Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
stylenone

Getting started

...

Your domain will need valid HTTPS

...

NOTE: FAST Members can access fully functional examples w/ localhost client ID on gitlab.

  • You will need to know your callback URL (depending on your software stack this might be predetermined, check documentation for your libraries!)

  • If doing a reverse proxy to localhost on for example port 8080 it’s critical to firewall that port!

  • Need to contact IST for a client key via a ticket

    • NEW: OpenID Connect

      • ISS-General 2FA https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660

      • set summery: “OIDC: add new web client“

      • set select topic you require assistance with: “Duo 2FA support”

      • set Additional comments:

        Code Block
        ## NOTE:The youdjango first need to know your callback URI
        ## The django module module uses /oidc/duo/callback/
        ## Apache uses /secure/redirect_uri
        Allowedcallback URIs:
        - https://x.x.uwaterloo.ca/oidc/duo/callback/
        - https://x-stage.x.uwaterloo.ca/oidc/duo/callback/
        *group* in short format, not full DN.
        claims: winaccountname, group, email, name, given_name, family_name
  • Combining authentication with Grouper defined NEXUS groups can be a robust solution

...

During development you will find it helpful to support auth on localhost. The following configuration only supports callbacks to localhost:port/oidc/duo/callback/. We also added a handful of port numbers to keep things simple: 3000,8000,8080,8888,443,80

You can find the secret in the FAST examples gitlab repo linked above

Code Block
OIDC_AUTH_SERVER=https://sso-4ccc589b.sso.duosecurity.com/oidc/DIUHIIU5GLVCYFDLE7P7/
OIDC_CLIENT_ID=DIUHIIU5GLVCYFDLE7P7
OIDC_CLIENT_SECRET=TODO: ask mirko for key.. or perhaps we share it?
OIDC_CALLBACK=/oidc/duo/callback/

...

Code Block
# For advanced options see: https://github.com/OpenIDC/mod_auth_openidc
<IfModule mod_auth_openidc.c>
    # If you have an ingress proxy like Caddy you'll need the following
    # respect X-Forwarded-* headers passed down from proxy
    OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Host
    # this personal secret is created by you and never shared!
    OIDCCryptoPassphrase XXXXXXXXXXX_PERSONAL_SECRET_XXXXXXXXXXX
    # after successfull login redirect the user to where they wanted to go
    # this path needs to openid-connect protected on your host
    OIDCRedirectURI          https://myhost.fast.uwaterloo.ca/secureoidc-callback/redirect_uri
    OIDCProviderMetadataURL  https://sso-4ccc589b.sso.duosecurity.com/oidc/XXXXXXXXXXXXXXXXXXXX/.well-known/openid-configuration
    OIDCClientID             XXXXXXXXXXXXXXXXXXXX
    OIDCClientSecret         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    # NOTE: you can find scopes in the the OIDCProviderMetadataURL
    OIDCScope "openid profile email"
    OIDCRemoteUserClaim user
    # use HTTP_ prefix so env vars are more trusted in CGI. "see: suexec safe_env_lst"
    OIDCClaimPrefix HTTP_OIDC_CLAIM_
    # WARN: default delimiter is comma. AD groups can contain commas! (":" is safer)
    OIDCClaimDelimiter ":"
    OIDCCacheShmEntrySizeMax 270848
</IfModule>

# Assuming handling https on an ingress server like Caddy.
# Also port 80 is firewalled to only talk to your ingress server.
<VirtualHost _default_:80>
    ServerName myhost.fast.uwaterloo.ca
    ServerAlias myhost-stage.fast.uwaterloo.ca
    
    # NOTE: this is needed for the OIDCRedirectURI callback
    <Location /secure>oidc-callback>
        AuthType openid-connect
        Require valid-user
    </Location>

    # example: only allow IdM-HR-staff users
    <Location /staff>
        AuthType openid-connect
        Require claim group:IdM-HR-staff
    </Location>

    # example: require user to be in two groups
    <Location /staff-admin>
        AuthType openid-connect
        # each require is an OR. If you want AND, use RequireAll:
        <RequireAll>
        Require claim group:IdM-HR-staff
        Require claim group:myhost-admin
        </RequireAll>
        # TODO: this might also work
        # Require claim "group:myhost-admin group:IdM-HR-staff"
    </Location>

    <Location / >
        AuthType openid-connect
        Require valid-user
        # if you have a simple backend to proxy to
        ProxyPreserveHost On
        ProxyPass 127.0.0.1:8080
    </Location>
</VirtualHost>

...