
AW: mod_auth_saml.so



Dear Sampo,

on Feb. 11th you wrote:
After the metadata has been exchanged, first access to /protected will show IdP selection screen. The screen is shown even if there is just one IdP. Automatic selection of the one IdP is an advanced topic that you should only attempt once you have gotten the SSO to work overall.

Where can I config the automatic selection of an IdP? I haven't found anything in the docs - sorry.

Best regards
Gerhard

-----Original Message-----
From: sampo@xxxxxxxxx [mailto:sampo@xxxxxxxxx] 
Sent: Wednesday, 11 February 2015 21:05
To: Gutschi Gerhard Alfred HCMS sIT
Cc: sampo@xxxxxxxxx; luk@xxxxxxxxxxxxxx; paul@xxxxxxxxxxxxxx; sampo@xxxxxxxxxxxxxx
Subject: Re: mod_auth_saml.so

Gutschi Gerhard Alfred HCMS sIT <GerhardAlfred.Gutschi@xxxxxxxxxxxxxxxx> said:
> Dear Mr. Kellomäki,
> 
> sorry, that I contact you directly. But I've a question regarding mod_auth_saml.so and unfortunately I've found nobody else who can help me and in the manuals I haven't found an answer.
> My name is Gerhard Gutschi. I'm working for a large IT-company in Austria which serves the Austrian saving banks.

For open source inquiries, please join the zxid.user mailing list (see web site) and ask your questions there so others can learn from the answers.

ZXID is also commercially supported by the company I currently work for, namely Synergetics SA. If you are interested in the commercial support option, please contact Luk Vervenne (luk@xxxxxxxxxxxxxx).

> I'm in charge of a time management system and I've got the request to implement SSO for all users.
> The time management system is an intranet solution implemented in perl and running on DEBIAN squeeze with apache 2.2.
> 
> Now I'm working on installing the SAML from your company and I'm using your manual: Apache with mod_auth_saml Receipe for this.

The recipe in the tarball is most up to date. The recipe on web site may be a couple of versions behind.

> The lib: mod_auth_saml.so is loaded to my apache and I'm trying to implement your test-scenario:
> <Location /protected>
>   Require valid-user
>   AuthType "saml"
>   ZXIDConf "URL=myURL"
> </Location>
> 
> So my question. I don't understand where I can config the SAML-lib?

Two places: the configuration file at /var/zxid/zxid.conf (this is the default location, the actual location depends on CPATH configuration variable) or by supplying more ZXIDConf directives in the httpd.conf.

> How can I tell the system where my IdP-Server is? Where can I get the answer of the IdP server? And so on?

IdPs are described by SAML Metadata (an XML file). You need to introduce the IdP's metadata to mod_auth_saml and you need to send your metadata to the administrator of the IdP. The following commands should get you started:

zxcot -h  # Help
zxcot -m >my-sp-meta.xml   # Your metadata that you send to the IdP admin
zxcot -g IDPURL            # Alt 1: IdP admin tells you the URL
zxcot -a <idp-meta.xml     # Alt 2: IdP admin gives you this file

After the metadata has been exchanged, first access to /protected will show IdP selection screen. The screen is shown even if there is just one IdP. Automatic selection of the one IdP is an advanced topic that you should only attempt once you have gotten the SSO to work overall.

> Is there any manual where I can learn how to config mod_auth_saml and how to prepare apache?
> 

The best documentation is in the tar ball. ls *.pd

> I hope this question is not too boring for you. But I really need help.
> 
> Thank you for your understanding and your help

Cheers,
--Sampo

> Best regards
> Gerhard Gutschi