ADFS
Since July 2021 we have been a registered SAML SP (Service Provider) with the University of Waterloo's ADFS system. Our SP endpoints, as published in our metadata, are:
- Assertion Consumer Service URL (POST binding only): https://csclub.uwaterloo.ca/saml/postResponse
- Single Logout Service URL (Redirect binding only): https://csclub.uwaterloo.ca/saml/logout
- Metadata URL: https://csclub.uwaterloo.ca/saml/metadata
Paperwork
Unfortunately the form we need to submit to IST to become an SP can only be accessed by faculty, so ask our club advisor to submit it for us (as of this writing, that is Dr. Prabhakar Ragde). IST may be slow to respond, so start this well before the SP certificate embedded in our metadata expires; once it does, ADFS will reject our signed requests.
Here's some information which you'll need for the form:
- Environment requested: production environment
- URL for the application metadata file: https://csclub.uwaterloo.ca/saml/metadata
- Claims required to be passed to the application: group, emailaddress, surname, givenname, samaccountname, UPN
- Is 2FA required for this application: yes
- Valid Redirect URI: https://csclub.uwaterloo.ca/*
Apache setup
These steps are adapted from https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html.
Also see https://cs.uwaterloo.ca/twiki/view/CF/ADFS.
Install the mod_auth_mellon module:
apt install libapache2-mod-auth-mellon
Create a keypair and the SP metadata XML file (the first argument is our entity ID, the second is the URL of the Mellon endpoint path; the output files are named after the entity ID, e.g. https_csclub.uwaterloo.ca.key):
mellon_create_metadata https://csclub.uwaterloo.ca https://csclub.uwaterloo.ca/saml
Place the files under /etc/apache2/saml on caffeine (the private key must be owned by root and readable only by root, i.e. mode 0600; the .cert and .xml files are public), and store a copy under /home/sysadmin/certs/saml_csclub.uwaterloo.ca on xylitol.
Enable the Mellon module:
a2enmod auth_mellon
Add the following snippet to /etc/apache2/sites-real/csc on caffeine:
    <Location />
        MellonEnable info
        MellonEndpointPath /saml
        MellonSPMetadataFile /etc/apache2/saml/https_csclub.uwaterloo.ca.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/https_csclub.uwaterloo.ca.key
        MellonSPCertFile /etc/apache2/saml/https_csclub.uwaterloo.ca.cert
        MellonIdPMetadataFile /etc/apache2/saml/FederationMetadata.xml
        MellonSecureCookie On
        MellonRedirectDomains *
        MellonMergeEnvVars On
        MellonSetEnvNoPrefix REMOTE_USER NAME_ID
        MellonSetEnvNoPrefix ADFS_GROUP http://schemas.xmlsoap.org/claims/Group
    </Location>
Two things to keep in mind with this snippet. MellonEnable info only makes the session information available to the application; nothing under / is protected by it. To actually require an ADFS login for a path, add a separate Location block for that path with MellonEnable auth. Also, MellonRedirectDomains * disables Mellon's check on the ReturnTo parameter, so a crafted login link can send a user to an arbitrary site after they authenticate; if we do not need cross-domain returns, restrict it to [self].
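As an added example (this is not code from the page or from the club's repository), here is a small check, run against the XML that mellon_create_metadata produced and that we serve at /saml/metadata, that the metadata still advertises the entity ID, endpoints and bindings listed under ADFS above, that no endpoint points outside our /saml/ path, and that a certificate is present for ADFS to verify our signatures. The two sample metadata documents are constructed for the example and the certificate body is a placeholder; the helper names are mine.

```python
"""Check that our SP metadata matches what was registered with ADFS.
Added example: it only parses the XML and does not talk to ADFS."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Values from the page: the entity ID given to mellon_create_metadata,
# the Mellon endpoint path, and the two endpoints listed under ADFS.
ENTITY_ID = "https://csclub.uwaterloo.ca"
ENDPOINT_BASE = "https://csclub.uwaterloo.ca/saml/"
REQUIRED = {
    ("AssertionConsumerService", POST, "https://csclub.uwaterloo.ca/saml/postResponse"),
    ("SingleLogoutService", REDIRECT, "https://csclub.uwaterloo.ca/saml/logout"),
}


def endpoints(sp):
    """Yield (element name, binding, location) for each endpoint of an SPSSODescriptor."""
    for name in ("AssertionConsumerService", "SingleLogoutService"):
        for el in sp.findall(MD + name):
            yield name, el.get("Binding"), el.get("Location")


def check_metadata(xml_text, entity_id=ENTITY_ID, base=ENDPOINT_BASE, required=REQUIRED):
    """Return a list of problems; an empty list means the metadata matches the registration."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    if root.get("entityID") != entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != {entity_id!r}")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor: this is not SP metadata"]
    found = set(endpoints(sp))
    # Every endpoint on the IST form must be present with the registered binding.
    for name, binding, location in required - found:
        problems.append(f"missing registered endpoint {name} {binding} {location}")
    # Nothing may point outside the Mellon endpoint path (e.g. a stale test host).
    for name, binding, location in found:
        if not (location or "").startswith(base):
            problems.append(f"{name} {location} is outside {base}")
    # ADFS verifies our signed AuthnRequests against the certificate in the metadata.
    certs = sp.findall(f"{MD}KeyDescriptor/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if not any((c.text or "").strip() for c in certs):
        problems.append("no X509Certificate in KeyDescriptor")
    return problems


# Constructed sample in the shape of mellon_create_metadata output; the
# certificate body is a placeholder, not a real certificate.
GOOD = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://csclub.uwaterloo.ca">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://csclub.uwaterloo.ca/saml/logout"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://csclub.uwaterloo.ca/saml/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Constructed broken sample: ACS on a foreign host, no Redirect-binding SLO.
BAD = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://csclub.uwaterloo.ca">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://staging.example.test/saml/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_metadata(doc) or "OK")
```

To run it against the live file, read /etc/apache2/saml/https_csclub.uwaterloo.ca.xml (or fetch https://csclub.uwaterloo.ca/saml/metadata) and pass the text to check_metadata; anything it reports is something IST's copy of our metadata will also disagree with.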