
Apache SAML authentication with mod_shib (part 2)

There

Multiple SPs on same apache vhost

By default the helper scripts mentioned above (shib-keygen and shib-metagen) use default values such as file names and the local hostname. If you need multiple SPs within a single Apache web service, you have to generate a separate key pair and metadata for each of them and configure each one with more specific settings:

linux # shib-keygen -h www.mydomain.de -e https://www.mydomain.de/protected -n www.mydomain.de-protected
#  /etc/shibboleth/www.mydomain.de-protected-key.pem
#  /etc/shibboleth/www.mydomain.de-protected-cert.pem

linux # shib-metagen -h www.mydomain.de -e https://www.mydomain.de/protected -c www.mydomain.de-protected-cert.pem > /etc/shibboleth/mydomain-protected.xml

And the corresponding shibboleth2.xml section looks like this:

<...>
<ApplicationOverride entityID="https://www.mydomain.de/protected/Shibboleth.sso" id="federated"
    homeURL="https://www.mydomain.de/protected/Shibboleth.sso/Session"
    REMOTE_USER="eppn subject-id pairwise-id persistent-id">
    <!-- handlerURL must match the AssertionConsumerService locations published in the SP metadata
         (https://www.mydomain.de/protected/Shibboleth.sso/...), otherwise the IdP response never reaches this SP -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" handlerURL="/protected/Shibboleth.sso" cookieProps="https"
        redirectLimit="exact">
    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.mydomain.de/ds/"> SAML2 </SSO>
    </Sessions>
    <!-- backing files will be placed in /var/cache/shibboleth/ -->
    <MetadataProvider type="XML" validate="true"
        url="https://keycloak.mydomain.de/realms/MYDOMAIN/protocol/saml/descriptor"
        backingFilePath="shib-metadata-keycloak-mydomain.xml"/>
    <MetadataProvider type="XML" validate="true"
        url="https://simplesaml.otherdomain.de/simplesaml/saml2/idp/metadata.php"
        backingFilePath="shib-metadata-simplesaml-otherdomain.xml"/>
    <!-- key and certificate as written by shib-keygen above -->
    <CredentialResolver type="Chaining">
        <CredentialResolver type="File"
            key="/etc/shibboleth/www.mydomain.de-protected-key.pem"
            certificate="/etc/shibboleth/www.mydomain.de-protected-cert.pem"/>
    </CredentialResolver>
</ApplicationOverride>
<...>

Non-Standard location

The standard use case for mod_shib is protecting a complete website, not just a subset of it. Other setups are more complex (and error prone) and are therefore not recommended.

A slightly more special case, such as protecting a sub directory, looks like this:

linux # shib-metagen -h www.mydomain.de/protected -c www.mydomain-cert.pem  -e https://www.mydomain.de/protected/Shibboleth.sso
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.mydomain.de/protected/Shibboleth.sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            <... CERT HERE ...>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML/POST" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
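An added consistency check, not part of the original post or of the Shibboleth project, for the two pieces above: it parses an ApplicationOverride from shibboleth2.xml together with the SP metadata that shib-metagen produced and flags an entityID mismatch, a handlerURL that does not cover the published AssertionConsumerService locations, or session settings that would let the cookie travel over plain http. The samples are constructed from the values on this page; host and element names are assumptions.

```python
# Check that a shibboleth2.xml <ApplicationOverride> and the SP metadata
# published to the IdP agree: entityID, handlerURL vs. ACS locations, https-only session.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed samples modelled on the override and shib-metagen output shown above.
OVERRIDE = """<ApplicationOverride entityID="https://www.mydomain.de/protected/Shibboleth.sso" id="federated">
  <Sessions handlerSSL="true" cookieProps="https" handlerURL="/protected/Shibboleth.sso"/>
</ApplicationOverride>"""

METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://www.mydomain.de/protected/Shibboleth.sso">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_override(override_xml, metadata_xml, host):
    """Return a list of findings; an empty list means override and metadata are consistent."""
    findings = []
    ov = ET.fromstring(override_xml)
    md = ET.fromstring(metadata_xml)
    # The entityID in shibboleth2.xml is what the SP asserts; the IdP only knows the metadata one.
    if ov.get("entityID") != md.get("entityID"):
        findings.append("entityID mismatch: %s vs %s" % (ov.get("entityID"), md.get("entityID")))
    sessions = ov.find("Sessions")
    if sessions is None:
        return findings + ["no <Sessions> element in override"]
    if sessions.get("handlerSSL") != "true":
        findings.append("handlerSSL is not true: handler reachable over plain http")
    if sessions.get("cookieProps") != "https":
        findings.append("cookieProps is not https: session cookie may be sent over http")
    # Every ACS location the IdP may post to must sit below this override's handler.
    handler = "https://" + host + sessions.get("handlerURL", "")
    for acs in md.iterfind(".//md:AssertionConsumerService", NS):
        loc = acs.get("Location", "")
        if not loc.startswith(handler + "/"):
            findings.append("ACS %s is outside handlerURL %s" % (loc, handler))
    return findings


if __name__ == "__main__":
    for line in check_override(OVERRIDE, METADATA, "www.mydomain.de") or ["consistent"]:
        print(line)
```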
