
Set Up the Xinet Server to Use SAML (on macOS)
This section tells you how to configure SAML for the Xinet server on macOS.
On the Xinet server, you will need to add the Xinet SAML auth module (based on mod_auth_mellon) in order to support the new Apache Authentication module. The Xinet module has been modified to accommodate Portal sites and will conflict with the mellon module.
Prerequisites
OS X: Mavericks 10.9 or later is required.
Install mod_auth_xinetsaml.so library
Xinet provides a modified mod_auth_xinetsaml.so library that supports Portal sites. Get the correct version for your server and put it on your Xinet server. We recommend downloading to this location: /usr/libexec/apache2/xinet/
Check to see if all the needed libraries for mod_auth_xinetsaml.so are installed:
cd /usr/libexec/apache2/xinet/
otool -L mod_auth_xinetsaml.so
If there are libraries not found, create the directory and install them. For example,
mkdir /etc/httpd/modules/xinet
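The otool -L listing above is easiest to act on when the missing entries are pulled out automatically. The following shell function is an added example, not part of the Xinet guide or its tooling: it reads otool -L output on standard input and prints each dependency path that does not exist on the machine, so a missing library is found before Apache fails to load the module. The function names and the sample otool output are ours; the sample paths are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Xinet guide: read "otool -L" output on stdin
# and print every dependency path that does not exist on this machine.
# Usage on the Xinet server:
#   cd /usr/libexec/apache2/xinet && otool -L mod_auth_xinetsaml.so | missing_libs
# Returns 0 when every dependency resolves, 1 when at least one is missing.
missing_libs() {
    rc=0
    # Header lines ("file:" or "file (architecture x86_64):") end in a colon;
    # on every other line the first field is the dependency path.
    for lib in $(awk '!/:$/ { print $1 }'); do
        case $lib in
            @*)
                # @rpath/@loader_path entries are resolved at load time; flag
                # them for a manual look instead of guessing a directory.
                echo "note: $lib is resolved at load time, check it by hand" >&2 ;;
            *)
                if [ ! -e "$lib" ]; then
                    echo "$lib"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample of what otool -L prints (paths are illustrative): one
# dependency that exists on any Unix system and one that does not.
sample_otool_output() {
    printf '%s\n%s\n%s\n' \
        'mod_auth_xinetsaml.so:' \
        '    /bin/sh (compatibility version 1.0.0, current version 1.0.0)' \
        '    /opt/missing/libexample.dylib (compatibility version 1.0.0, current version 1.0.0)'
}

# Stand-alone demonstration: prints the one constructed path that is missing.
sample_otool_output | missing_libs || true
```

Pipe the real otool -L output into missing_libs instead of the constructed sample; each printed path is a library to install before going on to the Entity ID step.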
Create Entity ID names
You will need to create Entity ID names for the Service Providers (SPs). Remember that the Xinet server and each Portal Site are all SPs. These names are arbitrary strings but they do have to be known by the IdP and must be unique compared to any other SP that the IdP serves. We recommend using only alphanumeric characters or a period, and no other special characters.
For example, we used names similar to the following:
Set up XML exchange between the IdP and SPs
(SimpleSAML)
1.
2.
3.
4.
(Google IdP)
The XML Metadata must be obtained from your Google account Administrator.
Copy the displayed XML to a file on the Xinet WebNative or Portal server.
The location of the IdP's XML file on the WNV server is arbitrary, but it shouldn’t be public.
An example would be creating /etc/apache2/xinetsaml on OS X, as user "apache", mode 700, and copying the XML to "idp-metadata.xml" in that folder.
Generate XML for the WebNative Server SP
Use the Xinet-provided script mellon_create_metadata.sh to generate the necessary output:
./mellon_create_metadata.sh <EntityID> http://<WNHOST>/webnative/mellon
Values you will need to provide are the EntityID of the SP that you created in the Create Entity ID names section and the hostname or IP address of your Xinet server.
Here’s an example command line where the EntityID is xinet.15.webnative and the host machine IP address is 10.168.0.15:
./mellon_create_metadata.sh xinet.15.webnative http://10.168.0.15/webnative/mellon
Here’s an example of the output of this command:
Output files:
Private key: xinet.15.webnative.key
Certificate: xinet.15.webnative.cert
Metadata: xinet.15.webnative.xml
Host: 10.168.0.15
 
Endpoints:
SingleLogoutService: http://10.168.0.15/webnative/mellon/logout
AssertionConsumerService: http://10.168.0.15/webnative/mellon/postResponse
(SimpleSAML)
The files listed in the output should be in the current directory where you ran the script.
Take the contents of the .xml file that was just created ("xinet.15.webnative.xml" in the example above) and convert it using the XML to SimpleSAMLphp metadata converter in the Tools section of the Federation tab of the simplesaml IdP server.
Copy and paste the contents of the .xml into the XML metadata window.
Click on Parse.
The converted output should look similar to this:
 
$metadata['xinet.15.webnative'] = array (
  'entityid' => 'xinet.15.webnative',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'http://192.168.0.15/webnative/mellon/postResponse',
      'index' => 0,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://192.168.0.15/webnative/mellon/logout',
    ),
  ),
  'keys' =>
  array (
    0 =>
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIICsDCCAZgCCQD+DAnFQWH5bjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw8x...',
    ),
  ),
);
Update the IdP machine
(SimpleSAML)
1.
2.
/*
* Example SimpleSAMLphp SAML 2.0 SP
*/
$metadata['https://saml-server.xinet.com'] = array(
'AssertionConsumerService' => 'https://saml-server.xinet.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'https://saml-server.xinet.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);
3.
(Google IdP)
The Google IdP requires the following information:
Note: Google IdP requires HTTPS for the ACS URL.
Copy the .cert and .key files to the Xinet server
The .cert and .key files created by mellon_create_metadata.sh need to go where Apache on the Xinet server can access them.
Copy the .cert and .key files to /etc/apache2/xinetsaml on the Xinet server and note this location. Again, the location is arbitrary, but the location will be used in the Add Mellon entries to the httpd.conf section.
Add LoadModule call to httpd.conf
This entry points to the location of mod_auth_xinetsaml.so that was determined in the Install mod_auth_xinetsaml.so library section.
Add the LoadModule call next to the other LoadModule entries in the httpd.conf file:
LoadModule auth_mellon_module libexec/apache2/xinet/mod_auth_xinetsaml.so
Add Mellon entries to httpd.conf
For Xinet server configuration, you have to add the Mellon module configuration to three sections in the httpd.conf file, once for each area on the filesystem that Xinet uses.
Several of these directives take values specific to your installation. Replace the values shown in the examples with your own for the following variables:
MellonUser
This information is in the /var/simplesamlphp/attributemap/name2oid.php file on the SimpleSAML IdP server. Search for “userid” in that file and use that value. It will have a similar format to the value in the examples below.
For Google IdP you can map any attribute you want to the user ID. We chose 'uid', mapped to the user's email address, which is what is used to log in.
MellonSPentityId
The string you chose for the Xinet Service Provider Entity ID in the Create Entity ID names section.
MellonSPPrivateKeyFile
The path where you put the ".key" output file in the Copy the .cert and .key files to the Xinet server section.
MellonSPCertFile
The path where you put the ".cert" output file in the Copy the .cert and .key files to the Xinet server section.
MellonIdPMetadataFile
The path to the IdP's Metadata file from the Set up XML exchange between the IdP and SPs section.
Here is a sample of the lines that repeat in each of the configuration sections below, filled in with the values from the sections above:
macOS:
MellonSPentityId "xinet.15.webnative"
MellonSPPrivateKeyFile /etc/apache2/xinetsaml/xinet.15.webnative.key
MellonSPCertFile /etc/apache2/xinetsaml/xinet.15.webnative.cert
MellonIdPMetadataFile /etc/apache2/xinetsaml/idp-metadata.xml
WebNative cgi directory
The italics show what is removed, and bold text what is added. Italics within a bold line show fields that need to be edited.
For the WebNative cgi directory section, replace this:
# WebNative cgi directory
<Directory /usr/etc/webnative>
AuthType Basic
AuthName WebNative
AuthBasicProvider file
AuthUserFile /usr/adm/webnative/apache.userfile
Require valid-user
Options ExecCGI
</Directory>
 
with this:
 
# WebNative cgi directory
<Directory /usr/etc/webnative>
AuthType "Mellon"
AuthName WebNative
Require valid-user
Options ExecCGI
MellonEnable "auth"
MellonVariable "WNcookie"
MellonSecureCookie Off
MellonUser "urn:oid:0.9.2342.19200300.100.1.1"
MellonSetEnv "e-mail" "mail"
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
MellonMergeEnvVars On
MellonMergeEnvVars On ":"
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/webnative/mellon"
MellonSessionLength 86400
MellonSPentityId "<EntityID>"
MellonSPPrivateKeyFile /etc/apache2/xinetsaml/<EntityID>.key
MellonSPCertFile /etc/apache2/xinetsaml/<EntityID>.cert
MellonIdPMetadataFile /etc/apache2/xinetsaml/idp-metadata.xml
MellonSubjectConfirmationDataAddressCheck Off
MellonECPSendIDPList Off
MellonRedirectDomains [self]
</Directory>
Note: For OS X 10.9, which still uses Apache 2.2, the old Order and Allow directives must be included:
<Directory /usr/etc/webnative>
...
Order Allow,Deny
Allow from All
AllowOverride None
...
</Directory>
If you are using Google IdP, your MellonUser entry should look like this:
MellonUser "uid"
WebNative document directory
The italics show what is removed, and bold text what is added. Italics within a bold line show fields that need to be edited.
Taking note, again, of the above entries that will need specific information for your set up, for the WebNative document directory section, replace this:
# WebNative document directory
<Directory /usr/adm/webnative>
AuthType Basic
AuthName WebNative
AuthBasicProvider file
AuthUserFile /usr/adm/webnative/apache.userfile
Require valid-user
Options None
</Directory>
with this:
 
# WebNative document directory
<Directory /usr/adm/webnative>
AuthType "Mellon"
AuthName WebNative
Require valid-user
Options None
MellonEnable "auth"
MellonVariable "WNcookie"
MellonSecureCookie Off
MellonUser "urn:oid:0.9.2342.19200300.100.1.1"
MellonSetEnv "e-mail" "mail"
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
MellonMergeEnvVars On
MellonMergeEnvVars On ":"
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/webnative/mellon"
MellonSessionLength 86400
MellonSPentityId "<EntityID>"
MellonSPPrivateKeyFile /etc/apache2/xinetsaml/<EntityID>.key
MellonSPCertFile /etc/apache2/xinetsaml/<EntityID>.cert
MellonIdPMetadataFile /etc/apache2/xinetsaml/idp-metadata.xml
MellonSubjectConfirmationDataAddressCheck Off
MellonECPSendIDPList Off
MellonRedirectDomains [self]
</Directory>
Note: For OS X 10.9, which still uses Apache 2.2, the old Order and Allow directives must be included:
<Directory /usr/adm/webnative>
...
Order Allow,Deny
Allow from All
AllowOverride None
...
</Directory>
If you are using Google IdP, your MellonUser entry should look like this:
MellonUser "uid"
WebNative styles directory
The italics show what is removed, and bold text what is added. Italics within a bold line show fields that need to be edited.
Taking note, again, of the above entries that will need specific information for your setup, for the WebNative styles directory section, replace this:
# WebNative styles directory
<Directory /usr/etc/webnative/styles>
Order Deny,Allow
AllowOverride None
Deny from All
<Files ~ "\.(css|js|html)$">
Order Allow,Deny
Allow from All
AuthType Basic
AuthName WebNative
require valid-user
AuthUserFile /var/adm/webnative/apache.userfile
Options None
</Files>
</Directory>
with this:
 
# WebNative styles directory
<Directory /usr/etc/webnative/styles>
Order Deny,Allow
AllowOverride None
Deny from All
<Files ~ "\.(css|js|html)$">
Order Allow,Deny
Allow from All
AuthType "Mellon"
AuthName WebNative
Require valid-user
Options None
MellonEnable "auth"
MellonVariable "WNcookie"
MellonSecureCookie Off
MellonUser "urn:oid:0.9.2342.19200300.100.1.1"
MellonSetEnv "e-mail" "mail"
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
MellonMergeEnvVars On
MellonMergeEnvVars On ":"
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/webnative/mellon"
MellonSessionLength 86400
MellonSPentityId "<EntityID>"
MellonSPPrivateKeyFile /etc/apache2/xinetsaml/<EntityID>.key
MellonSPCertFile /etc/apache2/xinetsaml/<EntityID>.cert
MellonIdPMetadataFile /etc/apache2/xinetsaml/idp-metadata.xml
MellonSubjectConfirmationDataAddressCheck Off
MellonECPSendIDPList Off
MellonRedirectDomains [self]
</Files>
</Directory>
If you are using Google IdP, your MellonUser entry should look like this:
MellonUser "uid"
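Before restarting Apache it is worth checking that the three WebNative sections were edited consistently. The following shell script is an added example, not part of the Xinet guide or of mod_auth_xinetsaml: it reads httpd.conf and reports a MellonSPentityId that still holds the <EntityID> placeholder or uses characters outside the letters, digits and periods recommended in the Create Entity ID names section, sections that disagree about the entity ID, key, certificate or IdP metadata paths that do not point at a readable file (a mistyped directory name fails here instead of at apachectl restart), and a private key that other users can read. The function names and the sample configuration are ours.

```shell
#!/bin/sh
# Added example, not part of the Xinet guide: lint the Mellon directives in an
# httpd.conf before "apachectl restart". Checks only the file it is given (not
# Include'd files) and matches directive names as spelled in this guide.

# Print every value of one Mellon directive, one per line, quotes stripped.
# $1 = directive name, $2 = path to httpd.conf
mellon_values() {
    awk -v d="$1" '$1 == d { v = $2; gsub(/"/, "", v); print v }' "$2"
}

# A file-path directive must not still carry a <...> placeholder, and every
# path it names must be a readable file. Returns 1 if anything is wrong.
check_path_directive() {
    directive=$1
    conf=$2
    rc=0
    for p in $(mellon_values "$directive" "$conf"); do
        case $p in
            *'<'*'>'*)
                echo "$directive: placeholder not replaced: $p"
                rc=1
                continue ;;
        esac
        if [ ! -r "$p" ]; then
            echo "$directive: file missing or unreadable: $p"
            rc=1
        fi
    done
    return $rc
}

# The SP private key must not be readable by "other" (column 8 of ls -l).
check_key_private() {
    rc=0
    for k in $(mellon_values MellonSPPrivateKeyFile "$1"); do
        if [ -f "$k" ] && [ "$(ls -l "$k" | cut -c8)" = "r" ]; then
            echo "MellonSPPrivateKeyFile: world-readable: $k"
            rc=1
        fi
    done
    return $rc
}

# Every section with MellonEnable "auth" must declare the same SP entity ID,
# built only from letters, digits and periods (the guide's naming rule).
check_entity_ids() {
    conf=$1
    rc=0
    enabled=$(mellon_values MellonEnable "$conf" | grep -c '^auth$' || true)
    ids=$(mellon_values MellonSPentityId "$conf")
    declared=$(printf '%s\n' "$ids" | grep -c . || true)
    distinct=$(printf '%s\n' "$ids" | grep . | sort -u | wc -l | tr -d ' ')
    if [ "$enabled" -ne "$declared" ]; then
        echo "MellonSPentityId: $declared declared for $enabled Mellon-enabled sections"
        rc=1
    fi
    if [ "$distinct" -gt 1 ]; then
        echo "MellonSPentityId: sections disagree: $(printf '%s ' $ids)"
        rc=1
    fi
    for id in $ids; do
        case $id in
            *[!A-Za-z0-9.]*)
                echo "MellonSPentityId: disallowed characters: $id"
                rc=1 ;;
        esac
    done
    return $rc
}

# Run every check; exit status 0 only when the file is clean.
check_mellon_conf() {
    conf=$1
    status=0
    check_entity_ids "$conf" || status=1
    for d in MellonSPPrivateKeyFile MellonSPCertFile MellonIdPMetadataFile; do
        check_path_directive "$d" "$conf" || status=1
    done
    check_key_private "$conf" || status=1
    return $status
}

# Usage: sh check_mellon.sh /etc/apache2/httpd.conf
if [ -n "${1:-}" ]; then
    check_mellon_conf "$1" && echo "OK: $1 passed all Mellon checks"
fi
```

Run it on the Xinet server as sh check_mellon.sh /etc/apache2/httpd.conf; a zero exit status means every check passed, and each line of output names the directive and the value that needs attention. The script deliberately leaves MellonSecureCookie alone: the endpoints in this guide are plain http://, and setting the cookie's Secure flag would stop the browser from returning the session cookie to them, so revisit that directive once the site is served over HTTPS.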
Restart Apache
Restart Apache by running:
apachectl restart
Test logging into the Xinet server
If the redirection is happening, you will be sent to a login screen displayed by the IdP server. The URL should contain a hostname or IP address that is different from your Xinet server.