Administration Guide : Set Up to Use SAML 2.0-based Single Sign On (SSO) for Linux : Set Up the Xinet Server to Use SAML (on Linux)
Set Up the Xinet Server to Use SAML (on Linux)
This section tells you how to configure SAML for the Xinet server on Linux.
On the Xinet server, you will need to add the Xinet SAML auth module (based on mod_auth_mellon) in order to support the Apache Authentication module.
Warning: Do not use yum to install the mellon module. It will not work. The Xinet module has been modified to accommodate Portal sites and will conflict with the mellon module.
Prerequisites
You need to enable SSL on the Apache server. On Linux this is as simple as:
yum -y install mod_ssl
A likely missing library is lasso. Install it by running this command:
yum -y install lasso
Remember to restart Apache after any change to the configuration.
Install mod_auth_xinetsaml.so library
Xinet provides a modified mod_auth_xinetsaml.so library that supports Portal sites. Get the correct version for your server (Redhat 6 or 7 is supported) and put it on your Xinet server.
We recommend using this location:
/etc/httpd/modules/xinet/
Check to see if all the needed libraries for mod_auth_xinetsaml.so are installed:
cd /etc/httpd/modules/xinet
ldd mod_auth_xinetsaml.so
If there are libraries that are not found, create the directory and install them. For example,
mkdir /etc/httpd/modules/xinet
Create Entity ID names
You will need to create Entity ID names for the Service Providers (SPs) Note that the Xinet server and each Portal Site are all SPs. These names are arbitrary strings but they do have to be known by the IdP and must be unique compared to any other SP that the IdP serves. We recommend using only alphanumeric characters or a period, and no other special characters.
For example, you could use names like the following:
xinet.15.webnative
xinet.PortalServer.Marquee
xinet.PortalServer.Exhibit
Set up XML exchange between the IdP and SPs
(SimpleSAML)
For SimpleSAML:
1.
Log in to the simplesaml interface for your SAML IdP. (Our server: Xinet SAML IdP)
2.
Click on the Federation tab.
3.
Click on Login as Administrator.
4.
Click on the Show Metadata link under SAML 2.0 IdP Metadata.
(Google IdP)
For Google IdP:
1.
Obtain the XML Metadata from your Google account administrator.
2.
Copy the displayed XMP to a file on the Xinet Webnative or Portal server.
3.
The location of the IdP's XML file on the WNV server is arbitrary, but it should not be public.
An example would be creating /etc/httpd/xinetsaml as user "apache", mode 700, and copying the XML to "idp-metadata.xml" in that folder.
Generate XML for the WebNative Server SP
Use the Xinet provided script mellon_create_metadata.sh to generate the necessary output.
./mellon_create_metadata.sh <EntityID> http://<WNHOST>/webnative/mellon
Values you will need to provide are EntityID of the SP that you created in the Create Entity ID names section and the hostname or IP address of your Xinet server.
Here’s an example command line where the EntityID is “xinet.15.webnative” and the host machine IP address is “192.168.0.15”:
./mellon_create_metadata.sh xinet.15.webnative http://192.168.0.15/webnative/mellon
Here’s an example of the output of this command:
Output files:
Private key: xinet.15.webnative.key
Certificate: xinet.15.webnative.cert
Metadata: xinet.15.webnative.xml
Host: 192.168.0.15
 
Endpoints:
SingleLogoutService: http://192.168.0.15/webnative/mellon/logout
AssertionConsumerService: http://192.168.0.15/webnative/mellon/postResponse
(SimpleSAML Only)
For SimpleSAML, the files listed in the output should be in the current directory where you ran the script.
1.
Take the contents of the XML file that was just created ("xinet.15.webnative.xml" in the example above) and convert it using the XML to SimpleSAMLphp metadata converter in the Tools section of the Federation tab of the simplesaml IdP server.
2.
Copy and paste the contents of the XML into the XML metadata window.
3.
Click on Parse.
4.
