Adding ADFS integration to Apache
Overview
ADFS is Microsoft Active Directory Federated Services. It is a single sign-on solution, and this post explains how to tie in Apache 2.4 (CentOS 7) to ADFS. All of this works even with SELinux enforcing! The test environment described by this document includes the following. Root URL: https://sample.example.org (10.1.9.192) Protected subdirectory: https://sample.example.org/auth1/ Warning! ADFS Configuration changes can take a few minutes to take effect.
Adding ADFS integration to Apache
This guide assumes you have a functional apache environment.
Configuring apache
Install mod_auth_mellon from the regular centos repository. Also include php.
yum -y install mod_auth_mellon php
Set up mellon with the sample hostname and url using the provided tool.
mkdir -p /etc/httpd/mellon
cd /etc/httpd/mellon
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh urn:samplesite:sample.example.org "https://sample.example.org/auth1/endpoint/"
This script outputs 3 files to the current directory.
urn_samplesite_sample.example.org.key
urn_samplesite_sample.example.org.cert
urn_samplesite_sample.example.org.xml
This certificate is a self-signed certificate, but other options can be used and should be considered for production environments. Be aware that the certificates are also dumped into the xml file that will be shared with the ADFS host, so be sure to share any new certificates there as well. Collect the ADFS metadata and store it locally. Such metadata is usually available at a URL similar to the following. https://adfs.example.org/federationmetadata/2007-06/FederationMetadata.xml Here is a copy-pastable line for people like me.
wget https://adfs.example.org/federationmetadata/2007-06/FederationMetadata.xml -O /etc/httpd/mellon/FederationMetadata.xml
Build the apache Mellon config.
cat <<EOF >/etc/httpd/conf.d/auth_mellon.conf
MellonCacheSize 100
MellonLockFile /var/run/mod_auth_mellon.lock
MellonPostTTL 900
MellonPostSize 1073741824
MellonPostCount 100
MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"
EOF
My test environment uses a modular ssl directives include file:
cat <<EOFSSL >/etc/httpd/sites/all-ssl.cnf
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SetEnvIf User-Agent ".*MSIE 4\.0b2.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
LogLevel warn
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_access_log combinedvhost
<Directory "/var/www/html/notfound/">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# END OF FILE all-ssl.cnf
EOFSSL
In the apache config, probably /etc/httpd/sites/sample.conf, modify the virtual host.
cat <<EOF >/etc/httpd/sites/sample.conf
Listen 10.1.9.192:80
Listen 10.1.9.192:443
<VirtualHost 10.1.9.192:80>
ServerName sample.example.org:80
ServerAlias sample
# Redirect everything to the https site
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost 10.1.9.192:443>
ServerName sample.example.org:443
ServerAlias sample sample.example.org
DocumentRoot /var/www/html/sample.example.org
Include sites/all-ssl.cnf
<Directory "/var/www/html/sample.example.org">
AllowOverride None
Order allow,deny
Allow from all
Options Indexes FollowSymLinks
</Directory>
<Location /auth1/>
# Mellon auth which goes to ADFS
Include sites/adfs.cnf
MellonCond "groups" "WebAppUsers_grp" [REG,SUB,NC]
</Location>
</VirtualHost>
EOF
Make the post dump location, which is not necessary but might be useful in the future.
mkdir -p /var/cache/mod_auth_mellon_postdata
chown apache:apache /var/cache/mod_auth_mellon_postdata
chmod 0700 /var/cache/mod_auth_mellon_postdata
Building the include files
We already built the all-ssl.cnf include file, so we just need the adfs include file.
cat <<EOF >/etc/httpd/sites/adfs.cnf
# File: /etc/httpd/sites/adfs.cnf
MellonEnable "auth"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
#MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/httpd/mellon/urn_samplesite_sample.example.org.key
MellonSPCertFile /etc/httpd/mellon/urn_samplesite_sample.example.org.cert
MellonSPMetadataFile /etc/httpd/mellon/urn_samplesite_sample.example.org.xml
MellonIdPMetadataFile /etc/httpd/mellon/FederationMetadata.xml
MellonMergeEnvVars On ":"
MellonEndpointPath /auth1/endpoint
EOF
Here, the MellonMergeEnvVars On ":" means that any multiple-value attribute (like Groups) will be added to one colon-delimited string instead of being assigned to "Mellon_Groups_1" "Mellon_Groups_2" and so on. It's how the MellonCond works in the virtual host configuration.
