
OIDC configuration for Apache

Many legacy web applications at CERN rely on the Apache HTTP server, typically protected with the Shibboleth SP module and SAML against the old SSO. To migrate to OIDC, using the mod_auth_openidc Apache module, there are several options:

  • For Apache-based web applications that sit entirely behind the SSO (every page requires a login), you may consider the CERNSSO Apache module.
  • If you have a more complex web application that mixes public and private pages, you can use the `<Location>` directive to protect only the private paths. Requests outside the protected location are served without authentication; inside it, mod_auth_openidc enforces the login and the `Require` rule (here, membership of `admin` in the `cern_roles` claim). E.g.
    <Location /private/>
      AuthType openid-connect
      Require claim cern_roles:admin
    </Location>
    
  • If you are already using the "apache" Puppet module, you can simply include the auth_openidc sub-module in your manifest: `include ::apache::mod::auth_openidc`. This loads mod_auth_openidc; the OIDC directives below still have to be supplied in your own configuration.
  • To configure OIDC, you need to define the following in your configuration files or Puppet code:
    OIDCProviderMetadataURL "https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration"
    OIDCRedirectURI https://myserver.cern.ch/myapp/redirect_uri
    OIDCClientID myclientid
    OIDCClientSecret myclientsecret
    OIDCCryptoPassphrase mycryptopassphrase
    OIDCProviderTokenEndpointAuth client_secret_basic
    OIDCRemoteUserClaim email
    
    A few points to check: the `OIDCRedirectURI` must match, character for character, the redirect URI registered for your client, and it must be a path that is handled by mod_auth_openidc (inside a location with `AuthType openid-connect`) and does not correspond to a real page, since the module intercepts it to complete the login. `OIDCCryptoPassphrase` is used to encrypt session and state cookies, so use a long random value rather than a memorable one. `OIDCRemoteUserClaim email` sets `REMOTE_USER` from the `email` claim; choose whichever claim your application previously received from Shibboleth.
    
    NB: If you do this with Puppet, please use tbag/teigi for your secrets (the client secret and the crypto passphrase) rather than committing them to your manifests! You may also wish to change some of these parameters depending on your application.
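The following is an added worked example, not taken from the original page or from CERN's own configuration, that ties the pieces above together into one virtual host for an application with public, private and admin-only areas. The hostname, paths, client ID, secret, passphrase and the role name `admin` are placeholder assumptions; the claim name `cern_roles` and the provider metadata URL are the ones used above.

```apache
# Added example (placeholders: hostname, paths, client ID, secret, passphrase).
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName myserver.cern.ch
    # TLS directives omitted for brevity; the redirect URI must be served over HTTPS.

    # Provider and client settings. When rendered by Puppet, take the two
    # secret values from tbag/teigi instead of writing them in the manifest.
    OIDCProviderMetadataURL "https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration"
    OIDCClientID            myclientid
    OIDCClientSecret        myclientsecret
    OIDCProviderTokenEndpointAuth client_secret_basic

    # Must match the registered redirect URI exactly, must live under a
    # location protected with AuthType openid-connect, and must not be a
    # real page: mod_auth_openidc intercepts requests to it.
    OIDCRedirectURI         https://myserver.cern.ch/myapp/private/redirect_uri

    # Long random value used to encrypt session and state cookies.
    OIDCCryptoPassphrase    Replace-me-with-a-long-random-string

    # Scopes to request; "email" is needed for OIDCRemoteUserClaim email.
    OIDCScope               "openid email profile"

    # Populate REMOTE_USER from the email claim, as Shibboleth did before.
    OIDCRemoteUserClaim     email

    # Expose claims to the application as OIDC_CLAIM_* environment variables
    # only; use "headers" or "both" if you proxy to a backend that needs them.
    OIDCPassClaimsAs        environment

    DocumentRoot /var/www/myapp

    # Public pages: no authentication at all.
    <Location /myapp/public/>
        Require all granted
    </Location>

    # Private pages: any authenticated account from the CERN realm.
    <Location /myapp/private/>
        AuthType openid-connect
        Require valid-user
    </Location>

    # Admin pages: additionally require "admin" in the cern_roles claim.
    <Location /myapp/private/admin/>
        AuthType openid-connect
        Require claim cern_roles:admin
    </Location>
</VirtualHost>
```

Nested locations inherit the outer `AuthType`; the inner `Require claim` replaces the outer `Require valid-user`, so `/myapp/private/admin/` is reachable only by accounts whose `cern_roles` claim contains `admin`, while the rest of `/myapp/private/` is open to any logged-in user.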