OIDC configuration for Apache
Many legacy web applications at CERN rely on the Apache server, often configured with Shibboleth and SAML using the old SSO. To migrate to OIDC, there are several options:
- For Apache-based web applications that are behind the SSO, you may consider the CERNSSO Apache module
- If you have a more complex web application that mixes public and private pages, you can use the `Location` directive to protect only some paths, e.g.:

```apache
<Location /private/>
    AuthType openid-connect
    Require claim cern_roles:admin
</Location>
```
- If you are already using the "apache" puppet module, you can simply include the openidc sub-module in your manifest:
include ::apache::mod::auth_openidc
- To configure OIDC, you need to define the following in your configuration files or Puppet code:
NB: If you do this with Puppet, please use tbag/teigi for your secrets! You may also wish to change some of these parameters depending on your application.
```apache
OIDCProviderMetadataURL "https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration"
OIDCRedirectURI https://myserver.cern.ch/myapp/redirect_uri
OIDCClientID myclientid
OIDCClientSecret myclientsecret
OIDCCryptoPassphrase mycryptopassphrase
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCRemoteUserClaim email
```
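The following vhost ties the directives above together for a site with both public and protected paths; it is an added example and not configuration from this page or from the CERN puppet modules. The hostname, paths, `LoadModule` line and the placeholder secrets are assumptions for illustration, and it assumes the provider returns the `email` claim when the `email` scope is requested.

```apache
# Added example (not from the page): mod_auth_openidc client settings at
# server scope, then a vhost that leaves /myapp/ public and protects
# /myapp/private/ by role. Replace every "my..." value with your own.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL "https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration"
OIDCClientID myclientid
# Placeholders: never commit real values; with Puppet, pull them from tbag/teigi.
OIDCClientSecret myclientsecret
OIDCCryptoPassphrase mycryptopassphrase
OIDCProviderTokenEndpointAuth client_secret_basic
# Ask for the email scope so the claim used as REMOTE_USER is actually present.
OIDCScope "openid email"
OIDCRemoteUserClaim email
# The redirect URI is a vanity path handled by the module itself: it must sit
# under a Location protected with AuthType openid-connect and serve no content.
OIDCRedirectURI https://myserver.cern.ch/myapp/redirect_uri

<VirtualHost *:443>
    ServerName myserver.cern.ch
    DocumentRoot /var/www/myapp
    # TLS directives (SSLEngine, certificate files) omitted; OIDC needs HTTPS.

    # Public part of the application: no login required.
    <Location /myapp/>
        Require all granted
    </Location>

    # Callback path: any authenticated user, no content behind it.
    <Location /myapp/redirect_uri>
        AuthType openid-connect
        Require valid-user
    </Location>

    # Private part: only accounts whose cern_roles claim contains "admin".
    # Apache merges Location sections in file order, so this more specific
    # section replaces the Require of /myapp/ (AuthMerging is Off by default).
    <Location /myapp/private/>
        AuthType openid-connect
        Require claim cern_roles:admin
    </Location>
</VirtualHost>
```

After a reload, an unauthenticated request to `/myapp/private/` is redirected to auth.cern.ch, while `/myapp/` stays reachable without a session; check the error log at `LogLevel auth_openidc:debug` if the callback fails.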