I recently tried to clone an existing SSO-protected application to use a new IdP. The older instance was protected using SAML (keycloak based) and worked fine. Now the IdP changed to (a much larger) SimpleSAMLphp and while the login itself worked the application refused to work. Suspected culprit: attributes (missing, unmapped or mapped the wrong […]
Category: SSO
I’ve been running my nextcloud instance for quite some years now, and I finally decided to change its authentication from LDAP to SAML for a better single sign on experience. By using keycloak as IdP there’ll also be an option to enable multi factor authentication (MFA) for all connected applications at once. Where I come […]
Usually I’m using a web based mail tool, however for some tasks a full-featured mail client comes in handy. So after quite some idle time I started up my thunderbird today just to find that the GSSAPI/Kerberos authentication fails. Since the last time I used it I re-installed the mail server, so it is not […]
As mentioned earlier I was going to replace thiss-mdq with pyFF for my SAML federation metadata query service. Comparison thiss-mdq / pyFF On its project site thiss-mdq describes itself as The thiss-mdq is a minimal implementation of MDQ that only supports JSON data. while pyFF considers itself “a SAML metadata aggregator written in python”. Both […]
Categories
SAML discovery service
Federated services If you want to provide web bases services in a federated (SAML) environment, you’ll need a way for your users to select their home institution in order to log into the service using their local credentials. That service is called discovery service. What’s that discovery service doing? So what happens if a user […]
There Multiple SPs on same apache vhost By default the helper scripts mentioned above use some default values like file names and local hostname. So in case you need multiple SPs within a single apache web service, we’ll need to generate key pairs and metadata for each of them and use more specific settings for […]
I once started protecting web sites using mod_auth_mellon. Back then it seemed much easier to implement it that way, however shibboleth / mod_shib is the default implementation and therefore seems to be the better choice on the long run. For a basic introduction have a look here. Existing mellon config In this example we’ll change […]
Till now I was mainly using mod_auth_mellon in order to do SAML-based authentication for web services. I did so because it seemed quite easy to configure (and the Ubuntu mod_shib package had a nasty bug some years ago when I made first contact with SAML). However mod_shib (part of the shibboleth service provider (SP) implenetation) […]
If you want to use Keycloak as IdP for your SAML login you might wish to limit access to certain Service Providers (SPs) according to your LDAP group memberships. The way to do this is not very intuitive, so I’ll try to show an easy way to do this. What we’ll be doing: Step 1: […]
This short post is about how to run the open-webui docker container with an apache based reversed proxy (handling the SSL termination and authentication with mod-auth-mellon). In the following example the open-webui docker container is listening on localhost only, port 8009 (s. variable definition at the beginning of the apache2 config): In order to use […]