I'm trying to set up SAML authentication to an internal Apache2 web server. I've set up a basic SAML app in Okta with Single sign on URL: http://192.168.14.130/ and Audience URI (SP Entity ID): http://192.168.14.130/okta. My one enabled Apache site is the default 000-default.conf with the following added to the beginning:

<Location />
  Require valid-user
  AuthType "Mellon"
  MellonEnable "auth"
  MellonDecoder "none"
  MellonVariable "cookie"
  MellonSecureCookie On
  MellonUser "NAME_ID"
  MellonSetEnv "e-mail" "mail"
  MellonEndpointPath "/endpoint"
  MellonDefaultLoginPath "/"
  MellonSessionLength 300
  MellonSPPrivateKeyFile /etc/apache2/mellon/http_192.168.14.130_okta.key
  MellonSPCertFile /etc/apache2/mellon/http_192.168.14.130_okta.cert
  MellonIdPMetadataFile /etc/apache2/mellon/metadata
  MellonSamlResponseDump On
  MellonSessionDump On
</Location>
When I attempt to access http://192.168.14.130, I get a redirect loop. Can anyone give me any direction in getting this set up correctly?
I would recommend looking at SAML Tracer (Firefox Addon) to determine what is being sent in your assertion and compare it to what you're expecting. Although Okta Support can't directly help setup your custom site, we can help in troubleshooting if you would like to open a support case (both in the setup of the Okta application and reviewing the Okta logs, which could point to the problem you're experiencing). If you're looking for assistance in setting this custom site up, bring that up in the support case and we can make sure to direct that request to the correct teams.
Thank You, Kyle Andersen Okta Global Customer Care
I did! It turned out to be the configuration on the Okta end that I didn't quite have right. My apache config is mostly the same:

<Location />
  Require valid-user
  AuthType "Mellon"
  MellonEnable "auth"
  MellonVariable "cookie"
  #MellonSecureCookie On
  MellonCookiePath /
  MellonUser "NAME_ID"
  MellonSessionDump Off
  MellonSamlResponseDump Off
  MellonEndpointPath "/endpoint"
  MellonDefaultLoginPath "/"
  MellonSessionLength 43200
  MellonSPPrivateKeyFile /etc/apache2/mellon/mellon.key
  MellonSPCertFile /etc/apache2/mellon/mellon.cert
  MellonIdPMetadataFile /etc/apache2/mellon/metadata
  MellonRedirectDomains [self] myorg.okta.com
</Location>

The MellonRedirectDomains line is the only change that I think is really important here. The Okta configuration ended up looking like this:

Single sign on URL: https://mysite/endpoint/postResponse
Audience URI: https://mysite/endpoint/metadata

I'm having a little trouble tracking down exactly what arguments I used for that, but from what I can remember I don't think it matters much. All that script does is create the cert and key files and the SP metadata. I believe I got rid of the metadata file, because all it does is specify some of the settings that you can set in the Apache config. The script takes entity ID and endpoint URL as its arguments, so for the config I posted above, I think the correct command line is:

mellon_create_metadata.sh https://mysite/okta https://mysite/endpoint

I strongly suspect your issue is somewhere else though. If you want to post your apache config and the arguments in your Okta app config, I'd be happy to see if I could spot the issue.
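The thread's fix comes down to three things lining up: the SP metadata that mellon_create_metadata.sh emits, the Single sign on URL and Audience URI entered in the Okta app, and the MellonRedirectDomains allow-list (plus, in the failing config, a Secure session cookie on a plain-http site, which a browser never sends back). The script below is an added example, not code from the thread or from the mod_auth_mellon project. It parses a constructed SP metadata document in the shape mellon_create_metadata.sh produces, compares the entityID and HTTP-POST AssertionConsumerService URL against the Okta settings, models the MellonRedirectDomains check in simplified form (exact hostname match plus [self]; this is an assumption about the module's behaviour, not its code), and flags a Secure cookie issued over http. Function names, the sample metadata and the host names are all constructed for the example.

```python
"""Consistency checks for a mod_auth_mellon SP against its Okta app settings.

Added example, not part of the thread. All sample data is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata in the shape mellon_create_metadata.sh emits.
# "mysite" is a placeholder host, as in the thread.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mysite/endpoint/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mysite/endpoint/postResponse"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mysite/endpoint/logout"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the SP entityID and the HTTP-POST AssertionConsumerService URL."""
    root = ET.fromstring(xml_text)
    acs_url = None
    for svc in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if svc.get("Binding") == POST_BINDING:
            acs_url = svc.get("Location")
            break
    return {"entity_id": root.get("entityID"), "acs_url": acs_url}


def check_okta_settings(sp, okta_sso_url, okta_audience_uri):
    """Compare Okta's 'Single sign on URL' and 'Audience URI' with the SP metadata.

    Okta posts the SAMLResponse to the Single sign on URL, so it must be the
    SP's ACS endpoint (.../endpoint/postResponse), not the site root; the
    Audience URI must equal the SP entityID or the assertion is rejected.
    """
    problems = []
    if okta_sso_url != sp["acs_url"]:
        problems.append(
            f"Single sign on URL {okta_sso_url!r} does not match SP ACS {sp['acs_url']!r}")
    if okta_audience_uri != sp["entity_id"]:
        problems.append(
            f"Audience URI {okta_audience_uri!r} does not match SP entityID {sp['entity_id']!r}")
    return problems


def redirect_allowed(target_url, request_host, redirect_domains):
    """Simplified model of MellonRedirectDomains (assumption, not the module's code).

    A relative target is always allowed; an absolute target must point at a
    listed host, where '[self]' stands for the host of the current request.
    """
    host = urlparse(target_url).hostname
    if host is None:
        return True
    for entry in redirect_domains:
        if entry == "[self]" and host == request_host:
            return True
        if entry.lower() == host.lower():
            return True
    return False


def session_cookie_usable(request_url, set_cookie_header):
    """False when a Secure cookie is issued on a plain-http site.

    The browser will never send such a cookie back, so every request looks
    unauthenticated and Mellon redirects to the IdP again (a redirect loop).
    """
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    scheme = urlparse(request_url).scheme
    return not ("secure" in attrs and scheme == "http")


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    # Settings from the working post in the thread: no problems expected.
    print(check_okta_settings(sp, "https://mysite/endpoint/postResponse",
                              "https://mysite/endpoint/metadata"))
    # Settings from the original question (site root as SSO URL): flagged.
    print(check_okta_settings(sp, "http://192.168.14.130/", "http://192.168.14.130/okta"))
    print(redirect_allowed("https://myorg.okta.com/app/x", "mysite", ["[self]", "myorg.okta.com"]))
    print(session_cookie_usable("http://192.168.14.130/", "mellon-cookie=abc; Path=/; Secure; HttpOnly"))
```

Run it against the real SP metadata (the .xml file the script writes) by replacing SAMPLE_SP_METADATA with the file contents; the two strings to compare come straight out of the Okta app's SAML settings page.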
Matt - I believe I just got it to work! I recreated the app in Okta and double checked your settings. I also commented out the xml created by the mellon_create_metadata.sh (per your recommendation). In my case, just like you, I'm trying to secure the whole site (Location /), so my httpd.conf (RHEL) is very similar to yours. Okta app settings are 100% the same.

<Location />
  Require valid-user
  AuthType "Mellon"
  MellonEnable "auth"
  MellonVariable "cookie"
  # MellonSecureCookie On
  MellonCookiePath /
  MellonUser "NAME_ID"
  MellonSessionDump Off
  MellonSamlResponseDump Off
  MellonEndpointPath "/endpoint"
  MellonDefaultLoginPath "/"
  MellonSessionLength 43200
  MellonSPPrivateKeyFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.key
  MellonSPCertFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.cert
  # MellonSPMetadataFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.xml
  MellonIdPMetadataFile /etc/httpd/mellon/idp-metadata.xml
  # MellonSamlResponseDump On
  # MellonSessionDump On
  MellonRedirectDomains [self] dev-XXXXXX.oktapreview.com
</Location>
One more thing if anyone tries to run this on RHEL7. The current version of mod_auth_mellon that ships with this distro, as of today, is only v0.11. The MellonRedirectDomains directive has only been implemented in v0.12 and above, so you'll need to compile this module from source. Hopefully sometime in the future Red Hat will update this module in their repos so that won't be the case, but until then, use the README that has all the compile instructions and deps.
Matt - huge thanks for your help and starting this thread!