{"id":8374,"date":"2021-11-06T13:30:23","date_gmt":"2021-11-06T18:30:23","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8374"},"modified":"2021-11-06T13:30:23","modified_gmt":"2021-11-06T18:30:23","slug":"sso-in-apache-httpd-adfs","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8374","title":{"rendered":"SSO In Apache HTTPD &#8212; ADFS"},"content":{"rendered":"<p>Active Directory Federation Services (ADFS) can be used by servers inside or outside of the company network. This makes it an especially attractive authentication option for third-party companies, as no B2B connectivity is required to <em>just<\/em> authenticate the user base. Many third-party vendors are starting to support ADFS authentication in their out-of-the-box solutions (in which case they should be able to provide configuration documentation), but anything hosted on Apache HTTPD can be configured using these directions:<\/p>\n<p>This configuration uses the <a href=\"https:\/\/github.com\/UNINETT\/mod_auth_mellon\">https:\/\/github.com\/UNINETT\/mod_auth_mellon<\/a> module &#8212; I\u2019ve built this from the repo. Once mod_auth_mellon is installed, create a directory for the configuration:<\/p>\n<pre>mkdir \/etc\/httpd\/mellon<\/pre>\n<p>Then cd into that directory and run the metadata creation script, passing the entity ID for this service provider and its endpoint URL:<\/p>\n<pre>\/usr\/libexec\/mod_auth_mellon\/mellon_create_metadata.sh urn:samplesite:site.example.com \"https:\/\/site.example.com\/auth\/endpoint\/\"<\/pre>\n<p>You will now have three files in the config directory \u2013 an XML file along with a cert\/key pair. You\u2019ll also need the FederationMetadata.xml from the IT group \u2013 it <em>should<\/em> be<\/p>\n<p>Now configure the module \u2013 e.g. in a file \/etc\/httpd\/conf.d\/20-mellon.conf \u2013 with the following:<\/p>\n<pre>MellonCacheSize 100\r\nMellonLockFile \/var\/run\/mod_auth_mellon.lock\r\nMellonPostTTL 900\r\nMellonPostSize 1073741824\r\nMellonPostCount 100\r\nMellonPostDirectory \"\/var\/cache\/mod_auth_mellon_postdata\"<\/pre>\n<p>To authenticate users through the ADFS directory, add the following to your site config:<\/p>\n<pre>MellonEnable \"auth\"\r\nRequire valid-user\r\nAuthType \"Mellon\"\r\nMellonVariable \"cookie\"\r\nMellonSPPrivateKeyFile \/etc\/httpd\/mellon\/urn_samplesite_site.example.com.key\r\nMellonSPCertFile \/etc\/httpd\/mellon\/urn_samplesite_site.example.com.cert\r\nMellonSPMetadataFile \/etc\/httpd\/mellon\/urn_samplesite_site.example.com.xml\r\nMellonIdPMetadataFile \/etc\/httpd\/mellon\/FederationMetadata.xml\r\nMellonMergeEnvVars On \":\"\r\nMellonEndpointPath \/auth\/endpoint<\/pre>\n<p>Provide the XML file and certificate to the IT team that manages ADFS so they can configure the relying party trust.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Active Directory Federation Services (ADFS) can be used by servers inside or outside of the company network. This makes it an especially attractive authentication option for third-party companies, as no B2B connectivity is required to just authenticate the user base. Many third-party vendors are starting to support ADFS authentication in their out-of-the-box solutions (in &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[503,1122,326],"class_list":["post-8374","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-adfs","tag-apache-httpd","tag-sso"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8374"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8374\/revisions"}],"predecessor-version":[{"id":8375,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8374\/revisions\/8375"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}