SAML Authentication with Active Directory Federated Services (ADFS) and mod_auth_mellon
The following details how to use ADFS infrastructure via SAML authentication to authenticate to an OpenOnDemand deployment.
Prepare the Host
Before beginning, retrieve the following information from the ADFS administrator:
The SAML 2.0 service URL (e.g., https://adfs.organization.com/ADFS/ls)
The IdP metadata URL (e.g., https://adfs.organization.com/ADFS/metadata.xml)
Ensure SSL/TLS is properly configured and that any organizational certificate authorities are integrated into the host's trust store (see Secure Apache httpd).
Install mod_auth_mellon
With Software Collections enabled on the system (httpd24 build), install the mod_auth_mellon module:
    yum install httpd24-mod_auth_mellon httpd24-mod_ssl
Without Software Collections (RHEL 8 and later, and derivatives):
    yum install mod_auth_mellon mod_ssl
On Debian/Ubuntu:
    apt install libapache2-mod-auth-mellon
Configure mod_auth_mellon
Note that this configuration assumes SAML has been set up so that the returned NameID maps directly to a Unix user on the OOD host. For more information, see https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html
Download the IdP metadata file:
    cd /etc/httpd/mellon/
    wget https://adfs.organization.com/ADFS/metadata.xml -O idpmetadata.xml
Generate the mellon (SP) metadata, key and certificate:
    export mellon_endpoint="https://$(hostname)/mellon"
    /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "${mellon_endpoint}/metadata" "${mellon_endpoint}"
    mv *.cert ./mellon.cert
    mv *.key ./mellon.key
    mv *.xml ./mellon_metadata.xml
Create a mellon configuration file:
    vi /etc/httpd/conf.d/00-mellon.conf
Add the following to the 00-mellon.conf file:
    <Location />
        MellonSPPrivateKeyFile /etc/httpd/mellon/mellon.key
        MellonSPCertFile /etc/httpd/mellon/mellon.cert
        MellonSPMetadataFile /etc/httpd/mellon/mellon_metadata.xml
        MellonIdPMetadataFile /etc/httpd/mellon/idpmetadata.xml
        MellonEndpointPath /mellon
        MellonEnable "auth"
    </Location>
Convert the key and certificate files into PFX format:
    openssl pkcs12 -export -inkey /etc/httpd/mellon/mellon.key -in /etc/httpd/mellon/mellon.cert -out /etc/httpd/mellon/mellon.pfx
Provide the mellon.pfx and mellon_metadata.xml files to your ADFS administrator. The files can then be imported into the ADFS system.
Configure OOD
Edit the ood_portal.yml file to include the following:
    # /etc/ood/config/ood_portal.yml
    ---
    # ...
    # Your other custom configuration options...
    # ...
    auth:
      - 'AuthType Mellon'
      - 'Require valid-user'
Restart httpd:
    systemctl restart httpd