ADFS

From CSCWiki
Revision as of 02:21, 29 December 2021 by Merenber (talk | contribs) (Created page with "Starting from July 2021, we are a registered SAML SP (Service Provider) for the University of Waterloo's [https://uwaterloo.ca/information-systems-technology/services/web-base...")

Starting from July 2021, we are a registered SAML SP (Service Provider) for the University of Waterloo's ADFS system.

Paperwork

Unfortunately the form which we need to submit to IST to become an SP can only be accessed by faculty, so ask our club advisor to submit it for us (as of this writing, that is Dr. Prabhakar Ragde). IST may be slow to respond, so make sure to do this well before our certificate expires.

Here's some information which you'll need for the form:

Apache setup

These steps are adapted from https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html.
Also see https://cs.uwaterloo.ca/twiki/view/CF/ADFS.

Install the mod_auth_mellon module:

apt install libapache2-mod-auth-mellon

Create a keypair and XML file:

mellon_create_metadata https://csclub.uwaterloo.ca https://csclub.uwaterloo.ca/saml

Place the files under /etc/apache2/saml on caffeine (chown root:root and chmod 0600 the .key file so the private key is readable only by root), and store a copy under /home/sysadmin/certs/saml_csclub.uwaterloo.ca on xylitol.

Enable the Mellon module:

a2enmod auth_mellon

Add the following snippet to /etc/apache2/sites-real/csc on caffeine:

    <Location / >
      # "info": Mellon is active site-wide but does not require authentication;
      # a login is only triggered via /saml/login (or a sub-location with MellonEnable auth).
      MellonEnable info
      MellonEndpointPath /saml
      MellonSPMetadataFile /etc/apache2/saml/https_csclub.uwaterloo.ca.xml
      # The .key file must be readable only by root; the .cert is what IST registers for us.
      MellonSPPrivateKeyFile /etc/apache2/saml/https_csclub.uwaterloo.ca.key
      MellonSPCertFile /etc/apache2/saml/https_csclub.uwaterloo.ca.cert
      MellonIdPMetadataFile /etc/apache2/saml/FederationMetadata.xml
      # Sets the Secure and HttpOnly flags on the session cookie.
      MellonSecureCookie On
      # "*" allows the ReturnTo parameter to redirect to any domain after login;
      # restrict it to our own hosts unless cross-domain redirects are actually needed.
      MellonRedirectDomains *
      # Multi-valued claims (e.g. several groups) become one ';'-separated variable.
      MellonMergeEnvVars On
      MellonSetEnvNoPrefix REMOTE_USER NAME_ID
      MellonSetEnvNoPrefix ADFS_GROUP http://schemas.xmlsoap.org/claims/Group
    </Location>
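Since the keypair has to be regenerated and re-registered with IST before the SP certificate expires, here is a small script that automates the keypair/metadata steps above and adds the expiry check. This is an added example, not a script from this wiki or from mod_auth_mellon: it assumes mellon_create_metadata and openssl are on the PATH, stages the new files in /etc/apache2/saml/pending (an assumed location) rather than overwriting the live ones, and uses an assumed 60-day warning threshold. The file-naming rule in mellon_basename mirrors what mellon_create_metadata does as far as we know; confirm it against the files the tool actually writes.

```shell
#!/bin/sh
# Added example (not from the wiki page or from mod_auth_mellon): regenerate the
# Mellon SP keypair and metadata, stage them with the permissions the page asks
# for (private key readable only by root), and report how long the current SP
# certificate has left so the IST paperwork can be started in time.
# Assumptions: mellon_create_metadata (from libapache2-mod-auth-mellon) and
# openssl are on PATH; the pending/ directory and WARN_DAYS are our choices.
set -eu

ENTITY_ID="https://csclub.uwaterloo.ca"
ENDPOINT="https://csclub.uwaterloo.ca/saml"
SAML_DIR="/etc/apache2/saml"
WARN_DAYS=60

# mellon_create_metadata names its output files after the entity ID with every
# character other than a letter or '.' replaced by '_' and runs of '_' collapsed,
# so https://csclub.uwaterloo.ca becomes https_csclub.uwaterloo.ca.{key,cert,xml}.
# (Assumed naming rule; check against the files the tool writes.)
mellon_basename() {
    printf '%s' "$1" | sed -e 's/[^A-Za-z.]/_/g' -e 's/__*/_/g'
}

# Generate a fresh keypair + SP metadata in a scratch directory and stage it
# under $SAML_DIR/pending: key 0600 root-only, cert and metadata world-readable.
# The IdP only accepts the new key after IST has registered the new metadata,
# so the live files are left untouched until that has happened.
regen_sp_files() {
    base=$(mellon_basename "$ENTITY_ID")
    pending="$SAML_DIR/pending"
    tmp=$(mktemp -d)
    (cd "$tmp" && mellon_create_metadata "$ENTITY_ID" "$ENDPOINT")
    install -d -m 0755 "$pending"
    install -o root -g root -m 0600 "$tmp/$base.key"  "$pending/$base.key"
    install -o root -g root -m 0644 "$tmp/$base.cert" "$pending/$base.cert"
    install -o root -g root -m 0644 "$tmp/$base.xml"  "$pending/$base.xml"
    rm -rf "$tmp"
    echo "new SP files staged in $pending; submit $base.xml to IST via the advisor," \
         "then move the three files into $SAML_DIR and reload apache2"
}

# Print the live SP certificate's expiry and return non-zero if it expires
# within WARN_DAYS (openssl's -checkend takes seconds).
check_sp_cert() {
    cert="$SAML_DIR/$(mellon_basename "$ENTITY_ID").cert"
    openssl x509 -in "$cert" -noout -enddate
    if ! openssl x509 -in "$cert" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "WARNING: $cert expires within $WARN_DAYS days; start the IST paperwork now" >&2
        return 1
    fi
}

case "${1:-}" in
    regen) regen_sp_files ;;
    check) check_sp_cert ;;
    "")    ;;   # no action requested (e.g. sourced for its functions)
    *)     echo "usage: $0 regen|check" >&2; exit 2 ;;
esac
```

Run `./saml-sp.sh check` from cron so the warning lands well before expiry, and `./saml-sp.sh regen` as root on caffeine when it does; only switch the paths in /etc/apache2/sites-real/csc to the new files (and copy them to xylitol) once IST confirms the new metadata is registered.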