Active Directory Federated Services (ADFS) can be used by servers inside or outside of the company network. This makes it an especially attractive authentication option for third party companies as no B2B connectivity is required to just authenticate the user base. Many third-party vendors are starting to support ADFS authentication in their out-of-the-box solution (in which case they should be able to provide config documentation), but anything hosted on Apache HTTPD can be configured using these directions:
This configuration uses the https://github.com/UNINETT/mod_auth_mellon module — I’ve built this from the repo. Once mod_auth_mellon is installed, create a directory for the configuration
Then cd into the directory and run the config script:
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh urn:samplesite:site.example.com "https://site.example.com/auth/endpoint/"
You will now have three files in the config directory – an XML file along with a cert/key pair. You’ll also need the FederationMetadata.xml from the IT group – it should be
Now configure the module – e.g. a file /etc/httpd/conf.d/20-mellon.conf – with the following:
MellonCacheSize 100 MellonLockFile /var/run/mod_auth_mellon.lock MellonPostTTL 900 MellonPostSize 1073741824 MellonPostCount 100 MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"
To authenticate users through the ADFS directory, add the following to your site config
MellonEnable "auth" Require valid-user AuthType "Mellon" MellonVariable "cookie" MellonSPPrivateKeyFile /etc/httpd/mellon/urn_samplesite_site.example.com.key MellonSPCertFile /etc/httpd/mellon/urn_samplesite_site.example.com.cert MellonSPMetadataFile /etc/httpd/mellon/urn_samplesite_site.example.com.xml MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml MellonMergeEnvVars On ":" MellonEndpointPath /auth/endpoint
Provide the XML file and certificate to the IT team that manages ADFS to configure the relying party trust.