Version
This article was written for version 7.3.18 of OP5 Monitor on EL7; it may also work on lower and higher versions unless stated otherwise.
Articles in the Community-Space are not supported by OP5 Support.
This article describes how to add SAML-based SSO authentication to OP5 Monitor using the Apache authentication adapter and mod_auth_mellon. The Identity Provider (IdP) in this example is Okta.
Step-by-step guide
Create an Okta account:
- Go to https://www.okta.com/free-trial/ and create a free developer account. You will receive an email with the details of your account, including the subdomain assigned to you, e.g. https://dev-xxxxxx.oktapreview.com
- Log in to https://dev-xxxxxx.oktapreview.com and switch to the Admin view.
- Follow the Okta guide for setting up a SAML application (linked under Resources below) and use the following values for the application:
- Single Sign On URL = https://<monitor_ip>/mellon/postResponse
- Audience URI (SP Entity ID) = https://<monitor_ip>/mellon/metadata
Both values are derived from the Mellon endpoint path configured later (MellonEndpointPath "/mellon"): the first is the URL Okta posts the SAML response to, the second is the entity ID that mod_auth_mellon uses by default when no SP metadata file is configured, and it must equal the audience Okta puts in the assertion.
- Save the IdP metadata file you download from the application somewhere safe; you will need it later.
Configure the authentication adapter in Monitor:
- Create an Apache auth driver under Manage/Configure/Authentication Modules.
- Select the newly created Apache driver in the Common tab and enable auto login.
- Create an apache_auth_user group under Manage/Configure/Group Rights with the same permissions as the existing admins group. Users authenticated through the Apache adapter land in this group, so give it admin rights only if every Okta user assigned to the application should be a Monitor administrator; otherwise grant it the narrower rights those users need.
Configure the mod_auth_mellon module for Apache on the Monitor host:
- SSH to your Monitor machine.
- Install mod_auth_mellon:
# yum install mod_auth_mellon
This installs mod_auth_mellon 0.11. To get a newer release, build the module from source. That pulls in a lot of development packages, so you may prefer to compile it on a separate machine with the same httpd and lasso versions and copy only the resulting mod_auth_mellon.so over the installed one.
yum groupinstall "Development Tools"
yum install lasso lasso-devel httpd-devel libcurl-devel
git clone https://github.com/UNINETT/mod_auth_mellon
cd mod_auth_mellon
git checkout tags/v0.13.1
git checkout -b v0.13.1
./autogen.sh
./configure --with-apxs2=/usr/bin/apxs
make && make install
This should overwrite the previously installed module but leave the configuration files intact.
- Create a folder for the mellon configuration and run the metadata script shipped with the source tree:
mkdir /etc/httpd/mellon
cd /etc/httpd/mellon
# assuming the cloned repository is in /root/mod_auth_mellon
/root/mod_auth_mellon/mellon_create_metadata.sh op5_okta_<random_id> https://<monitor_ip>/mellon
The script writes an SP private key, certificate and metadata file, named after its first argument, into the current directory.
- Copy the metadata file downloaded from Okta to /etc/httpd/mellon.
- Change ownership of the files:
# chown monitor:apache /etc/httpd/mellon/*
The SP private key signs Mellon's authentication requests and decrypts encrypted assertions, so make sure the .key file is readable only by its owner and the apache group (mode 640) and not by everyone on the host.
- Edit /etc/httpd/conf.d/auth_mellon.conf and add the following configuration:
MellonCacheSize 100
MellonLockFile "/run/mod_auth_mellon/lock"
<Location />
#Require valid-user
AuthType "Mellon"
MellonEnable "info"
MellonVariable "cookie2"
#MellonSecureCookie On
MellonCookiePath /
MellonUser "NAME_ID"
MellonSessionDump Off
MellonSamlResponseDump Off
MellonEndpointPath "/mellon"
MellonDefaultLoginPath "/"
MellonSessionLength 43200
MellonSPPrivateKeyFile /etc/httpd/mellon/op5_okta.key
MellonSPCertFile /etc/httpd/mellon/op5_okta.cert
MellonIdPMetadataFile /etc/httpd/mellon/metadata
MellonRedirectDomains [self] dev-xxxxx.oktapreview.com
RequestHeader set PHP_AUTH_USER %{MELLON_NAME_ID}e
ProxyPassInterpolateEnv On
</Location>
<Location /monitor/>
MellonEnable "auth"
</Location>
Make sure you set the correct file names in MellonSPPrivateKeyFile and MellonSPCertFile (they are named after the first argument you gave mellon_create_metadata.sh), that MellonIdPMetadataFile points at the file downloaded from Okta, and that MellonRedirectDomains lists your own Okta subdomain. A few things worth knowing before you restart: MellonEnable "info" on / only makes session information available, while MellonEnable "auth" on /monitor/ is what actually forces a login for the Monitor UI. MellonUser "NAME_ID" means the user name handed to Monitor is the NameID Okta issues, so set the Okta application's Name ID format and Application username so that they produce the user names Monitor should see. The RequestHeader line passes that user name to Monitor as PHP_AUTH_USER; because it uses set, any PHP_AUTH_USER header sent by the client is overwritten rather than trusted. Since Monitor is served over HTTPS, consider uncommenting MellonSecureCookie On, which marks the Mellon session cookie Secure and HttpOnly. MellonSessionLength 43200 keeps a Mellon session valid for 12 hours; shorten it if your policy requires more frequent re-authentication.
- Restart Apache:
# systemctl restart httpd
- Navigate to https://<monitor_ip>/monitor. You should be redirected to the Okta login page and, after signing in there, sent back to Monitor logged in as the Okta user.
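The most common reason this last step fails is that the values entered in Okta do not match what mod_auth_mellon expects: the Audience URI must equal the SP entityID and the Single Sign On URL must equal the HTTP-POST AssertionConsumerService, otherwise the response is posted to the wrong place or fails audience validation. The following Python script is an added example, not code from the original article, from mod_auth_mellon or from Okta. It parses the SP metadata that mellon_create_metadata.sh generates and the IdP metadata downloaded from Okta, and checks them against the Okta application settings and the MellonRedirectDomains value from auth_mellon.conf. The hostname monitor.example.com, the Okta subdomain dev-123456.oktapreview.com, the application id exk0000000000000000 and both XML documents are constructed samples; on a real install read the two files from /etc/httpd/mellon instead.

```python
"""Consistency check for a mod_auth_mellon + Okta SAML setup (added example).

Assumed/constructed: monitor.example.com, dev-123456.oktapreview.com,
exk0000000000000000 and both metadata documents below.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, trimmed to what the check needs, in the shape
# mellon_create_metadata.sh produces for "https://<host>/mellon".
SP_METADATA = """<EntityDescriptor entityID="https://monitor.example.com/mellon/metadata"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://monitor.example.com/mellon/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample in the shape of the metadata Okta offers for download;
# the certificate body is a placeholder, not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-123456.oktapreview.com/app/op5/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-123456.oktapreview.com/app/op5/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_endpoints(sp_xml):
    """Return (entityID, [HTTP-POST AssertionConsumerService URLs]) from SP metadata."""
    root = ET.fromstring(sp_xml)
    acs = [e.get("Location")
           for e in root.iterfind(".//md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    return root.get("entityID"), acs


def idp_endpoints(idp_xml):
    """Return ([SingleSignOnService URLs], [signing certificates]) from IdP metadata."""
    root = ET.fromstring(idp_xml)
    sso = [e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS)]
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute: key serves both purposes
            continue
        certs += [c.text.strip() for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
    return sso, certs


def redirect_hosts(mellon_redirect_domains, self_host):
    """Expand a MellonRedirectDomains value; [self] stands for the SP's own host."""
    return {self_host if d == "[self]" else d for d in mellon_redirect_domains.split()}


def check_setup(sp_xml, idp_xml, okta_sso_url, okta_audience, mellon_redirect_domains):
    """Return a list of mismatches; an empty list means the pieces agree."""
    problems = []
    entity_id, acs_urls = sp_endpoints(sp_xml)
    if okta_audience != entity_id:
        problems.append(f"Okta Audience URI {okta_audience!r} does not equal the SP entityID {entity_id!r}")
    if okta_sso_url not in acs_urls:
        problems.append(f"Okta Single Sign On URL {okta_sso_url!r} is not an SP HTTP-POST ACS {acs_urls}")
    sso_urls, certs = idp_endpoints(idp_xml)
    if not sso_urls:
        problems.append("IdP metadata has no SingleSignOnService; Mellon cannot redirect to the IdP")
    if not certs:
        problems.append("IdP metadata has no signing certificate; Mellon cannot verify responses")
    for url in sso_urls:
        if urlparse(url).scheme != "https":
            problems.append(f"IdP SSO endpoint {url!r} is not https")
    allowed = redirect_hosts(mellon_redirect_domains, urlparse(entity_id).hostname)
    for host in sorted({urlparse(u).hostname for u in sso_urls} - allowed):
        problems.append(f"IdP host {host!r} is not listed in MellonRedirectDomains")
    return problems


if __name__ == "__main__":
    found = check_setup(SP_METADATA, IDP_METADATA,
                        "https://monitor.example.com/mellon/postResponse",
                        "https://monitor.example.com/mellon/metadata",
                        "[self] dev-123456.oktapreview.com")
    for line in found or ["OK: SP metadata, IdP metadata and Okta settings agree"]:
        print(line)
```

Run it with the real files and the values you typed into Okta; a typical mistake it catches is entering https://<monitor_ip>/mellon (without /metadata) as the Audience URI, which mod_auth_mellon will reject because the assertion's audience no longer matches its entityID.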
Resources
https://stackoverflow.com/questions/32709589/mod-auth-mellon-not-populating-environment-variables
https://github.com/UNINETT/mod_auth_mellon
https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta
https://github.com/UNINETT/mod_auth_mellon/wiki/GenericSetup
https://serverfault.com/questions/739756/splunk-saml-sso-from-an-idp-with-apache-mod-mellon-fails
https://support.okta.com/help/answers?id=9062A000000bmU9QAI
https://centos.pkgs.org/7/centos-x86_64/mod_auth_mellon-0.11.0-4.el7.x86_64.rpm.html