These instructions relate to manually building the Apache Moonshot module (development version). This version provides support for exporting the SAML attributes received from the IDP as environment variables, thus making them available for the web applications (e.g. OpenStack).
All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).
Add the Moonshot libraries.
If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on Debian 8.
Install some prerequisites
Building the Apache mod_auth_kerb module requires you to have several packages already installed on the machine. To install them:
Build the module
We are now ready to build the Apache module.
Protecting a location with Moonshot
To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".
Exporting GSS API attributes as environment variables
The module includes an option called GssapiNameAttributes that allows controlling which GSS API attributes (either SAML or RADIUS) are exported as environment variables. It is used as follows:
This option can be specified multiple times, once for each attribute to expose. The Special value "json" is used to expose all attributes in a json formatted string via the special environment variable GSS_NAME_ATTRS_JSON.
The special environment variable GSS_NAME_ATTR_ERROR is set with the GSS API returned error string in case the inquire name function fails to retrieve attributes, and with the string "0 attributes found", if no attributes are set.
In addition to this, in the event of an authentication failure, the module exports an environment variable called MAG_ERROR which contains one of the following values:
Finally, whenever MAG_ERROR takes a value of "GSS_MECH_ERROR", an additional environment variable named GSS_ERROR_STR is sourced. This variable contains the result of the gss_display_status() call and may help web developers to show a more appropriate error page/string to the user.
Web services often rely on the
HTTPS Internet Explorer compatibility
For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.