Building example sites
Build the index file for the protected directory.
cat <<EOF >/var/www/html/sample.example.org/auth1/index.html
<html>
<head><title>Authorized zone</title></head>
<body>
<h1>Welcome to the authorized zone.</h1>
You should only be able to see this if you are authenticated and authorized.
</body>
</html>
EOF
Make a php troubleshooting file.
thisfile=/var/www/html/sample.example.org/auth1/info.php
cat <<EOF >${thisfile}
<?php
phpinfo(INFO_VARIABLES);
?>
EOF
chown apache:apache ${thisfile}
chmod 644 ${thisfile}
This little php file will show the apache environment variables that are available for use in the apache directives. The important ones here will be the ones prepended with "MELLON_."
Configuring ADFS to share data
On the ADFS server, add a new relying party trust. Run the AD FS management tool. Navigate in the tree structure to AD FS --> Trust relationships --> Relying party trusts. Select on the action menu "Add relying party trust..." The easiest way to do this is to use the xml file generated by that script earlier. Do not configure multi-factor authentication. Permit all users to access this relying party. Edit the properties of the relying party trust --> Advanced tab. Set value "Secure hash algorithm" to SHA-1.
Adding claim rules
Right-click this relying party trust and select "Edit Claim Rules." Add a rule of type "Transform incoming claim." Incoming claim type: Windows account name Outgoing claim type: Name ID Outgoing name ID format: Transient Identifier Radio button: Pass through all claim values The rule text looks like:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
Reference: Specific example of mellon configuration Add custom rule "Get all groups user belongs to."
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
The add command instead of issue passes the information on to the next rule. Reference: Custom rules sharing Add custom rule "Filter your groups only."
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ ".*WebAppUsers_grp.*|.*IT.*"]
=> issue(Type = "groups", Value = c.Value, Issuer = c.Issuer);
The type name of "groups" means that mellon will provide an apache environment variable of "MELLON_groups" which we are performing the condition statement on in the virtual host. The regex in the first part is looking for any group name that has "IT" in it at all or "WebAppUsers_grp" which is probably pretty specific to just that one group. What this does is limit the groups being sent so instead of those 538 AD groups possible that that one user is in, it will pass back only the 28 IT department-related ones and the WebAppUsers_grp. After the apachectl configtest, give apache graceful a shot! https://sample.example.org/auth1/info.php The above link (modified for you of course) should redirect to the AD FS login page and then send authenticated users back! The benefits here include using apache as a reverse proxy to tomcat applications (local or otherwise) and providing a layer of authentication.
References
- Official mellon page https://github.com/UNINETT/mod_auth_mellon
- Specific example of mellon configuration https://answers.splunk.com/answers/177936/accessing-splunk-enterprise-using-adfs-authenticat.html
- https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
- ADFS saml rules https://support.zendesk.com/hc/en-us/articles/203663896-Mapping-attributes-from-Active-Directory-with-ADFS-and-SAML-Professional-and-Enterprise-
- Regex is allowed in claims https://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx
- http://serverfault.com/questions/700126/sending-ad-attributes-as-ad-fs-claims-to-shibboleth-sp-attributes
- Custom rules sharing http://molikop.com/2014/04/adfs-claim-rules-filtering-groups/
- http://stackoverflow.com/questions/6861534/is-it-possible-to-output-any-or-all-available-variables-in-a-htaccess-file
Comments