
Getting started

...

Your domain will need valid HTTPS

...

NOTE: FAST Members can access fully functional examples with a localhost client ID on gitlab.

  • You will need to know your callback URL (depending on your software stack this might be predetermined; check the documentation for your libraries!)

  • If you reverse proxy to localhost on, for example, port 8080, it is critical to firewall that port!

  • You need to contact IST for a client key via a ticket

    • NEW: OpenID Connect

      • ISS-General 2FA https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660

      • set summary: “OIDC: add new web client“

      • set Please select the topic you require assistance with: “Duo 2FA support”

      • set body (Additional comments):

        Code Block
        ## NOTE: you first need to know your callback URI
        ## The django module uses /oidc/duo/callback/
        ## Apache uses /secure/redirect_uri
        callback URIs:
        - https://x.x.uwaterloo.ca/oidc/duo/callback/
        - https://x-stage.x.uwaterloo.ca/oidc/duo/callback/
        *group* in short format, not full DN.
        claims: winaccountname, group, email, name, given_name, family_name
  • Combining authentication with Grouper-defined NEXUS groups can be a robust solution

...

It’s possible to have AD group information sent as claims in the token, which is very useful for separating roles on your website via Grouper.


development config

During development you will find it helpful to support auth on localhost. The following configuration only supports callbacks to localhost:port/oidc/duo/callback/. We also added a handful of port numbers to keep things simple: 3000, 8000, 8080, 8888, 443, 80

You can find the secret in the FAST examples gitlab repo linked above

Code Block
OIDC_AUTH_SERVER=https://sso-4ccc589b.sso.duosecurity.com/oidc/DIUHIIU5GLVCYFDLE7P7/
OIDC_CLIENT_ID=DIUHIIU5GLVCYFDLE7P7
OIDC_CLIENT_SECRET=TODO: ask mirko for key.. or perhaps we share it?
OIDC_CALLBACK=/oidc/duo/callback/
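The development client only accepts the callback URIs listed above, and an OpenID provider compares redirect_uri by exact string match. The following is an added example (not code from this page or from the FAST examples repo) that reproduces that allow-list in Python: it builds the redirect_uri for a given local port and rejects anything that differs in host, port, path, query or fragment. The port list and callback path are taken from the dev config above; the helper names are this example's own.

```python
"""Allow-list check for the development callback URIs described above.

Added example: this is not code from the page or from the FAST examples
repo. It assumes the dev client is registered exactly as the text says:
callbacks only to localhost, only on ports 3000, 8000, 8080, 8888, 443, 80,
and only on the path /oidc/duo/callback/. An OpenID provider compares
redirect_uri by exact string match, so the check below is equally strict.
"""
from urllib.parse import urlsplit

ALLOWED_PORTS = {3000, 8000, 8080, 8888, 443, 80}   # from the dev config above
CALLBACK_PATH = "/oidc/duo/callback/"               # OIDC_CALLBACK
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}     # urlsplit strips the [] from ::1


def build_dev_callback(port, scheme="http"):
    """Return the redirect_uri to configure for a local dev server on `port`."""
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} is not registered for the dev client")
    return f"{scheme}://localhost:{port}{CALLBACK_PATH}"


def is_allowed_dev_callback(uri):
    """True only for a redirect_uri the dev client registration covers."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo, so "localhost@other.example" is seen as other.example
    if parts.hostname not in LOCAL_HOSTS:
        return False
    try:
        port = parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:                           # no explicit port: use the scheme default
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    # exact path, and no query or fragment: a trailing-slash mismatch is a mismatch
    return parts.path == CALLBACK_PATH and not parts.query and not parts.fragment
```

Use `build_dev_callback(8080)` to get the exact value to put in your library's redirect_uri setting; if your framework strips or adds the trailing slash, the provider will refuse the callback, which `is_allowed_dev_callback` shows by returning False for the slash-less form.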

OIDC with Apache (mod_auth_openidc)

You can set up OIDC directly on your Apache / httpd server. This lets you handle authentication outside of the application itself and pass REMOTE_USER to your apps for identifying the authenticated user.

Install Apache module (debian/ubuntu)

Code Block
apt install -y libapache2-mod-auth-openidc
# enable module
a2enmod auth_openidc

Configure the module and a basic VirtualHost

Code Block
# For advanced options see: https://github.com/OpenIDC/mod_auth_openidc
<IfModule mod_auth_openidc.c>
    # If you have an ingress proxy like Caddy you'll need the following
    # respect X-Forwarded-* headers passed down from proxy
    OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Host
    # this personal secret is created by you and never shared!
    OIDCCryptoPassphrase XXXXXXXXXXX_PERSONAL_SECRET_XXXXXXXXXXX
    # after successful login redirect the user to where they wanted to go
    # this path needs to be openid-connect protected on your host
    OIDCRedirectURI          https://myhost.fast.uwaterloo.ca/oidc-callback/redirect_uri
    OIDCProviderMetadataURL  https://sso-4ccc589b.sso.duosecurity.com/oidc/XXXXXXXXXXXXXXXXXXXX/.well-known/openid-configuration
    OIDCClientID             XXXXXXXXXXXXXXXXXXXX
    OIDCClientSecret         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    # NOTE: you can find the supported scopes in the OIDCProviderMetadataURL document
    OIDCScope "openid profile email"
    OIDCRemoteUserClaim user
    # use HTTP_ prefix so env vars are more trusted in CGI. "see: suexec safe_env_lst"
    OIDCClaimPrefix HTTP_OIDC_CLAIM_
    # WARN: default delimiter is comma. AD groups can contain commas! (":" is safer)
    OIDCClaimDelimiter ":"
    OIDCCacheShmEntrySizeMax 270848
</IfModule>

# Assuming handling https on an ingress server like Caddy.
# Also port 80 is firewalled to only talk to your ingress server.
<VirtualHost _default_:80>
    ServerName myhost.fast.uwaterloo.ca
    ServerAlias myhost-stage.fast.uwaterloo.ca
    
    # NOTE: this is needed for the OIDCRedirectURI callback
    <Location /oidc-callback>
        AuthType openid-connect
        Require valid-user
    </Location>

    # NOTE: <Location> sections merge in file order and a later section's Require
    # replaces an earlier one (AuthMerging Off is the default), so the catch-all
    # <Location /> must come BEFORE the more specific /staff and /staff-admin
    # blocks; otherwise its "Require valid-user" would override the group checks.
    <Location />
        AuthType openid-connect
        Require valid-user
        # if you have a simple backend to proxy to
        # (needs mod_proxy and mod_proxy_http: a2enmod proxy proxy_http)
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:8080/
    </Location>

    # example: only allow IdM-HR-staff users
    <Location /staff>
        AuthType openid-connect
        Require claim group:IdM-HR-staff
    </Location>

    # example: require user to be in two groups
    <Location /staff-admin>
        AuthType openid-connect
        # each Require is an OR. If you want AND, use RequireAll:
        <RequireAll>
            Require claim group:IdM-HR-staff
            Require claim group:myhost-admin
        </RequireAll>
        # TODO: this might also work
        # Require claim "group:myhost-admin group:IdM-HR-staff"
    </Location>
</VirtualHost>
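The module config above exports claims with the prefix HTTP_OIDC_CLAIM_ and joins multi-valued claims with ":" instead of the default comma, and the VirtualHost shows OR versus RequireAll group rules. The following added example (not code from this page, the FAST project, or mod_auth_openidc) shows an application-side counterpart in Python: it splits the group claim with the configured delimiter so an AD group containing a comma survives intact, refuses any request without REMOTE_USER, and evaluates the /staff-admin "both groups" rule the way <RequireAll> does. The environ dicts at the bottom are constructed sample input; the exact variable names assume Apache hands claims to the app as environment variables (mod_wsgi or CGI). If you instead reach the app through the ProxyPass shown above, the same values arrive as request headers, which the backend must only accept from Apache itself, hence the page's insistence on firewalling the backend port.

```python
"""Reading mod_auth_openidc claims in a WSGI app behind the VirtualHost above.

Added example, not code from the page or from the FAST project. It assumes
Apache exposes REMOTE_USER plus the claim variables the config above
produces: prefix HTTP_OIDC_CLAIM_ and delimiter ":" for multi-valued claims
(for example HTTP_OIDC_CLAIM_group). The environ dicts at the bottom are
constructed sample input, not captured from a real server.
"""
CLAIM_PREFIX = "HTTP_OIDC_CLAIM_"   # matches OIDCClaimPrefix in the config
CLAIM_DELIMITER = ":"               # matches OIDCClaimDelimiter in the config


def split_claim(raw, delimiter=CLAIM_DELIMITER):
    """Split a multi-valued claim the same way the module joined it.

    Apache's default delimiter is a comma; an AD group such as
    "Payroll, Benefits" would then be split into two bogus groups.
    Using ":" keeps it whole.
    """
    if raw is None:
        return []
    return [v for v in raw.split(delimiter) if v != ""]


def claims_from_environ(environ, prefix=CLAIM_PREFIX):
    """Collect every OIDC claim Apache exported, keyed without the prefix."""
    return {k[len(prefix):]: v for k, v in environ.items() if k.startswith(prefix)}


def authorize(environ, required_groups=(), require_all=True):
    """Mirror the Require rules: valid-user first, then group membership.

    require_all=True behaves like <RequireAll>; False behaves like the
    default OR of several 'Require claim' lines.
    Returns (allowed, user, groups) so callers can log the decision.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return False, None, []            # 'Require valid-user' failed: ignore any claims
    groups = set(split_claim(environ.get(CLAIM_PREFIX + "group")))
    wanted = set(required_groups)
    if not wanted:
        return True, user, sorted(groups)
    ok = wanted <= groups if require_all else bool(wanted & groups)
    return ok, user, sorted(groups)


def app(environ, start_response):
    """Minimal WSGI endpoint applying the /staff-admin rule (both groups needed)."""
    ok, user, groups = authorize(environ, ("IdM-HR-staff", "myhost-admin"))
    status = "200 OK" if ok else "403 Forbidden"
    body = f"{status}: user={user} groups={groups}\n".encode()
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body]


# Constructed sample environ values (not a real server capture).
SAMPLE_STAFF_ADMIN = {
    "REMOTE_USER": "jdoe",
    "HTTP_OIDC_CLAIM_email": "jdoe@example.invalid",
    "HTTP_OIDC_CLAIM_group": "IdM-HR-staff:myhost-admin:Payroll, Benefits",
}
SAMPLE_STAFF_ONLY = {"REMOTE_USER": "asmith", "HTTP_OIDC_CLAIM_group": "IdM-HR-staff"}
SAMPLE_ANON = {"HTTP_OIDC_CLAIM_group": "myhost-admin"}  # no REMOTE_USER: claims alone are never enough
```

The point of `split_claim` is the delimiter caveat from the config comment: with the default comma, "Payroll, Benefits" would yield the two groups "Payroll" and " Benefits", and a rule requiring the real group would silently fail or, worse, a rule on a fragment could match. `authorize` returns the decision together with the user and groups so the application can log denied requests with the same detail Apache would.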

...