SLC6: CERN Single Sign-On using mod_auth_mellon
CERN Single Sign On (SSO) integration with Apache and Mod_Auth_Mellon on SLC6
About CERN Single Sign On and Mod_Auth_Mellon
Installation
As root on your system run:
# /usr/bin/yum install mod_auth_mellon_cern
(The above command installs all needed dependencies on your system, including the mod_auth_mellon and httpd packages.)
Configuration for CERN Single Sign On
We assume that at this point your Apache web service (httpd) is already configured for the HTTPS protocol and that a valid CERN certificate has been installed on the system and configured in the httpd SSL configuration.
A CERN Certification Authority host certificate can be obtained directly from the CERN CA and installed manually on the system, or can be obtained using the AutoEnrollment and AutoRenewal method.
- Generate and install the mod_auth_mellon metadata and certificates (substitute HOSTNAME with your system hostname):
# cd /etc/httpd/conf.d/mellon/
# /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh \
    https://HOSTNAME.cern.ch/mellon \
    https://HOSTNAME.cern.ch/mellon
The above command creates the following metadata and certificate files in /etc/httpd/conf.d/mellon/:
https_HOSTNAME.cern.ch_mellon.key
https_HOSTNAME.cern.ch_mellon.cert
https_HOSTNAME.cern.ch_mellon.xml
- Edit /etc/httpd/conf.d/auth_mellon_adfs_cern.conf and change the entries for the metadata and certificate files (substitute HOSTNAME with your system hostname):
MellonSPPrivateKeyFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.key
MellonSPCertFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.cert
MellonSPMetadataFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.xml
- Review the default settings in /etc/httpd/conf.d/auth_mellon_adfs_cern.conf (and/or /etc/httpd/conf.d/auth_mellon.conf), editing the path to the protected location.
- Or edit the .htaccess file in a directory to be protected by mod_auth_mellon and insert in it:
#
# CERN SSO authentication
#
SSLRequireSSL
MellonEnable "auth"
#
# user authentication
MellonCond ADFS_LOGIN loginname [MAP]
#
# group authentication (e-groups)
MellonCond ADFS_GROUP groupname [MAP]
- Restart apache for changes to take effect:
# /sbin/service httpd restart
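Before registering the application, it is worth checking that the files produced by the steps above are consistent: that the three Mellon* directives name existing files for the right HOSTNAME, that the SP private key is not group- or world-readable, and that the metadata entityID is the URL given to mellon_create_metadata.sh. The script below is an added example, not code from the CERN page or from mod_auth_mellon; the conf and metadata fixture built in demo() are constructed, and the default directory assumes the layout installed by mod_auth_mellon_cern.

```shell
#!/bin/sh
# Added example (not from the CERN page nor mod_auth_mellon): checks to run
# after the Configuration steps, before registering the application.
# Verifies that the three Mellon* directives name existing files for this
# host, that the SP private key is owner-readable only, and that the
# metadata's entityID is the URL given to mellon_create_metadata.sh.
# The fixture built in demo() is constructed, not real CERN data.

# Stem of the files mellon_create_metadata.sh writes: DIR/https_HOST_mellon
mellon_stem() { printf '%s/https_%s_mellon' "${2:-/etc/httpd/conf.d/mellon}" "$1"; }

# Value of DIRECTIVE in CONF; the last occurrence wins, as in httpd.
conf_path() { awk -v d="$2" '$1 == d { p = $2 } END { print p }' "$1"; }

# conf_files_ok CONF HOST [DIR]: every directive points at the expected,
# existing file (a wrong HOSTNAME substitution shows up here).
conf_files_ok() {
  stem=$(mellon_stem "$2" "${3:-}")
  for pair in MellonSPPrivateKeyFile:key MellonSPCertFile:cert MellonSPMetadataFile:xml; do
    want="$stem.${pair#*:}"
    [ "$(conf_path "$1" "${pair%:*}")" = "$want" ] && [ -f "$want" ] || return 1
  done
  return 0
}

# Private key mode must be 0600/0400: httpd reads it as root at startup.
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in ?00|??00) return 0 ;; *) return 1 ;; esac
}

# metadata_ok XML URL: entityID equals URL (what the SSO registration
# compares) and every endpoint Location sits below it.
metadata_ok() {
  grep -q "entityID=\"$2\"" "$1" || return 1
  grep -q AssertionConsumerService "$1" || return 1
  ! grep -o 'Location="[^"]*"' "$1" | grep -qv "^Location=\"$2/"
}

# Constructed fixture for HOSTNAME.cern.ch in a temp dir instead of /etc/httpd.
demo() {
  host=HOSTNAME.cern.ch; dir=$(mktemp -d); stem=$(mellon_stem "$host" "$dir")
  : > "$stem.key"; chmod 600 "$stem.key"; : > "$stem.cert"
  printf '<EntityDescriptor entityID="https://%s/mellon">\n<AssertionConsumerService Location="https://%s/mellon/postResponse"/>\n</EntityDescriptor>\n' "$host" "$host" > "$stem.xml"
  printf 'MellonSPPrivateKeyFile %s.key\nMellonSPCertFile %s.cert\nMellonSPMetadataFile %s.xml\n' "$stem" "$stem" "$stem" > "$dir/auth_mellon_adfs_cern.conf"
  conf_files_ok "$dir/auth_mellon_adfs_cern.conf" "$host" "$dir" \
    && key_mode_ok "$stem.key" && metadata_ok "$stem.xml" "https://$host/mellon"
  rc=$?; rm -rf "$dir"; return $rc
}
demo && echo "SP files consistent: ready to register https://HOSTNAME.cern.ch/mellon/metadata"
```

To check a real installation, call conf_files_ok, key_mode_ok and metadata_ok with your hostname against /etc/httpd/conf.d/auth_mellon_adfs_cern.conf instead of the fixture.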
CERN SSO application registration
Note: Please configure and start your Apache web server, using the documentation above, before registering your application.
All CERN SSO applications must be registered at the SSO management site.
Visit the above site and register your application:
Choose: Register new SSO Application
Fill-in application registration form:
- Application Name: please provide a meaningful name
- Service Provider Type: SAML2 for mod_auth_mellon with online metadata
- Application Uri: https://HOSTNAME.cern.ch/mellon/metadata (Note: the same URL as used in the metadata generation in the Configuration section above; substitute HOSTNAME with your system hostname.)
- Application Homepage: a URL at which your application is available (for informational purposes only)
- Application description: please provide a meaningful description