...
NOTE: FAST Members can access fully functional examples w/ localhost client ID on gitlab.
Your domain
You will need valid HTTPS (usually handled by one of the solutions below).
You need to know your callback URL (depending on your software stack this might be predetermined; check the documentation for your libraries!)
If doing a reverse proxy to localhost on, for example, port 8080, it is critical to firewall that port! Otherwise requests can reach the backend directly without passing through the authenticating proxy.
Need to contact IST for a client key via a ticket
NEW: OpenID Connect
ISS-General 2FA https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660
set summary: “OIDC: add new web client“
set select topic you require assistance with: “Duo 2FA support”
set Additional comments:
Code Block:

```
## NOTE: you first need to know your callback URI
## The django module uses /oidc/duo/callback/
## Apache uses /secure/redirect_uri
Allowed callback URIs:
- https://x.x.uwaterloo.ca/oidc/duo/callback/
- https://x-stage.x.uwaterloo.ca/oidc/duo/callback/
*group* in short format, not full DN.
claims: winaccountname, group, email, name, given_name, family_name
```
Combining authentication with Grouper defined NEXUS groups can be a robust solution
...
During development you will find it helpful to support auth on localhost. The following configuration only supports callbacks to localhost:port/oidc/duo/callback/. We also added a handful of port numbers to keep things simple: 3000, 8000, 8080, 8888, 443, 80
You can find the secret in the FAST examples gitlab repo linked above
Code Block:

```
OIDC_AUTH_SERVER=https://sso-4ccc589b.sso.duosecurity.com/oidc/DIUHIIU5GLVCYFDLE7P7/
OIDC_CLIENT_ID=DIUHIIU5GLVCYFDLE7P7
OIDC_CLIENT_SECRET=TODO: ask mirko for key.. or perhaps we share it?
OIDC_CALLBACK=/oidc/duo/callback/
```
...
Code Block:

```apache
# For advanced options see: https://github.com/OpenIDC/mod_auth_openidc
<IfModule mod_auth_openidc.c>
    # If you have an ingress proxy like Caddy you'll need the following:
    # respect X-Forwarded-* headers passed down from the proxy
    OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Host

    # this personal secret is created by you and never shared!
    OIDCCryptoPassphrase XXXXXXXXXXX_PERSONAL_SECRET_XXXXXXXXXXX

    # after successful login redirect the user to where they wanted to go;
    # this path needs to be openid-connect protected on your host
    # (see the <Location /secure/oidc-callback> block below)
    OIDCRedirectURI https://myhost.fast.uwaterloo.ca/secure/oidc-callback/redirect_uri
    OIDCProviderMetadataURL https://sso-4ccc589b.sso.duosecurity.com/oidc/XXXXXXXXXXXXXXXXXXXX/.well-known/openid-configuration
    OIDCClientID XXXXXXXXXXXXXXXXXXXX
    OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    # NOTE: you can find the available scopes in the OIDCProviderMetadataURL
    OIDCScope "openid profile email"
    OIDCRemoteUserClaim user

    # use HTTP_ prefix so env vars are more trusted in CGI. "see: suexec safe_env_lst"
    OIDCClaimPrefix HTTP_OIDC_CLAIM_
    # WARN: default delimiter is comma. AD groups can contain commas! (":" is safer)
    OIDCClaimDelimiter ":"
    OIDCCacheShmEntrySizeMax 270848
</IfModule>

# Assuming https is handled on an ingress server like Caddy.
# Also port 80 is firewalled to only talk to your ingress server.
<VirtualHost _default_:80>
    ServerName myhost.fast.uwaterloo.ca
    ServerAlias myhost-stage.fast.uwaterloo.ca

    # NOTE: this is needed for the OIDCRedirectURI callback; the path must
    # match the path part of OIDCRedirectURI above
    <Location /secure/oidc-callback>
        AuthType openid-connect
        Require valid-user
    </Location>

    # example: only allow IdM-HR-staff users
    <Location /staff>
        AuthType openid-connect
        Require claim group:IdM-HR-staff
    </Location>

    # example: require user to be in two groups
    <Location /staff-admin>
        AuthType openid-connect
        # each Require is an OR. If you want AND, use RequireAll:
        <RequireAll>
            Require claim group:IdM-HR-staff
            Require claim group:myhost-admin
        </RequireAll>
        # TODO: this might also work
        # Require claim "group:myhost-admin group:IdM-HR-staff"
    </Location>

    <Location />
        AuthType openid-connect
        Require valid-user
        # if you have a simple backend to proxy to
        # (inside <Location> ProxyPass takes only the backend URL; the scheme is required)
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:8080/
    </Location>
</VirtualHost>
```
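How the claim prefix, the ":" delimiter and the RequireAll / plain-Require distinction above look from the application side. This is an added Python example, not code from this page or from the FAST examples repo; it assumes the backend receives the claims as CGI/WSGI environment variables named with the OIDCClaimPrefix, and the sample environment (including a group name containing a comma) is constructed for illustration.

```python
from typing import Dict, Iterable, List

# These two values must match the Apache directives used on this page:
#   OIDCClaimPrefix HTTP_OIDC_CLAIM_
#   OIDCClaimDelimiter ":"
CLAIM_PREFIX = "HTTP_OIDC_CLAIM_"
CLAIM_DELIMITER = ":"


def parse_oidc_claims(environ: Dict[str, str],
                      delimiter: str = CLAIM_DELIMITER) -> Dict[str, List[str]]:
    """Collect the claims mod_auth_openidc injected into the CGI/WSGI environment.

    Multi-valued claims such as `group` arrive as one string joined by the
    configured delimiter; every claim is returned as a list of values.
    Only trust these values when the backend is reachable solely through
    Apache (this is why the page insists on firewalling the proxied port).
    """
    claims: Dict[str, List[str]] = {}
    for key, value in environ.items():
        if key.startswith(CLAIM_PREFIX):
            name = key[len(CLAIM_PREFIX):].lower()
            claims[name] = [v for v in value.split(delimiter) if v]
    return claims


def require_all_groups(claims: Dict[str, List[str]], required: Iterable[str]) -> bool:
    """Same decision as the <RequireAll> block: the user must hold every group."""
    return set(required).issubset(claims.get("group", []))


def require_any_group(claims: Dict[str, List[str]], allowed: Iterable[str]) -> bool:
    """Same decision as several plain `Require claim group:...` lines (OR)."""
    return not set(allowed).isdisjoint(claims.get("group", []))


# Constructed sample environment: the third AD group name contains a comma,
# which is why the page recommends ":" over the default "," delimiter.
SAMPLE_ENVIRON = {
    "HTTP_OIDC_CLAIM_USER": "jdoe",
    "HTTP_OIDC_CLAIM_EMAIL": "jdoe@uwaterloo.ca",
    "HTTP_OIDC_CLAIM_GROUP": "IdM-HR-staff:myhost-admin:Payroll, Benefits",
    "REQUEST_METHOD": "GET",
}

if __name__ == "__main__":
    claims = parse_oidc_claims(SAMPLE_ENVIRON)
    print(claims["group"])
    print(require_all_groups(claims, ["IdM-HR-staff", "myhost-admin"]))
    # Splitting on "," would mangle every group into two bogus values:
    print(parse_oidc_claims(SAMPLE_ENVIRON, delimiter=",")["group"])
```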
...