Professional Documents
Culture Documents
Apache SAML SSO The Hard Way
Apache SAML SSO The Hard Way
richard-purves.com/2019/05/07/apache-saml-sso-the-hard-way
May 7, 2019
This will likely be my last tech post for a while if ever, so with that in mind.
1/6
The world is going cloud whether we like it or not. The old concepts of perimeter security
are slowly going away and replaced with a zero trust concept based on identity, 2FA and up
to date security patching. Good thing too.
Recently I had a requirement to build a cloud based web server. The issue being that I had
to lock it away from non authorised users.
Use an Apache LDAP plugin against a cloud IdP service with cloud LDAP
Use SAML and have authentication via a cloud IdP SSO service.
The first is easier but the second is better as there’s a lot more scope for user requirements
past a basic username password combination. If your organisation decides to implement
2FA across all systems, then it’s the matter of a few switches flipped on your IdP than
reinventing the wheel. I like that idea. The issue for me was how to implement it with
almost zero documentation out there.
Thankfully there is a plugin for Apache called mod_auth_mellon that can do SSO for us
with a little configuration. The issue is that it’s extremely poorly documented and there is
only one example online.
I’m going to assume you’ve already installed Apache and other services you require. Start
by installing that auth plugin and it’s requirements onto an Ubuntu 18.04LTS server with
the following command.
We also need to get a metadata generation script for the mod_auth_mellon apache plugin
or we can’t tell the plugin where things are, and secure communications with the proper
certificates.
Now that we have the project cloned down, we feed the script the correct information to
generate the files we need.
cd mod_auth_mellon
2/6
Obviously replace the url.of.server with the actual FQDN of the server and any custom
port you plan to use.
The /secret part is important. It should be different from the URL you plan to protect,
because if they match you will end up stuck in an infinite loop between your site and your
IdP!
In our case since we’re protecting the entire site, this isn’t an issue. A matter of moments
later, the script will generate you three files that look something like this:
https_url.of.server.cert
https_url.of.server.key
https_url.of.server.xml
These should be copied into a new folder that only apache can access. In this example:
/etc/apache2/mellon/
The .cert file is used to encrypt the communications between your server and the IdP
service
The .key file is the private key companion to the .cert file above. Keep this safe!
The .xml file is the service provider entity metadata. This is the info from your server (the
service provider) supplied to the IdP containing things like the proper URL’s to talk to.
The .cert and .xml files should be copied to your SSO SAML administrator. He/She will
give you back an idp-metadata.xml file. This file should be copied to the server and placed
in the same folder as /etc/apache2 . If you are the IdP administrator as well, then follow
the instructions you have for creating a new SAML integration app.
Finally we need to configure the .conf file for the web server. Assuming you’re using the
/etc/apache2/sites-enabled/000-default.conf then you need to insert the following code
into that file. (or whichever .conf file you’re editing if you’re being clever like I was at the
time.)
3/6
# Accessing the / should trigger an IdP request
<Location />
# access either.
MellonEnable "auth"
MellonSPPrivateKeyFile /etc/apache2/mellon/https_url.of.server.key
MellonSPCertFile /etc/apache2/mellon/https_url.of.server.cert
MellonSPMetadataFile /etc/apache2/mellon/https_url.of.server.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
</Location>
5/6
Replace the filenames with the actual names you generated earlier or you’ll get weird
failures and very little meaningful logs.
Once Apache has restarted you should be able to test your SSO IdP authentication! It’ll
automatically redirect to your organisations sign on page and then redirect back if you
authenticated properly. If you then implement 2FA through your IdP then this will
automatically reflect on your users.
6/6