Single Sign On Implementation

How to implement SSO (Single Sign On) with mod_auth_mellon and ADFS

If you have a Linux-based system you can use mod_auth_mellon, a SAML 2.0 service provider (SP) module for Apache httpd, to set up SSO integration with ADFS.

ADFS, or more generally the identity provider (IdP), is usually run at the organization level under a federation hostname in the organization's domain. You will need to work closely with the identity provider team to get your endpoint URLs registered and to exchange metadata in both directions.

There are three parts to the SSO configuration on the service provider side, each coordinated with the IdP:

1. Metadata generation

2. Setting up the connection with ADFS

3. Invoking the ADFS link for authentication

Below are the detailed steps:

The first step is to let HTTPS through the firewall on the Linux machine. Do not stop or disable firewalld; open only the service Apache needs and reload the rules:

firewall-cmd --permanent --add-service=https
firewall-cmd --reload

To install the required packages and create the working directories, run the commands below. ntpdate is on the list because SAML assertions carry NotBefore and NotOnOrAfter timestamps: if the SP clock drifts from the ADFS server clock, otherwise valid assertions are rejected, so keep the clock synchronized.

yum -y install ntpdate httpd mod_ssl mod_auth_mellon php openssl wget
mkdir -p /etc/httpd/mellon
mkdir -p /var/www/sp
mkdir -p /var/www/protected
cd /etc/httpd/mellon
Create a self-signed TLS certificate for the web server with the following command. A self-signed certificate is fine for a test setup, but browsers will not trust it; use a certificate issued by your organization's CA in production. The Common Name must be the DNS name users will type in the browser:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/sp.key -out /etc/pki/tls/certs/sp.crt
Country Name (2 letter code) [XX]: country
State or Province Name (full name) []: state
Locality Name (eg, city) [Default City]: your city
Organization Name (eg, company) [Default Company Ltd]: TS
Organizational Unit Name (eg, section) []: Technical Support
Common Name (eg, your name or your server's hostname) []: yourdomain.com
Email Address []: support@yourdomain.com

Create a sample index.html page in each directory (one public, one that will require login):

echo "Welcome! This is from sp directory" > /var/www/sp/index.html
echo "Welcome! This is from protected directory" > /var/www/protected/index.html

Create the SP metadata and key pair with the script shipped with mod_auth_mellon. The first argument is the SP entity ID (the name the IdP will know you by); the second is the base URL of the Mellon endpoints, which must match the MellonEndpointPath you set later in mellon.conf:

cd /etc/httpd/mellon
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://yourdomain.com/ https://yourdomain.com/mellon

The script names the three files after the entity ID; rename them to the names used in mellon.conf:
mv *.key mellon.key
mv *.cert mellon.cert
mv *.xml mellon.xml

mellon.key is the SP's private key (it signs requests to the IdP and decrypts encrypted assertions), so make sure it is readable by root only; httpd reads it while it is still running as root at startup.

Ask your identity provider team for the federation metadata URL (ADFS publishes it at /FederationMetadata/2007-06/FederationMetadata.xml) and download it. Do not add --no-check-certificate to this command: the file contains the IdP signing certificate that mod_auth_mellon will trust for every assertion it receives, so anyone who can tamper with this download can forge logins to your application. If ADFS uses a certificate from an internal CA, add that CA to the system trust store (update-ca-trust) instead, and confirm the signing certificate thumbprint with the IdP team out of band.

wget https://idp.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml

Create a mellon.conf file:
vi /etc/httpd/conf.d/mellon.conf

Add configuration directives like below. The Mellon directives are per-location: MellonEnable "info" on / makes the SP endpoints under /mellon (metadata, postResponse, logout) available without a login, while MellonEnable "auth" together with AuthType "Mellon" and Require valid-user on /protected is what actually forces users through ADFS. Setting both "info" and "auth" at the same level, as a flat config would, leaves only the last one in effect and would either protect nothing or protect the whole site, including /sp.

<VirtualHost *:443>
    DocumentRoot /var/www/
    ServerName yourserverdnsname

    ServerSignature Off
    ErrorLog /var/log/httpd/error_sp.log
    LogLevel info
    CustomLog /var/log/httpd/access_sp.log combined

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/sp.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sp.key

    <Location />
        MellonSPPrivateKeyFile /etc/httpd/mellon/mellon.key
        MellonSPCertFile /etc/httpd/mellon/mellon.cert
        MellonSPMetadataFile /etc/httpd/mellon/mellon.xml
        MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml
        MellonEndpointPath /mellon
        MellonEnable "info"
    </Location>

    <Location /protected>
        AuthType "Mellon"
        MellonEnable "auth"
        Require valid-user
    </Location>
</VirtualHost>

Restart httpd afterwards and confirm that https://yourdomain.com/mellon/metadata returns the same XML as mellon.xml before involving the IdP team.

Once your metadata is generated, send mellon.xml to the IdP team so they can register your SP (in ADFS terms, a relying party trust). Once it is registered, open https://yourdomain.com/protected/ in a browser: you should be redirected to ADFS, authenticate, and be sent back to the protected page. If the round trip fails, use the SAML Tracer browser extension to inspect the AuthnRequest your SP sends and the SAML response ADFS returns; the Issuer and AssertionConsumerServiceURL in the request must match what the IdP has on file for you.
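What SAML Tracer shows you for the first leg of that round trip can also be reproduced from the redirect URL itself. The following Python script is an added example, not code from the original post or from mod_auth_mellon: it unpacks the SAMLRequest query parameter of the HTTP-Redirect binding (URL-decode, base64-decode, raw DEFLATE) and checks the Issuer, Destination and AssertionConsumerServiceURL against the SP values assumed in this tutorial (entity ID https://yourdomain.com/, endpoint path /mellon, ADFS SSO URL https://idp.yourdomain.com/adfs/ls/). The embedded AuthnRequest is constructed for the example; its ID and timestamp are made up.

```python
"""Decode the SAMLRequest an SP sends to ADFS over the HTTP-Redirect binding.

Added example, not code from the original post.  The SP redirects the
browser to the IdP SSO URL with ?SAMLRequest=<urlencoded base64 of raw
DEFLATE xml>&RelayState=<original URL>.  decode_redirect_request() reverses
that so you can compare the request with the SP metadata sent to the IdP.
Usage: python decode_saml_request.py "<redirect URL copied from SAML Tracer>"
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values assumed from the tutorial (not taken from a real deployment):
# the SP entity ID passed to mellon_create_metadata.sh, the assertion
# consumer service under MellonEndpointPath, and the ADFS SSO URL.
SP_ENTITY_ID = "https://yourdomain.com/"
SP_ACS_URL = "https://yourdomain.com/mellon/postResponse"
IDP_SSO_URL = "https://idp.yourdomain.com/adfs/ls/"


def encode_redirect_request(sso_url, xml_text, relay_state=None):
    """Build the redirect URL the way an SP does: raw DEFLATE (negative
    wbits means no zlib header), base64, then URL-encode as query params."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(redirect_url):
    """Reverse the encoding and pull out the fields the IdP will check."""
    query = urllib.parse.urlparse(redirect_url).query
    params = urllib.parse.parse_qs(query)  # also URL-decodes the values
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    deflated = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": params.get("RelayState", [None])[0],
        "xml": xml_text,
    }


def request_matches_sp(info, sp_entity_id=SP_ENTITY_ID,
                       acs_url=SP_ACS_URL, sso_url=IDP_SSO_URL):
    """The three values ADFS compares with the relying party trust."""
    return (info["issuer"] == sp_entity_id
            and info["acs_url"] == acs_url
            and info["destination"] == sso_url)


# Constructed AuthnRequest in the shape an SP sends; ID/IssueInstant made up.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed0123456789abcdef" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://idp.yourdomain.com/adfs/ls/" '
    'AssertionConsumerServiceURL="https://yourdomain.com/mellon/postResponse" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://yourdomain.com/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SAMPLE_REDIRECT_URL = encode_redirect_request(
    IDP_SSO_URL, SAMPLE_AUTHN_REQUEST, "https://yourdomain.com/protected/")


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_REDIRECT_URL
    info = decode_redirect_request(url)
    for key in ("id", "issuer", "destination", "acs_url", "relay_state"):
        print("%-12s %s" % (key, info[key]))
    print("matches SP: ", request_matches_sp(info))
```

Paste the Location header of the 302 from /protected/ as the argument; a mismatch in issuer or acs_url is the usual reason ADFS answers with an error page instead of a login form. The encoder is included so the example runs offline; it is also handy for crafting a test request if you want to watch how ADFS rejects an unknown issuer.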

With the steps above you should be able to configure SSO.

You may also add proxy and reverse proxy directives to the same configuration file.

Please leave a comment if you need more help with this.
