Linux Apache Service Providers

Shibboleth SP

Tested working with flexmls IdP

The flexmls IdP runs Shibboleth software, and a SAML deployment generally works better when the SP and IdP come from the same vendor. We have the most experience with Shibboleth and can provide help if you decide on this method. The only downside to Shibboleth is that it is more difficult to cluster across multiple machines unless “sticky” sessions are used in load balancing (each user always stays on the same web server). To avoid sticky sessions, read this document for information on clustering the shibd session manager.

  • To enable SAML attributes (extra information about the user), replace the attribute-map.xml configuration file with this example. This file is set up to map all of the flexmls attributes, if they are available for each user.
  • Comment out the Location tag in /etc/httpd/conf.d/shib.conf

mod_auth_saml

Should work with flexmls IdP, but untested

mod_auth_saml uses ZXID as the underlying SP software. ZXID after version 0.65 should work with the flexmls IdP, so hypothetically this Apache module should work as well.

mod_mellon

mod_mellon doesn’t appear to be as active as ZXID or Shibboleth. It uses Lasso as the SP software.

Download here and check out the README file.

There are a few other ways to hook Apache into SAML authentication, but these are the main packages that have survived the test of time.
