Migrate apache2 mod_auth_mellon to mod_shib

I once started protecting web sites using mod_auth_mellon. Back then it seemed much easier to implement it that way; however, Shibboleth / mod_shib is the reference SAML service-provider implementation and therefore seems to be the better choice in the long run.

For a basic introduction have a look here.

Existing mellon config

In this example we’ll change the access configuration of https://www.mydomain.de running on apache from mod_auth_mellon to mod_shib.

My current configuration looks like this (/etc/apache2/sites-enabled/www.mydomain.de.conf):

<...>
<Location />    
  MellonEnable "auth"
  MellonSecureCookie secure
  MellonCookiePath /
  MellonEndpointPath "/mellon"
  MellonDefaultLoginPath "/"
  MellonSessionLength 86400
  MellonNoCookieErrorPage "https://www.mydomain.de/no_cookie.html"
  MellonSPMetadataFile /etc/apache2/mellon/https_sp1.xml
  MellonOrganizationName "MyDomain"
  MellonOrganizationDisplayName "en" "MyDomain"
  MellonSPPrivateKeyFile /etc/apache2/mellon/sp-www.key
  MellonSPCertFile /etc/apache2/mellon/sp-www.cert
  MellonIdPMetadataFile /etc/apache2/mellon/keycloak-metadata.xml
  MellonRedirectDomains [self]
  MellonCond "eduPersonAffiliation" "Allowed Users"
</Location>
<...>

Basically I protect the whole web site and only allow access to users whose eduPersonAffiliation attribute contains “Allowed Users”. In the backend I use Keycloak as IdP, where “Allowed Users” is a mapping of an LDAP group to this SAML attribute.

In the next steps we’ll replace this section with a mod_shib configuration.

Corresponding shibd config

First we need to prepare some files. The key pair mellon has been using is reused, so the SP keeps the signing certificate the IdP already knows; the files only need to be copied to where shibd looks for them and made readable by the shibd user (on Debian/Ubuntu that is _shibd). The private key should stay readable by that user only:

linux # cp /etc/apache2/mellon/sp-www.cert /etc/shibboleth/sp-www-cert.pem
linux # cp /etc/apache2/mellon/sp-www.key /etc/shibboleth/sp-www-key.pem
linux # chown _shibd:_shibd /etc/shibboleth/sp-www*.pem
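The copy step with the file modes pinned down, as an added example (my own helper, not commands from the original post): it stages the pair for shibd, keeps the private key owner-readable only, and, when openssl is available, checks that the certificate actually belongs to the key. The function names are my own; the destination directory, the sp-www file names and the _shibd user are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: stage the SP key pair for shibd
# with owner and modes pinned down, then verify the certificate matches the key.
# Function names are assumptions; paths and the _shibd user follow the post.

SHIB_USER="${SHIB_USER:-_shibd}"

# stage_sp_credentials SRC_CERT SRC_KEY DEST NAME
# Copies the pair to DEST/NAME-cert.pem and DEST/NAME-key.pem. The certificate
# is public (0644); the private key is readable by its owner only (0600).
# Ownership is handed to SHIB_USER only when running as root and the user exists.
stage_sp_credentials() {
  src_cert="$1"; src_key="$2"; dest="$3"; name="$4"
  cp "$src_cert" "$dest/$name-cert.pem"
  cp "$src_key"  "$dest/$name-key.pem"
  chmod 0644 "$dest/$name-cert.pem"
  chmod 0600 "$dest/$name-key.pem"
  if [ "$(id -u)" -eq 0 ] && id "$SHIB_USER" >/dev/null 2>&1; then
    chown "$SHIB_USER:$SHIB_USER" "$dest/$name-cert.pem" "$dest/$name-key.pem"
  fi
}

# key_is_private FILE: true when group and other have no permission bits
# (octal mode ends in "00"), i.e. other local users cannot read the key.
key_is_private() {
  case "$(stat -c '%a' "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# cert_matches_key CERT KEY: true when the public key embedded in CERT equals
# the public key derived from KEY. Compares the SubjectPublicKeyInfo, so it
# works for RSA and EC keys alike.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Demo on a throwaway self-signed pair so nothing under /etc is touched.
# On the real box run as root instead:
#   stage_sp_credentials /etc/apache2/mellon/sp-www.cert \
#                        /etc/apache2/mellon/sp-www.key /etc/shibboleth sp-www
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.mydomain.de' \
    -keyout "$tmp/sp-www.key" -out "$tmp/sp-www.cert" >/dev/null 2>&1
  stage_sp_credentials "$tmp/sp-www.cert" "$tmp/sp-www.key" "$tmp" sp-www
  if key_is_private "$tmp/sp-www-key.pem" \
     && cert_matches_key "$tmp/sp-www-cert.pem" "$tmp/sp-www-key.pem"; then
    echo "sp-www: key mode $(stat -c '%a' "$tmp/sp-www-key.pem"), certificate matches key"
  else
    echo "sp-www: staging check FAILED" >&2
  fi
fi
```

The cert/key comparison is worth the extra lines: a mismatched pair shows up only later as the IdP rejecting signed AuthnRequests, which is much harder to diagnose than a failed check at copy time.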

After that let’s adapt the config for our web site (in my case /etc/apache2/sites-enabled/www.mydomain.de.conf). You may not need the first section, as the Ubuntu Apache Shibboleth package ships a global config file that already opens up /Shibboleth.sso; however, if you want to protect sub-directories using Shibboleth you will need to add or adapt those settings. The handler location has to stay open: the Shibboleth endpoints below it (SAML2/POST, Session, Metadata) are served by mod_shib itself and must not be subjected to the site’s Require rule.

<...>
# /Shibboleth.sso is served by mod_shib itself (SAML2/POST, Session,
# Metadata ...); it must not be covered by the site's Require rule.
<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>
<Location />
  AuthType shibboleth
  AuthName "Shibboleth"
  # Exposes the mapped attributes as HTTP request headers as well. Only needed
  # if a backend reads them as headers; the environment variables mod_shib
  # sets anyway are preferred, as they cannot be injected by a client.
  ShibUseHeaders On
  # Force a session (no lazy sessions): unauthenticated requests go to the IdP.
  ShibRequestSetting requireSession 1
  # Selects the <ApplicationOverride id="www-id"> block in shibboleth2.xml.
  ShibRequestSetting applicationId www-id
  # Same rule as MellonCond above. The attribute only reaches Apache if its id
  # is mapped in /etc/shibboleth/attribute-map.xml.
  Require shib-attr eduPersonAffiliation "Allowed Users"
  # Would let every user the IdP authenticates in, regardless of affiliation.
  #Require valid-user
</Location>
<...>

/etc/shibboleth/shibboleth2.xml

<...>
<!-- id must match the applicationId set in the Apache config; everything
     not overridden here is inherited from <ApplicationDefaults>. -->
<ApplicationOverride entityID="https://www.mydomain.de" id="www-id"
  homeURL="https://www.mydomain.de/Shibboleth.sso/Session"
  REMOTE_USER="eppn subject-id pairwise-id persistent-id">
  <!-- lifetime/timeout in seconds (mellon had MellonSessionLength 86400).
       handlerSSL and cookieProps="https" keep the session cookie off plain
       HTTP; redirectLimit="exact" is the counterpart of
       MellonRedirectDomains [self]; checkAddress="false" avoids dropping
       sessions of clients whose source address changes (NAT, proxies). -->
  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
    checkAddress="false" handlerSSL="true" handlerURL="/Shibboleth.sso"
    cookieProps="https" redirectLimit="exact">
    <!-- backing files will be placed in /var/cache/shibboleth/ -->
    <!-- the Keycloak realm's entityID; replaces MellonIdPMetadataFile -->
    <SSO entityID="https://keycloak.mydomain.de/realms/MYDOMAIN"> SAML2 </SSO>
  </Sessions>
  <!-- IdP metadata is fetched over HTTPS and cached in backingFilePath.
       validate="true" only checks the XML schema; with no signature filter
       configured, trust in this metadata rests on the TLS connection to
       keycloak.mydomain.de. -->
  <MetadataProvider type="XML" validate="true"
    url="https://keycloak.mydomain.de/realms/MYDOMAIN/protocol/saml/descriptor"
    backingFilePath="shib-metadata-keycloak-mydomain.xml"/>
  <!-- the key pair copied over from mellon, so the SP keeps the signing
       certificate the IdP already knows -->
  <CredentialResolver type="Chaining">
    <CredentialResolver type="File"
      key="/etc/shibboleth/sp-www-key.pem"
      certificate="/etc/shibboleth/sp-www-cert.pem"/>
  </CredentialResolver>
</ApplicationOverride>
<...>

Now all we need to do is to restart shibd and reload Apache (shibd -t checks the configuration for errors before you restart):

linux # systemctl restart shibd
linux # systemctl reload apache2

…and to change the “Valid redirect URIs” of the SAML client on the IdP:

From: https://www.mydomain.de/mellon/postResponse
To: https://www.mydomain.de/Shibboleth.sso/SAML2/POST

Hint: You can get the correct paths from the mellon and Shibboleth SP metadata (the latter is served at https://www.mydomain.de/Shibboleth.sso/Metadata once shibd is running) by grepping for “AssertionConsumerService” and the binding “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST“. Mind that the HTTP-POST-SimpleSign binding also contains that string, so match up to the closing quote.
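The grep from the hint, carried through as an added example (my own script, not from the original post): it pulls the HTTP-POST AssertionConsumerService Location out of an SP metadata file, which is exactly the value the IdP needs as redirect URI. The two metadata files below are constructed samples shaped like mellon’s and Shibboleth’s SP metadata; the function name is my own, the URLs are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: list the HTTP-POST
# AssertionConsumerService endpoints of an SP metadata file. The sample
# metadata below is constructed; function name is an assumption.

# acs_post_locations FILE
# Prints the Location of every AssertionConsumerService whose Binding is
# HTTP-POST. Newlines are stripped first so multi-line elements match too,
# and the binding is matched up to its closing quote so that
# HTTP-POST-SimpleSign (a different binding) is not picked up by accident.
acs_post_locations() {
  tr -d '\n' < "$1" \
    | grep -o '<[^ >]*AssertionConsumerService[^>]*>' \
    | grep 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"' \
    | sed -n 's/.*Location="\([^"]*\)".*/\1/p'
}

# Constructed samples. The real files are /etc/apache2/mellon/https_sp1.xml
# and https://www.mydomain.de/Shibboleth.sso/Metadata.
MELLON_MD=$(mktemp)
SHIB_MD=$(mktemp)
trap 'rm -f "$MELLON_MD" "$SHIB_MD"' EXIT
cat > "$MELLON_MD" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.mydomain.de">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.mydomain.de/mellon/postResponse"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://www.mydomain.de/mellon/artifactResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>
EOF
cat > "$SHIB_MD" <<'EOF'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.mydomain.de">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.mydomain.de/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://www.mydomain.de/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.mydomain.de/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF

echo "From (mellon):";     acs_post_locations "$MELLON_MD"
echo "To (shibboleth):";   acs_post_locations "$SHIB_MD"
```

Run against the real files, the two printed URLs are the “From” and “To” values for the IdP; if the Shibboleth side prints nothing, the handler is not reachable over HTTPS or shibd has not been restarted with the new ApplicationOverride yet.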
