
This page describes how to set up a Service Provider (SP) for SURFconext using Apache and the module mod_auth_mellon. It can be a good choice for SPs with very simple requirements; when in doubt, SimpleSAMLphp or Shibboleth is probably the better choice. This manual is still quite basic.

For more background and configuration options for mod_auth_mellon, see: https://github.com/Uninett/mod_auth_mellon/tree/master

There is some ongoing discussion about the project's stewardship. We expect that to be resolved in due course.

SURFconext Metadata

Note that the metadata, and the locations it is served from, differ between the SURFconext test and production environments. This example uses TEST URLs; change them to the production ones where appropriate.

Install things

apt install apache2 libapache2-mod-auth-mellon
a2enmod auth_mellon
service apache2 restart

Configure Apache to serve your application first. Set up HTTPS with a valid certificate and a high score on https://ssllabs.com/ssltest and/or https://internet.nl; the SAML responses and the Mellon session cookie must only ever travel over HTTPS.

Configure SURFconext IdP metadata

Generate a SAML keypair for mellon (the certificate is self-signed and only has to be stable, not trusted by a CA; SURFconext learns it from your SP metadata) and download the SURFconext IdP metadata and signing certificate.

mkdir /etc/apache2/mellon/
cd /etc/apache2/mellon/

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.pem -keyout saml.key

curl -O https://metadata.test.surfconext.nl/engineblock.test.surfconext.nl.20190208.pem
curl -O https://metadata.test.surfconext.nl/idp-metadata.xml

Make sure saml.key is not world-readable: only the user Apache runs as needs to read it. Note that the certificate file name carries a date; SURFconext rotates its signing certificate from time to time, and the PEM you configure must be the one published in the IdP metadata.
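The PEM downloaded above is what mellon will trust as the IdP signing key, so it is worth checking that it really is the signing certificate published in idp-metadata.xml before wiring it into the Apache config. The script below does that check; it is an added example written for this page, not code from SURFconext or from mod_auth_mellon. The metadata document, the entityID and the certificate bytes in it are constructed stand-ins (real DER would be far longer); run it as `python3 check_idp_cert.py engineblock.test.surfconext.nl.20190208.pem idp-metadata.xml` against the real files.

```python
"""Verify that an IdP certificate PEM matches a signing certificate in SAML metadata.

Added example for the SURFconext mod_auth_mellon page; not part of the page or of
mod_auth_mellon. Sample metadata and certificate bytes below are constructed.
"""
import base64
import re
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_to_der(pem_text):
    """Strip the PEM armour and return the raw DER bytes of the first certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def metadata_signing_certs(metadata_xml):
    """Return the DER bytes of every certificate the IDPSSODescriptor publishes for signing.

    A KeyDescriptor without a 'use' attribute may be used for both signing and
    encryption, so it is treated as a signing key; 'encryption' keys are skipped
    because mellon must not accept responses signed with them.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((x509.text or "").split())))
    return certs


def pem_matches_metadata(pem_text, metadata_xml):
    """True if the PEM's certificate is one of the metadata's signing certificates."""
    return pem_to_der(pem_text) in metadata_signing_certs(metadata_xml)


# --- constructed sample data (stand-ins, not real certificates or real SURFconext metadata) ---
SAMPLE_DER = b"constructed stand-in for the DER-encoded IdP signing certificate"
ENCRYPTION_DER = b"constructed stand-in for an encryption-only certificate"


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_PEM = _pem(SAMPLE_DER)                       # what a correct download looks like
ENCRYPTION_PEM = _pem(ENCRYPTION_DER)               # wrong key: published, but for encryption
OTHER_PEM = _pem(b"constructed unrelated certificate")  # wrong key: not in the metadata at all

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SAMPLE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ENCRYPTION_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_idp_cert.py <idp-cert.pem> <idp-metadata.xml>")
    with open(sys.argv[1]) as f_pem, open(sys.argv[2]) as f_md:
        ok = pem_matches_metadata(f_pem.read(), f_md.read())
    print("OK: PEM is a signing certificate in the metadata" if ok
          else "MISMATCH: do not use this PEM as MellonIdPPublicKeyFile")
    sys.exit(0 if ok else 1)
```

The comparison is on decoded DER bytes, so differences in line wrapping between the PEM file and the metadata do not matter; a certificate that appears only under use="encryption" is deliberately rejected.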


Configure virtual host

Add the following to your virtual host (assuming it is served at https://your.example.domain). MellonSPentityId is the identifier SURFconext will know your SP by; pick it once and keep it stable. MellonSecureCookie marks the session cookie Secure and HttpOnly, which is another reason the vhost must be HTTPS-only.

<Location />
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    MellonIdPPublicKeyFile /etc/apache2/mellon/engineblock.test.surfconext.nl.20190208.pem
    MellonSPCertFile /etc/apache2/mellon/saml.pem
    MellonSPPrivateKeyFile /etc/apache2/mellon/saml.key
    MellonSecureCookie On
    MellonSPentityId "https://your.example.domain"
    MellonOrganizationName "Your Organization Name"

    AuthType "Mellon"
    Require valid-user
    MellonEnable "auth"
</Location>

Reload Apache.

The configuration above requires login for the entire virtual host (URL path /). Specify a different path in the Location directive if you only want to protect a specific URL path; mellon's own endpoints (by default under /mellon/) keep working either way.

Browse to the root of your vhost. You should now be redirected to SURFconext, which will show an error about an unknown SP until your metadata has been registered there.

The following URL should now return your SP metadata, including the certificate from saml.pem: https://your.example.domain/mellon/metadata.

Supply this URL to SURFconext (via the SP dashboard or to SURFconext support). It will be configured on their end.

Authenticate and authorize users

Once SURFconext has registered your SP, authentication should work: users are redirected to SURFconext, log in at their institution, and are sent back to your application.

After login, mod_auth_mellon passes information about the user to your application in environment variables, named like this:

REMOTE_USER

(which attribute's value ends up in REMOTE_USER is defined by the MellonUser directive; the default is the SAML NameID)

MELLON_urn:mace:dir:attribute-def:eduPersonPrincipalName

and so on: every released attribute is exported as MELLON_<attribute name>, and a multi-valued attribute is additionally exported as MELLON_<name>_0, MELLON_<name>_1, etc. Attribute names can be mapped to shorter environment variable names with MellonSetEnv.

See the Mellon documentation for more information.

It is also possible to add more Mellon* directives to the Apache config, including directives to authorize users with MellonRequire, e.g. only allow users with eduPersonAffiliation = employee by requiring the attribute "urn:mace:dir:attribute-def:eduPersonAffiliation" to have the value "employee". A MellonRequire directive matches if any of its listed values is present; when several MellonRequire directives are given, all of them must match, and a user who fails them gets a 403 from Apache before your application is reached.
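Even with MellonRequire in place, the application usually has to read the same attributes itself, for instance to show the user's name or to apply finer-grained rules. The WSGI example below shows how to turn the MELLON_* variables into a multi-valued attribute map and how to enforce the page's employee rule in a fail-closed way. It is an added example, not code from the SURFconext page or from mod_auth_mellon; the environ dictionaries are constructed stand-ins for what Apache hands to a CGI/WSGI application after a SURFconext login, and the attribute names are the urn:mace:dir ones SURFconext releases.

```python
"""Read mod_auth_mellon's MELLON_* variables and enforce an affiliation rule.

Added example for the SURFconext mod_auth_mellon page; not part of the page or of
mod_auth_mellon. SAMPLE_ENVIRON and STUDENT_ONLY_ENVIRON are constructed.
"""
from collections import defaultdict

PREFIX = "MELLON_"  # mod_auth_mellon's default MellonEnvPrefix
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"


def mellon_attributes(environ):
    """Collect MELLON_<name>_<n> variables into {name: [value0, value1, ...]}.

    mellon exports MELLON_<name> (first value only) and MELLON_<name>_0,
    MELLON_<name>_1, ... (every value). Only the numbered variables are read,
    so multi-valued attributes such as eduPersonAffiliation are not truncated.
    """
    collected = defaultdict(dict)
    for key, value in environ.items():
        if not key.startswith(PREFIX):
            continue
        name, sep, index = key[len(PREFIX):].rpartition("_")
        if sep and index.isdigit():
            collected[name][int(index)] = value
    return {name: [v for _, v in sorted(vals.items())] for name, vals in collected.items()}


def authorize(environ, required_affiliation="employee"):
    """Return (allowed, detail). Fails closed: no REMOTE_USER or no matching value denies.

    A user with affiliations ['student', 'employee'] must be allowed, which is why
    the check is membership in the full value list, not equality with the first value.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return False, "not authenticated"
    affiliations = mellon_attributes(environ).get(AFFILIATION, [])
    if required_affiliation not in affiliations:
        return False, f"{user} lacks affiliation {required_affiliation!r} (has {affiliations})"
    return True, user


def application(environ, start_response):
    """Minimal WSGI app behind mellon: authentication is done, authorization is enforced here."""
    allowed, detail = authorize(environ)
    if not allowed:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [f"Forbidden: {detail}\n".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello {detail}\n".encode()]


# --- constructed sample environs (stand-ins for what Apache passes after a SURFconext login) ---
SAMPLE_ENVIRON = {
    "REMOTE_USER": "jdoe@example.org",
    PREFIX + EPPN: "jdoe@example.org",
    PREFIX + EPPN + "_0": "jdoe@example.org",
    PREFIX + AFFILIATION: "student",          # first value only; would wrongly deny if used alone
    PREFIX + AFFILIATION + "_0": "student",
    PREFIX + AFFILIATION + "_1": "employee",
}

STUDENT_ONLY_ENVIRON = {
    "REMOTE_USER": "astudent@example.org",
    PREFIX + EPPN: "astudent@example.org",
    PREFIX + EPPN + "_0": "astudent@example.org",
    PREFIX + AFFILIATION: "student",
    PREFIX + AFFILIATION + "_0": "student",
}


if __name__ == "__main__":
    for env in (SAMPLE_ENVIRON, STUDENT_ONLY_ENVIRON, {}):
        print(authorize(env))
```

If colons in variable names are awkward for your runtime, map the attribute to a plain name in Apache with MellonSetEnv (for example MellonSetEnv affiliation urn:mace:dir:attribute-def:eduPersonAffiliation) and adjust AFFILIATION accordingly; the numbered suffixes are kept for mapped names as well.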

That's all folks

Let us know if you have any questions at support@surfconext.nl.