Introduction

Use this guide to enable 2-Factor Authentication access to the Apache HTTP Server using Shibboleth SP.

Prerequisites

1. Have an Apache HTTP Server account

2. Create a New Realm for the Apache HTTP Server integration

3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods – the 2-Factor Authentication methods that will be used to access this page (if any) must be defined
Apache Configuration Steps

1. Download and install Shibboleth SP

2. Add this configuration to Apache
[adminuser@localhost conf.d]$ cat shib.conf 
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
# RPM installations on platforms with a conf.d directory will
# result in this file being copied into that directory for you
# and preserved across upgrades.
# For non-RPM installs, you should copy the relevant contents of
# this file to a configuration location you control.
#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
#
# Ensures handler will be accessible.
#
<Location /Shibboleth.sso>
  Satisfy Any
  Allow from all
</Location>
#
# Used for example style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Satisfy Any
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>


#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /google>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require shib-session
</Location>
3. Configure mod_proxy

This process differs for AJP13 connectors

[adminuser@localhost conf.d]$ cat proxy.conf 
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
# Reverse proxy only: ProxyPass does not need ProxyRequests, and leaving it
# On also turns Apache into a forward (open) proxy for anyone who can reach it.
ProxyRequests Off
SSLProxyEngine on 
ProxyVia Block
ProxyPass /sample https://192.168.1.170:8443/sample
ProxyPassReverse /sample https://192.168.1.170:8443/sample
ProxyPass /SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPassReverse /SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPass /saml/SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPassReverse /saml/SecureAuth3 https://192.168.1.25/SecureAuth3
ProxyPass /saml https://192.168.1.25/SecureAuth3/Authorized/SAML20IdPInit.aspx
ProxyPassReverse /saml https://192.168.1.25/SecureAuth3/Authorized/SAML20IdPInit.aspx
ProxyPass /google http://www.google.com
ProxyPassReverse /google http://www.google.com
</IfModule>
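The shib.conf comments above state two hard rules (a Location that sets AuthType shibboleth must also carry a require directive, and requireSession should be on for protected paths), and the proxy.conf step adds a third (a ProxyPass reverse proxy should run with ProxyRequests Off). The following pre-flight linter is an added example, not code from the SecureAuth guide or the Shibboleth project; the directive names are real Apache and mod_shib directives, while the sample config it runs over is a constructed, shortened copy of the two files above with one deliberately broken Location:

```python
"""Pre-flight lint for the Apache side of a Shibboleth SP setup (added example)."""
import re

LOCATION_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.IGNORECASE)
LOCATION_CLOSE = re.compile(r"^</Location>$", re.IGNORECASE)


def _strip(line):
    """Trim whitespace; Apache comments are whole lines starting with '#'."""
    line = line.strip()
    return "" if line.startswith("#") else line


def parse_locations(conf):
    """Return {path: [directive lines]} for every <Location> block.

    Other containers (e.g. <IfModule>) are ignored; directives outside any
    Location, including those container tags, are collected under key None.
    """
    blocks = {None: []}
    current = None
    for raw in conf.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = LOCATION_OPEN.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
            continue
        if LOCATION_CLOSE.match(line):
            current = None
            continue
        blocks[current].append(line)
    return blocks


def lint_shib(conf):
    """Findings for the mod_shib rules; an empty list means clean."""
    findings = []
    for path, lines in parse_locations(conf).items():
        if path is None:
            continue
        lowered = [l.lower() for l in lines]
        if not any(l.startswith("authtype shibboleth") for l in lowered):
            continue  # not a Shibboleth-protected location
        if not any(l.startswith("require ") for l in lowered):
            findings.append(f"{path}: AuthType shibboleth without a require directive")
        if not any(re.match(r"shibrequestsetting\s+requiresession\s+1$", l) for l in lowered):
            findings.append(f"{path}: requireSession is not enabled")
    return findings


def lint_proxy(conf):
    """Findings for the mod_proxy rule; an empty list means clean."""
    findings = []
    lines = [_strip(l).lower() for l in conf.splitlines()]
    uses_proxypass = any(l.startswith("proxypass ") for l in lines)
    requests_on = any(re.match(r"proxyrequests\s+on$", l) for l in lines)
    if uses_proxypass and requests_on:
        findings.append("ProxyRequests On with ProxyPass: Apache also acts as a forward proxy; use ProxyRequests Off")
    return findings


# Constructed, shortened copy of the guide's shib.conf and proxy.conf;
# the /sample Location is intentionally incomplete.
SAMPLE_CONF = """
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
<Location /Shibboleth.sso>
  Satisfy Any
  Allow from all
</Location>
<Location /google>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require shib-session
</Location>
<Location /sample>
  AuthType shibboleth
  # missing require and requireSession: the module will not process this path
</Location>
<IfModule mod_proxy.c>
ProxyRequests On
ProxyPass /google http://www.google.com
ProxyPassReverse /google http://www.google.com
</IfModule>
"""

if __name__ == "__main__":
    for finding in lint_shib(SAMPLE_CONF) + lint_proxy(SAMPLE_CONF):
        print("WARN", finding)
```

Run it against the real files by reading them into a string instead of SAMPLE_CONF; a clean result is two empty lists. It deliberately does not understand every Apache container, so nested Location blocks inside a VirtualHost still work, but conditions spread across Include files are not followed.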
4. Create an XML file for SecureAuth IdP metadata
[adminuser@localhost shibboleth]$ cat secureauth.xml 
<md:EntityDescriptor entityID="secureauth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIFZDCCBEygAwIBAgIKLUaCiQAAAAAFeTANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFlNlY3VyZUF1dGggQ29ycG9yYXRpb24xOzA5BgNVBAsTMihjKSAyMDEyIFNlY3VyZUF1dGggQ29ycCAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEmMCQGA1UEAxMdU2VjdXJlQXV0aCBJbnRlcm1lZGlhdGUgQ0EgMUEwHhcNMTMwOTMwMTY1NTU3WhcNMjMwOTMwMTY1NTU3WjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAcTBklydmluZTEiMCAGA1UEChMZU2FsZXMgRW5naW5lZXIgU2VjdXJlQXV0aDEXMBUGA1UECxMOU2FsZXMgRW5naW5lZXIxLDAqBgNVBAMTI05pY2hvbGFzQnVjaGFub24wMVZNLnNlY3VyZWF1dGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnO9uC6uTtSXzIXdMbsBiAOU1yOdAJFSjR0T2XRBJ5kfh/KGRQLktU+OcPDVRszowOmoifQ4sithAD+CYvvJLQByRogGCEMjPYD7PzIFMpPC1VaNMOw+m6kM+LgCtnSnF/6h0Pn9zDBPHdNXygUlxHV3P9Tk8szG9X/5NITxUlGIauGJVAr+F8Wq/z4cybCxy6lZso3NE6om+R8Ieh97NrnmtPkuN35JYclF01mhCPFKGOrI1v5z6Uurjt0HBeJLmx0kEK1uoIh03oQpM2XurzYYaS0mszpYXs0khigFW2tRZ1cJv2i146SYt0PgNreGsw8W82F5dHDxX+JQJlq+VMwIDAQABo4IBdzCCAXMwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUPVtAH2dI3AHOjxDoezt92Gu8mXEwHwYDVR0jBBgwFoAUxgSdmPDKdjfM0WXV/LP7dSy5Fg0wYwYDVR0fBFwwWjBYoFagVIZSaHR0cDovL3g1MDkubXVsdGlmYWN0b3J0cnVzdDMuY29tL0NlcnRJbmZvL1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNybDCBmQYIKwYBBQUHAQEEgYwwgYkwgYYGCCsGAQUFBzAChnpodHRwOi8veDUwOS5tdWx0aWZhY3RvcnRydXN0My5jb20vQ2VydEluZm8vU0FJbnRDQS0xQS5iYW5uZXIubXVsdGlmYWN0b3J0cnVzdDMuY29tX1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAbseoACfXNYwrGafRXSNYegyQmHsOH+Fj52ZpJaF+h42hY61S60W8JwOxilOCQjcFxuthIjwEAGGA0k2e1aJyk4jq9qLRdQRudQu9w25UzuVx6KY+RksJTH4VhpisxyfID6dpbIioP4v9ufJ1S5I6s+Zuqs8KASx3UmrjbBHeqm2q///Lmp7kXzOQWGFwW0317kXLHaD8P6OE4LLRG11fTGu0jE3oTC6UtizET/vBwE7skv524SszUTalJY2jSDNpzEeuI9RYolHbC3aOxafeFn6ixLBGGpQ6+K9sblzqJFeTXUADQF/lnk/HRNNeo5yJO6NGLTwaXrWN0dW8cSMEjg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" index="0" isDefault="1" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vmsa.vmdom.local/SecureAuth11/" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIFZDCCBEygAwIBAgIKLUaCiQAAAAAFeTANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFlNlY3VyZUF1dGggQ29ycG9yYXRpb24xOzA5BgNVBAsTMihjKSAyMDEyIFNlY3VyZUF1dGggQ29ycCAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEmMCQGA1UEAxMdU2VjdXJlQXV0aCBJbnRlcm1lZGlhdGUgQ0EgMUEwHhcNMTMwOTMwMTY1NTU3WhcNMjMwOTMwMTY1NTU3WjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAcTBklydmluZTEiMCAGA1UEChMZU2FsZXMgRW5naW5lZXIgU2VjdXJlQXV0aDEXMBUGA1UECxMOU2FsZXMgRW5naW5lZXIxLDAqBgNVBAMTI05pY2hvbGFzQnVjaGFub24wMVZNLnNlY3VyZWF1dGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnO9uC6uTtSXzIXdMbsBiAOU1yOdAJFSjR0T2XRBJ5kfh/KGRQLktU+OcPDVRszowOmoifQ4sithAD+CYvvJLQByRogGCEMjPYD7PzIFMpPC1VaNMOw+m6kM+LgCtnSnF/6h0Pn9zDBPHdNXygUlxHV3P9Tk8szG9X/5NITxUlGIauGJVAr+F8Wq/z4cybCxy6lZso3NE6om+R8Ieh97NrnmtPkuN35JYclF01mhCPFKGOrI1v5z6Uurjt0HBeJLmx0kEK1uoIh03oQpM2XurzYYaS0mszpYXs0khigFW2tRZ1cJv2i146SYt0PgNreGsw8W82F5dHDxX+JQJlq+VMwIDAQABo4IBdzCCAXMwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUPVtAH2dI3AHOjxDoezt92Gu8mXEwHwYDVR0jBBgwFoAUxgSdmPDKdjfM0WXV/LP7dSy5Fg0wYwYDVR0fBFwwWjBYoFagVIZSaHR0cDovL3g1MDkubXVsdGlmYWN0b3J0cnVzdDMuY29tL0NlcnRJbmZvL1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNybDCBmQYIKwYBBQUHAQEEgYwwgYkwgYYGCCsGAQUFBzAChnpodHRwOi8veDUwOS5tdWx0aWZhY3RvcnRydXN0My5jb20vQ2VydEluZm8vU0FJbnRDQS0xQS5iYW5uZXIubXVsdGlmYWN0b3J0cnVzdDMuY29tX1NlY3VyZUF1dGglMjBJbnRlcm1lZGlhdGUlMjBDQSUyMDFBLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAbseoACfXNYwrGafRXSNYegyQmHsOH+Fj52ZpJaF+h42hY61S60W8JwOxilOCQjcFxuthIjwEAGGA0k2e1aJyk4jq9qLRdQRudQu9w25UzuVx6KY+RksJTH4VhpisxyfID6dpbIioP4v9ufJ1S5I6s+Zuqs8KASx3UmrjbBHeqm2q///Lmp7kXzOQWGFwW0317kXLHaD8P6OE4LLRG11fTGu0jE3oTC6UtizET/vBwE7skv524SszUTalJY2jSDNpzEeuI9RYolHbC3aOxafeFn6ixLBGGpQ6+K9sblzqJFeTXUADQF/lnk/HRNNeo5yJO6NGLTwaXrWN0dW8cSMEjg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vmsa.vmdom.local/SecureAuth11/" />
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
5. Edit shibboleth2.xml
[adminuser@localhost shibboleth]$ cat shibboleth2.xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->
    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
    
    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">
        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http">
            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="secureauth">
              SAML2
            </SSO>
            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
            
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        
        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
        </MetadataProvider>
        -->
        <!-- Example of locally maintained metadata. -->
        <MetadataProvider type="XML" file="secureauth.xml"/>
        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        
        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>
        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.
        
        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>
    
    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
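Steps 4 and 5 only work together when the entityID in secureauth.xml is the value named by the SSO element in shibboleth2.xml and that file is the one the MetadataProvider loads; the same value is what the IdP side later calls the WSFed/SAML Issuer. The checker below is an added example, not code from the SecureAuth guide or the Shibboleth project. It uses the real SAML metadata and Shibboleth SP element names, decodes the signing certificate far enough to confirm it is DER, and flags the non-TLS Sessions settings that the file's own comment warns about; the two XML documents it runs over are constructed, shortened stand-ins for the files above, and the certificate is a placeholder, not a real one:

```python
"""Consistency check between IdP metadata and shibboleth2.xml (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "sp": "urn:mace:shibboleth:2.0:native:sp:config",
}
TLS_FINDING = 'Sessions: set handlerSSL="true" and cookieProps="https" so the session cookie is only sent over TLS'


def idp_entity_id(metadata_xml):
    """entityID of the IdP from its SAML metadata."""
    return ET.fromstring(metadata_xml).get("entityID")


def idp_signing_certs(metadata_xml):
    """Raw DER bytes of every KeyDescriptor certificate usable for signing."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    return certs


def sp_settings(sp_xml):
    """Pull the handful of shibboleth2.xml values the check needs."""
    root = ET.fromstring(sp_xml)
    app = root.find("sp:ApplicationDefaults", NS)
    sessions = app.find("sp:Sessions", NS)
    return {
        "sso_entity_id": sessions.find("sp:SSO", NS).get("entityID"),
        "metadata_files": [m.get("file") for m in app.findall("sp:MetadataProvider", NS) if m.get("file")],
        "handlerSSL": sessions.get("handlerSSL", "true"),  # SP default is true
        "cookieProps": sessions.get("cookieProps", ""),
    }


def check(metadata_xml, sp_xml, metadata_filename):
    """Return a list of findings; empty means the two sides agree."""
    findings = []
    idp_id = idp_entity_id(metadata_xml)
    sp = sp_settings(sp_xml)
    if idp_id != sp["sso_entity_id"]:
        findings.append(f"issuer mismatch: metadata entityID={idp_id!r}, SP <SSO entityID>={sp['sso_entity_id']!r}")
    if metadata_filename not in sp["metadata_files"]:
        findings.append(f"{metadata_filename} is not referenced by any <MetadataProvider file=...>")
    certs = idp_signing_certs(metadata_xml)
    if not certs:
        findings.append("no signing certificate in metadata; the SP cannot verify IdP signatures")
    for der in certs:
        if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
            findings.append("signing certificate is not DER after base64 decoding")
    if sp["handlerSSL"].lower() != "true" or sp["cookieProps"].lower() != "https":
        findings.append(TLS_FINDING)
    return findings


# Constructed stand-ins for secureauth.xml and shibboleth2.xml.
# The certificate is a placeholder DER SEQUENCE, not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

IDP_METADATA = f"""<md:EntityDescriptor entityID="secureauth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/SecureAuth11/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="false" cookieProps="http">
      <SSO entityID="secureauth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" file="secureauth.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    for finding in check(IDP_METADATA, SP_CONFIG, "secureauth.xml"):
        print("WARN", finding)
```

With the sample input the only finding is the TLS one, which is also what the configuration above would produce; the entityID comparison is case-sensitive on purpose, since the SP matches issuers byte for byte.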
SecureAuth IdP Configuration Steps
Data

1. In the Profile Fields section, map the directory field that contains the user's Apache ID to the SecureAuth IdP Property

For example, add the Apache ID to the Email 2 Property if it is not already contained somewhere else

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication

2. Select SAML 2.0 (IdP Initiated) Assertion Page from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin

3. An unalterable URL is auto-populated in the Redirect To field; it is appended to the domain name and realm number shown in the address bar (Authorized/SAML20IdPInit.aspx)

4. A customized post authentication page can be uploaded, but it is not required

User ID Mapping

5. Select the SecureAuth IdP Property that corresponds to the directory field that contains the Apache ID (Email 2)

6. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

Select a different format if Apache requires one; the Service Provider (SP) specifies which format it needs

7. Select False from the Encode to Base64 dropdown

SAML Assertion / WS Federation

8. Set the WSFed Reply To/SAML Target URL to the resource URL to where users will be redirected once authenticated (e.g. https://[domain]/google)

9. Set the SAML Consumer URL to the URL at which the SAML assertions will be validated

For this integration, it would be the Shibboleth module (e.g. https://[domain]/Shibboleth.sso)

10. Set the WSFed/SAML Issuer to a unique name that will be shared with Apache

The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the Apache side; in the Shibboleth SP configuration above this is the entityID value of the IdP metadata (secureauth.xml) and of the SSO element in shibboleth2.xml

11. Set the SAML Offset Minutes to make up for time differences between devices

12. Set the SAML Valid Hours to limit for how long the SAML assertion is valid
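Steps 11 and 12 set the two ends of the assertion's validity window, and the SP's clockSkew (180 seconds in the shibboleth2.xml above) decides how much disagreement between the IdP and SP clocks is tolerated. The scenario model below is an added example, not code from the SecureAuth guide or from Shibboleth. It assumes a simple model of how the settings map to the assertion's Conditions (NotBefore is the IdP clock minus the offset minutes, NotOnOrAfter is the IdP clock plus the valid hours) and that the SP relaxes both bounds by clockSkew, which is how the Shibboleth SP applies that setting; the reference time is constructed:

```python
"""Effect of SAML Offset Minutes, Valid Hours and SP clockSkew (added example)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def assertion_conditions(idp_now, offset_minutes, valid_hours):
    """(NotBefore, NotOnOrAfter) as the IdP would write them under the assumed model."""
    not_before = idp_now - timedelta(minutes=offset_minutes)
    not_on_or_after = idp_now + timedelta(hours=valid_hours)
    return not_before, not_on_or_after


def sp_accepts(sp_now, not_before, not_on_or_after, clock_skew_seconds=180):
    """Shibboleth-style time check: each bound is relaxed by clockSkew."""
    skew = timedelta(seconds=clock_skew_seconds)
    if sp_now + skew < not_before:
        return False, "NotBefore is in the future beyond clockSkew"
    if sp_now - skew >= not_on_or_after:
        return False, "assertion expired beyond clockSkew"
    return True, "within validity window"


def evaluate(idp_ahead_seconds, offset_minutes, valid_hours, clock_skew_seconds=180):
    """Run one scenario in which the IdP clock is idp_ahead_seconds ahead of the SP clock."""
    sp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)  # constructed reference time
    idp_now = sp_now + timedelta(seconds=idp_ahead_seconds)
    not_before, not_on_or_after = assertion_conditions(idp_now, offset_minutes, valid_hours)
    return sp_accepts(sp_now, not_before, not_on_or_after, clock_skew_seconds)


if __name__ == "__main__":
    # IdP clock 5 min ahead, no offset: NotBefore is 300 s in the SP's future, skew is 180 s -> rejected
    print(evaluate(300, 0, 1))
    # Same drift with a 10-minute offset: NotBefore moves 600 s back -> accepted
    print(evaluate(300, 10, 1))
    # Assertion issued 2 h ago with 1 valid hour -> expired
    print(evaluate(-7200, 10, 1))
```

The first two scenarios are the reason the Offset Minutes field exists: a few minutes of clock drift is enough to push NotBefore past the SP's skew allowance. Fixing the drift with NTP on both hosts is the better remedy; widening the offset or the valid hours only lengthens the window during which a captured assertion would still be accepted.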

No configuration is required for the SAML Recipient or SAML Audience fields

13. Leave the Signing Cert Serial Number as the default value, unless there is a third-party certificate being used for the SAML assertion

If using a third-party certificate, click Select Certificate and choose the appropriate certificate

14. Provide the Domain in order to Download the Metadata File to send to Apache (if required)

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

15. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for SSO

These are optional configurations

To configure this realm's token/cookie settings, follow these steps:

Forms Authentication

1. If SSL is required to view the token, select True from the Require SSL dropdown

2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:

  • UseCookies enables SecureAuth IdP to always deliver a cookie
  • UseUri prevents SecureAuth IdP from delivering a cookie and instead delivers the token in a query string
  • AutoDetect enables SecureAuth IdP to deliver a cookie if the user's settings allow it
  • UseDeviceProfile enables SecureAuth IdP to deliver a cookie if the browser's settings allow it, no matter the user's settings

3. Set Sliding Expiration to True if the cookie should remain valid as long as the user is interacting with the page

4. Set the Timeout length to determine for how many minutes a cookie is valid

No configuration is required for the Name, Login URL, or Domain fields

Machine Key

5. No changes are required in the Validation field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

6. No changes are required in the Decryption field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

No configuration is required for the Validation Key or Decryption Key fields

Authentication Cookies

7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown

Selecting False - Session Cookie enables the cookie to be valid as long as the session is open, and will expire once the browser is closed or the session expires

No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields

Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid losing changes

To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration

To configure this realm for Windows Desktop SSO, refer to Windows Desktop SSO Configuration Guide