The converted output should look similar to the following code:
$metadata['xinet.15.webnative'] = array (
'entityid' => 'xinet.15.webnative',
'contacts' =>
array (
),
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://192.168.0.15/webnative/mellon/postResponse',
'index' => 0,
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://192.168.0.15/webnative/mellon/logout',
),
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICsDCCAZgCCQD+DAnFQWH5bjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw8x
MzEuMTA2LjExMC4yMDUwHhcNMTYwNzI5MTY0MzA2WhcNMjYwNzI5MTY0MzA2WjAa
MRgwFgYDVQQDEw8xMzEuMTA2LjExMC4yMDUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDButyRsy2LSnrtN7104EAz3DRfYlPINZlr803F6DJdzQmEFABz
ed9rkB7a/2j+lqYF5ZajE1TIHL5RYUo7jsAevU9PZUKsv5zsBVt7G6WfRGYB/2aW
YlOT05jIEaWBd5DoIs5SFXH0TsPtbqD/7NSRUpW1z19Cn7zv7SDBARgGjyFbmhWs
hKr43T4JDoXTIpXlqHMM6oDo2LfkG1Ijvdl8MXy2jlR6Yu4T+5eRJ5pIYoNofm0E
d2MTivrvGLElKp6updWtJqDzR6YRMxicQ3xQXALaSBNsQi1xYWk1bP6tnSES4t8N
/UjpkGrgwYYc6Qmte8CTtI66zpM02zh5ZzIBAgMBAAEwDQYJKoZIhvcNAQEFBQAD
ggEBAI9seg5JudJEQLN6jrmdoh0LAkx5zGRVAPYdJm5lRtOhXpEECOvLjUuh6ypL
5MGN1IvhzeI8VI9TpRCXI4KU6c+jDBJ941U1kCtKuBg3VsYtrT91N4FrFh1jQ8wC
FcxfnYPU+Z3K+6/H8RvPGxdjNGDg4H9XmvxbwNer7lCfz80GQwmbQzQrceFrLCtB
4IBE6H8PcPGDj+ADaeGhTnanbkVDaRZRo+3+UooUtwzRwCZvgDQcd6k4rTqpFUSv
4nC6zcYfmOc5S3QY0RoaXRWkKwY0rwm1xajtBS8fdmlnYrJgmYMgQ+dyLQKgPnUW
ywMaqq8WcDZz92wHJJ1m8oCO8mQ=',
),
),
);
Update the IdP machine
(SimpleSAML)
For SimpleSAML:
1.
Edit the saml20-sp-remote.php file, located on the IdP server in the following location:
/var/simplesamlphp/metadata/
2.
Look for this section:
/*
* Example SimpleSAMLphp SAML 2.0 SP
*/
$metadata['https://saml-server.xinet.com'] = array(
'AssertionConsumerService' => 'https://saml-server.xinet.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'https://saml-server.xinet.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);
3.
Add the data from the "XML to SimpleSAMLphp metadata converter" AFTER the section mentioned above.
(Google IdP)
Google IdP requires the following information.
Note: Google IdP requires https for the ACS URL.
Copy the .cert and .key files to the Xinet server
The .cert and .key files created by mellon_create_metadata.sh need to go where Apache on the Xinet server can access them.
Copy the .cert and .key files to /etc/httpd/xinetsaml on the Xinet server and note this location. The location is arbitrary, but the location will be used in the Add Mellon entries to httpd.conf section.
Add LoadModule call to httpd.conf load
This entry points to the location of mod_auth_xinetsaml.so that was determined in the Install mod_auth_xinetsaml.so library section.
To create the conf file to load the module, /etc/httpd/conf.modules.d/10-saml.conf, run:
echo "LoadModule auth_mellon_module modules/xinet/mod_auth_xinetsaml.so" > /etc/httpd/conf.modules.d/10-saml.conf
Note: If /etc/httpd/conf.d/10-auth_mellon.conf exists delete it. It also means the standard mellon auth module had been installed on this machine!
Add Mellon entries to httpd.conf
For Xinet server configuration, you have to add the Mellon module configuration to three sections in the httpd.conf file. Once for each area on the filesystem that Xinet uses.
There are several variables where your specific information will be different from the above values. Use the correct values for the following variables:
MellonUser
This information is in the /var/simplesamlphp/attributemap/name2oid.php file on the SimpleSAML IdP server. Search for “userid” in that file and use that value. It will have a similar format to the value in the examples below.
For Google IdP you can map any attribute you want to the user ID. We chose “uid'’ to map the user email which is what is used to log in.
MellonSPentityId
The string you chose for the Xinet Service Provider Entity ID in the Create Entity ID names section.
MellonSPPrivateKeyFile
The path where you put the ".key" output file in the Copy the .cert and .key files to the Xinet server section.
MellonSPCertFile
The path where you put the ".cert" output file in the Copy the .cert and .key files to the Xinet server section.
MellonIdPMetadataFile
The path to the IdP's Metadata file from the Set up XML exchange between the IdP and SPs section.
Here is a sample output of the repeated section in the configs that must be updated from the sections below.
Linux:
MellonSPentityId "xinet.15.webnative"
MellonSPPrivateKeyFile /etc/httpd/xinetsaml/xinet.15.webnative.key
MellonSPCertFile /etc/httpd/xinetsaml/xinet.15.webnative.cert
MellonIdPMetadataFile /etc/httpd/xinetsaml/idp-metadata.xml
WebNative cgi directory
The italics show what is removed, and bold text what is added. Italics within a bold line shows fields that need to be edited.
