
CC7: CERN Single Sign-On using mod_auth_mellon

CERN Single Sign On (SSO) integration with Apache and Mod_Auth_Mellon on CentOS CERN 7

About CERN Single Sign On and Mod_Auth_Mellon


Installation

As root on your system run:

# /usr/bin/yum install mod_auth_mellon_cern

(The above command installs all needed dependencies on your system, including the mod_auth_mellon and httpd packages.)


Configuration for CERN Single Sign On

We assume that at this point your Apache web service (httpd) is already configured for the HTTPS protocol and that a valid CERN host certificate has been installed on the system and configured in the httpd SSL configuration.

A CERN Certification Authority host certificate can be obtained directly from the CERN CA and installed manually on the system, or it can be obtained using the AutoEnrollment and AutoRenewal method.

  1. Generate and install mod_auth_mellon metadata and certificates (substitute HOSTNAME with your system hostname):
    # cd /etc/httpd/conf.d/mellon/
    # /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh \
      https://HOSTNAME.cern.ch/mellon \
      https://HOSTNAME.cern.ch/mellon
    
    The above command creates the following metadata and certificate files in /etc/httpd/conf.d/mellon/:
    https_HOSTNAME.cern.ch_mellon.key
    https_HOSTNAME.cern.ch_mellon.cert
    https_HOSTNAME.cern.ch_mellon.xml
    
  2. Edit /etc/httpd/conf.d/auth_mellon_adfs_cern.conf and change the entries for the metadata and certificate files (substitute HOSTNAME with your system hostname):
    MellonSPPrivateKeyFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.key
    MellonSPCertFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.cert
    MellonSPMetadataFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.xml
    
  3. Review the default settings in /etc/httpd/conf.d/auth_mellon_adfs_cern.conf (and/or /etc/httpd/conf.d/auth_mellon.conf), editing the path of the location to be protected. Here is an example:
        # Enable authentication only for part of the web site;
        # adjust the path to your needs.
        # See /usr/share/doc/mod_auth_mellon*/README for a
        # detailed description of MellonCond.

        <Location />
            SSLRequireSSL
            MellonEnable "auth"
            #
            # user authentication
            MellonCond ADFS_LOGIN loginname [MAP]
            #
            # group authentication (e-groups)
            MellonCond ADFS_GROUP groupname [MAP]
        </Location>
    Here is an example of a complete /etc/httpd/conf.d/auth_mellon_adfs_cern.conf file.

    Or edit the .htaccess file in the directory to be protected by mod_auth_mellon and insert in it (the directory needs AllowOverride AuthConfig, or All, in the main httpd configuration for these directives to be honoured):
        # Enable authentication for this directory only.
        # <Location> sections are not allowed in .htaccess; the
        # directives below apply to the directory holding the file.
        # See /usr/share/doc/mod_auth_mellon*/README for a
        # detailed description of MellonCond.

        SSLRequireSSL
        MellonEnable "auth"
        #
        # user authentication
        MellonCond ADFS_LOGIN loginname [MAP]
        #
        # group authentication (e-groups)
        MellonCond ADFS_GROUP groupname [MAP]
  4. Check that there aren't any syntax errors in the Apache configuration files by running the following command:
    # /usr/sbin/apachectl -t
  5. And if there aren't any syntax errors, then restart Apache for the changes to take effect:
    # /sbin/service httpd restart

CERN SSO application registration

Note: configure and start your Apache web server, following the steps above, before registering your application.

Register your SSO application at the CERN SSO management site, filling in the application registration form with:

  • Application Name: a meaningful name

  • Service Provider Type: "SAML2 for mod_auth_mellon with online metadata"

  • Application Uri: https://HOSTNAME.cern.ch/mellon/metadata
    (Note: the same URL as used in the metadata generation in the Configuration section above; substitute HOSTNAME with your system hostname.)

  • Application Homepage: https://HOSTNAME.cern.ch/mellon
    (Note: substitute HOSTNAME with your system hostname.)

  • Application description: a meaningful description

Here is an example of how the registration ought to be made.

Once your registration is done, click on the List SSO Applications tab to make sure that:
  • The Identifier (entityID) is set to: https://HOSTNAME.cern.ch/mellon
  • The Metadata Uri is set to: https://HOSTNAME.cern.ch/mellon/metadata
Here is an example.

If everything is correctly registered, your CERN SSO enabled application should now be fully functional.


Troubleshooting

  • Should the Identifier (entityID) not end with /mellon, check that your "/etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.xml" contains:
    entityID="https://HOSTNAME.cern.ch/mellon". If this isn't the case, then re-generate and install the mod_auth_mellon metadata and certificates, as in step 1.

  • Should authentication be unsuccessful, loop, etc., you can:

    • Enable auth_mellon debugging by un-commenting the directive
      "MellonSamlResponseDump On"
      in "/etc/httpd/conf.d/auth_mellon_adfs_cern.conf", then use tail to look at the SSL error log by running the following command:
      tail -f /var/log/httpd/ssl_error_log
    • For additional or alternative debugging, if you are using Firefox you can use this SAML Message Decoder Add-on.

    If you need to open a support ticket, please attach the content of the SSL error log or the SAML responses to your ticket.
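The following helper script is an added example (not part of this page or of mod_auth_mellon; the function names are constructed). It renders the MellonSP* directives of step 2 for a given hostname and runs the Troubleshooting check above against a real config file: the metadata file named by MellonSPMetadataFile must exist and carry entityID="https://HOSTNAME.cern.ch/mellon". It assumes the file-name layout that mellon_create_metadata.sh produces in step 1.

```sh
#!/bin/sh
# Added sanity check for the mod_auth_mellon SP setup above (not part of
# this page or of mod_auth_mellon; function names are constructed).
# Assumes the file-name layout produced by mellon_create_metadata.sh in
# step 1 and a config file carrying the MellonSP* directives of step 2.
MELLON_DIR="${MELLON_DIR:-/etc/httpd/conf.d/mellon}"

# Print the three directives step 2 asks you to put in
# auth_mellon_adfs_cern.conf, for the short hostname given as $1.
mellon_sp_directives() {
    base="$MELLON_DIR/https_$1.cern.ch_mellon"
    printf 'MellonSPPrivateKeyFile %s.key\n' "$base"
    printf 'MellonSPCertFile %s.cert\n' "$base"
    printf 'MellonSPMetadataFile %s.xml\n' "$base"
}

# Print the first entityID="..." attribute found in an SP metadata file.
mellon_entityid() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Check that CONF ($2) names a readable MellonSPMetadataFile whose entityID
# is https://HOST.cern.ch/mellon for the short hostname HOST ($1); this is
# the Troubleshooting check for an entityID that does not end in /mellon.
# Returns 0 when everything matches, otherwise prints the reason and returns 1.
mellon_check_config() {
    host="$1"; conf="$2"
    expected="https://$host.cern.ch/mellon"
    xml=$(sed -n 's/^[[:space:]]*MellonSPMetadataFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$xml" ]; then
        echo "FAIL: no MellonSPMetadataFile directive in $conf" >&2; return 1
    fi
    if [ ! -r "$xml" ]; then
        echo "FAIL: $xml is missing or unreadable (re-run step 1)" >&2; return 1
    fi
    actual=$(mellon_entityid "$xml")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: entityID is '$actual', expected '$expected' (re-run step 1)" >&2; return 1
    fi
    echo "OK: $xml has entityID $expected"
}

# Example run against the real files, as root on the web server:
#   mellon_sp_directives myhost
#   mellon_check_config myhost /etc/httpd/conf.d/auth_mellon_adfs_cern.conf
```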


Support

Please contact CERN Service Desk or use CERN Service Portal for support.