How to implement SSO (Single Sign-On)
If you run a Linux-based web server, you can use mod_auth_mellon, a SAML 2.0 service provider module for Apache httpd, to set up SSO integration with ADFS.
ADFS (or whatever identity provider your organization uses) is generally maintained centrally, on a host named under the organization's domain (for example a federation or idp hostname in front of the domain name). You therefore need to work closely with the identity provider team: they register your service provider endpoint URLs, and the two of you exchange metadata in both directions.
There are three parts to the SSO configuration on the client (service provider) side, each needing coordination with the IdP:
1. Metadata generation
2. Setting up the connection with ADFS
3. Invoking the ADFS link for authentication
Below are the detailed steps:
First, make sure the firewall on the Linux machine lets HTTPS in. Do not disable firewalld: the service provider only needs port 443 (and 80 if you redirect plain HTTP to HTTPS), so open just that service:
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Install the required packages:
yum -y install ntpdate httpd mod_ssl mod_auth_mellon php openssl wget
ntpdate is not optional: SAML assertions carry NotBefore/NotOnOrAfter timestamps, and a clock that is a few minutes off from the IdP makes mod_auth_mellon reject otherwise valid assertions. Then create the working directories:
mkdir -p /etc/httpd/mellon
mkdir -p /var/www/sp
mkdir -p /var/www/protected
cd /etc/httpd/mellon
Create a self-signed TLS certificate for the HTTPS virtual host using the following command (fine for a lab; in production use a CA-issued certificate, because both the users' browsers and the IdP redirect to this host):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/sp.key -out /etc/pki/tls/certs/sp.crt
Answer the prompts; the Common Name must be the DNS name users will type, the same name used in the ServerName and entity ID below:
Country Name (2 letter code) [XX]: country
State or Province Name (full name) []: state
Locality Name (eg, city) [Default City]: your city
Organization Name (eg, company) [Default Company Ltd]: TS
Organizational Unit Name (eg, section) []: Technical Support
Common Name (eg, your name or your server's hostname) []: yourdomain.com
Email Address []: support@yourdomain.com
Create a sample index.html page in each directory so you can tell the unprotected and protected areas apart:
echo 'Welcome! This is from sp directory' > /var/www/sp/index.html
echo 'Welcome! This is from protected directory' > /var/www/protected/index.html
Create the Mellon service provider key, certificate and metadata using the following commands:
cd /etc/httpd/mellon
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh https://yourdomain.com https://yourdomain.com/mellon
The first argument is the SP entity ID; the second is the base URL of the Mellon endpoints and must match the MellonEndpointPath set later in the Apache configuration. The script writes a key, a certificate and an XML metadata file named after the entity ID; rename them:
mv *.key mellon.key
mv *.cert mellon.cert
mv *.xml mellon.xml
Do the rename before downloading the IdP metadata into the same directory, otherwise the *.xml glob matches two files and the last mv fails.
Ask your identity provider for the federation metadata URL and download it into the Mellon directory; with ADFS it is normally served at the path shown here:
wget https://idp.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml
Do not add --no-check-certificate to this command. The file contains the IdP's signing certificate, and mod_auth_mellon will accept any assertion signed by whatever certificate ends up in it, so a download that can be tampered with in transit lets an attacker install a signing certificate of their own choosing and log in as anyone. If the IdP's TLS certificate is issued by an internal CA, install that CA on the SP instead (copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust), and confirm the fingerprint of the signing certificate in the downloaded file with the IdP team.
Create a mellon.conf file:
vi /etc/httpd/conf.d/mellon.conf
Add an HTTPS virtual host with the Mellon directives scoped to locations, like below. The two MellonEnable values do different things: "info" on / only exposes session attributes when a session already exists, while "auth" on /protected forces a login through ADFS before anything under that path is served. ServerName must be the hostname used in the entity ID and in the certificate's Common Name, because the IdP sends the browser back to the URLs in your metadata.
<VirtualHost *:443>
    DocumentRoot /var/www/
    ServerName yourserverdnsname
    ServerSignature Off
    ErrorLog /var/log/httpd/error_sp.log
    LogLevel info
    CustomLog /var/log/httpd/access_sp.log combined

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/sp.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sp.key

    <Location />
        MellonSPPrivateKeyFile /etc/httpd/mellon/mellon.key
        MellonSPCertFile /etc/httpd/mellon/mellon.cert
        MellonSPMetadataFile /etc/httpd/mellon/mellon.xml
        MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml
        MellonEndpointPath /mellon
        MellonEnable "info"
    </Location>

    <Location /protected>
        AuthType Mellon
        MellonEnable "auth"
        Require valid-user
    </Location>
</VirtualHost>
AuthType Mellon and Require valid-user are what the mod_auth_mellon example configuration uses on a protected location; include them so Apache's authorization phase is explicitly tied to the Mellon session. Also consider adding MellonSecureCookie On inside the / location so the session cookie carries the Secure and HttpOnly flags. Restart httpd (systemctl restart httpd) after saving the file.
Once mellon.xml is generated, send it to the IdP team; on ADFS they create a relying party trust for your service provider from it. When that is in place, open https://yourdomain.com/protected/ in a browser with the SAML-tracer extension running: you should see the AuthnRequest redirect to ADFS, the ADFS login, and a signed SAMLResponse POSTed back to /mellon/postResponse before the protected page loads. If the IdP rejects the request, compare the entity ID and endpoint URLs it logs with the ones in mellon.xml.
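Before handing mellon.xml to the IdP team, and before trusting the FederationMetadata.xml you downloaded, both files are worth checking offline. The following Python script is an added example, not part of the original post and not code from mod_auth_mellon. It parses constructed, trimmed-down copies of the two metadata files (hostnames and paths are the yourdomain.com ones assumed throughout this post; the certificate body is a placeholder, base64 of "abc", so the expected fingerprint is known rather than a real DER certificate), reports the SHA-256 fingerprint of every IdP signing certificate so you can compare it with the value the IdP team gives you out of band, and checks that the SP metadata's HTTP-POST AssertionConsumerService is the /mellon/postResponse URL that MellonEndpointPath will actually serve.

```python
"""Offline sanity checks for SAML metadata before mod_auth_mellon trusts it.

Added example (not from the original post). Standard library only.
  1. IdP metadata: list the SHA-256 fingerprints of the signing certificates
     and compare with a fingerprint obtained out of band from the IdP team.
  2. SP metadata: confirm the HTTP-POST AssertionConsumerService points at
     <entity base URL> + MellonEndpointPath + /postResponse.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder for the certificate body: base64("abc"). A real
# FederationMetadata.xml carries a DER-encoded X.509 certificate here.
IDP_CERT_B64 = "YWJj"

# Constructed, trimmed-down ADFS metadata; hostnames are assumptions.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="http://idp.yourdomain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.yourdomain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed, trimmed-down SP metadata of the shape mellon_create_metadata.sh emits.
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://yourdomain.com">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://yourdomain.com/mellon/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256, the format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every IdP signing certificate in the metadata.
    A KeyDescriptor without a `use` attribute is valid for signing and encryption, so it counts."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""))
            fingerprints.append(sha256_fingerprint(der))
    return fingerprints


def idp_metadata_trusted(metadata_xml: str, expected_fingerprint: str) -> bool:
    """True only if the out-of-band fingerprint matches a signing certificate in the file."""
    want = expected_fingerprint.replace(":", "").upper()
    return any(fp.replace(":", "") == want for fp in idp_signing_fingerprints(metadata_xml))


def sp_acs_matches_endpoint(sp_metadata_xml: str, base_url: str, endpoint_path: str) -> bool:
    """Check the HTTP-POST ACS is <base_url><endpoint_path>/postResponse, which is the
    path mod_auth_mellon serves under MellonEndpointPath."""
    root = ET.fromstring(sp_metadata_xml)
    expected = base_url.rstrip("/") + "/" + endpoint_path.strip("/") + "/postResponse"
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST:
            return acs.get("Location") == expected
    return False


if __name__ == "__main__":
    for fp in idp_signing_fingerprints(SAMPLE_IDP_METADATA):
        print("IdP signing cert SHA-256:", fp)
    print("SP ACS matches /mellon:", sp_acs_matches_endpoint(SAMPLE_SP_METADATA, "https://yourdomain.com/", "/mellon"))
```

To use it on a real deployment, replace the two sample strings with the contents of /etc/httpd/mellon/FederationMetadata.xml and mellon.xml; on the IdP side, `openssl x509 -in signing.pem -noout -fingerprint -sha256` prints the same colon-separated form, so the two values can be compared by eye or over the phone.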
With the steps above you should be able to configure SSO.
You can also add proxy and reverse-proxy directives to the same VirtualHost, for example to forward authenticated requests from /protected to an application running behind Apache.
Please leave a comment if you need more help with this.