Secure Apache using ModAuthOpenidc and Azure AD on CentOS7-8

This tutorial will walk you through the steps to configure authentication in Apache web server using OIDC and Azure AD to protect your content, applications and services.

Apache is the most widely-used web server in the world. It provides many powerful features including dynamically loadable modules, robust media support, and extensive integration with other popular software.

mod_auth_openidc is a certified authentication and authorization module for the Apache HTTP server that implements the OpenID Connect Relying Party functionality. It relays end user authentication to a Provider and receives user identity information from that Provider. It then passes on that identity information to applications protected by the Apache web server and establishes an authentication session for the identified user.

Single sign-on (SSO) is a property of access control across multiple related, yet independent, software systems. With this property, a user logs in once with a single ID and password and gains access to the connected systems without entering different usernames or passwords; in some configurations the sign-on at each system is seamless.

Azure AD is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It can sync with on-premises Active Directory and provide authentication to other cloud-based systems and applications via authentication protocols such as OAuth2, SAML, and WS-Security.

Prerequisites

To follow along with this tutorial, you will need one (physical or virtual) machine installed with any of your favorite Linux distributions such as CentOS, RHEL, Fedora or Rocky Linux.

Install Required Packages

Log in to your Linux system as a non-root user with sudo privileges and install the required packages.

Type the command below if you have CentOS 7 or RHEL 7:

sudo yum -y install openssl httpd mod_ssl mod_auth_openidc

For RHEL 8 or CentOS 8:

sudo dnf -y install openssl httpd mod_ssl mod_auth_openidc

Configure Azure

To configure authentication for your Apache web server with Azure AD, navigate to your Azure Portal > Azure Active Directory as shown below:

Click App registrations

Click New registration

In the Name field, enter a meaningful name > select Supported account types > select Web from the drop-down > enter the URI, for example https://your-apache-server-url/protected/redirect_uri, and click Register

Note down the Application (client) ID and the Directory (tenant) ID, as you will need them for the Apache configuration later.

Next, click Certificates & secrets

Click New client secret

Enter a meaningful description, select the expiry period from the drop-down, then click Add

Copy the Value of the client secret and save it somewhere on your computer, as you need it for the Apache configuration later.

Remember, once you close this screen you will not be able to read this Value again, as it is masked with asterisks for security reasons, so make sure you have copied it before leaving the screen.

Next, click Token configuration > Add optional claim

For Token type, select ID > for Claim select upn > click Add

Tick "Turn on the Microsoft Graph profile" and click Add

At this stage, the Azure app registration process is complete.

Configure Apache

In this step, we will create an openidc.conf file with the required parameters under the /etc/httpd/conf.d/ directory, like below:

sudo nano /etc/httpd/conf.d/openidc.conf

Directives

OIDCProviderMetadataURL https://sts.windows.net/0cd67963-27f5-49b1-6269-509338c44615/.well-known/openid-configuration
OIDCRedirectURI https://lab.techsupportpk.com/protected/redirect_uri
OIDCClientID 71cb315e-3d0c-2a23-674a-3768fbfc5193
OIDCClientSecret 6f58Q~KXlR3e3-2F0fah0Sc9eWF3rwNoXm5N1bVW
OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
OIDCRemoteUserClaim upn

Make sure you replace the tenant ID, redirect URI, client ID and client secret with your own values. Save and close the editor when you are finished.

Explanation:

OIDCProviderMetadataURL: replace the tenant ID in the URL with your Azure Directory (tenant) ID.
OIDCClientID is the Application (client) ID we asked you to note down in the Azure configuration step.
OIDCClientSecret is the client secret Value you copied in the Azure configuration step.
OIDCRedirectURI is the URL users are redirected to after successful authentication; it must be identical to the redirect URI you configured in the Azure configuration step.
OIDCCryptoPassphrase: you can type a strong password (such as myPassw0rd@123) or use the exec: command shown to generate a random one, as it is not a good idea to keep a readable password in the file. Note that a passphrase generated at startup changes on every Apache restart, so sessions encrypted with the previous passphrase are no longer valid, and every server in a load-balanced setup needs the same passphrase.
OIDCRemoteUserClaim upn sets REMOTE_USER to the user's UPN, in the form user@domain.
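To make the last two directives concrete, the following added example (not part of the tutorial) shows how the claims in an Azure AD ID token become the OIDC_CLAIM_* variables that the protected content sees, and how OIDCRemoteUserClaim upn yields REMOTE_USER; the token, tenant and client values are constructed placeholders, and the signature check that mod_auth_openidc performs is omitted.

```python
# Added example, not from the tutorial: shows how claims in an Azure AD ID
# token become the OIDC_CLAIM_* variables that /protected/info.php prints, and
# how OIDCRemoteUserClaim upn yields REMOTE_USER. The token is a constructed,
# unsigned sample; the real module verifies the signature before trusting it.
import base64
import json

CLAIM_PREFIX = "OIDC_CLAIM_"  # mod_auth_openidc default (OIDCClaimPrefix)
CLAIM_DELIMITER = ","         # mod_auth_openidc default (OIDCClaimDelimiter)

def b64url_json(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(id_token):
    """Return the claims in the JWT payload segment (re-adding padding)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def claims_to_env(claims, remote_user_claim="upn"):
    """Build the OIDC_CLAIM_* variables and REMOTE_USER as the module does."""
    env = {}
    for name, value in claims.items():
        if isinstance(value, list):  # multi-valued claims are joined
            value = CLAIM_DELIMITER.join(str(v) for v in value)
        env[CLAIM_PREFIX + name] = str(value)
    if remote_user_claim not in claims:
        # Without the 'upn' optional claim added in Azure Token configuration,
        # the module cannot set REMOTE_USER and authentication fails.
        raise KeyError(f"remote user claim '{remote_user_claim}' not in ID token")
    env["REMOTE_USER"] = str(claims[remote_user_claim])
    return env

# Constructed sample claims (placeholders, not real tenant or client IDs).
SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/<your-tenant-id>/",
    "aud": "<your-client-id>",
    "upn": "alice@example.com",
    "name": "Alice Example",
    "roles": ["reader", "editor"],
}
SAMPLE_ID_TOKEN = ".".join([b64url_json({"alg": "RS256"}), b64url_json(SAMPLE_CLAIMS), "<sig>"])

if __name__ == "__main__":
    for key, val in sorted(claims_to_env(decode_payload(SAMPLE_ID_TOKEN)).items()):
        print(f"{key}={val}")
```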

Next, we will generate a self-signed SSL certificate to be used with https://lab.techsupportpk.com/ using openssl:

cd /etc/httpd/conf.d
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout lab.key -out lab.crt

Next, create a VirtualHost configuration file like below:

sudo nano /etc/httpd/conf.d/lab.techsupportpk.conf

Directives:

<VirtualHost *:443>
    ServerName lab.techsupportpk.com

    # Enable TLS for this host with the self-signed certificate created above
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf.d/lab.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/lab.key

    ErrorLog /var/log/httpd/oidc/error.log
    CustomLog /var/log/httpd/oidc/access.log combined

    # Everything under /protected (including the redirect_uri) requires an
    # authenticated OpenID Connect session
    <Location /protected>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

Make sure you replace the server name and certificate paths with yours. Save and close the editor when you are finished.

Create a directory under /var/www/html/ to store your content:

sudo mkdir -p /var/www/html/protected

Next, we will create a sample index page in the /var/www/html/protected/ directory:

sudo nano /var/www/html/protected/index.html

Sample code:

<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<title>Index Page</title>
</head>

<body>
<h3>Welcome to the Sample Index Page</h3>
<h3>You have successfully logged in with your Azure AD credentials</h3>
</body>
</html>

Save and close the editor when you are finished.

Next, create an info.php page (this requires PHP to be installed on the server, for example the php package from the same repositories):

sudo nano /var/www/html/protected/info.php

Sample code:

<?php session_start(); ?>

<h2>Remote User Claim</h2>
<br/>
<div class="row">

<table class="table" style="width:80%;" border="1">
<?php foreach ($_SERVER as $key => $value): ?>
<?php if (preg_match("/OIDC_/i", $key)): ?>
<?php
// Escape before output: these values come from the identity provider's token
// and must not be rendered as raw HTML or unquoted attribute values.
$k = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
$v = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
?>
<tr>
<td data-toggle="tooltip" title="<?php echo $k; ?>"><?php echo $k; ?></td>
<td data-toggle="tooltip" title="<?php echo $v; ?>"><?php echo $v; ?></td>
</tr>
<?php endif; ?>
<?php endforeach; ?>
</table>
</div>

Save and close the editor when you are finished.

Next, create the directory for the log files referenced in the VirtualHost configuration:

sudo mkdir -p /var/log/httpd/oidc

Check the Apache configuration syntax with the command below:

sudo apachectl configtest

You will see Syntax OK in the output if everything is fine. If there is any error, fix it first, then proceed with the step below.

Restart Apache for the changes to take effect:

sudo systemctl restart httpd

Verify Apache and Azure Authentication

Open up a web browser, type https://your-apache-server-url/protected in the address bar, and hit Enter.

This will take you to your Azure AD login page; enter your username and password to log in.

After a successful login, you will see your sample index page.

To see the details of your logged in user, type https://your-apache-server-url/protected/info.php in the browser address bar.

You will see the OIDC_ variables of the logged in user listed in a table.

This info.php is just for testing purposes; you should remove it from your Apache server once you have finished testing authentication.

Conclusion

I hope this guide was helpful to set up authentication & authorization in Apache web server using OpenIDC and Azure AD in your environment.
