ai-sso - a Single Sign-On implementation
========================================

This document guides you through the installation of
ai-sso-server (sso_server) and the setup of a simple SSO-protected
Apache virtual host.


sso_server
----------

First of all, you will need to generate the public and private keys
used by the SSO server.
Simply run::

    # cd /etc/sso
    # ssotool --gen-keys

The file 'secret.key' should be readable only by the user that runs
sso_server (in this example, and if you are using the Debian
packages, that user is 'ai-sso')::

    # chmod 400 /etc/sso/secret.key
    # chown ai-sso /etc/sso/secret.key

After that, modify /etc/sso/config according to your needs. You will
want to set at least the 'SSO_DOMAIN' and 'SSO_SECRET_KEY' options::

    SSO_AUTH_MODULE = 'sso_server.auth.auth_test'
    SSO_DOMAIN = 'somedomain.org'
    SSO_SECRET_KEY = 'something random'

Start the service::

    # /etc/init.d/ai-sso-server start
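
The ownership and mode set on 'secret.key' above can be verified with a
small check like the following. This is an added example, not part of
ai-sso; the function name ``check_key_file`` is hypothetical, and it
assumes GNU coreutils ``stat`` (as shipped on Debian).

```shell
#!/bin/sh
# Added example (not part of ai-sso): audit a private key file's owner and mode.
# Assumes GNU coreutils stat, which supports the -c format option.

# check_key_file PATH EXPECTED_OWNER
# Returns 0 only when PATH is a regular file (not a symlink), owned by
# EXPECTED_OWNER, with mode exactly 400 (owner read-only).
check_key_file() {
    key_path=$1
    expected_owner=$2

    # stat would describe the link itself rather than the key, so a
    # symlink is reported instead of followed (a choice of this example).
    if [ -L "$key_path" ]; then
        echo "FAIL: $key_path is a symlink" >&2
        return 1
    fi
    if [ ! -f "$key_path" ]; then
        echo "FAIL: $key_path is missing or not a regular file" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$key_path") || return 1
    owner=$(stat -c '%U' "$key_path") || return 1

    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $key_path owned by $owner, expected $expected_owner" >&2
        status=1
    fi
    # 400 is what the chmod step sets; any other value means the key is
    # readable by other users or writable by someone.
    if [ "$mode" != "400" ]; then
        echo "FAIL: $key_path has mode $mode, expected 400" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $key_path ($owner, mode $mode)"
    return "$status"
}

# When run as a script with two arguments, check that file, e.g.:
#   sh check_key.sh /etc/sso/secret.key ai-sso
if [ "$#" -eq 2 ]; then
    check_key_file "$1" "$2"
fi
```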


Apache - mod_sso
----------------

Enable 'mod_sso' in Apache. On Debian systems, you can use the
a2enmod utility::

    # a2enmod sso

Every VirtualHost that should be protected by SSO must be deployed
over SSL, so you'll have to rewrite its http:// URLs to point to the
corresponding https:// URLs.  Then, configure SSO just like any normal
Apache authentication module::

    <VirtualHost *:443>
      ServerName example.somedomain.org
      SSLEngine on
      SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
      SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

      SSOPublicKeyFile "/etc/sso/public.key"
      SSODomain somedomain.org
      SSOService example.somedomain.org/

      <Location />
        AuthType SSO
        AuthName somename
        require valid-user
      </Location>

      DocumentRoot /var/www
    </VirtualHost>

Note that the public key file named by SSOPublicKeyFile must
be distributed to all servers that need to verify SSO tokens.


Using mod_sso with mod_proxy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you plan to use SSO on a server with mod_proxy enabled, you will
need to exclude the 'sso_login' and 'sso_logout' endpoints from being
served by the proxy module. Add these directives to your configuration::

    ProxyPass /sso_login !
    ProxyPass /sso_logout !