This is a description of how to set up an SP in SURFconext using Apache and the module mod_auth_mellon. It might be a good choice for SPs with very simple requirements (a single Apache vhost, no application-level SAML handling). When in doubt, SimpleSAMLphp or Shibboleth is probably the better choice. This manual is still quite basic.
For more background and options for mod_auth_mellon, see: https://github.com/Uninett/mod_auth_mellon/tree/master
There is some ongoing discussion about the project's stewardship. We expect that to be resolved within some time.
Take note that the metadata and the metadata locations used for the test and production environments of SURFconext differ. This example uses TEST urls. Please change to production where appropriate.
Configure SURFconext IdP metadata
Generate a SAML keypair to use for mellon and download SURFconext IdP metadata.
Configure virtual host
Add the following to your virtual host (assuming it lives on https://your.example.domain).
The configuration above requires login for the entire virtual host (URL path /). Specify a different path for Location if you only want to protect a specific URL path.
Browse to the root of your vhost. This should now redirect to SURFconext, which will show an error message about an unknown SP, because the SP metadata has not been registered there yet.
The following URL should now give output:
Supply this URL to SURFconext (via SP dashboard or to SURFconext support). It will be configured on their end.
Authenticate and authorize users
Authentication might now just work.
You receive information about the user in environment variables, named like this:
(which attribute's value ends up in REMOTE_USER is defined by the MellonUser directive)
See the Mellon documentation for more information.
It's also possible to add more Mellon* directives to the Apache config, including directives that authorize users (e.g. only allow users with eduPersonAffiliation = employee) with MellonRequire. Note that MellonRequire only filters on what the IdP asserts: if SURFconext does not release the attribute to your SP, nobody will match and everybody is denied.
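The following script ties the steps above together (keypair, IdP metadata, vhost config, metadata check, and a MellonRequire authorization rule). It is an added example, not code from this page or from the mod_auth_mellon project. It assumes Debian-style Apache paths under /etc/apache2/mellon, a vhost at https://your.example.domain, Mellon's endpoints under /mellon (so the SP metadata, and therefore the default entityID, is https://your.example.domain/mellon/metadata), and a placeholder TEST metadata URL; take the real metadata location from the SURFconext documentation.

```shell
#!/bin/sh
# Added example for an Apache + mod_auth_mellon SP in SURFconext (TEST).
# Not the page's or the module's own code. Paths, hostname and the IdP
# metadata URL below are assumptions; adjust them for your deployment.
set -eu

# Placeholder: take the real TEST (or production) metadata URL from SURFconext.
IDP_METADATA_URL="${IDP_METADATA_URL:-https://metadata.test.surfconext.nl/idp-metadata.xml}"

# Mellon defaults the SP entityID to its own metadata URL.
sp_entity_id() {
    echo "https://$1/mellon/metadata"
}

# Self-signed SAML signing/encryption keypair for the SP. The cert only has
# to match what SURFconext gets in the metadata, so 10 years is customary.
make_sp_keypair() {
    dir="$1"; host="$2"
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$host" -keyout "$dir/sp.key" -out "$dir/sp.cert" 2>/dev/null
    chmod 600 "$dir/sp.key"
}

# Download the IdP metadata and sanity-check it. SURFconext signs its
# metadata; verify that signature (e.g. xmlsec1 --verify) against the
# fingerprint they publish before trusting the file.
fetch_idp_metadata() {
    url="$1"; out="$2"
    curl -fsS -o "$out" "$url"
    grep -q 'EntityDescriptor' "$out" || { echo "no EntityDescriptor in $out" >&2; return 1; }
}

# Write the vhost. Without MellonSPMetadataFile, mellon generates the SP
# metadata from the key and cert and serves it at /mellon/metadata.
write_mellon_vhost() {
    dir="$1"; host="$2"; out="$3"
    cat >"$out" <<EOF
<VirtualHost *:443>
    ServerName $host
    # TLS directives omitted; mellon sessions must only run over HTTPS.

    <Location />
        AuthType Mellon
        MellonEnable "auth"
        Require valid-user

        # login/logout/metadata/postResponse live under this path.
        MellonEndpointPath "/mellon"

        MellonSPPrivateKeyFile "$dir/sp.key"
        MellonSPCertFile "$dir/sp.cert"
        MellonIdPMetadataFile "$dir/surfconext-test-idp.xml"

        # Attributes arrive under their SAML names; map them to short
        # environment variables (MELLON_uid, MELLON_eduPersonAffiliation).
        MellonSetEnv "uid" "urn:mace:dir:attribute-def:uid"
        MellonSetEnv "eduPersonAffiliation" "urn:mace:dir:attribute-def:eduPersonAffiliation"

        # REMOTE_USER comes from this (mapped) attribute.
        MellonUser "uid"

        # Authorization: only employees, using the mapped attribute name.
        MellonRequire "eduPersonAffiliation" "employee"

        # Secure + HttpOnly on the session cookie.
        MellonSecureCookie On
    </Location>
</VirtualHost>
EOF
}

# After "apachectl graceful", the SP metadata must be served here; this is
# the URL you register with SURFconext.
check_sp_metadata() {
    curl -fsS "$(sp_entity_id "$1")" | grep -o 'entityID="[^"]*"'
}

# Typical run (root):
#   mkdir -p /etc/apache2/mellon
#   make_sp_keypair /etc/apache2/mellon your.example.domain
#   fetch_idp_metadata "$IDP_METADATA_URL" /etc/apache2/mellon/surfconext-test-idp.xml
#   write_mellon_vhost /etc/apache2/mellon your.example.domain /etc/apache2/sites-available/sp.conf
#   a2ensite sp && apachectl graceful && check_sp_metadata your.example.domain
```

Keep the private key readable by the Apache user only, and redo `fetch_idp_metadata` whenever SURFconext rotates its signing certificate, since the downloaded file is what mellon trusts.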
That's all folks
Let us know if you have any questions at firstname.lastname@example.org.