5.0 KiB
Setting Up Mellon
See keystone-as-sp
before proceeding with these Mellon-specific instructions.
Configuring Apache HTTPD for mod_auth_mellon
Note
You are advised to carefully examine the mod_auth_mellon documentation.
Follow the steps outlined at: Keystone install guide for SUSE, RedHat or Ubuntu.
Install the Module
Install the Apache module package. For example, on Ubuntu:
# apt-get install libapache2-mod-auth-mellon
The package and module name will differ between distributions.
Configure mod_auth_mellon
Unlike mod_shib
, all of mod_auth_mellon
's
configuration is done in Apache, not in a separate config file. Set up
the shared settings in a single <Location>
directive
near the top in your keystone VirtualHost file, before your protected
endpoints:
<Location /v3>
MellonEnable "info".org.key
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.cert
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
MellonEndpointPath /v3/mellon
MellonIdP "IDP"</Location>
Configure Protected Endpoints
Configure each protected path to use the Mellon
AuthType:
<Location /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth>
valid-user
RequireAuthType Mellon
MellonEnable auth</Location>
Do the same for the WebSSO auth paths if using horizon as a single sign-on frontend:
<Location /v3/auth/OS-FEDERATION/websso/saml2>
valid-user
RequireAuthType Mellon
MellonEnable auth</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/samltest/protocols/saml2/websso>
valid-user
RequireAuthType Mellon
MellonEnable auth</Location>
Configure the Mellon Service Provider Metadata
Mellon provides a script called
mellon_create_metadata.sh
_ which generates the values for
the config directives MellonSPPrivateKeyFile
,
MellonSPCertFile
, and MellonSPMetadataFile
.
Run the script:
$ ./mellon_create_metadata.sh \
https://sp.keystone.example.org/mellon \
http://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth/mellon
The first parameter is used as the entity ID, a URN of your choosing
that must uniquely identify the Service Provider to the Identity
Provider. The second parameter is the full URL for the endpoint path
corresponding to the parameter MellonEndpointPath
.
After generating the keypair and metadata, copy the files to the
locations given by the MellonSPPrivateKeyFile
and
MellonSPCertFile
settings in your Apache configuration.
Upload the Service Provider's Metadata file which you just generated to your Identity Provider. This is the file used as the value of the MellonSPMetadataFile in the config. The IdP may provide a webpage where you can upload the file, or you may be required to submit the file using wget or curl. Please check your IdP documentation for details.
Exchange Metadata
Fetch your Identity Provider's Metadata file and copy it to the path
specified by the MellonIdPMetadataFile
setting in your
Apache configuration.
$ wget -O /etc/apache2/mellon/idp-metadata.xml https://samltest.id/saml/idp
Remember to reload Apache after finishing configuring Mellon:
# systemctl reload apache2