在Apache中使用MOD_AUTH_MELLON配置多个SAML应用程序?
我们需要支持SSO(OKTA和Google)的SAML。我已经能够在Google中设置自己的自定义SAML应用程序,并在Apache中配置Mellon。但是,我们需要为客户在OKTA中配置SAML,并在Google中为我们的内部用户配置SAML。
#################################################################################
# Global configuration for mod_auth_mellon.
# This configuration is shared by every virtual server and location in this instance of apache.
#################################################################################
# MellonCacheSize sets the maximum number of sessions which can be active at once. When mod_auth_mellon reaches this limit, it will begin removing # the least recently used sessions. The server must be restarted before any changes to this option takes effect.
# Default: MellonCacheSize 100
MellonCacheSize 100
# MellonLockFile is the full path to a file used for synchronizing access to the session data. The path should only be used by one instance of apache at a time.The server must be restarted before any changes to this option takes effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"
# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100
###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################
<Location />
MellonEnable "info"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/apache2/googlesaml/mellon.key
MellonSPCertFile /etc/apache2/googlesaml/mellon.crt
MellonSPMetadataFile /etc/apache2/googlesaml/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/googlesaml/GoogleIDPMetadata.xml
MellonEndpointPath /mellon
MellonDefaultLoginPath /
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e
</Location>
<VirtualHost *:443>
ServerName host_name
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
<Location />
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
<Location /protected>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>
我们如何将Okta和Google(SAML)之间的传入请求区分为位置 /&gt;指令只能由SAML提供商中的任何一个配置。
We have a requirement to support SAML for SSO (Okta and Google). I have been able to set up my own custom SAML application in Google and configure mellon in apache. However, we have a requirement to configure SAML in Okta for customers and SAML in Google for our internal users.
#################################################################################
# Global configuration for mod_auth_mellon.
# This configuration is shared by every virtual server and location in this instance of apache.
#################################################################################
# MellonCacheSize sets the maximum number of sessions which can be active at once. When mod_auth_mellon reaches this limit, it will begin removing # the least recently used sessions. The server must be restarted before any changes to this option takes effect.
# Default: MellonCacheSize 100
MellonCacheSize 100
# MellonLockFile is the full path to a file used for synchronizing access to the session data. The path should only be used by one instance of apache at a time.The server must be restarted before any changes to this option takes effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"
# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100
###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################
<Location />
MellonEnable "info"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump On
MellonSPPrivateKeyFile /etc/apache2/googlesaml/mellon.key
MellonSPCertFile /etc/apache2/googlesaml/mellon.crt
MellonSPMetadataFile /etc/apache2/googlesaml/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/googlesaml/GoogleIDPMetadata.xml
MellonEndpointPath /mellon
MellonDefaultLoginPath /
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e
</Location>
<VirtualHost *:443>
ServerName host_name
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.pem
SSLCertificateKeyFile /etc/ssl/private/private.key
<Location />
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
<Location /protected>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
</VirtualHost>
How can we differentiate incoming request between Okta and Google (SAML) as Location /> directive can be configured by only either one of SAML provider.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
MOD_AUTH_MELLON模块仅将SAML应用于特定的
&lt; location/&gt; ...&lt;/location&gt;,因此您必须为每个IDP提供商配置一个位置。如果您想根据用户的标头动态执行此操作,我不建议MOD_AUTH_MELLON,让您的应用程序提供身份验证会更有意义。
希望这会有所帮助。
The mod_auth_mellon module only applies SAML to a specific
<Location />...</Location>, so you would have to configure a location for each idP provider.If you want to do this dynamically based on the user's headers, I wouldn't recommend mod_auth_mellon, having your application serve up the authentication would make more sense.
Hope this helps.
我尝试了以下配置,它适用于OpenIDC和Mellon。显然,这种情况对愿意为内部IDP配置Okta(Mellon)和Google SSO的人有帮助。
I have tried below config and it works for openidc and mellon both. Apparently, this scenario would be helpful for those willing to configure Okta (mellon) and google sso for internal IDP.