SLC6: CERN Single Sign-On using mod_auth_mellon
CERN Single Sign On (SSO) integration with Apache and Mod_Auth_Mellon on SLC6
About CERN Single Sign On and Mod_Auth_Mellon
As root on your system run:
# /usr/bin/yum install mod_auth_mellon_cern
(The command above installs all required dependencies on your system, including the mod_auth_mellon and httpd packages.)
Configuration for CERN Single Sign On
We assume that at this point your Apache web server (httpd) is already configured for HTTPS and that a valid CERN host certificate has been installed on the system and configured in the httpd SSL configuration. SSO-protected content must only be served over HTTPS: the SAML assertion and the mod_auth_mellon session cookie would otherwise travel in clear text, which is why the .htaccess example below starts with SSLRequireSSL.
- Generate and install the mod_auth_mellon metadata and certificates (substitute HOSTNAME with your system hostname). The first argument of the script is the SAML entity ID of your service provider, the second is the base URL of the mod_auth_mellon endpoints; this page uses the same URL for both:
# cd /etc/httpd/conf.d/mellon/
# /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh \
    https://HOSTNAME.cern.ch/mellon \
    https://HOSTNAME.cern.ch/mellon
The command above creates the metadata and certificate files in /etc/httpd/conf.d/mellon/:
https_HOSTNAME.cern.ch_mellon.key
https_HOSTNAME.cern.ch_mellon.cert
https_HOSTNAME.cern.ch_mellon.xml
The .key file is the private key your server uses to sign SAML requests; keep it readable by root only (it is read by httpd at startup, before it drops privileges).
- Edit /etc/httpd/conf.d/auth_mellon_adfs_cern.conf and change the entries for the metadata and certificate files (substitute HOSTNAME with your system hostname):
MellonSPPrivateKeyFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.key
MellonSPCertFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.cert
MellonSPMetadataFile /etc/httpd/conf.d/mellon/https_HOSTNAME.cern.ch_mellon.xml
- Review the default settings in /etc/httpd/conf.d/auth_mellon_adfs_cern.conf (and/or /etc/httpd/conf.d/auth_mellon.conf) and set the path of the location to be protected.
- Or edit the .htaccess file in a directory to be protected by mod_auth_mellon and insert:
#
# CERN SSO authentication
#
SSLRequireSSL
MellonEnable "auth"
#
# user authentication
MellonCond ADFS_LOGIN loginname [MAP]
#
# group authentication (e-groups)
MellonCond ADFS_GROUP groupname [MAP]
Replace loginname and groupname with the CERN login and e-group that should be granted access, and drop the condition you do not need. When several MellonCond directives are present, all of them must match for access to be granted; add the [OR] flag to a condition to accept a user that satisfies either it or the next one. With MellonEnable "auth" and no MellonCond at all, every user who can authenticate with CERN SSO is admitted.
- Restart apache for changes to take effect:
# /sbin/service httpd restart
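Before moving on to registration, it is worth checking that the files generated and referenced above are consistent. The script below is an added example, not part of the CERN documentation or of mod_auth_mellon: it reads the three MellonSP*File directives from the configuration file named above, refuses a configuration in which the HOSTNAME placeholder survived or the private key is world-readable, verifies that the certificate embedded in the SP metadata is the one named by MellonSPCertFile, and prints the Application Uri you will need for the registration form. The config path and file naming are those of the steps above; the metadata layout is the one mellon_create_metadata.sh produces.

```shell
#!/bin/sh
# check_mellon_sp.sh - added example; not part of the CERN page or of
# mod_auth_mellon. Sanity-checks the service-provider side configured in the
# steps above before the application is registered with CERN SSO:
#   * each MellonSP*File directive points at a readable file,
#   * the HOSTNAME placeholder has been replaced everywhere,
#   * the private key is not world-readable,
#   * the entityID in the SP metadata is an https URL,
#   * the certificate embedded in the metadata is the one MellonSPCertFile
#     names (a stale metadata file after regenerating the key pair is a
#     classic cause of signature failures at the IdP).
# Usage: sh check_mellon_sp.sh /etc/httpd/conf.d/auth_mellon_adfs_cern.conf
# The config path is the one used on this page; the file layout produced by
# mellon_create_metadata.sh is assumed.

# mellon_conf_path CONF DIRECTIVE: value of the last DIRECTIVE line in CONF
# (Apache honours the last occurrence), quotes and trailing blanks removed.
mellon_conf_path() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\)/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# mellon_entity_id METADATA: the entityID attribute of the SP metadata.
mellon_entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# mellon_registration_uri METADATA: the "Application Uri" for the CERN SSO
# registration form, i.e. this SP's metadata endpoint.
mellon_registration_uri() {
    eid=$(mellon_entity_id "$1")
    [ -n "$eid" ] && printf '%s/metadata\n' "${eid%/}"
}

# pem_body FILE: base64 payload of a PEM certificate with the BEGIN/END lines
# and all whitespace stripped, for comparison with the metadata.
pem_body() {
    sed '/^-----/d' "$1" | tr -d ' \t\r\n'
}

# metadata_cert METADATA: base64 payload of the ds:X509Certificate element.
# Whitespace is removed first so the element may span several lines.
metadata_cert() {
    tr -d ' \t\r\n' < "$1" \
        | sed -n 's/.*<ds:X509Certificate>\([^<]*\)<\/ds:X509Certificate>.*/\1/p'
}

# check_mellon_sp CONF: run every check; on success print the registration
# URI and return 0, otherwise report the first problem on stderr and return 1.
check_mellon_sp() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    key=$(mellon_conf_path "$conf" MellonSPPrivateKeyFile)
    cert=$(mellon_conf_path "$conf" MellonSPCertFile)
    meta=$(mellon_conf_path "$conf" MellonSPMetadataFile)
    for f in "$key" "$cert" "$meta"; do
        case "$f" in
            "")         echo "a MellonSP*File directive is missing in $conf" >&2; return 1 ;;
            *HOSTNAME*) echo "placeholder HOSTNAME left in path $f" >&2; return 1 ;;
        esac
        [ -r "$f" ] || { echo "file not readable: $f" >&2; return 1; }
    done
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "private key $key is world-readable; chmod 600 $key" >&2; return 1
    fi
    eid=$(mellon_entity_id "$meta")
    case "$eid" in
        *HOSTNAME*) echo "placeholder HOSTNAME left in entityID $eid" >&2; return 1 ;;
        https://*)  ;;
        *)          echo "entityID '$eid' in $meta is not an https URL" >&2; return 1 ;;
    esac
    if [ "$(pem_body "$cert")" != "$(metadata_cert "$meta")" ]; then
        echo "certificate in $meta differs from $cert; regenerate the metadata" >&2
        return 1
    fi
    mellon_registration_uri "$meta"
}

# When called with a config path, run the checks and exit with their status.
if [ "$#" -gt 0 ]; then
    check_mellon_sp "$1"
    exit $?
fi
```

Run it as root with `sh check_mellon_sp.sh /etc/httpd/conf.d/auth_mellon_adfs_cern.conf`; a non-zero exit and a message on stderr mean that registration would fail or that the deployment is unsafe as it stands. The script does not prove that the private key belongs to the certificate; `openssl x509 -noout -modulus -in <cert>` and `openssl rsa -noout -modulus -in <key>` print the same value when they do.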
CERN SSO application registration
Note: please configure and start your Apache web server, using the documentation above, before registering your application. The service provider type used below relies on metadata fetched online from your server, so the metadata URL must already be reachable over HTTPS when you submit the form.
All CERN SSO applications must be registered at: SSO management site.
Visit above site and register your application:
Choose: Register new SSO Application
Fill-in application registration form:
- Application Name: please provide meaningful name
- Service Provider Type: SAML2 for mod_auth_mellon with online metadata
- Application Uri: https://HOSTNAME.cern.ch/mellon/metadata (Note: this is the endpoint URL used in the metadata generation step of the Configuration section above with /metadata appended; it is where mod_auth_mellon serves your service provider metadata. Substitute HOSTNAME with your system hostname.)
- Application Homepage: a URL at which your application is available (for informational purposes only)
- Application description: please provide meaningful description