Wednesday, 31 August 2016

Connecting OpenAM to Apache


In this tutorial we will explore how to federate OpenAM credentials with Apache. We will use OpenAM as the SAML 2.0 Identity Provider and Apache as the Service Provider, thus providing Single Sign-On. We will use mod_auth_mellon to enable SAML in Apache.

The scenario is simple: we have an Apache instance whose access we want to protect, and at the same time an OpenAM installation that acts as Identity Provider. We want to federate access to Apache.

First, a user accesses a protected Apache page: mod_auth_mellon immediately redirects the browser to the Identity Provider with a SAML authentication request. The Identity Provider processes the request and authenticates the user with a login form. Once the user is authenticated, the Identity Provider sends a SAML response back to the Service Provider through the browser; mod_auth_mellon validates the response and creates a session, and at the end of this phase the user is logged in.




  • Install OpenAM

    In our example we use an embedded instance of OpenDJ. We use www.example.com as the main host, resolved locally (for example via /etc/hosts), so that Single Sign-On works: the same host name must be used for Apache (its ServerName) and when generating the SP metadata.
    Link: OpenAM Installation

  • Install Apache2

    $apt-get install apache2

  • Install PHP

    $apt-get install php5 libapache2-mod-php5 php5-mcrypt

  • Install Mod_Auth_Mellon with dependencies

    $apt-get install openssl
    $apt-get install pkg-config
    $apt-get install liblasso3
    $apt-get install libapache2-mod-auth-mellon

  • OpenAM: Circle of Trust

    Now we have to configure OpenAM. First of all, we have to create a Circle of Trust (COT). To do this, in the OpenAM home page click on Federation and then click New in the COT table.
    In this example we use the top-level realm (/), but you can use another one.




  • OpenAM: Hosted Identity Provider

    Now go back to the OpenAM home page. Click on "Create hosted identity provider" on the Common Tasks tab. Again choose your realm (in our case /). Use the "test" signing key: this is the key shipped in OpenAM's default keystore, which is fine for a lab but, since every OpenAM install ships the same key, it must be replaced with your own before the IdP signs anything real.
    At the end click on the Configure button and then Finish. This creates the hosted identity provider.





    • Apache: Mod_Auth_Mellon metadata

    Download the mod_auth_mellon source; we will use a script from the repository to generate the Service Provider metadata.
    $git clone https://github.com/UNINETT/mod_auth_mellon.git
    mod_auth_mellon requires metadata for your service provider. To create this metadata, you can use the script:
    mellon_create_metadata.sh
    This script takes two arguments:
            The entity ID, which identifies your service.
            The base URL of the mod_auth_mellon endpoints. This must be the full URL of the path you later configure as MellonEndpointPath (/mellon in the configuration below); otherwise the endpoint URLs written into the metadata, including the Assertion Consumer Service, will not match what Apache actually serves and OpenAM will deliver the SAML response to the wrong place.
        Example:
        $./mellon_create_metadata.sh http://www.example.com/myEntityID http://www.example.com/mellon

    This will create three files, named after the entity ID with every character other than letters, digits and dots replaced by an underscore (http_www.example.com_myEntityID):
            A .key file, which contains the private key in PEM format. This file should be set in the MellonSPPrivateKeyFile option.
            A .cert file, which contains the certificate in PEM format. This file should be set in the MellonSPCertFile option.
            A .xml file, which contains the metadata for the SP. This file should be set in the MellonSPMetadataFile option.
    Save the files in a directory such as /etc/apache2/mellon. They must be readable by the web server, so set the owner to root and the group to the user Apache runs as (www-data on Debian/Ubuntu). Keep the .key file at mode 0640: it is the SP's signing key and must not be world-readable.

    • OpenAM: IdP metadata
      Next, add the OpenAM metadata to mod_auth_mellon. OpenAM exports the hosted IdP metadata at:
      http://www.example.com:8080/openam/saml2/jsp/exportmetadata.jsp
      Fetch that URL, save the XML to a file named idp-metadata.xml and copy it to /etc/apache2/mellon. This file carries the IdP signing certificate that mod_auth_mellon will trust for every SAML response, so obtain it from the OpenAM host itself (or over TLS) rather than across an untrusted network path.
       
    • Configuring Mod_Auth_Mellon
    This configuration assumes that you want to provide attributes from mod_auth_mellon to all scripts on your server, while only triggering authentication when the user accesses /auth_mellon.php. Add it inside the <VirtualHost> block of /etc/apache2/sites-enabled/000-default.conf:
    # This is a server-wide configuration that will add information from the Mellon session to all requests.
    <Location />
        # Add information from the mod_auth_mellon session to the request.
        MellonEnable "info"

        # Configure the SP metadata
        # This should be the files which were created when creating SP metadata.
        MellonSPPrivateKeyFile /etc/apache2/mellon/http_www.example.com_myEntityID.key

        MellonSPCertFile /etc/apache2/mellon/http_www.example.com_myEntityID.cert
        MellonSPMetadataFile /etc/apache2/mellon/http_www.example.com_myEntityID.xml

        # IdP metadata. This should be the metadata file you got from the IdP.
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml

        # The location all endpoints should be located under.
        # It is the URL to this location that is used as the second parameter to the metadata generation script.
        # This path is relative to the root of the web server.
        MellonEndpointPath /mellon
    </Location>

    # This is a location that will trigger authentication when requested.
    <Location /auth_mellon.php>
        # This location will trigger an authentication request to the IdP.
        MellonEnable "auth"
    </Location>
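    The configuration above works, but it sends the Mellon session cookie over plain HTTP without the Secure or HttpOnly flags, never expires the SP session on its own, and, in mod_auth_mellon releases before 0.13.0, lets the ReturnTo parameter of the login and logout endpoints redirect to any host. The hardened variant below is added here as an example; it is not from the original page or from the mod_auth_mellon project. It assumes Apache serves www.example.com over TLS (the SSLCertificateFile/SSLCertificateKeyFile directives are already in place), that the SP metadata was regenerated with https://www.example.com/mellon as the endpoint base URL and re-registered in OpenAM (the file names do not change because they derive from the entity ID), and a mod_auth_mellon release of 0.13.0 or later for MellonRedirectDomains.

```apache
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile are assumed to be configured already.

    <Location />
        # Add information from the mod_auth_mellon session to every request.
        MellonEnable "info"

        MellonSPPrivateKeyFile /etc/apache2/mellon/http_www.example.com_myEntityID.key
        MellonSPCertFile       /etc/apache2/mellon/http_www.example.com_myEntityID.cert
        MellonSPMetadataFile   /etc/apache2/mellon/http_www.example.com_myEntityID.xml
        MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml

        # Must match the base URL given to mellon_create_metadata.sh.
        MellonEndpointPath /mellon

        # Set the Secure and HttpOnly flags on the session cookie, so it is
        # neither sent over plain HTTP nor readable from JavaScript.
        MellonSecureCookie On

        # Expire the SP session after 8 hours even if the IdP session lives longer.
        MellonSessionLength 28800

        # Only accept ReturnTo values that redirect back to this host.
        MellonRedirectDomains [self]
    </Location>

    # Accessing this script triggers an authentication request to the IdP.
    <Location /auth_mellon.php>
        MellonEnable "auth"
    </Location>
</VirtualHost>
```

    After changing the scheme, also redirect port 80 to https://www.example.com/ so that no request (and no cookie) is ever served in clear text.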

    • Remote Service Provider
    Take the SP metadata XML generated above and go to OpenAM. On the Common Tasks tab click "Register Remote Service Provider". Select your realm (in our case "/"), choose the File radio button and upload the SP metadata XML. The circle of trust must be the one created in the previous steps.

    If the metadata is accepted, OpenAM shows a popup window confirming your configuration.
    To check the registration, in the OpenAM home page click on Federation, in the entity provider list click on the SP and open the Services tab. The Assertion Consumer Service entries listed there are taken from the SP metadata and must keep pointing at the mod_auth_mellon endpoints (http://www.example.com/mellon/postResponse for the HTTP-POST binding): that is where OpenAM delivers the SAML response, so do not change them to the Apache home page. Where the user lands after authentication is decided by the ReturnTo value of the login request (carried as RelayState), not by the ACS URL.

    • Testing the Federation
    Create a PHP script named auth_mellon.php under /var/www/html with the following contents. It prints every MELLON_* variable that mod_auth_mellon exported for the request (the NameID plus any attributes released by the IdP):
    <?php
    // Plain text, so attribute values are never interpreted as HTML.
    header('Content-Type: text/plain');
    // mod_auth_mellon exposes session data as MELLON_-prefixed server variables.
    foreach ($_SERVER as $key => $value) {
        if (substr($key, 0, 7) == 'MELLON_') {
            echo $key . '=' . $value . "\r\n";
        }
    }

    You can then go to:
    http://www.example.com/auth_mellon.php
    (Use https:// once TLS is configured on Apache; over plain HTTP the SAML response and the Mellon session cookie travel in clear text.)
    You should be redirected to the login page on the IdP. Log in with the following credentials, which are OpenAM's built-in demo account:
    Username: demo
    Password: changeit
    After authentication, you should be redirected back to the original URL. The demo account is a well-known default: disable or remove it on any OpenAM instance that is not a throwaway test install.
    • Manual login
    To start a login operation manually, send the user to the mod_auth_mellon login endpoint:

    http://www.example.com/mellon/login?ReturnTo=/index.html

    The ReturnTo parameter is the URL the user should be sent to after logging in. Since it arrives with the request, treat it as untrusted input and only pass values that point back into your own site.
    • Logout
    To start a logout operation, send the user to the mod_auth_mellon logout endpoint:

    http://www.example.com/mellon/logout?ReturnTo=/logged_out.html

    The ReturnTo parameter is the URL the user should be sent to after logging out.

    Remember that the user can also be logged out by the IdP. To handle this, check on every request that the user still has a valid mod_auth_mellon session, which you can do by testing whether the MELLON_NAME_ID variable is set.
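    The per-request check described above, written out as an added example (not code from the original page or from the mod_auth_mellon project). It assumes the script runs under the MellonEnable "info" location and that the endpoints live under /mellon as configured earlier; the function names are my own. Besides testing MELLON_NAME_ID, it builds the ReturnTo value for the login endpoint from the current request so that only a local path is ever passed, which keeps the login endpoint from being used as a redirector:

```php
<?php
// Added example: session guard for a script served under MellonEnable "info".
// Assumes the mod_auth_mellon endpoints are under /mellon (MellonEndpointPath).

/**
 * Return the authenticated subject (the SAML NameID), or null when there is
 * no Mellon session. mod_auth_mellon sets MELLON_NAME_ID only after validating
 * the session cookie, so its absence means the user is logged out, including
 * the case where the logout was initiated at the IdP.
 */
function mellon_subject(array $server)
{
    if (!isset($server['MELLON_NAME_ID']) || $server['MELLON_NAME_ID'] === '') {
        return null;
    }
    return $server['MELLON_NAME_ID'];
}

/**
 * Build a ReturnTo value that can only point back into this site: an absolute
 * local path plus query string. A URI with another host, a protocol-relative
 * "//host" form or anything unparsable collapses to "/", so a crafted link
 * cannot bounce the user to a foreign origin after authentication.
 */
function local_return_to($requestUri)
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/';
    }
    $query = parse_url($requestUri, PHP_URL_QUERY);
    return (is_string($query) && $query !== '') ? $path . '?' . $query : $path;
}

$subject = mellon_subject($_SERVER);
if ($subject === null) {
    // No valid session: start an SP-initiated login and come back here afterwards.
    $current = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    header('Location: /mellon/login?ReturnTo=' . rawurlencode(local_return_to($current)), true, 302);
    exit;
}

header('Content-Type: text/plain');
echo 'Logged in as ' . $subject . "\n";
// Attributes released by the IdP are exported as further MELLON_* variables.
foreach ($_SERVER as $key => $value) {
    if (strpos($key, 'MELLON_') === 0 && $key !== 'MELLON_NAME_ID') {
        echo $key . '=' . $value . "\n";
    }
}
```

    Put the guard at the top of any script that must only serve authenticated users but lives outside a MellonEnable "auth" location; for pages that are covered by "auth", mod_auth_mellon performs the redirect itself and the check is merely a second line of defence against a misconfigured Location block.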
