
Single Sign-On (SSO): OpenAM + mod_auth_mellon

This post is intended for beginners who are just getting acquainted with SSO. There is not much documentation on the OpenAM + mod_auth_mellon combination on the Internet, especially in Russian.
For a quick start I will use Docker images. For user authentication I will look at the mod_auth_mellon module, but other methods can be used as well, for example Policy Agent or OpenIG.

Theory


Single Sign-On (SSO) is a technology that lets a user move from one section of a portal to another without authenticating again.
OpenAM (Access Management) is the identity provider (IdP): it performs user authentication.
mod_auth_mellon is an Apache module that authenticates the user via the IdP (OpenAM).

Setup


Add the domains for OpenAM and the test applications to /etc/hosts:

127.0.0.1 openam.example.com fake.mellon.app.one fake.mellon.app.two 

Run OpenAM:
 docker run -d -t -p 8080:8080 --add-host "openam.example.com:127.0.0.1" wstrange/openam-base-nightly 

Start the test applications:

 git clone git@bitbucket.org:agobzhelyan/openam_mellon.git
 cd openam_mellon


 docker build -t fake_mellon_app_one fake_app_1
 docker run -d -p 8091:80 --name fake_mellon_app_one fake_mellon_app_one


 docker build -t fake_mellon_app_two fake_app_2
 docker run -d -p 8092:80 --name fake_mellon_app_two fake_mellon_app_two


Configure OpenAM. A Docker image could have been built so that this does not have to be done by hand, but I think it is better to go through these simple steps yourself to understand better how it works:

- open http://openam.example.com:8080/openam/ ;
- click Create Default Configuration;
- set the password for amAdmin to secret12 and for UrlAccessAgent to secret123;
- go to Home (amAdmin / secret12), then Federation, and add a new Circle of Trust named TestCOT;
- go to the Create Identity Provider page: http://openam.example.com:8080/openam/task/CreateHostedIDP . Change the Signing Key to test, click Configure, then Finish;
- go to the Create Remote Service Provider page: http://openam.example.com:8080/openam/task/CreateRemoteSP . Choose File and upload fake_app_1/mellon/fake_mellon_app_one.xml, making sure that TestCOT is selected as the COT;
- do the same for fake_mellon_app_two.xml.

Configuring mod_auth_mellon. Here it is best to read https://github.com/UNINETT/mod_auth_mellon and look at the example implementation in the test applications: https://bitbucket.org/agobzhelyan/openam_mellon/src .
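To make the SP side concrete, here is an added example of an Apache vhost for the first test application; it is written for this post and is not the configuration from the openam_mellon repository. The file names under /etc/apache2/mellon/ and the OpenAM metadata export URL are assumptions; the SP metadata must be the same XML that was uploaded to OpenAM in the Create Remote Service Provider step.

```apache
# Constructed example vhost for fake.mellon.app.one (port 8091 is mapped to 80 in Docker).
# Paths under /etc/apache2/mellon/ are assumed, not taken from the repository.
<VirtualHost *:80>
    ServerName fake.mellon.app.one
    DocumentRoot /var/www/html

    # "info" mode for the whole site: the SP endpoints under /mellon
    # (metadata, AssertionConsumerService, logout) are served, nothing is protected yet.
    <Location />
        MellonEnable "info"
        MellonEndpointPath "/mellon"

        # SP key pair and metadata (e.g. produced with mellon_create_metadata.sh
        # from the mod_auth_mellon project). The entityID and endpoint URL in the
        # XML must match what OpenAM has for this remote SP, or the IdP will reject
        # the AuthnRequest / the SP will reject the Response.
        MellonSPPrivateKeyFile /etc/apache2/mellon/fake_mellon_app_one.key
        MellonSPCertFile       /etc/apache2/mellon/fake_mellon_app_one.cert
        MellonSPMetadataFile   /etc/apache2/mellon/fake_mellon_app_one.xml

        # Hosted IdP metadata exported from OpenAM (assumed export endpoint:
        # http://openam.example.com:8080/openam/saml2/jsp/exportmetadata.jsp).
        # mod_auth_mellon verifies assertion signatures against the certificate
        # inside it, so fetch it from the IdP you configured, over a trusted channel.
        MellonIdPMetadataFile  /etc/apache2/mellon/openam_idp.xml

        # Which SAML attribute becomes REMOTE_USER. NAME_ID is the default; with
        # OpenAM's default transient NameID it changes per session, so map a real
        # attribute here if the application needs a stable user identity.
        MellonUser "NAME_ID"

        # Cookie hardening: "On" sets Secure + HttpOnly, and Secure means the
        # browser only sends the cookie over HTTPS. This Docker demo is plain HTTP,
        # so it stays Off here; switch it On as soon as TLS is in front of Apache.
        MellonSecureCookie Off
        # Session lifetime in seconds (default is 86400); keep it short for demos.
        MellonSessionLength 3600
    </Location>

    # Only /backend requires a valid SSO session; everything else stays public.
    <Location /backend>
        AuthType "Mellon"
        MellonEnable "auth"
        Require valid-user
    </Location>
</VirtualHost>
```

With this in place, a first request to /backend is redirected to OpenAM, and the returned assertion is accepted only if it is signed by the certificate in openam_idp.xml and addressed to this SP's entityID.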

Testing


- log out of the admin panel http://openam.example.com:8080/openam/ and open application 1: http://fake.mellon.app.one:8091/ ;
- click the backend link;
- we are redirected to the login page; enter demo / changeit;
- after that we are returned to the requested (protected) page;
- open application 2, http://fake.mellon.app.two:8092/backend/ , and note that we are already logged in there.

Conclusion


As you can see, everything is simple, but getting to know a new technology takes a lot of time. I hope the time spent writing this post was not wasted and that it will be useful to someone. Those who have experience with this technology, please share it in the comments.


Source: https://habr.com/ru/post/254503/
