the metadata to the iApp group for ADFS configuration.
    The current Mellon/Lasso package only uses SHA1 [see below for SHA2].

  7. Copy off https_SiteURL.private.uwaterloo.ca.xml and complete https://uwaterloo.ca/request-tracking-system/adfs-request.

  8. Restart the web server:
      /etc/init.d/httpd restart

    FOR SHA-2:
    -> Requires Mellon 0.14+
    -> Requires Lasso 2.5.0+

    Same as above, but prior to #4 edit the [req] section in:
    vi /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh
    and add:
    default_md        = sha256

    ===
    To do group lookups, add the following inside <Location> (the example uses the security group ist-IST):

    MellonCond http://schemas.xmlsoap.org/claims/Group ist-IST

    Or, to use a simpler variable (e.g. ADFS_GROUP):

    MellonSetEnvNoPrefix ADFS_GROUP http://schemas.xmlsoap.org/claims/Group
    MellonCond ADFS_GROUP ist-IST [MAP]
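    As an added example (not the page's or mod_auth_mellon's code), a small Python helper that renders the <Location> block from steps 4 and 5, optionally with the group-lookup pair just shown, plus a lint that reads a mellon.conf and flags the mistakes that silently break or weaken the setup: a missing Mellon* directive, MellonEnable set to something other than "auth", SP key/cert/metadata names that do not share one stem, and an endpoint path outside the protected Location. One deliberate difference from the page's listing: for the /SITE case the endpoint path is rendered as /SITE/mellon so that it matches the endpoint URL passed to mellon_create_metadata.sh in step 2; that is this example's assumption, not the page's. The ADFS_GROUP variable name and the claim URI are the ones the page uses.

```python
import re

# Directives every Mellon-protected <Location> on this page carries.
REQUIRED = (
    "MellonSPPrivateKeyFile", "MellonSPCertFile", "MellonSPMetadataFile",
    "MellonIdPMetadataFile", "MellonEndpointPath", "MellonEnable",
)
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # claim URI used on the page


def render_mellon_location(path, basename, mellon_dir="/etc/httpd/mellon",
                           idp_metadata="FederationMetadata.xml", group=None):
    """Render one <Location> block in the shape of the page's steps 4/5.

    path     -- "/" for the whole site or "/SITE" for one subtree
    basename -- stem of the files mellon_create_metadata.sh wrote,
                e.g. "https_SiteURL.private.uwaterloo.ca"
    group    -- optional AD group; adds the MellonSetEnvNoPrefix/MellonCond pair
                from the page's group-lookup section
    Assumption of this example: the endpoint path is placed under `path` so it
    matches the endpoint URL given to mellon_create_metadata.sh in step 2.
    """
    endpoint = path.rstrip("/") + "/mellon"
    lines = [
        f"<Location {path}>",
        f"   MellonSPPrivateKeyFile {mellon_dir}/{basename}.key",
        f"   MellonSPCertFile {mellon_dir}/{basename}.cert",
        f"   MellonSPMetadataFile {mellon_dir}/{basename}.xml",
        f"   MellonIdPMetadataFile {mellon_dir}/{idp_metadata}",
        f"   MellonEndpointPath {endpoint}",
        '   MellonEnable "auth"',
    ]
    if group:
        lines.append(f"   MellonSetEnvNoPrefix ADFS_GROUP {GROUP_CLAIM}")
        lines.append(f"   MellonCond ADFS_GROUP {group} [MAP]")
    lines.append("</Location>")
    return "\n".join(lines) + "\n"


def lint_mellon_conf(text):
    """Check every <Location> block that carries Mellon directives; return a list of findings."""
    findings = []
    for m in re.finditer(r"<Location\s+(\S+?)\s*>(.*?)</Location>", text, re.S):
        path, body = m.group(1), m.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0].startswith("Mellon"):
                directives.setdefault(parts[0], parts[1:])  # first occurrence wins
        if not directives:
            continue  # a Location that does not use Mellon at all
        for name in REQUIRED:
            if name not in directives:
                findings.append(f"{path}: missing {name}")
        enable = directives.get("MellonEnable")
        if enable and enable[0].strip('"') != "auth":
            findings.append(f'{path}: MellonEnable {enable[0]} does not enforce authentication (needs "auth")')
        endpoint = directives.get("MellonEndpointPath")
        if endpoint and not endpoint[0].startswith(path.rstrip("/") + "/"):
            findings.append(f"{path}: MellonEndpointPath {endpoint[0]} lies outside this Location")
        # The three SP files come from one mellon_create_metadata.sh run, so their stems must agree.
        stems = set()
        for name, ext in (("MellonSPPrivateKeyFile", ".key"), ("MellonSPCertFile", ".cert"),
                          ("MellonSPMetadataFile", ".xml")):
            if directives.get(name):
                value = directives[name][0]
                stems.add(value[:-len(ext)] if value.endswith(ext) else value)
        if len(stems) > 1:
            findings.append(f"{path}: SP key/cert/metadata names do not share one stem: {sorted(stems)}")
    return findings


if __name__ == "__main__":
    conf = render_mellon_location("/SITE", "https_SiteURL.private.uwaterloo.ca", group="ist-IST")
    print(conf)
    print(lint_mellon_conf(conf))  # [] for a block rendered by this helper
```

    Point lint_mellon_conf at the real file with lint_mellon_conf(open("/etc/httpd/conf.d/mellon.conf").read()) before the restart in step 8; an empty list is the expected result.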


    More configuration options are documented at:
    https://github.com/Uninett/mod_auth_mellon

    ==


    Output files:
    Private key:               https_SiteURL.private.uwaterloo.ca.key
    Certificate:               https_SiteURL.private.uwaterloo.ca.cert
    Metadata:                  https_SiteURL.private.uwaterloo.ca.xml
    Host:                      SiteURL.private.uwaterloo.ca

    Endpoints:
    SingleLogoutService:       https://SiteURL.private.uwaterloo.ca/mellon/logout
    AssertionConsumerService:  https://SiteURL.private.uwaterloo.ca/mellon/postResponse


