This article was written for version 7.3.18 of OP5 Monitor on EL7. It may also work on lower and higher versions unless otherwise stated.
Articles in the Community-Space are not supported by OP5 Support.
This article describes how to add SAML-based SSO authentication to OP5 Monitor using the Apache auth adapter and mod_auth_mellon. The Identity Provider (IdP) used in this example is Okta.
Create Okta Account:
- Go to https://www.okta.com/start-with-okta/ and create a free developer account. You should get an email containing the details of your account, including the associated subdomain, e.g. https://dev-xxxxxx.oktapreview.com
- Log in to your https://dev-xxxxxx.oktapreview.com and switch to the Admin view.
- Follow this guide to set up a SAML application in Okta, and make sure you replace the following parameters:
- Save the downloaded metadata file somewhere safe. You will need it later.
Configure the authentication adapter in Monitor:
- Create an Apache auth driver in Manage/Configure/Authentication Modules.
- Select the created Apache driver in the Common tab and enable auto login.
- Create an apache_auth_user group in Manage/Configure/Group Rights with the same permissions as the existing admins group.
Configure the mod_auth_mellon module for Apache in Monitor:
- SSH to your Monitor machine.
- Install mod_auth_mellon:
This will install mod_auth_mellon v0.11. We need to update it to the latest version, which is possible by building the module from source. Keep in mind that the build requires a lot of development packages, so you may want to compile it on a separate machine and simply copy the generated *.so file over the installed one.
This should overwrite the previously installed module, but keep all the config files intact.
- Create a folder that will store the mellon configuration and execute the mellon script:
- Copy the metadata file downloaded from Okta to /etc/httpd/mellon
- Change ownership of the files:
- Edit the /etc/httpd/conf.d/auth_mellon.conf file and add the following configuration:
Make sure you set the correct values for MellonSPPrivateKeyFile, MellonSPCertFile and MellonRedirectDomains.
- Restart Apache:
- Navigate to https://<monitor_ip>/monitor. You should be redirected to the Okta login page.
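
For the auth_mellon.conf step above, one possible layout is sketched below. This is an added example, not the configuration from the original article or from OP5. The hostname monitor.example.com and the file names under /etc/httpd/mellon are placeholders, and it is assumed that the Apache auth driver created earlier uses the user name Apache reports after authentication.

```apache
# /etc/httpd/conf.d/auth_mellon.conf
# Added example. Hostname and file names are placeholders (assumptions);
# use the files actually present in /etc/httpd/mellon on your machine.

<Location />
    # Load the mellon session for every request, but do not force a login here.
    MellonEnable "info"

    # Base path for the SAML endpoints (login, logout, postResponse, metadata).
    # It must match the URLs registered for the application in the IdP.
    MellonEndpointPath "/mellon"

    # Service Provider key, certificate and metadata generated for this host.
    # Keep the private key readable only by the account Apache runs as.
    MellonSPPrivateKeyFile /etc/httpd/mellon/monitor_sp.key
    MellonSPCertFile       /etc/httpd/mellon/monitor_sp.cert
    MellonSPMetadataFile   /etc/httpd/mellon/monitor_sp.xml

    # Metadata file downloaded from Okta.
    MellonIdPMetadataFile  /etc/httpd/mellon/okta_metadata.xml

    # Hosts that mod_auth_mellon may redirect to after login or logout.
    # List only the Monitor hostname so the return URL cannot point elsewhere.
    MellonRedirectDomains  monitor.example.com

    # Mark the session cookie Secure so it is only sent over HTTPS.
    MellonSecureCookie On
</Location>

<Location /monitor>
    # Require a valid SAML session for the Monitor web interface.
    AuthType Mellon
    MellonEnable "auth"
    Require valid-user
</Location>
```

Running `apachectl configtest` before the restart catches a misspelled directive or a missing file path.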