Sample SAML Setup with Valuemation

Prerequisites

  • Valuemation is running on the '/vmweb/vmweb' URL.
  • A SAML authentication module is installed on Apache.

    For example, see this page at the GitHub website.

  • The rewrite module (mod_rewrite) and headers module (mod_headers) are enabled on Apache.
  • Apache is configured to send requests for the Valuemation URL to Tomcat (for example, by the 'mod_jk' Tomcat connector).
  • The SAML module has been configured properly on Apache.

Note: The HTTP header used for the username is named 'VM_USER' in this sample setup.

Configuration

To use SAML as the authentication module on Apache in front of the Valuemation servlet running on Tomcat, it is necessary to:

  1. Set up SSO and configure Valuemation to get the username from the given HTTP header.

    • Set the SSO main parameters to the following values:

      [VMWeb, VMWebSSOEnabled] = 'true'

      [VMWeb, VMWebSSOType] = 'TrustedRemoteUserName'

      [VMWeb, VMWebSSOUserHTTPHeaderName] = 'VM_USER'

      [VMWeb, VMWebSSOUsers] = '*' (or define the SSO user mapping).

    • Set 'AUTH_TYPE=AuthenticationManagerWEBLogon' in the 'AuthenticationManager.properties' file.

  2. Configure Apache to protect the Valuemation URL with the SAML authentication module and to fill the defined HTTP header sent to Valuemation with the name of the user authenticated by the SAML module.

    Add the authentication information from the mellon module to the request headers on Apache for the location of Valuemation (the Apache headers module must be installed).

    Set the '/vmweb/vmweb' Apache location configuration as follows:

    <Location /vmweb>
        MellonEnable "auth"
        # 'set' replaces any VM_USER header sent by the client; 'add' would keep it
        RequestHeader set VM_USER %{MELLON_CN}e
    </Location>

    Notes:

    • The %{MELLON_CN} variable is provided by the Mellon authentication module.
    • The first part is the 'SAML protection' of the '/vmweb' URL (the SAML module does not let the request go any further until the user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider).
    • The second part gets the authenticated username from the SAML module and sets it as the value of the HTTP header 'VM_USER'.

Now if you restart Apache and restart Tomcat, SSO should work.
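
As an added example (not part of the Valuemation documentation or product), the following Python check reads an Apache configuration and reports Location blocks that fill the trusted 'VM_USER' header with a mod_headers action that leaves a client-supplied value in place, or that fill it without MellonEnable "auth" in the same block. The sample configurations are constructed, and the check assumes simple, non-nested <Location> blocks.

```python
import re

TRUSTED_HEADER = "VM_USER"  # header name used in this page's sample setup
# mod_headers actions that leave a client-supplied value of the header in place
KEEPS_CLIENT_VALUE = {"add", "append", "merge", "setifempty"}
LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)

# Constructed sample configurations (not taken from a real server).
WEAK = """
<Location /vmweb>
    MellonEnable "auth"
    RequestHeader add VM_USER %{MELLON_CN}e
</Location>
"""
HARDENED = WEAK.replace("RequestHeader add", "RequestHeader set")
NO_AUTH = HARDENED.replace('MellonEnable "auth"', 'MellonEnable "info"')


def audit(conf_text, header=TRUSTED_HEADER):
    """Return (location, finding) pairs for blocks that fill the SSO header."""
    findings = []
    for path, body in LOCATION_RE.findall(conf_text):
        rows = [ln.split() for ln in body.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]
        actions = [r[1].lower() for r in rows
                   if r[0].lower() == "requestheader" and len(r) >= 3
                   and r[2].strip('"').lower() == header.lower()]
        if not actions:
            continue  # this block does not touch the trusted header
        modes = [r[1].strip('"').lower() for r in rows
                 if r[0].lower() == "mellonenable" and len(r) >= 2]
        if "auth" not in modes:
            findings.append((path, 'no MellonEnable "auth" in this block'))
        cleared = False  # True once set/unset has discarded the client's value
        for action in actions:
            if action in ("set", "unset"):
                cleared = True
            elif action in KEEPS_CLIENT_VALUE and not cleared:
                findings.append((path, f"RequestHeader {action} keeps a client-sent {header}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("no_auth", NO_AUTH)):
        print(name, audit(conf))
```

Because Valuemation trusts whatever arrives in this header, Tomcat should also be reachable only through the Apache instance that sets it.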

See Also

SSO by SAML on Apache (as a sample of the HTTP header SSO method)