
Sharing a worked example: Apache integrated with ADFS for single sign-on.
Apache is integrated with ADFS through an Apache module called mellon (mod_auth_mellon). Installation is simple:
yum -y install mod_auth_mellon. Once it is installed, a helper script generates the files used for the ADFS integration (the SP key, certificate and metadata). The command is:
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh urn:hrrt501:hrrt501.dc.dianrong.com/auth1 "https://hrrt501.dc.dianrong.com/auth1/endpoint"
Adding the relying party in ADFS
Download the XML file to the ADFS server and use it to create the relying party trust. The steps are as follows:
Select "SHA-1" as the secure hash algorithm
How to configure it: double-click test, choose "Advanced", open the "Secure hash algorithm" drop-down and select SHA-1
Edit the claim rules:
Select "test", click "Edit Claim Rules", then add a rule
1. Add a "Transform an Incoming Claim" rule
The configuration is as shown in the figure:
Claim rule name: no special requirement, but it must be set
Incoming claim type: Windows account name
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier
2. Add a "Send LDAP Attributes as Claims" rule
The configuration is as follows:
Claim rule name: no special requirement, but it must be set
Attribute store: Active Directory
Mapping of LDAP attributes to outgoing claim types: (define these according to your own business requirements)
This completes the relying party on the ADFS side.
Adding the relying party on the application side
Download the ADFS federation metadata file for the relying party:
https://adfstest502.adtest.dianrong.com/federationmetadata/2007-06/federationmetadata.xml
Below is the Apache configuration:
<VirtualHost *:80>
    ServerName hrrt501.dc.dianrong.com
    DocumentRoot "/var/www/html"
    # Send all plain-HTTP traffic to the HTTPS site
    Redirect permanent / https://hrrt501.dc.dianrong.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName hrrt501.dc.dianrong.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/hrrt501.dc.dianrong.com-error.log
    CustomLog /var/log/httpd/hrrt501.dc.dianrong.com-access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5
    #SSLCertificateFile /etc/pki/tls/certs/dianrong.com.crt
    SSLCertificateFile /etc/pki/tls/certs/hrrt501.dc.dianrong.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/hrrt501.dc.dianrong.com.key
    SSLCACertificateFile /etc/pki/tls/certs/dianrong.ca-chain.cert.pem
    #SSLVerifyClient require
    #SSLVerifyDepth 10
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Only /auth1 is protected by Mellon; the rest of the site stays public
    <Location /auth1>
        DirectoryIndex index.html
        Require all granted
        MellonEnable "auth"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "cookie"
        #MellonSamlResponseDump On
        # SP key, certificate and metadata produced by mellon_create_metadata.sh
        MellonSPPrivateKeyFile /etc/httpd/mellon/urn_hrrt_hrrt_.dc.dianrong.com_auth_.key
        MellonSPCertFile /etc/httpd/mellon/urn_hrrt_hrrt_.dc.dianrong.com_auth_.cert
        MellonSPMetadataFile /etc/httpd/mellon/urn_hrrt_hrrt_.dc.dianrong.com_auth_.xml
        # IdP metadata downloaded from ADFS
        MellonIdPMetadataFile /etc/httpd/mellon/federationmetadata.xml
        MellonMergeEnvVars On ":"
        # Must match the endpoint URL given to mellon_create_metadata.sh
        MellonEndpointPath "/auth1/endpoint"
        MellonSecureCookie On
        MellonSetEnv "e-mail" "mail"
        MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
        MellonEnvVarsIndexStart 1
        MellonEnvVarsSetCount On
        MellonSessionDump Off
        # MellonCond "groups" "WebAppUsers_grp" [REG,SUB,NC]
    </Location>
</VirtualHost>
Verification
Open https://hrrt501.dc.dianrong.com/
No redirect happens here; a simple page is displayed directly
Open https://hrrt501.dc.dianrong.com/auth1
This redirects to the adfstest502 login page
Enter a username and password to log in
Verification succeeded.
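As an added check (example code, not part of the original post or of mod_auth_mellon): before pointing MellonSPMetadataFile and MellonIdPMetadataFile at the two XML files, parse them and confirm that the SP entity ID matches what was registered as the ADFS relying party, that every SP endpoint sits under the HTTPS MellonEndpointPath URL, and that the IdP metadata carries a signing certificate and an HTTPS HTTP-Redirect sign-on endpoint. Both metadata documents below are constructed and abbreviated; the ADFS entity ID follows the ADFS default pattern (an assumption) and the certificate is a placeholder.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # SAML metadata namespace
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"   # binding URI prefix

# Constructed, abbreviated SP metadata in the shape mellon_create_metadata.sh emits; the
# logout endpoint is deliberately plain http so the check below has something to flag.
SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="urn:hrrt501:hrrt501.dc.dianrong.com/auth1">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionConsumerService index="0" isDefault="true" Binding="{b}HTTP-POST"
   Location="https://hrrt501.dc.dianrong.com/auth1/endpoint/postResponse"/>
  <SingleLogoutService Binding="{b}HTTP-Redirect"
   Location="http://hrrt501.dc.dianrong.com/auth1/endpoint/logout"/>
 </SPSSODescriptor></EntityDescriptor>""".format(b=BIND)

# Constructed stand-in for federationmetadata.xml (the real file is signed and far larger);
# the entityID is the assumed ADFS default pattern and the certificate is a placeholder.
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="http://adfstest502.adtest.dianrong.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="{b}HTTP-Redirect"
   Location="https://adfstest502.adtest.dianrong.com/adfs/ls/"/>
 </IDPSSODescriptor></EntityDescriptor>""".format(b=BIND)

def check_sp(xml_text, base_url, endpoint_path, entity_id):
    """Entity ID must match the ADFS relying party; every Location must sit under the HTTPS endpoint URL."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("entityID") != entity_id:
        findings.append("entityID mismatch: %s" % root.get("entityID"))
    prefix = base_url.rstrip("/") + endpoint_path.rstrip("/") + "/"
    for el in root.iter():
        loc = el.get("Location")
        if loc is not None and not loc.startswith(prefix):
            findings.append("%s outside endpoint path: %s" % (el.tag.replace(MD, ""), loc))
    return findings

def check_idp(xml_text, idp_host):
    """IdP must publish a signing cert and an HTTPS HTTP-Redirect SSO endpoint on idp_host."""
    root = ET.fromstring(xml_text)
    findings = []
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    if not [k for k in root.iter(MD + "KeyDescriptor") if k.get("use", "signing") == "signing"]:
        findings.append("no signing KeyDescriptor: mellon cannot verify responses")
    sso = [s.get("Location", "") for s in root.iter(MD + "SingleSignOnService")
           if s.get("Binding") == BIND + "HTTP-Redirect"]
    if not any(loc.startswith("https://" + idp_host + "/") for loc in sso):
        findings.append("no HTTPS HTTP-Redirect SingleSignOnService on " + idp_host)
    return findings
```

Run both checks against the real files (ET.parse on the paths from the Mellon directives) and only restart httpd when both return an empty list.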