ADFS - Revision history

C256zhao: specify the NameIDFormat in SP metadata

2025-10-16T20:32:21Z

specify the NameIDFormat in SP metadata

← Older revision		Revision as of 15:32, 16 October 2025
Line 23:		Line 23:
	Also see https://cs.uwaterloo.ca/twiki/view/CF/ADFS.		Also see https://cs.uwaterloo.ca/twiki/view/CF/ADFS.

	Install the mod_auth_mellon module:		Install the <code>mod_auth_mellon</code> module:
	<pre>		<pre>
	apt install libapache2-mod-auth-mellon		apt install libapache2-mod-auth-mellon
	</pre>		</pre>
	Create a keypair and XML file:		Create a keypair and SP metadata XML file:
	<pre>		<pre>
	mellon_create_metadata https://csclub.uwaterloo.ca https://csclub.uwaterloo.ca/saml		mellon_create_metadata https://csclub.uwaterloo.ca https://csclub.uwaterloo.ca/saml
	</pre>		</pre>
			Because we use persistent format for Name IDs with ADFS IdP, add the following <code><NameIDFormat></code> line under the <code><SPSSODescriptor></code> scope like below in the generated XML metadata:
⚫	Place the files under /etc/apache2/saml on caffeine (make sure the private key is only readable by root), and store a copy under /home/sysadmin/certs/saml_csclub.uwaterloo.ca on xylitol.
			<!-- ... omitted ... -->
			<NameIDFormat><nowiki>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nowiki></NameIDFormat>
			</SPSSODescriptor>
			</EntityDescriptor>
		⚫	Place the files under <code>/etc/apache2/saml</code> on caffeine (make sure the private key is only readable by root), and store a copy under <code>/home/sysadmin/certs/saml_csclub.uwaterloo.ca</code> on <code>xylitol</code>.

	Also download a copy of the ADFS IdP metadata XML file:		Also download a copy of the ADFS IdP metadata XML file:

Merenber at 07:38, 29 December 2021

2021-12-29T07:38:34Z

@@ Line 1: / Line 1: @@
 Starting from July 2021, we are a registered SAML SP (Service Provider) for the University of Waterloo's [https://uwaterloo.ca/information-systems-technology/services/web-based-central-authentication ADFS] system.
-* Assertion Consumer Service URL (POST binding only): https://csclub.uwaterloo.ca/saml/postResponse
+Our metadata URL is https://csclub.uwaterloo.ca/saml/metadata.
 Our SP certificate is currently set to expire in July 2031; <b>make sure to renew it before then</b>.
@@ Line 92: / Line 90: @@
 == Known limitations ==
 It is not currently possible to use any of the Mellon* directives in a .htaccess file. [https://github.com/latchset/mod_auth_mellon/issues/82 Here] is the open GitHub issue for it (if it is now closed, please update this wiki page).

Merenber at 07:34, 29 December 2021

2021-12-29T07:34:50Z

← Older revision		Revision as of 02:34, 29 December 2021
Line 6:		Line 6:

	Our SP certificate is currently set to expire in July 2031; <b>make sure to renew it before then</b>.		Our SP certificate is currently set to expire in July 2031; <b>make sure to renew it before then</b>.

			The ADFS IdP metadata XML (from the university) is set to expire in October 2025; <b>make sure to download a new copy before then</b>.

	== Paperwork ==		== Paperwork ==
Line 32:		Line 34:
	</pre>		</pre>
	Place the files under /etc/apache2/saml on caffeine (make sure the private key is only readable by root), and store a copy under /home/sysadmin/certs/saml_csclub.uwaterloo.ca on xylitol.		Place the files under /etc/apache2/saml on caffeine (make sure the private key is only readable by root), and store a copy under /home/sysadmin/certs/saml_csclub.uwaterloo.ca on xylitol.

			Also download a copy of the ADFS IdP metadata XML file:
			<pre>
			wget -O /etc/apache2/saml/FederationMetadata.xml https://adfs.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml
			</pre>

	Enable the Mellon module:		Enable the Mellon module:

Merenber at 07:28, 29 December 2021

2021-12-29T07:28:52Z

@@ Line 4: / Line 4: @@
 * Single Logout Service URL (Redirect binding only): https://csclub.uwaterloo.ca/saml/logout
 * Metadata URL: https://csclub.uwaterloo.ca/saml/metadata
 == Paperwork ==
@@ Line 52: / Line 54: @@
     </Location>
 </pre>

Merenber: Created page with "Starting from July 2021, we are a registered SAML SP (Service Provider) for the University of Waterloo's [https://uwaterloo.ca/information-systems-technology/services/web-base..."

2021-12-29T07:21:50Z

Created page with "Starting from July 2021, we are a registered SAML SP (Service Provider) for the University of Waterloo's [https://uwaterloo.ca/information-systems-technology/services/web-base..."

New page

Starting from July 2021, we are a registered SAML SP (Service Provider) for the University of Waterloo's [https://uwaterloo.ca/information-systems-technology/services/web-based-central-authentication ADFS] system.

* Assertion Consumer Service URL (POST binding only): https://csclub.uwaterloo.ca/saml/postResponse
* Single Logout Service URL (Redirect binding only): https://csclub.uwaterloo.ca/saml/logout
* Metadata URL: https://csclub.uwaterloo.ca/saml/metadata

== Paperwork ==
Unfortunately the [https://uwaterloo.ca/request-tracking-system/adfs-request form] which we need to submit to IST to become a SP can only be accessed by faculty, so ask our club advisor to submit it for us (as of this writing, that is Dr. Prabhakar Ragde). IST may be slow to respond, so make sure to do this well before our certificate expires.

Here's some information which you'll need for the form:

* Environment requested: production environment
* URL for the application metadata file: https://csclub.uwaterloo.ca/saml/metadata
* Claims required to be passed to the application: group, emailaddress, surname, givenname, samaccountname, UPN
* Is 2FA required for this application: yes
* Valid Redirect URI: https://csclub.uwaterloo.ca/*

== Apache setup ==
These steps are adapted from https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html.
<br>
Also see https://cs.uwaterloo.ca/twiki/view/CF/ADFS.

Install the mod_auth_mellon module:
<pre>
apt install libapache2-mod-auth-mellon
</pre>
Create a keypair and XML file:
<pre>
mellon_create_metadata https://csclub.uwaterloo.ca https://csclub.uwaterloo.ca/saml
</pre>
Place the files under /etc/apache2/saml on caffeine (make sure the private key is only readable by root), and store a copy under /home/sysadmin/certs/saml_csclub.uwaterloo.ca on xylitol.

Enable the Mellon module:
<pre>
a2enmod auth_mellon
</pre>

Add the following snippet to /etc/apache2/sites-real/csc on caffeine:
<pre>
<Location / >
MellonEnable info
MellonEndpointPath /saml
MellonSPMetadataFile /etc/apache2/saml/https_csclub.uwaterloo.ca.xml
MellonSPPrivateKeyFile /etc/apache2/saml/https_csclub.uwaterloo.ca.key
MellonSPCertFile /etc/apache2/saml/https_csclub.uwaterloo.ca.cert
MellonIdPMetadataFile /etc/apache2/saml/FederationMetadata.xml
MellonSecureCookie On
MellonRedirectDomains *
MellonMergeEnvVars On
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
MellonSetEnvNoPrefix ADFS_GROUP http://schemas.xmlsoap.org/claims/Group
</Location>
</pre>