...

Before you start, make sure you have these bits:


  • A correctly configured Apache web server that is serving an HTTPS web site.
  • A SAML Identity Provider (IdP).
  • An account on that IdP.
  • An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended.
  • The username of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl').

...

Code Block
apt-get install apache2-mpm-worker libapache2-mod-auth-mellon
a2enmod auth_mellon

Create the directory /etc/apache2/mellon and store the Identity Provider metadata, in XML format, in a file called idp.xml.

Create the cryptographic material for the mellon SP:

Code Block
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout coresp.key -out coresp.crt

Create a 

...

Now add this to the configuration of the vhost:

Code Block
ProxyRequests Off
<Proxy http://localhost:8090>
        Order deny,allow
        Allow from all
</Proxy>


ProxyPass /mellon/ !
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/


# Mobile theme does not honour new seraph values, so we have to redirect that
RewriteEngine on
RewriteCond     %{QUERY_STRING} ^originalUrl=(.*)$      [NC]
RewriteRule     ^/plugins/servlet/mobile/login          /mellon/login?ReturnTo=%1 [R,NE]

<Location />
        MellonEnable "info"
        MellonSecureCookie On
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp.xml


        # First unset to avoid security holes
        RequestHeader unset REMOTE_USER
        RequestHeader set REMOTE_USER "%{MELLON_username}e" env=MELLON_username


        RequestHeader unset FULLNAME
        RequestHeader set FULLNAME "%{MELLON_fullname}e" env=MELLON_fullname


        RequestHeader unset MAIL
        RequestHeader set MAIL "%{MELLON_email}e" env=MELLON_email
</Location>
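
The unset lines matter because each RequestHeader set ... env=MELLON_... only fires when mod_auth_mellon has populated that variable, and with MellonEnable "info" a request without a session is still proxied, so a client-supplied REMOTE_USER would otherwise reach Confluence unchanged. The check below is an added example, not part of the original page: a small Python linter (the function name audit_identity_headers is hypothetical) that flags headers set conditionally without an earlier unset, run over the header block above and over a constructed variant with the unset lines removed.

```python
import re

# "RequestHeader <action> <name> [value] [env=VAR]"; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r'^\s*RequestHeader\s+(\w+)\s+"?([\w-]+)"?(.*)$', re.IGNORECASE)
# Actions that leave a header sent by the client in place.
KEEPS_CLIENT_VALUE = {"setifempty", "append", "add", "merge"}

def audit_identity_headers(config_text):
    """Return (line_number, header) pairs where a client-sent header can reach the backend."""
    cleared = set()      # headers already neutralised by an earlier directive
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue     # comments and unrelated directives
        action = match.group(1).lower()
        header = match.group(2).lower()   # HTTP header names are case-insensitive
        conditional = re.search(r'\benv=', match.group(3)) is not None
        if action == "unset" and not conditional:
            cleared.add(header)
        elif action == "set" and not conditional:
            cleared.add(header)  # an unconditional set always overwrites the client's value
        elif action == "set" or action in KEEPS_CLIENT_VALUE:
            # Conditional set, or an action that keeps what the client sent.
            if header not in cleared:
                findings.append((lineno, header))
    return findings

# The header block from the vhost configuration above.
PAGE_CONFIG = '''
        # First unset to avoid security holes
        RequestHeader unset REMOTE_USER
        RequestHeader set REMOTE_USER "%{MELLON_username}e" env=MELLON_username
        RequestHeader unset FULLNAME
        RequestHeader set FULLNAME "%{MELLON_fullname}e" env=MELLON_fullname
        RequestHeader unset MAIL
        RequestHeader set MAIL "%{MELLON_email}e" env=MELLON_email
'''

# Constructed variant with the unset lines dropped, to show what the check catches.
WEAK_CONFIG = "\n".join(ln for ln in PAGE_CONFIG.splitlines() if " unset " not in ln)

if __name__ == "__main__":
    print("page config:", audit_identity_headers(PAGE_CONFIG))
    print("weak config:", audit_identity_headers(WEAK_CONFIG))
```

Header-based login also assumes that Confluence on port 8090 is reachable only through this proxy; the linter does not check that.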

...

PostgreSQL

Code Block
apt-get install postgresql

...