Apache mod_mellon basic installation and configuration on Ubuntu

28 November 20154 November 2023

If you need to install a SAML Single sign-on authentication system you can use the Mellon module.
The following guide refers to an installation on Ubuntu Server environment with Apache as Web server.

Apache mod_mellon basic installation and configuration on Ubuntu

apache_modmellon

You can use two ways to install the Mellon module in Apache, APT-GET or via source:

Installation via git/source

Download it from https://github.com/UNINETT/mod_auth_mellon

sudo apt-get update
sudo apt-get upgrade

#### INSTALLA DIPEDENZE
sudo apt-get install build-essential liblasso3 liblasso3-dev apache2-dev libcurl4-openssl-dev pkg-config

#### SCARIDA ED INSTALLA IL MODULO auth mellon.
wget https://github.com/UNINETT/mod_auth_mellon/archive/master.zip
tar xvfz master.zip
cd master
autoconf
./configure

#### SE SI RISCONTRANO ERRORI DURANTE L'INSTALLAZIONE, ESEGUI IL FILE autoreconf.sh
make
sudo make install

# CREA IL MODULO PER UBUNTU.
sudo vi /etc/apache2/mods-available/mod_auth_mellon.load

# AGGIUNGI QUESTA RIGA DENTRO IL FILE.
LoadModule auth_mellon_module /usr/lib/apache2/modules/mod_auth_mellon.so

# ABILITA MELLON
apxs2 -q LIBEXECDIR
sudo a2enmod mod_auth_mellon

Installation via apt-get


### INSTALLAZIONE DEL MODULO MELLON
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install libapache2-mod-auth-mellon -y

### ABILITA MELLON
apxs2 -q LIBEXECDIR
sudo a2enmod mod__auth_mellon

Module configuration

Edit or create if it does not exist, the file in/etc/apache2/mods-available/mod_auth_mellon.conf


###########################################################################
# Global configuration for mod_auth_mellon. This configuration is shared by
# every virtual server and location in this instance of apache.
###########################################################################
 
# MellonCacheSize sets the maximum number of sessions which can be active
# at once. When mod_auth_mellon reaches this limit, it will begin removing
# the least recently used sessions. The server must be restarted before any
# changes to this option takes effect.
# Default: MellonCacheSize 100
MellonCacheSize 100
 
# MellonCacheEntrySize sets the maximum size for a single session entry in
# bytes. When mod_auth_mellon reaches this limit, it cannot store any more
# data in the session and will return an error. The minimum entry size is
# 65536 bytes, values lower than that will be ignored and the minimum will
# be used.
# Default: MellonCacheEntrySize 196608
 
# MellonLockFile is the full path to a file used for synchronizing access
# to the session data. The path should only be used by one instance of
# apache at a time. The server must be restarted before any changes to this
# option takes effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"
 
# MellonPostDirectory is the full path of a directory where POST requests
# are saved during authentication. This directory must writeable by the
# Apache user. It should not be writeable (or readable) by other users.
# Default: None
# Example: MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"
 
# MellonPostTTL is the delay in seconds before a saved POST request can
# be flushed.
# Default: MellonPostTTL 900 (15 mn)
MellonPostTTL 900
 
# MellonPostSize is the maximum size for saved POST requests
# Default: MellonPostSize 1073741824 (1 GB)
MellonPostSize 1073741824
 
# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100
 
###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################

Web configuration

Edit or create if it does not exist, the file /etc/apache2/conf-available/mellon.conf


    # www.garanet.net
    # Questo configurazione é server-wide, aggiunge informazioni dalla sessione di Mellon in tutte le richieste.


    # Add information from the mod_auth_mellon session to the request.
    MellonEnable "auth"
 
    # Configure the SP metadata
    # This should be the files which were created when creating SP metadata.
    MellonSPPrivateKeyFile /etc/apache2/mellon/http_MY_PRIVATE_KEY_DOMAIN.key
    MellonSPCertFile /etc/apache2/mellon/http_MY_PRIVATE_KEY_DOMAIN.cert
    MellonSPMetadataFile /etc/apache2/mellon/http_MY_PRIVATE_KEY_DOMAIN.xml
 
    # IdP metadata. This should be the metadata file you got from the IdP.
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
  
    # MellonUser selects which attribute we should use for the username.
    MellonUser "uid"
    MellonSessionDump On
    MellonVariable "cookie"
 
    # MellonSecureCookie enforces the HttpOnly and secure flags
    # for the mod_mellon cookie
    # Default: Off
    MellonSecureCookie On
    MellonCookiePath /
 
    # MellonCookieDomain allows to specify of the cookie which auth_mellon will set
    # Default: the domain for the received request (the Host: header if
    # present, of the ServerName of the VirtualHost declaration, or if
    # absent a reverse resolution on the local IP)
    MellonCookieDomain MY_DOMAIN.com
 
    # The location all endpoints should be located under.
    # It is the URL to this location that is used as the second parameter to the metadata generation script.
    # This path is relative to the root of the web server.
    MellonEndpointPath /URL-PATH-LOGIN/secret

Creating the SAML 2.0 metadata

Downloda it : 
wget http://modmellon.googlecode.com/svn/trunk/mod_mellon2/mellon_create_metadata.sh

The script needs two options:

     An entity ID, which identifies your service.
     The base URL for the endpoints for mod_mellon.

Example:

mellon_create_metadata.sh https://sp.example.org/myEntityIDhttps://sp.example.org/mellon

We will create these three files:
  * A .key-file, which contains the private key in PEM format. This file should be configured in MellonSPPrivateKeyFile.
  * A .cert-file, which contains the certificate in PEM format. This file should be configured in MellonSPCertFile.
  * An .xml-file, which contains the metadata file for the SP. This file should be configured in MellonSPMetadataFile.

You should save these files in some directory like: / etc / apache2 / mellon.
The files should have read privileges from the web-server.

Login Manual


Per testare il login manualmente, puoi usare il mod_mellon login endpoint.

  https://sp.example.org/mellon/login?ReturnTo=/index.html

Il parametro `ReturnTo` é l'URL che dovrebbe reindirizzare l'utente dopo il login.

Manual logout


Per testare il logout, hai bisogno di indirizzare l'utente al mod_mellon logout endpoint.

  https://sp.example.org/mellon/logout?ReturnTo=/logged_out.html

Il parametro `ReturnTo` é l'URL che dovrebbe reindirizzare l'utente dopo il logout.

Ricorda che l'utente dovrebbe essere logged out anche dall'IdP.
Per controllare questo,guarda se l'utente ha una sessione valida per ogni richiesta.
Questo puó essere fatto controllando se l'opzione MELLON_NAME_ID é configurata.

References:

https://modmellon.googlecode.com/svn-history/r160/wiki/GenericSetup.wiki
https://github.com/UNINETT/mod_auth_mellon