XML template or Apache setup for ADFS
Metadata
The metadata file is usually an XML file; below is an example of a “sanitized” metadata file that you can use for reference.
<?xml version="1.0"?>
<md:EntityDescriptor entityID="<identifier>" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><certgoeshere></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><certgoeshere></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Location="<binding>" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Location="<binding>" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Install SAML2.0 authentication module
yum install -y mod_auth_mellon
mkdir -p /etc/httpd/mellon
cd /etc/httpd/mellon
Create metadata for URL
For entire site:
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://SiteURL.private.uwaterloo.ca/ "https://SiteURL.private.uwaterloo.ca/mellon"
For specific site:
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://SiteURL.private.uwaterloo.ca/SITE/ "https://SiteURL.private.uwaterloo.ca/SITE/mellon"
Get ADFS metadata from adfstest
ADFS test instance:
wget https://adfstest.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml --no-check-certificate
or ADFS production instance:
wget https://adfs.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml --no-check-certificate
Configure site to use authentication module [change filenames where appropriate]
vi /etc/httpd/conf.d/mellon.conf
For entire site, add:
<Location />
MellonSPPrivateKeyFile /etc/httpd/mellon/https_SiteURL_.private.uwaterloo.ca.key
MellonSPCertFile /etc/httpd/mellon/https_SiteURL_.private.uwaterloo.ca.cert
MellonSPMetadataFile /etc/httpd/mellon/https_SiteURL_.private.uwaterloo.ca.xml
MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml
MellonEndpointPath /mellon
MellonEnable "auth"
</Location>
For specific site, add:
<Location /SITE>
MellonSPPrivateKeyFile /etc/httpd/mellon/https_SiteURL.private.uwaterloo.ca.key
MellonSPCertFile /etc/httpd/mellon/https_SiteURL.private.uwaterloo.ca.cert
MellonSPMetadataFile /etc/httpd/mellon/https_SiteURL.private.uwaterloo.ca.xml
MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml
MellonEndpointPath /mellon
MellonEnable "auth"
</Location>
Provide metadata to iApp group for ADFS configuration.
The current Mellon/Lasso package only uses SHA1 [see below for SHA2]. Copy off https_SiteURL.private.uwaterloo.ca.xml and complete https://uwaterloo.ca/request-tracking-system/adfs-request .
Restart WebServer.
/etc/init.d/httpd restart
FOR SHA-2:
-> Requires Mellon 0.14+
-> requires lasso 2.5.0+
Same as above, but prior to #4 edit the [req] section in:
vi /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh
Add:
default_md = sha256
===
To do group lookups, add the following inside <Location> (this example uses the security group ist-IST):
MellonCond http://schemas.xmlsoap.org/claims/Group ist-IST
Or, to use a simpler variable name (e.g. ADFS_GROUP):
MellonSetEnvNoPrefix ADFS_GROUP http://schemas.xmlsoap.org/claims/Group
MellonCond ADFS_GROUP ist-IST [MAP]
More Configuration options are documented at:
https://github.com/Uninett/mod_auth_mellon
==
Output files:
Private key: https_SiteURL.private.uwaterloo.ca.key
Certificate: https_SiteURL.private.uwaterloo.ca.cert
Metadata: https_SiteURL.private.uwaterloo.ca.xml
Host: SiteURL.private.uwaterloo.ca
Endpoints:
SingleLogoutService: https://SiteURL.private.uwaterloo.ca/mellon/logout
AssertionConsumerService: https://SiteURL.private.uwaterloo.ca/mellon/postResponse
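Before handing the metadata to the iApp group (and again after a SHA-2 rebuild) it is worth checking the generated SP metadata against the endpoints listed above. The script below is an added example, not part of this article or of mod_auth_mellon: using only the Python standard library it parses the SP metadata, confirms WantAssertionsSigned is set, checks that the HTTP-POST AssertionConsumerService and the SingleLogoutService sit under the Mellon endpoint path for the expected host, and reads the signature-algorithm OID out of each embedded certificate so a SHA-1 certificate is reported. The sample metadata, the host name, the script file name and the truncated stub certificates are all constructed for the example.

```python
"""Added example (not from the article or mod_auth_mellon): sanity-check an SP
metadata file such as the one mellon_create_metadata.sh writes.  Stdlib only."""
import base64
import binascii
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def cert_signature_oid(b64):
    """Dotted OID of tbsCertificate.signature; only the leading fields are parsed."""
    der = base64.b64decode("".join(b64.split()), validate=True)
    tag, cert, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)                 # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("no tbsCertificate")
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                             # explicit [0] version present,
        tag, _, pos = _tlv(tbs, pos)            # so read serialNumber next
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    _, algid, _ = _tlv(tbs, pos)                # signature AlgorithmIdentifier
    tag, oid, _ = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("OID missing")
    arcs, value = [oid[0] // 40, oid[0] % 40], 0
    for b in oid[1:]:                           # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def audit_sp_metadata(xml_text, host, endpoint_path="/mellon"):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID", "").startswith("https://"):
        findings.append("entityID missing or not an https URL")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    if sp.get("WantAssertionsSigned", "").lower() != "true":
        findings.append("WantAssertionsSigned is not true")
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "?")
        pem = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        try:
            alg = SIG_OIDS.get(cert_signature_oid(pem), "unknown")
        except (ValueError, IndexError, binascii.Error):
            findings.append(f"{use} certificate is not a parseable X.509 certificate")
            continue
        if alg == "sha1WithRSAEncryption":
            findings.append(f"{use} certificate is SHA-1 signed; rebuild with default_md = sha256")
    want = f"https://{host}{endpoint_path}/postResponse"
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not any(a.get("Binding") == HTTP_POST and a.get("Location") == want for a in acs):
        findings.append(f"no HTTP-POST AssertionConsumerService at {want}")
    slo = sp.find("md:SingleLogoutService", NS)
    if slo is None or not slo.get("Location", "").startswith(f"https://{host}{endpoint_path}/"):
        findings.append("SingleLogoutService missing or not under the Mellon endpoint path")
    return findings


def _stub_cert(oid_tail_hex):
    """Constructed, truncated DER blob (version, serial, signature AlgorithmIdentifier
    only): enough for cert_signature_oid(), deliberately not a real certificate."""
    return base64.b64encode(bytes.fromhex(
        "3019" "3017" "a003020102" "020101"
        "300d0609" "2a864886f70d0101" + oid_tail_hex + "0500")).decode()


SP_HOST = "SiteURL.private.uwaterloo.ca"                # constructed sample host
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://{SP_HOST}/" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>{_stub_cert('0b')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>{_stub_cert('0b')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://{SP_HOST}/mellon/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Location="https://{SP_HOST}/mellon/postResponse" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
# Constructed "bad" variant: unsigned assertions accepted and a placeholder certificate.
SAMPLE_BAD_METADATA = SAMPLE_SP_METADATA.replace(
    'WantAssertionsSigned="true"', 'WantAssertionsSigned="false"').replace(
    _stub_cert("0b"), "certgoeshere", 1)

if __name__ == "__main__":                      # python3 check_sp_metadata.py FILE HOST
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            problems = audit_sp_metadata(fh.read(), sys.argv[2])
    else:
        problems = audit_sp_metadata(SAMPLE_BAD_METADATA, SP_HOST)
    print("\n".join(problems) or "metadata looks sane")
```

The DER walk deliberately stops at the signature AlgorithmIdentifier, which is all that is needed to tell a SHA-1 certificate from a SHA-2 one; it does not validate the certificate itself. Run without arguments the script audits the constructed bad sample and reports the unsigned-assertion setting and the placeholder certificate.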