Apache HTTP Server (IdP-initiated) Integration Guide

Introduction

Use this guide to enable Multi-Factor Authentication access to the Apache HTTP Server using Shibboleth SP.

Prerequisites

1. Have an Apache HTTP Server account

2. Create a New Realm for the Apache HTTP Server integration

3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

Overview – the description of the realm and SMTP connections must be defined
Data – an enterprise directory must be integrated with SecureAuth IdP
Workflow – the way in which users will access this application must be defined
Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

Apache Configuration Steps

[adminuser@localhost conf.d]$ cat shib.conf 
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
# RPM installations on platforms with a conf.d directory will
# result in this file being copied into that directory for you
# and preserved across upgrades.
# For non-RPM installs, you should copy the relevant contents of
# this file to a configuration location you control.
#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
#
# Ensures handler will be accessible.
#
<Location /Shibboleth.sso>
  Satisfy Any
  Allow from all
</Location>
#
# Used for example style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Satisfy Any
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>


#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /google>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

Warning

This process is different for AJP13 connectors

[adminuser@localhost conf.d]$ cat proxy.conf 
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
ProxyRequests On
SSLProxyEngine on 
ProxyVia Block
ProxyPass /sample https://192.168.1.170:8443/sample
ProxyPassReverse /sample https://192.168.1.170:8443/sample
ProxyPass /SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPassReverse /SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPass /saml/SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPassReverse /saml/SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPass /saml https://192.168.1.25/SecureAuth3/Authorized/SAML20IdPInit.aspx
ProxyPassReverse /saml https://192.168.1.25/SecureAuth3/Authorized/SAML20IdPInit.aspx
ProxyPass /google http://www.google.com
ProxyPassReverse /google http://www.google.com
</IfModule>