For the WebNative cgi directory section, replace this:
# WebNative cgi directory
<Directory /usr/etc/webnative>
AuthType Basic
AuthName WebNative
AuthBasicProvider file
AuthUserFile /usr/adm/webnative/apache.userfile
Require valid-user
Options ExecCGI
</Directory>
with this:
# WebNative cgi directory
<Directory /usr/etc/webnative>
AuthType "Mellon"
AuthName WebNative
Require valid-user
Options ExecCGI
MellonEnable "auth"
MellonVariable "WNcookie"
MellonSecureCookie Off
MellonUser "urn:oid:0.9.2342.19200300.100.1.1"
MellonSetEnv "e-mail" "mail"
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
MellonMergeEnvVars On
MellonMergeEnvVars On ":"
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/webnative/mellon"
MellonSessionLength 86400
MellonSPentityId "<EntityID>"
MellonSPPrivateKeyFile /etc/httpd/xinetsaml/<EntityID>.key
MellonSPCertFile /etc/httpd/xinetsaml/<EntityID>.cert
MellonIdPMetadataFile /etc/httpd/xinetsaml/idp-metadata.xml
MellonSubjectConfirmationDataAddressCheck Off
MellonECPSendIDPList Off
MellonRedirectDomains [self]
</Directory>
If you are using Google IDP, your MellonUser entry should look like this:
MellonUser "uid"
WebNative document directory
Taking note, again, of the above entries that will need specific information for your set up, update the information for the WebNative document directory section. (The italics show what is removed, and bold text what is added. Italics within a bold line shows fields that need to be edited.)
Replace this:
# WebNative document directory
<Directory /usr/adm/webnative>
AuthType Basic
AuthName WebNative
AuthBasicProvider file
AuthUserFile /usr/adm/webnative/apache.userfile
Require valid-user
Options None
</Directory>
With this:
# WebNative document directory
<Directory /usr/adm/webnative>
AuthType "Mellon"
AuthName WebNative
Require valid-user
Options None
MellonEnable "auth"
MellonVariable "WNcookie"
MellonSecureCookie Off
MellonUser "urn:oid:0.9.2342.19200300.100.1.1"
MellonSetEnv "e-mail" "mail"
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
MellonMergeEnvVars On
MellonMergeEnvVars On ":"
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/webnative/mellon"
MellonSessionLength 86400
MellonSPentityId "<EntityID>"
MellonSPPrivateKeyFile /etc/httpd/xinetsaml/<EntityID>.key
MellonSPCertFile /etc/httpd/xinetsaml/<EntityID>.cert
MellonIdPMetadataFile /etc/httpd/xinetsaml/idp-metadata.xml
MellonSubjectConfirmationDataAddressCheck Off
MellonECPSendIDPList Off
MellonRedirectDomains [self]
</Directory>
If you are using Google IDP, your MellonUser entry should look like this:
MellonUser "uid"
WebNative styles directory
Taking note, again, of the above entries that will need specific information for your set up, update the WebNative styles directory section. (The italics show what is removed, and bold text what is added. Italics within a bold line shows fields that need to be edited.)
Replace this:
# WebNative styles directory
<Directory /usr/etc/webnative/styles>
Order Deny,Allow
AllowOverride None
Deny from All
<Files ~ "\.(css|js|html)$">
Order Allow,Deny
Allow from All
AuthType Basic
AuthName WebNative
require valid-user
AuthUserFile /var/adm/webnative/apache.userfile
Options None
</Files>
</Directory>
With this:
# WebNative styles directory
<Directory /usr/etc/webnative/styles>
Order Deny,Allow
AllowOverride None
Deny from All
<Files ~ "\.(css|js|html)$">
Order Allow,Deny
Allow from All
AuthType "Mellon"
AuthName WebNative
Require valid-user
Options None
MellonEnable "auth"
MellonVariable "WNcookie"
MellonSecureCookie Off
MellonUser "urn:oid:0.9.2342.19200300.100.1.1"
MellonSetEnv "e-mail" "mail"
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
MellonMergeEnvVars On
MellonMergeEnvVars On ":"
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/webnative/mellon"
MellonSessionLength 86400
MellonSPentityId "<EntityID>"
MellonSPPrivateKeyFile /etc/httpd/xinetsaml/<EntityID>.key
MellonSPCertFile /etc/httpd/xinetsaml/<EntityID>.cert
MellonIdPMetadataFile /etc/httpd/xinetsaml/idp-metadata.xml
MellonSubjectConfirmationDataAddressCheck Off
MellonECPSendIDPList Off
MellonRedirectDomains [self]
</Files>
</Directory>
If you are using Google IDP, your MellonUser entry should look like this:
MellonUser "uid"
Restart Apache
Restart Apache by running:
apachectl restart
Test log into the Xinet server
If the redirection is happening, you will be sent to a log in screen displayed by the IdP server. The URL should contain a hostname or IP address that is different from your Xinet server.