SafeNet Trusted Access for Apache HTTP Server

Overview

Configuring SafeNet Trusted Access for Apache HTTP Server is a three-step process:

1. Apache HTTP Server setup

2. SafeNet Trusted Access setup

3. Verify authentication

Apache HTTP Server Setup

As prerequisites:

Install Apache HTTP Server 2.2.15 on CentOS 6.8.

Set up a web page (for example, https://example.com/apache/apache_test_page.html) on Apache HTTP Server.

Download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Apache HTTP Server:

1. Log in to Apache HTTP Server as a root user and enter the following commands to install the Shibboleth server:

a. cd /etc/yum.repos.d

b. wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/security:shibboleth.repo

c. yum install -y shibboleth

2. Open the shib.conf file using the following command:

vi /etc/httpd/conf.d/shib.conf

3. Search for LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so and, in the next line, add UseCanonicalName On.

4. Search for the <Location /secure> tag and perform the following steps:

a. Replace /secure with the location of the web page (including the file name) to which you want to apply SAML authentication.

For example, <Location /apache/apache_test_page.html>

b. Replace require shib-session, in the line just before </Location>, with require valid-user.

5. Save and then close the shib.conf file.

6. Open the config file using the following command:

vi /etc/selinux/config

7. Replace SELINUX=enforcing with SELINUX=permissive.

8. Save and then close the config file.

9. Enter the following command:

setenforce 0

10. Open the attribute-map.xml file using the following command:

vi /etc/shibboleth/attribute-map.xml

11. Search for the following content:

<!-- Fourth, the SAML 2.0 NameID Format: -->

<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="">

12. In the search result, replace id="" with id="sasuid".

13. Save and then close the attribute-map.xml file.

14. Open the shibboleth2.xml file using the following command:

vi /etc/shibboleth/shibboleth2.xml

15. Perform the following steps:

a. Search for the ApplicationDefaults tag and replace entityID with https://<DNS or IP of the apache server>/shibboleth.

For example, <ApplicationDefaults entityID="https://gemex2.com/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">

b. Search for the SSO tag and replace entityID with the value from the EntityDescriptor tag available in the Identity Provider metadata that you downloaded earlier from the SafeNet Trusted Access console.

For example, <SSO entityID="<Your SafeNet IDP Issuer/Entity ID URL>">

c. Search for the MetadataProvider tag and uncomment it.

For example, <MetadataProvider type="XML" validate="true" file="partner-Metadata.xml"/>

Note: partner-Metadata.xml is the Identity Provider metadata that you downloaded earlier from the SafeNet Trusted Access console.

d. Copy the Identity Provider metadata (for example, partner-Metadata.xml) to the /etc/shibboleth location:

cp </root/desktop> </etc/shibboleth>

where </root/desktop> is the source path where the Identity Provider metadata is saved and </etc/shibboleth> is the destination path.

16. Save and then close the shibboleth2.xml file.

17. Enter the following commands to restart the Apache and Shibboleth services:

service httpd restart

service shibd restart
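The shib.conf, attribute-map.xml and shibboleth2.xml edits in steps 3 to 15 are easy to get half-done by hand (a missed require line leaves the page open to any session, a wrong entityID makes the IdP reject the SP), so the following script applies them with sed and then checks that every edit actually landed before the services are restarted. It is an added example, not code from the SafeNet help page or from the Shibboleth project; the function names, the "apply" argument convention and the variable names are this example's own, the file paths are the ones the page names, and it assumes the commented-out MetadataProvider sits on a single line as the page shows it. The SELinux change in steps 6 to 9 is deliberately not scripted and is left to be done by hand as the page describes.

```shell
#!/bin/sh
# Added example (not from the SafeNet help page or the Shibboleth project):
# applies the shib.conf, attribute-map.xml and shibboleth2.xml edits from
# steps 3 to 15 with sed and verifies each edit before restarting services.
set -eu

# Steps 3 and 4: UseCanonicalName after the LoadModule line, the protected
# Location, and "require valid-user" in place of "require shib-session".
configure_shib_conf() {
    f="$1"; secure_path="$2"
    sed -e '/^LoadModule mod_shib /a\
UseCanonicalName On' \
        -e "s#<Location /secure>#<Location ${secure_path}>#" \
        -e 's/require shib-session/require valid-user/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 12: give the persistent NameID format the id "sasuid".
configure_attribute_map() {
    f="$1"
    sed -e '/nameid-format:persistent/s/id=""/id="sasuid"/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 15: SP entityID, IdP entityID, and the MetadataProvider line.
# Assumption: the commented-out MetadataProvider is on one line, as on the
# page; a multi-line comment block still needs a manual edit.
configure_shibboleth2() {
    f="$1"; sp_entity="$2"; idp_entity="$3"; metadata_file="$4"
    sed -e "/<ApplicationDefaults /s#entityID=\"[^\"]*\"#entityID=\"${sp_entity}\"#" \
        -e "/<SSO /s#entityID=\"[^\"]*\"#entityID=\"${idp_entity}\"#" \
        -e 's#<!--[[:space:]]*\(<MetadataProvider [^>]*/>\)[[:space:]]*-->#\1#' \
        -e "/<MetadataProvider /s#file=\"[^\"]*\"#file=\"${metadata_file}\"#" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Returns 0 only if every edit is present and the IdP metadata file that
# shibboleth2.xml points at really exists next to it (step 15d).
verify_config() {
    conf_dir="$1"; shib_dir="$2"
    grep -q '^UseCanonicalName On' "$conf_dir/shib.conf" || return 1
    grep -q 'require valid-user' "$conf_dir/shib.conf" || return 1
    grep -q 'require shib-session' "$conf_dir/shib.conf" && return 1
    grep -q 'nameid-format:persistent" id="sasuid"' "$shib_dir/attribute-map.xml" || return 1
    grep -q '^[[:space:]]*<MetadataProvider type="XML"' "$shib_dir/shibboleth2.xml" || return 1
    meta=$(sed -n 's/.*<MetadataProvider [^>]*file="\([^"]*\)".*/\1/p' "$shib_dir/shibboleth2.xml" | head -n 1)
    [ -n "$meta" ] && [ -f "$shib_dir/$meta" ]
}

# Usage on the server (hypothetical convention of this example):
#   sh configure_shib.sh apply <sp-host> <secure-path> <idp-entityID> <idp-metadata.xml>
if [ "${1:-}" = "apply" ]; then
    configure_shib_conf /etc/httpd/conf.d/shib.conf "$3"
    configure_attribute_map /etc/shibboleth/attribute-map.xml
    cp "$5" /etc/shibboleth/
    configure_shibboleth2 /etc/shibboleth/shibboleth2.xml \
        "https://$2/shibboleth" "$4" "$(basename "$5")"
    verify_config /etc/httpd/conf.d /etc/shibboleth
    service httpd restart && service shibd restart
fi
```

Because verify_config fails closed, a partial edit (for example the stale require shib-session line surviving next to the new require valid-user) stops the script before httpd and shibd are restarted, which is the moment a misconfigured Location would otherwise go live.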

Obtaining Metadata

Choose either of the following options to download the Apache HTTP Server metadata:

If the Apache websites are hosted on HTTPS, navigate to the https://<DNS or IP of Apache Server>/Shibboleth.sso/Metadata URL.

If the Apache websites are hosted on HTTP, navigate to the http://<DNS or IP of Apache Server>/Shibboleth.sso/Metadata URL.

The metadata gets downloaded automatically. Save it on your local machine with the .xml extension (for example, metadata.xml).

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Apache HTTP Server, the second step is to activate the Apache HTTP Server application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, you will notice that the Apache HTTP Server application that you added previously is in an inactive state by default. To configure and activate this application, click the application (for example, Apache HTTP Server) and proceed to the next step.

2. Under Advanced Settings, in the IDP INITIATED SSO RELAY STATE field, enter the relay state value if your application requires a unique relay state. The relay state is an Apache HTTP Server hosted web page URL to which you will be redirected after successful login.

For the remaining fields, modify the default values as per your preferred configuration.

3. Under STA Setup, perform the following steps:

a. Complete the following fields using the Apache HTTP Server metadata that you downloaded earlier in Obtaining Metadata:

Field: ENTITY ID
Value to be set: Enter the entityID that exists in the EntityDescriptor tag.
For example, <md:EntityDescriptor entityID="https://gemex2.com/shibboleth" ID="_5642ea8cc109bd04e37b4dfe0624015e73720888" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

Field: ASSERTION CONSUMER SERVICE
Value to be set: Enter the Location URL that exists in the AssertionConsumerService tag.
For example, <md:AssertionConsumerService Location="https://gemex2.com/Shibboleth.sso/SAML2/POST" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1"/>

Field: SINGLE LOGOUT SERVICE
Value to be set: Enter the Location URL that exists in the SingleLogoutService tag.
For example, <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gemex2.com/Shibboleth.sso/SLO/POST"/>

b. In the NAME ID field, ensure that SAS User ID is selected, as required by the Apache HTTP Server.

4. Click Save Configuration to save the details and activate the Apache HTTP Server application in SafeNet Trusted Access.
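The SP metadata fetched in Obtaining Metadata lists several AssertionConsumerService and SingleLogoutService endpoints (SOAP, HTTP-Redirect, HTTP-Artifact, HTTP-POST-SimpleSign as well as HTTP-POST), and only the HTTP-POST ones belong in the STA Setup fields above. The following script, an added example that is not from the SafeNet help page or the Shibboleth project, extracts the three values the table asks for from a saved metadata.xml and checks that the entityID in the metadata is the same one declared in the ApplicationDefaults tag of shibboleth2.xml. The function names are this example's own, the sample metadata it writes is constructed for the example (modelled on what the Shibboleth SP serves, using the page's gemex2.com host), and it assumes each md:* element sits on its own line, as the SP generator emits them.

```shell
#!/bin/sh
# Added example (not from the SafeNet help page or the Shibboleth project):
# pulls ENTITY ID, ASSERTION CONSUMER SERVICE and SINGLE LOGOUT SERVICE out of
# the SP metadata saved from /Shibboleth.sso/Metadata. Assumes one md:*
# element per line, which is how the Shibboleth SP emits its metadata.
set -eu

# Print the first value of attribute $2 found on lines matching regex $1 in file $3.
attr_of() {
    pattern="$1"; attr="$2"; file="$3"
    sed -n "/${pattern}/s/.*[[:space:]]${attr}=\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

sp_entity_id() { attr_of '<md:EntityDescriptor' entityID "$1"; }
# STA expects the HTTP-POST endpoints. The trailing quote in the pattern keeps
# HTTP-POST-SimpleSign from matching.
sp_acs_post()  { attr_of '<md:AssertionConsumerService .*HTTP-POST"' Location "$1"; }
sp_slo_post()  { attr_of '<md:SingleLogoutService .*HTTP-POST"' Location "$1"; }

# The entityID in the metadata must equal the ApplicationDefaults entityID in
# shibboleth2.xml (step 15a); otherwise the IdP addresses assertions to an SP
# that the server does not claim to be.
check_entity_id_matches() {
    meta="$1"; shib2="$2"
    [ "$(sp_entity_id "$meta")" = "$(attr_of '<ApplicationDefaults' entityID "$shib2")" ]
}

# The three values to paste into the STA Setup fields.
sta_values() {
    printf 'ENTITY ID: %s\nASSERTION CONSUMER SERVICE: %s\nSINGLE LOGOUT SERVICE: %s\n' \
        "$(sp_entity_id "$1")" "$(sp_acs_post "$1")" "$(sp_slo_post "$1")"
}

# Constructed sample metadata for a stand-alone run; real input is the file
# saved from https://<DNS or IP of Apache Server>/Shibboleth.sso/Metadata.
write_sample_metadata() {
    cat > "$1" <<'EOF'
<md:EntityDescriptor entityID="https://gemex2.com/shibboleth" ID="_constructed-sample" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://gemex2.com/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gemex2.com/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gemex2.com/Shibboleth.sso/SLO/POST"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gemex2.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gemex2.com/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://gemex2.com/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Usage: sh sta_values.sh metadata.xml  (no argument runs on the constructed sample)
if [ -n "${1:-}" ]; then
    sta_values "$1"
else
    sample="${TMPDIR:-/tmp}/sta-sample-metadata.xml"
    write_sample_metadata "$sample"
    sta_values "$sample"
fi
```

Run against the real metadata.xml, the printed lines are exactly what goes into the ENTITY ID, ASSERTION CONSUMER SERVICE and SINGLE LOGOUT SERVICE fields; check_entity_id_matches is worth running whenever the ApplicationDefaults entityID in shibboleth2.xml is changed, since the SP regenerates its metadata from that value.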

Verify Authentication

Using STA Console

Navigate to the Apache HTTP Server URL, https://<IP or DNS of the Apache Server>/<Secure Path>, where <Secure Path> is the name of your organization that you registered in Apache HTTP Server. You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Apache HTTP Server hosted web page after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Apache HTTP Server application icon; you should be redirected to the Apache HTTP Server hosted web page after authentication.

© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.