Setting up SAML SSO
In this tutorial we describe how to set up single sign-on (SSO) for i-doit using SAML. In this example, Apache with mod_auth_mellon (Mellon) acts as the SAML service provider and Active Directory Federation Services (AD FS) acts as the identity provider that authenticates users against AD.
We use two servers for the sample configuration, a Windows server with domain/AD and AD FS and a Debian 11 server with Apache and Mellon:
✔ Both servers must be able to resolve each other via FQDN.
✔ The Windows server must have a configured AD that includes the AD FS role.
✔ i-doit is already installed and usable.
✔ The Linux server should run on a 64-bit x86 system.
We create a directory for this under /etc/apache2 and store our configuration data there.
With the metadata script shipped with mod_auth_mellon (mellon_create_metadata.sh) we create the Mellon service provider metadata together with the SP key and certificate. Adjust the URLs (entity ID and endpoint path) to the FQDN of your server.
Next we fetch the AD FS federation metadata from our AD FS server, again with the URL adjusted to your environment. It contains the signing certificate of the IdP, which Mellon uses to validate the SAML responses.
Now we create the Mellon configuration for Apache. Its directives reference the SP key, certificate and metadata created above, the downloaded AD FS metadata and the Mellon endpoint path, and enable Mellon authentication for the directory that is to be protected.
Next we create a self-signed TLS certificate (the name can be chosen freely) and reference it in an HTTPS VHost for the Mellon-protected site. The SAML endpoints should only be reachable via HTTPS, which is why the VHost listens on port 443.
In this example only the /protected directory below /var/www/html is protected via Mellon, so we can later create a separate VHost configuration to install e.g. i-doit pro.
Create the directory and put an example HTML page in it so that we can test the call later.
Enable the required Apache modules (ssl and auth_mellon) as well as the new configuration and site, check the result with apache2ctl configtest and reload Apache.
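As an added example (not a listing from the original page), here are the Linux-side steps above as a shell script. The hostnames mywebserver.example.com and adfs.example.com, the directory /etc/apache2/mellon, the site name sp-mellon and the path of mellon_create_metadata.sh are assumptions; adjust them to your environment. The functions only write files when called, so the script can be reviewed first and then applied with `sh setup-mellon.sh apply` as root.

```shell
#!/bin/sh
# Added example (not the page's own listings): the Linux-side steps as shell
# functions. Hostnames, directory names and the script path are assumptions.
set -eu

SP_HOST="mywebserver.example.com"        # assumed SP FQDN (the page's test URL)
ADFS_HOST="adfs.example.com"             # assumed AD FS FQDN
MELLON_DIR="/etc/apache2/mellon"         # assumed config directory under /etc/apache2
DOCROOT="/var/www/html"
# mellon_create_metadata.sh ships with mod_auth_mellon; the path differs per
# distribution (locate it with: dpkg -L libapache2-mod-auth-mellon | grep metadata).
MELLON_SCRIPT="/usr/share/doc/libapache2-mod-auth-mellon/mellon_create_metadata.sh"

# 1. SP key, certificate and metadata. The script names its output after the
#    entity ID, so the files are renamed to the stable names used in the config.
create_sp_metadata() {
    mkdir -p "$1"
    ( cd "$1" \
      && bash "$MELLON_SCRIPT" "https://$SP_HOST/mellon" "https://$SP_HOST/mellon" \
      && mv https_*.key mellon.key && mv https_*.cert mellon.cert \
      && mv https_*.xml mellon_metadata.xml && chmod 600 mellon.key )
}

# 2. IdP metadata from AD FS. curl must trust the AD FS TLS certificate;
#    import the issuing CA into the system store instead of using -k.
fetch_idp_metadata() {
    curl -fsSL "https://$ADFS_HOST/FederationMetadata/2007-06/FederationMetadata.xml" \
        -o "$1/adfs_metadata.xml"
}

# 3. Mellon directives: key material and endpoints at /, authentication only
#    for /protected. MellonUser NAME_ID makes the SAML NameID the REMOTE_USER.
write_mellon_conf() {
    cat > "$1" <<EOF
<Location />
    MellonEnable "info"
    MellonEndpointPath "/mellon"
    MellonSPPrivateKeyFile $MELLON_DIR/mellon.key
    MellonSPCertFile $MELLON_DIR/mellon.cert
    MellonSPMetadataFile $MELLON_DIR/mellon_metadata.xml
    MellonIdPMetadataFile $MELLON_DIR/adfs_metadata.xml
    MellonUser "NAME_ID"
</Location>
<Location /protected>
    MellonEnable "auth"
    AuthType Mellon
    Require valid-user
</Location>
EOF
}

# 4. Self-signed TLS certificate for the HTTPS VHost (file names are arbitrary).
create_tls_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SP_HOST" \
        -keyout "$1/$SP_HOST.key" -out "$1/$SP_HOST.crt"
}

# 5. HTTPS VHost; the Mellon snippet above is pulled in via conf-enabled.
write_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:443>
    ServerName $SP_HOST
    DocumentRoot $DOCROOT
    SSLEngine on
    SSLCertificateFile    $MELLON_DIR/$SP_HOST.crt
    SSLCertificateKeyFile $MELLON_DIR/$SP_HOST.key
    ErrorLog \${APACHE_LOG_DIR}/mellon_error.log
    CustomLog \${APACHE_LOG_DIR}/mellon_access.log combined
</VirtualHost>
EOF
}

# 6. Static test page for /protected.
write_test_page() {
    mkdir -p "$1"
    printf '<!DOCTYPE html>\n<html><head><title>Mellon test</title></head>\n<body><h1>SSO via AD FS works</h1></body></html>\n' > "$1/index.html"
}

# 7. Enable modules, config and site, then reload (needs root on the target).
enable_apache() {
    a2enmod ssl auth_mellon
    a2enconf mellon
    a2ensite sp-mellon
    apache2ctl configtest && systemctl reload apache2
}

# Apply everything only when called as: sh setup-mellon.sh apply
if [ "${1:-}" = "apply" ]; then
    create_sp_metadata "$MELLON_DIR"
    fetch_idp_metadata "$MELLON_DIR"
    write_mellon_conf /etc/apache2/conf-available/mellon.conf
    create_tls_cert "$MELLON_DIR"
    write_vhost /etc/apache2/sites-available/sp-mellon.conf
    write_test_page "$DOCROOT/protected"
    enable_apache
fi
```

After a successful login the combined access log shows REMOTE_USER in the second field (%u); if that field stays "-", check MellonUser and the Name ID rule on the AD FS side. The private key mellon.key is only readable by root here and is read by Apache at startup, so it does not need to be readable by www-data.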
At this point the configuration of the Linux server is complete for the time being, and we can turn to AD FS.
First download the file mellon_metadata.xml from the Linux server, e.g. via WinSCP, and save it on the Windows server.
In the AD FS management console, start the Add Relying Party Trust wizard. Leave "Claims aware" selected and click Start.
In the next step we select "Import data about the relying party from a file" and navigate to the XML file we saved before.
A warning that some of the metadata content is not supported by AD FS may appear and can be ignored.
Now we enter the FQDN of our Linux server as the display name.
In the next step we choose the access control policy; for the sake of simplicity we leave it at "Permit everyone" for now (restrict this to an AD group before going into production).
The next window can be confirmed with Next without changes.
Finally click Close, and the Relying Party Trust is created.
Now we need to define claim issuance policies so that our users can log in with their e-mail address.
A window opens in which we click Add Rule.
Select "Send LDAP Attributes as Claims" and click Next.
Give the rule a unique name and add the mapping of the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address.
Then create another rule and select "Transform an Incoming Claim".
Configure it so that the incoming claim type E-Mail Address is transformed into the outgoing claim type Name ID with the outgoing name ID format Email. This Name ID is what Mellon later hands to i-doit as the user name.
Now we have a fully configured Relying Party Trust and can test the authentication.
Open the protected URL of the server in the browser, for example: https://mywebserver.example.com/protected
The browser is redirected to the AD FS login page; after a successful login we are sent back and should see our example HTML page.
Installation of i-doit pro
i-doit pro is installed as described in the KB article for Debian.
SSO login for i-doit pro
For this we go to Administration -> System settings and enable the single sign-on setting there. Important information about contacts: it is mandatory that the e-mail address of the respective user is stored as the login in i-doit, because the Name ID issued by AD FS (the e-mail address) is passed on by Mellon as REMOTE_USER and i-doit matches it against the login name.
Since we have so far followed these instructions and the KB article, we now need to adjust the VHost configuration so that we can log in via SSO:
Disable the i-doit VHost.
Customize the Mellon VHost created at the beginning so that it serves the i-doit installation and protects it via Mellon.
Finally restart Apache.
If we now open the URL in the browser again and log in via AD FS, we are taken directly to i-doit.
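As an added example (not part of the page or the i-doit KB article), the customized Mellon VHost for i-doit as a shell function, together with the VHost switch-over and a quick check that unauthenticated requests are sent to AD FS. The i-doit DocumentRoot /var/www/html/i-doit, the VHost name idoit from the KB article, the site name sp-mellon and the hostnames are assumptions; the key, certificate and metadata file names are those used in the Mellon setup above.

```shell
#!/bin/sh
# Added example (not from the page or the i-doit KB): the Mellon VHost rewritten
# to serve i-doit and protect it completely. Hostnames, the i-doit DocumentRoot
# and the VHost names are assumptions.
set -eu

SP_HOST="mywebserver.example.com"
ADFS_HOST="adfs.example.com"
MELLON_DIR="/etc/apache2/mellon"
IDOIT_ROOT="/var/www/html/i-doit"        # assumed i-doit installation directory

# Everything under / now requires a SAML login; /mellon/* stays reachable
# because Mellon serves its own endpoints before enforcing authentication.
# The AD FS Relying Party Trust needs no change: entity ID and ACS URL are
# the same as before, only the protected path moved from /protected to /.
write_idoit_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:443>
    ServerName $SP_HOST
    DocumentRoot $IDOIT_ROOT
    DirectoryIndex index.php
    SSLEngine on
    SSLCertificateFile    $MELLON_DIR/$SP_HOST.crt
    SSLCertificateKeyFile $MELLON_DIR/$SP_HOST.key
    <Directory $IDOIT_ROOT>
        AllowOverride All
        Require all granted
    </Directory>
    <Location />
        MellonEnable "auth"
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile $MELLON_DIR/mellon.key
        MellonSPCertFile $MELLON_DIR/mellon.cert
        MellonSPMetadataFile $MELLON_DIR/mellon_metadata.xml
        MellonIdPMetadataFile $MELLON_DIR/adfs_metadata.xml
        # i-doit matches REMOTE_USER against the user's login, so the NameID
        # (the e-mail address issued by the AD FS claim rules) is used.
        MellonUser "NAME_ID"
        AuthType Mellon
        Require valid-user
    </Location>
    ErrorLog \${APACHE_LOG_DIR}/idoit_error.log
    CustomLog \${APACHE_LOG_DIR}/idoit_access.log combined
</VirtualHost>
EOF
}

# Switch the VHosts and restart. a2disconf removes the earlier /protected
# snippet so that only this VHost carries Mellon directives (needs root).
switch_vhosts() {
    a2dissite idoit          # assumed name of the VHost from the KB article
    a2disconf mellon
    a2ensite sp-mellon
    apache2ctl configtest && systemctl restart apache2
}

# An unauthenticated request must be redirected to AD FS (/adfs/ls/...), not
# answered with i-doit's own login form. Prints status code and redirect URL.
# -k only because the VHost uses the self-signed certificate from the setup.
check_sso_redirect() {
    curl -sk -o /dev/null -w '%{http_code} %{redirect_url}\n' "https://$SP_HOST/"
}

if [ "${1:-}" = "apply" ]; then
    write_idoit_vhost /etc/apache2/sites-available/sp-mellon.conf
    switch_vhosts
    check_sso_redirect
fi
```

If scripts use the i-doit JSON-RPC API, exclude its path from the SAML requirement with a separate `<Location /src/jsonrpc.php>` block containing `MellonEnable "off"` and rely on i-doit's API keys there; otherwise every API client is redirected to the AD FS login page.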