From f2f3f509524165842bdac875e1bd82657f83e849 Mon Sep 17 00:00:00 2001 From: Jen Malloy Date: Wed, 29 Mar 2017 16:44:21 -0400 Subject: [PATCH] fixed RHSSO-913, added code syntax where possible --- .../topics/saml/mod-auth-mellon.adoc | 58 +++++++++++++------ 1 file changed, 39 insertions(+), 19 deletions(-) diff --git a/securing_apps/topics/saml/mod-auth-mellon.adoc b/securing_apps/topics/saml/mod-auth-mellon.adoc index c3bf05d22f..8b7321a603 100644 --- a/securing_apps/topics/saml/mod-auth-mellon.adoc +++ b/securing_apps/topics/saml/mod-auth-mellon.adoc @@ -59,6 +59,8 @@ To configure the Mellon service provider, complete the following steps: . Create the file /etc/httpd/conf.d/mellon.conf with this content: +[source,xml] +---- MellonEnable info MellonEndpointPath /mellon/ @@ -67,14 +69,14 @@ To configure the Mellon service provider, complete the following steps: MellonSPCertFile /etc/httpd/saml2/mellon.crt MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml - AuthType Mellon MellonEnable auth Require valid-user +---- -Note: Some of the files referenced in the code above are created in later steps. +NOTE: Some of the files referenced in the code above are created in later steps. ===== Creating the Service Provider Metadata 
@@ -100,21 +102,30 @@ SAML IdPs and SPs identify themselves using a unique name known as an EntityID. To create the SP metadata, complete the following steps: . Create a few helper shell variables: - - fqdn=`hostname` - mellon_endpoint_url="https://${fqdn}/mellon" - mellon_entity_id="${mellon_endpoint_url}/metadata" - file_prefix="$(echo "$mellon_entity_id" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')" ++ +[source] +---- +fqdn=`hostname` +mellon_endpoint_url="https://${fqdn}/mellon" +mellon_entity_id="${mellon_endpoint_url}/metadata" +file_prefix="$(echo "$mellon_entity_id" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')" +---- . Invoke the Mellon metadata creation tool by running this command: + - /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh $mellon_entity_id $mellon_endpoint_url +[source] +---- +/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh $mellon_entity_id $mellon_endpoint_url +---- . Move the generated files to their destination (referenced in the /etc/httpd/conf.d/mellon.conf file created above): + - mv ${file_prefix}.cert /etc/httpd/saml2/mellon.crt - mv ${file_prefix}.key /etc/httpd/saml2/mellon.key - mv ${file_prefix}.xml /etc/httpd/saml2/mellon_metadata.xml +[source] +---- +mv ${file_prefix}.cert /etc/httpd/saml2/mellon.crt +mv ${file_prefix}.key /etc/httpd/saml2/mellon.key +mv ${file_prefix}.xml /etc/httpd/saml2/mellon_metadata.xml +---- ===== Adding the Mellon Service Provider to the {{book.project.name}} Identity Provider 
@@ -176,20 +187,29 @@ The remaining steps are performed on $sp_host. Now that you have created the realm on the IdP you need to retrieve the IdP metadata associated with it so the Mellon SP recognizes it. In the /etc/httpd/conf.d/mellon.conf file created previously, the MellonIdPMetadataFile is specified as /etc/httpd/saml2/idp_metadata.xml but until now that file has not existed on $sp_host. To get that file we will retrieve it from the IdP. . Retrieve the file from the IdP by substituting $idp_host with the correct value: - - curl -k -o /etc/httpd/saml2/idp_metadata.xml \ - https://$idp_host/auth/realms/test_realm/protocol/saml/descriptor ++ +[source] +---- +curl -k -o /etc/httpd/saml2/idp_metadata.xml \ +https://$idp_host/auth/realms/test_realm/protocol/saml/descriptor +---- + Mellon is now fully configured. . To run a syntax check for Apache configuration files: - - apachectl configtest + -Note: configtest is equivalent to the -t argument to apachectl. If the configuration test shows any errors, correct them before proceeding. +[source] +---- +apachectl configtest +---- ++ +NOTE: Configtest is equivalent to the -t argument to apachectl. If the configuration test shows any errors, correct them before proceeding. . Restart the Apache server: - - systemctl restart httpd.service ++ +[source] +---- +systemctl restart httpd.service +---- You have now set up both {{book.project.name}} as a SAML IdP in the test_realm and mod_auth_mellon as SAML SP protecting the URL $sp_host/protected (and everything beneath it) by authenticating against the ``$idp_host`` IdP.
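Review bot: the `[source,xml]` listing added in the first hunk (`@@ -59,6`) is attached to the list item `. Create the file /etc/httpd/conf.d/mellon.conf with this content:` without a `+` list-continuation line, unlike the listings in the later hunks, which are introduced with `++` (diff marker plus AsciiDoc `+`); without it the listing renders outside the numbered list and the step numbering restarts after it. Add a `+` line before `[source,xml]`. Also, `mellon.conf` is Apache httpd configuration rather than XML, so the `xml` label will mis-highlight directives such as `MellonEnable info` and `Require valid-user`; plain `[source]`, as used in the other hunks, or `[source,apache]` fits better. The `Note:` to `NOTE:` change is correct, since only the uppercase form renders as an admonition.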
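Review bot: in the second hunk (`@@ -100,21`), `fqdn=\`hostname\`` uses legacy backtick substitution while the `file_prefix=` line two lines below uses `$(...)`; `fqdn=$(hostname)` keeps the listing consistent and safer to copy. The step that runs `mv ${file_prefix}.key /etc/httpd/saml2/mellon.key` moves the service provider's private key into place with whatever mode `mellon_create_metadata.sh` gave it, and the surrounding text already explains where the files are referenced, so a sentence asking the reader to confirm the key is not world-readable belongs here. Minor: these listings are bare `[source]` while the first hunk uses `[source,xml]`; a `bash` label would give the shell blocks consistent highlighting.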
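Review bot: `curl -k -o /etc/httpd/saml2/idp_metadata.xml` in the third hunk (`@@ -176,20`) disables TLS certificate verification while fetching the IdP metadata, and that metadata is what tells Mellon which IdP to trust, yet the step presents `-k` without comment. Add a NOTE that `-k` is only acceptable for a test realm with a self-signed IdP certificate and that otherwise the IdP certificate should be verified (drop `-k`, or supply the CA with `--cacert`), or the downloaded `idp_metadata.xml` should be confirmed with the IdP administrator by another channel. Two smaller points: the continuation line `+https://$idp_host/auth/realms/test_realm/protocol/saml/descriptor` lost its indentation inside the listing, so the rendered command no longer reads as one line continued after the `\`; and `NOTE: Configtest is equivalent to the -t argument to apachectl` capitalises a literal subcommand that the removed `Note:` line kept lowercase; keep `configtest` lowercase (ideally in backticks) since it is typed exactly as shown.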