[adminuser@localhost shibboleth]$ cat secureauth.xml 
<md:EntityDescriptor entityID="secureauth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIFZDCCBEygAwIBAgIKLUaCiQAAAAAFeTANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFlNlY3VyZUF1dGggQ29ycG9yYXRpb24xOzA5BgNVBAsTMihjKSAyMDEyIFNlY3VyZUF1dGggQ29ycCAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEmMCQGA1UEAxMdU2VjdXJlQXV0aCBJbnRlcm1lZGlhdGUgQ0EgMUEwHhcNMTMwOTMwMTY1NTU3WhcNMjMwOTMwMTY1NTU3WjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAcTBklydmluZTEiMCAGA1UEChMZU2FsZXMgRW5naW5lZXIgU2VjdXJlQXV0aDEXMBUGA1UECxMOU2FsZXMgRW5naW5lZXIxLDAqBgNVBAMTI05pY2hvbGFzQnVjaGFub24wMVZNLnNlY3VyZWF1dGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnO9uC6uTtSXzIXdMbsBiAOU1yOdAJFSjR0T2XRBJ5kfh/KGRQLktU+OcPDVRszowOmoifQ4sithAD+CYvvJLQByRogGCEMjPYD7PzIFMpPC1VaNMOw+m6kM+LgCtnSnF/6h0Pn9zDBPHdNXygUlxHV3P9Tk8szG9X/5NITxUlGIauGJVAr+F8Wq/z4cybCxy6lZso3NE6om+R8Ieh97NrnmtPkuN35JYclF01mhCPFKGOrI1v5z6Uurjt0HBeJLmx0kEK1uoIh03oQpM2XurzYYaS0mszpYXs0khigFW2tRZ1cJv2i146SYt0PgNreGsw8W82F5dHDxX+JQJlq+VMwIDAQABo4IBdzCCAXMwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUPVtAH2dI3AHOjxDoezt92Gu8mXEwHwYDVR0jBBgwFoAUxgSdmPDKdjfM0WXV/LP7dSy5Fg0wYwYDVR0fBFwwWjBYoFagVIZSaHR0cDovL3g1MDkubXVsdGlmYWN0b3J0cnVzdDMuY29tL0NlcnRJbmZvL1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNybDCBmQYIKwYBBQUHAQEEgYwwgYkwgYYGCCsGAQUFBzAChnpodHRwOi8veDUwOS5tdWx0aWZhY3RvcnRydXN0My5jb20vQ2VydEluZm8vU0FJbnRDQS0xQS5iYW5uZXIubXVsdGlmYWN0b3J0cnVzdDMuY29tX1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAbseoACfXNYwrGafRXSNYegyQmHsOH+Fj52ZpJaF+h42hY61S60W8JwOxilOCQjcFxuthIjwEAGGA0k2e1aJyk4jq9qLRdQRudQu9w25UzuVx6KY+RksJTH4VhpisxyfID6dpbIioP4v9ufJ1S5I6s+Zuqs8KASx3UmrjbBHeqm2q///Lmp7kXzOQWGFwW0317kXLHaD8P6OE4LLRG11fTGu0jE3oTC6UtizET/vBwE7skv524SszUTalJY2jSDNpzEeuI9RYolHbC3aOxafeFn6ixLBGGpQ6+K9sblzqJFeTXUADQF/lnk/HRNNeo5yJO6NGLTwaXrWN0dW8cSMEjg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" index="0" isDefault="1" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIFZDCCBEygAwIBAgIKLUaCiQAAAAAFeTANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFlNlY3VyZUF1dGggQ29ycG9yYXRpb24xOzA5BgNVBAsTMihjKSAyMDEyIFNlY3VyZUF1dGggQ29ycCAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEmMCQGA1UEAxMdU2VjdXJlQXV0aCBJbnRlcm1lZGlhdGUgQ0EgMUEwHhcNMTMwOTMwMTY1NTU3WhcNMjMwOTMwMTY1NTU3WjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAcTBklydmluZTEiMCAGA1UEChMZU2FsZXMgRW5naW5lZXIgU2VjdXJlQXV0aDEXMBUGA1UECxMOU2FsZXMgRW5naW5lZXIxLDAqBgNVBAMTI05pY2hvbGFzQnVjaGFub24wMVZNLnNlY3VyZWF1dGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnO9uC6uTtSXzIXdMbsBiAOU1yOdAJFSjR0T2XRBJ5kfh/KGRQLktU+OcPDVRszowOmoifQ4sithAD+CYvvJLQByRogGCEMjPYD7PzIFMpPC1VaNMOw+m6kM+LgCtnSnF/6h0Pn9zDBPHdNXygUlxHV3P9Tk8szG9X/5NITxUlGIauGJVAr+F8Wq/z4cybCxy6lZso3NE6om+R8Ieh97NrnmtPkuN35JYclF01mhCPFKGOrI1v5z6Uurjt0HBeJLmx0kEK1uoIh03oQpM2XurzYYaS0mszpYXs0khigFW2tRZ1cJv2i146SYt0PgNreGsw8W82F5dHDxX+JQJlq+VMwIDAQABo4IBdzCCAXMwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUPVtAH2dI3AHOjxDoezt92Gu8mXEwHwYDVR0jBBgwFoAUxgSdmPDKdjfM0WXV/LP7dSy5Fg0wYwYDVR0fBFwwWjBYoFagVIZSaHR0cDovL3g1MDkubXVsdGlmYWN0b3J0cnVzdDMuY29tL0NlcnRJbmZvL1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNybDCBmQYIKwYBBQUHAQEEgYwwgYkwgYYGCCsGAQUFBzAChnpodHRwOi8veDUwOS5tdWx0aWZhY3RvcnRydXN0My5jb20vQ2VydEluZm8vU0FJbnRDQS0xQS5iYW5uZXIubXVsdGlmYWN0b3J0cnVzdDMuY29tX1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAbseoACfXNYwrGafRXSNYegyQmHsOH+Fj52ZpJaF+h42hY61S60W8JwOxilOCQjcFxuthIjwEAGGA0k2e1aJyk4jq9qLRdQRudQu9w25UzuVx6KY+RksJTH4VhpisxyfID6dpbIioP4v9ufJ1S5I6s+Zuqs8KASx3UmrjbBHeqm2q///Lmp7kXzOQWGFwW0317kXLHaD8P6OE4LLRG11fTGu0jE3oTC6UtizET/vBwE7skv524SszUTalJY2jSDNpzEeuI9RYolHbC3aOxafeFn6ixLBGGpQ6+K9sblzqJFeTXUADQF/lnk/HRNNeo5yJO6NGLTwaXrWN0dW8cSMEjg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>

