libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-14105 Document setting SameSite to None for mod_auth_mellon

Browse source
This commit is contained in:
mhajas 2020-06-11 11:06:11 +02:00 committed by Bruno Oliveira da Silva
parent a3004ea2c2
commit 8659b670ab
1 changed files with 20 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
securing_apps/topics/saml/mod-auth-mellon.adoc
View file

@ -2,7 +2,7 @@
=== mod_auth_mellon Apache HTTPD Module === mod_auth_mellon Apache HTTPD Module
The https://github.com/UNINETT/mod_auth_mellon[mod_auth_mellon] module is an Apache HTTPD plugin for SAML. If your language/environment supports using Apache HTTPD as a proxy, then you can use mod_auth_mellon to secure your web application with SAML. For more details on this module see the _mod_auth_mellon_ GitHub repo. The https://github.com/latchset/mod_auth_mellon[mod_auth_mellon] module is an Apache HTTPD plugin for SAML. If your language/environment supports using Apache HTTPD as a proxy, then you can use mod_auth_mellon to secure your web application with SAML. For more details on this module see the _mod_auth_mellon_ GitHub repo.
To configure mod_auth_mellon you'll need: To configure mod_auth_mellon you'll need:
@ -91,6 +91,25 @@ To configure the Mellon service provider, complete the following steps:
NOTE: Some of the files referenced in the code above are created in later steps. NOTE: Some of the files referenced in the code above are created in later steps.
==== Setting the SameSite value for the cookie used by mod_auth_mellon
Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means
that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect
the SAML POST binding which may become non-functional. To preserve full functionality of the _mod_auth_mellon_ module,
we recommend setting the `SameSite` value to `None` for the cookie created by _mod_auth_mellon_. Not doing so may result
in an inability to login using {project_name}.
To set the `SameSite` value to `None`, add the following configuration to `<Location / >` tag within your `mellon.conf`
file.
[source,xml]
----
MellonSecureCookie On
MellonCookieSameSite none
----
The support for this configuration is available in the _mod_auth_mellon_ module from version 0.16.0.
===== Creating the Service Provider Metadata ===== Creating the Service Provider Metadata
In SAML IdPs and SPs exchange SAML metadata, which is in XML format. The schema for the metadata is a standard, thus assuring participating SAML entities can consume each other's metadata. You need: In SAML IdPs and SPs exchange SAML metadata, which is in XML format. The schema for the metadata is a standard, thus assuring participating SAML entities can consume each other's metadata. You need: