Understand SSO on XDMoD
The workflow to set up SSO on XDMoD is as follows: first set up the IdP metadata on the XDMoD node (step 1; more details can be found at https://open.xdmod.org/9.5/simpleSAMLphp.html), then set up the web server, Apache in our case.
Pre-req
First you will need to create the folders for the SimpleSAMLphp files to live:
mkdir -p /etc/xdmod/simplesamlphp/config
mkdir -p /etc/xdmod/simplesamlphp/metadata
mkdir -p /etc/xdmod/simplesamlphp/cert
- Setting up IdP metadata
Get the metadata from the IdP (if you are using a test SAML IdP, it is served at https://{{HOSTNAME}}/metadata) and use the SimpleSAMLphp built-in converter at https://{{HOSTNAME}}/simplesaml/admin/metadata-converter.php to create the saml20-idp-remote.php config file; more information can be found on the SimpleSAMLphp website. Template:
$metadata['urn:example:idp'] = array (
    'name' => array(
        'en' => 'idp.example.com:7000'
    ),
    'entityid' => 'urn:example:idp',
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' =>
    array (
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.com:7000',
        ),
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://idp.example.com:7000',
        ),
    ),
    'SingleLogoutService' =>
    array (
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.com:7000/logout',
        ),
    ),
    'ArtifactResolutionService' =>
    array (
    ),
    'keys' =>
    array (
        array (
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'MIIEMD...Bfaq9pWo0LsKwKZVmOJU+4VzD6EkJ5dtE=',
        ),
    ),
);
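The converter step above, as an added Python example that is not part of the XDMoD or SimpleSAMLphp documentation: it parses a constructed IdP metadata document into the same structure as the PHP template and refuses metadata that has no signing certificate (SimpleSAMLphp could not verify the IdP's assertions) or that lists a non-HTTPS endpoint.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; the certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIEMDPLACEHOLDERCERT
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com:7000/logout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com:7000"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com:7000"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def convert_idp_metadata(xml_text):
    """Build the saml20-idp-remote entry SimpleSAMLphp expects from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoints(tag):  # one dict per service element, as in the PHP array
        return [{"Binding": e.get("Binding"), "Location": e.get("Location")}
                for e in idp.findall(tag, NS)]

    keys = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None:
            use = kd.get("use")  # no "use" attribute means signing and encryption
            keys.append({"encryption": use in (None, "encryption"),
                         "signing": use in (None, "signing"),
                         "type": "X509Certificate",
                         "X509Certificate": "".join(cert.text.split())})
    # The signing certificate is what verifies the IdP's assertions; reject
    # metadata that lacks one, and reject any endpoint that is not HTTPS.
    if not any(k["signing"] for k in keys):
        raise ValueError("IdP metadata carries no signing certificate")
    entry = {"entityid": root.get("entityID"), "metadata-set": "saml20-idp-remote",
             "SingleSignOnService": endpoints("md:SingleSignOnService"),
             "SingleLogoutService": endpoints("md:SingleLogoutService"), "keys": keys}
    for ep in entry["SingleSignOnService"] + entry["SingleLogoutService"]:
        if not ep["Location"].startswith("https://"):
            raise ValueError("non-HTTPS endpoint: " + ep["Location"])
    return entry
```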
The properties that are currently required for login are:
- username: used to identify users via the moddb.Users.username column. This is currently the main identifying piece of information that must be created; we use it with an identifier of itname in our authentication code, so you need to edit the file /etc/xdmod/simplesamlphp/config/authsources.php and make sure that an attribute is mapped to this index.
Conditionally, if your installation supports multiple organizations, you must also provide:
- organization: used to identify which organization the user should be associated with via the modw.organization.name column.
- Web Server Setup - Apache
Just follow the SimpleSAMLphp documentation for Apache. Make sure to include the updated configuration locations; this must be the full path to the configuration directory. Uncomment the SimpleSAML configuration in your Apache VirtualHost:
<Directory /usr/share/xdmod/vendor/simplesamlphp/simplesamlphp/www>
    Options FollowSymLinks
    AllowOverride All
    # Apache 2.4 access controls.
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
- Integrations
Open XDMoD can be integrated with other applications such as Open OnDemand.
To enable integration, the Open XDMoD instance must be configured to give explicit permission to the browser. The Open XDMoD application settings to enable this are described below.
Open XDMoD Settings: Cross-Origin Resource Sharing (CORS)
To allow CORS, a list of domains that are allowed to communicate with Open XDMoD is configured in the domains setting in the cors section of portal_settings.ini.
Edited by Krish Moodbidri