[adminuser@localhost shibboleth]$ cat shibboleth2.xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->
    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
    
    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">
        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http">
            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="secureauth">
              SAML2
            </SSO>
            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
            
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        
        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
        </MetadataProvider>
        -->
        <!-- Example of locally maintained metadata. -->
        <MetadataProvider type="XML" file="secureauth.xml"/>
        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        
        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>
        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.
        
        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>
    
    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

SecureAuth IdP Configuration Steps

Data

1. In the Profile Fields section, map the directory field that contains the user's Apache ID to the SecureAuth IdP Property

For example, add the Apache ID to the Email 2 Property if it is not already contained somewhere else

Warning

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication

2. Select SAML 2.0 (IdP Initiated) Assertion Page from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin

3. An unalterable URL will be auto-populated in the Redirect To field, which will append to the domain name and realm number in the address bar (Authorized/SAML20IdPInit.aspx)

4. A customized post authentication page can be uploaded, but it is not required

User ID Mapping

5. Select the SecureAuth IdP Property that corresponds to the directory field that contains the Aphache ID (Email 2)

6. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

Select a different option if Apache requires it, which the Service Provider (SP) will provide

7. Select False from the Encode to Base64 dropdown

SAML Assertion / WS Federation

8. Set the WSFed Reply To/SAML Target URL to the resource URL to where users will be redirected once authenticated (e.g. https://[domain]/google)

9. Set the SAML Consumer URL to the URL at which the SAML assertions will be validated

For this integration, it would be the Shibboleth module (e.g. https://[domain]/Shibboleth.sso)

10. Set the WSFed/SAML Issuer to a Unique Name that will be shared with Apache

The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the Apache side

11. Set the SAML Offset Minutes to make up for time differences between devices

12. Set the SAML Valid Hours to limit for how long the SAML assertion is valid

Note

No configuration is required for the SAML Recipient, SAML Audience, or SP Start URL fields

13. Leave the Signing Cert Serial Number as the default value, unless there is a third-party certificate being used for the SAML assertion

If using a third-party certificate, click Select Certificate and choose the appropriate certificate

14. Provide the Domain in order to Download the Metadata File to send to Apache (if required)

Warning

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

Optionally, in the Forms Auth / SSO Token section, click the View and Configure FormsAuth keys/SSO token link to configure the token/cookie settings and configure this realm for SSO.

In the Forms Authentication section, set the following:

Require SSL	If the SSL is required to view the token, set to True.
Cookieless	Indicate whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device: UseCookies – Always deliver a cookie UseUri – Do not deliver a cookie, deliver the token in a query string AutoDetect – Deliver a cookie if the user's settings allow it. UseDeviceProfile – Deliver a cookie if the browser settings allow it, regardless of the user's settings
Sliding Expiration	For the cookie to remain valid as long as the user is interacting with the page, set to True.
Timeout	Set the length of time in minutes the cookie is valid.

In the Machine Key section, set the following:

Validation	If the default value does not match your organization's requirements, choose another value.
Decryption	If the default value does not match your organization's requirements, choose another value.

In the Authentication Cookies section, set the following:

Persistent

Set one of the following values:

True - Expires after Timeout – Allow the cookie to be persistent
False - Session Cookie – Allow the cookie to be valid as long as the session is open, and expires when the browser is closed or the session expires

Save your changes.

Note

To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration

Note

To configure this realm for Windows Desktop SSO, refer to Windows desktop SSO configuration

In this section:

Apache HTTP Server (IdP-initiated) Integration Guide

Introduction

Prerequisites

Apache Configuration Steps

Warning

SecureAuth IdP Configuration Steps

Data

Warning

Post Authentication

User ID Mapping

SAML Assertion / WS Federation

Note

Warning

Forms Auth / SSO Token

Note

Note

Search results