This Wiki is a work space for old notes and new ideas. DO NOT RELY on anything you find on this Wiki!
Official Gluu Server documentation is at https://gluu.org/docs.
The Gluu Support site is https://support.gluu.org.
In a traditional Web Access Management (WAM) deployment, the web browser is passive. The browser requests a resource, and the plugin to the web server is the Policy Enforcement Point (PEP). It looks for an authorized token, or redirects to a Policy Decision Point (PDP).
In UMA jargon, the web agent PEP is acting as both the Resource Server (RS) and the Client. For a mobile application accessing an API, the client (and not the API server!) has the connection to the person.
Assume that you have Apache 2 and Shibboleth 2 SP installed and running already. Both Linux and Windows are supported.
Both memcached and sqlite are supported as the cache store in mod_uma; choose one of the two.
If both are configured and valid, memcached is given priority.
Get The Source
You can download the current development release from the svn page:
Note that if you download a development release you will need current versions of the autotools installed, and you must run ./autogen.sh first before following these instructions.
Enter the mod_uma directory and type:
./configure    (run ./autogen.sh first for a development release)
make
su root
make install
Verify that the module has been enabled in your "httpd.conf":
# note that the path to your module might be different
LoadModule uma_module /usr/lib/apache2/modules/mod_uma.so
Sample mod_uma Apache Configuration for SAML Authentication
<DirectoryMatch "/customer1">
  # ShibdRedirectUrl is protected in a folder that requires SAML authentication
  AuthMethod Shibd
  ShibdRedirectUrl https://test.example.org/shibd/redirect.php
  # AuthMethod OIDC
  # ConnectRedirectUri https://sso-dev.example.com/oic/oic_redirect.html

  # OpenID Connect Configuration
  # Needed for OpenID Connect Client Registration
  # ConnectRedirectUri is required for registration, but not used
  ClientName sptest.example.org
  ConnectDiscoveryUrl https://sso-dev.example.com/.well-known/openid-configuration

  # UMA Configuration
  AuthType TRUSTED_RP_MODE
  Require valid-user
  ErrorPage http://sptest.example.org/providence/uma_error.html
  UmaDiscoveryUrl https://sso-dev.example.com/.well-known/uma-configuration
  UmaResourceName sptest.example.org
  UmaRsHost sptest.example.org
  UmaAmHost sso-dev.example.com "https://schema.example.com/uma/customer1"

  # OXD Information
  OxdHostAddr 127.0.0.1
  OxdPortNum 8099

  # Memcached Info
  MemcachedHostAddr 127.0.0.1
  MemcachedPortNum 11211
</DirectoryMatch>
Sample Apache Configuration for OpenID Connect Authentication
<DirectoryMatch "/protected">
  AuthMethod OIC
  OicRedirectUrl https://www.myapache.com/oic
  AuthType TRUSTED_RP_MODE
  ErrorPage http://www.myapache.com/uma/uma_error.html
  ClientName https://www.myapache.com
  UmaDiscoveryUrl https://seed.gluu.org/.well-known/uma-configuration
  UmaResourceName myTestResource
  UmaRsHost rs.gluu.org
  UmaAmHost seed.gluu.org "http://www.myapache.com/uma/view;http://www.myapache.com/uma/all"
  UmaAmHost seed1.gluu.org "http://www.myapache.com/uma/view1;http://www.myapache.com/uma/all1"
  OxdHostAddr 127.0.0.1
  OxdPortNum 8099
  MemcachedHostAddr 127.0.0.1
  MemcachedPortNum 11211
  ShibdRedirectUrl https://www.myapache.com/shibd/redirect.php
</DirectoryMatch>
uma/ - httpd directory protected by UMA; change it to suit your deployment
www.myapache.com - hostname of your Apache server
uma_error.html - error page used only by UMA; must be named "uma_error.html" when it is placed in "uma"
uma_redirect.html - redirect page used only by UMA; must be named "uma_redirect.html" when it is placed in "uma"
AuthType - REQUIRED. Must always be "TRUSTED_RP_MODE".
Require - REQUIRED. Must always be "valid-user".
ErrorPage - RECOMMENDED. URL of the UMA error page, which displays the various error messages from the UMA module. It can be placed anywhere, but placing it in the directory protected by UMA is recommended. Default: e.g. http://www.myapache.com/uma/uma_error.html
ConnectDiscoveryUrl - REQUIRED. OpenID Connect discovery endpoint; OpenID Connect is used for dynamic client registration. Default: e.g. https://seed.gluu.org/.well-known/openid-configuration
ConnectRedirectUri - REQUIRED. The redirect URI is also required for OpenID Connect. It can be placed anywhere, but placing it in the directory protected by UMA is recommended. If AuthMethod=OIC, it should be equal to the OIC ConnectRedirectUri. Default: e.g. https://www.myapache.com/oic/oic_redirect.html
ClientName - REQUIRED. Client name to be pre-registered with the Authorization Server.
UmaDiscoveryUrl - REQUIRED. URL of the UMA Authorization Server discovery endpoint. Default: e.g. https://seed.gluu.org/.well-known/uma-configuration
UmaResourceName - REQUIRED. UMA resource name to be pre-registered with the Authorization Server.
UmaAmHost - REQUIRED. UMA Authorization Server name and scopes. (Multiple servers are supported, MAX=3.)
OxdHostAddr - OPTIONAL. Host name or IP address of the oxd server, which may run on a different host. Default: e.g. localhost or 127.0.0.1
OxdPortNum - OPTIONAL. Port number of the oxd server. Default: e.g. 8099
MemcachedHostAddr - OPTIONAL. Host name or IP address of the memcached server, which may run on a different host. Ignored if memcached is not used. Default: e.g. localhost or 127.0.0.1
MemcachedPortNum - OPTIONAL. Port number of the memcached server. Ignored if memcached is not used. Default: e.g. 11211
AuthMethod - REQUIRED. Authentication SP (OIC / Shibd).
OicRedirectUrl - REQUIRED if AuthMethod=OIC. URL of the directory protected by the Apache OIC plugin. Example: https://www.myapache.com/oic
ShibdRedirectUrl - REQUIRED if AuthMethod=Shibd. URL of the directory protected by the Apache Shibboleth SP plugin. Example: https://www.myapache.com/shibd/redirect.php
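As an added example (not part of this wiki page or the mod_uma project), a small Python checker that parses one protected DirectoryMatch block and reports the misconfigurations the directive reference above rules out: missing REQUIRED directives, a wrong AuthType or Require value, an AuthMethod without its matching redirect URL, and more than three UmaAmHost entries. The directive names are the page's own; the sample block and the check function names are constructed for the example.

```python
import re
# Directives the mod_uma reference marks REQUIRED; UmaAmHost allows at most 3 entries.
REQUIRED = ("AuthType", "Require", "AuthMethod", "ClientName", "ConnectDiscoveryUrl",
            "ConnectRedirectUri", "UmaDiscoveryUrl", "UmaResourceName", "UmaAmHost")
REDIRECT_FOR = {"OIC": "OicRedirectUrl", "Shibd": "ShibdRedirectUrl"}
def parse_block(text):
    """Map directive name -> list of argument lists; comments/tags skipped, quoted args kept whole."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, *args = re.findall(r'"[^"]*"|\S+', line)
        directives.setdefault(name, []).append([a.strip('"') for a in args])
    return directives

def check_config(text):
    """Return a list of findings for one protected block; an empty list means it passes."""
    d = parse_block(text)
    first = lambda name: d.get(name, [[None]])[0]
    findings = [f"missing required directive {n}" for n in REQUIRED if n not in d]
    if first("AuthType") != ["TRUSTED_RP_MODE"]:
        findings.append("AuthType must be TRUSTED_RP_MODE")
    if first("Require") != ["valid-user"]:
        findings.append("Require must be valid-user")
    method = (first("AuthMethod") or [None])[0]
    if method not in REDIRECT_FOR:
        findings.append("AuthMethod must be OIC or Shibd")
    elif REDIRECT_FOR[method] not in d:
        findings.append(f"AuthMethod {method} needs {REDIRECT_FOR[method]}")
    hosts = d.get("UmaAmHost", [])
    if len(hosts) > 3:
        findings.append("at most 3 UmaAmHost entries are allowed")
    findings += [f"UmaAmHost needs a host and a quoted scope list: {a}"
                 for a in hosts if len(a) != 2]
    return findings
# Constructed sample block (not a real deployment) that should pass every check.
SAMPLE = """<DirectoryMatch "/protected">
  AuthMethod OIC
  OicRedirectUrl https://www.myapache.com/oic
  AuthType TRUSTED_RP_MODE
  Require valid-user
  ClientName https://www.myapache.com
  ConnectDiscoveryUrl https://seed.gluu.org/.well-known/openid-configuration
  ConnectRedirectUri https://www.myapache.com/oic/oic_redirect.html
  UmaDiscoveryUrl https://seed.gluu.org/.well-known/uma-configuration
  UmaResourceName myTestResource
  UmaAmHost seed.gluu.org "http://www.myapache.com/uma/view;http://www.myapache.com/uma/all"
</DirectoryMatch>"""
```

Run `check_config(SAMPLE)` on your own block before restarting httpd; a non-empty list names each directive that still needs attention.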
Once you have edited "uma.conf", copy it to your "conf.d" folder, and copy the directories into the httpd root directory. You can rearrange these directories to suit your needs.
# note that the paths on your system might be different
cp uma.conf /etc/httpd/conf.d/
cp -r ./copies.into.htdocs/uma /var/www
cp -r ./copies.into.htdocs/shibd/redirect.php /var/www/shibd
(shibd is the directory name of the Apache Shibboleth SP)
First, start the oxd server:
Next, restart Apache:
service httpd restart
In a web browser, visit http://www.myapache.com/openid
The diagram below illustrates a use case where the web server plugin acts as both the client and the RS. In this case, the plugin trusts the user attributes obtained via SAML and passes these claims to the policy decision point (the UMA authorization server).
A web server (RS-RP) can either forbid a request or return the resource:
The "RPT" cookie must be a secure cookie, so that it is only sent over HTTPS.