Secure Apache using ModAuthOpenidc and Azure AD on Ubuntu 20.04

This tutorial will show you how to enable authentication, and single sign-on (SSO) functionality in Apache web server using mod_auth_openidc and Azure AD on Ubuntu 20.04

Apache is the most widely-used web server in the world. It provides many powerful features including dynamically loadable modules, robust media support, and extensive integration with other popular software.
mod_auth_openidc is a certified authentication and authorization module for the Apache HTTP server that implements the OpenID Connect Relying Party functionality. It relays end user authentication to a Provider and receives user identity information from that Provider. It then passes on that identity information to applications protected by the Apache web server and establishes an authentication session for the identified user.
Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system.
Azure AD is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It can sync with on-premise Active Directory and provide authentication to other cloud-based systems, and applications via authentication protocols like OAuth2, SAML, and WS-Security.


To follow this tutorial along, you will need one (physical or virtual) machine installed with Ubuntu 20.04.

Install Required Packages

Log in to your Linux system with a non-root sudo user privileges and install the required packages:

sudo apt install apache2 libapache2-mod-auth-openidc

Configure Azure

To configure Authentication for your Apache web server with Azure AD, navigate to your Azure Portal > Azure Active Directory as show in images below:

Click App registrations


Click New registration

In the Name field, give some meaningful name > Select Supported account types > Select Web from drop&down > enter the URI like https://your-apache-server-url/protected/redirect_uri and click Register

Note down Application (client) ID, and Directory (tenant) ID, as you will need it for Apache configuration later.

Next, click Certificates & secrets

Click New client secret

Enter some meaningful description, and select the expiry period from the drop&down, then click Add

Copy the Value of the client secrets and save it somewhere on your computer as you need it for Apache configuration later.

Remember, once you close this screen, you will not be able to read this Value again, as it will be converted to asterisks for security reason, so make sure you have copied this value on your computer before switching the screen.

Next, click Token configuration > Add optional claim > cd

For Token type, select ID > for Claim select upn > click Add

Tick Turn on the Microsoft Graph profile, click Add

At this stage, azure app registration process is completed.

Configure Apache

In this step, we will create a openidc.conf file with the required parameters like below:

sudo nano /etc/apache2/conf-available/openidc.conf


OIDCClientID 71cb315e-3d0c-2a23-674a-3768fbfc5193
OIDCClientSecret 6f58Q~KXlR3e3-2F0fah0Sc9eWF3rwNoXm5N1bVW
OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
OIDCRemoteUserClaim upn

Make sure you replace the highlighted text with yours. Save and close the editor when you are finished.


OIDCProviderMetadataURL you just need to replace tenant ID with your azure tenant ID
OIDCClientID is the Application (client) ID we asked you to note down in the Azure configuration step.
OIDCRedirectURI is the url, where users will be redirected after successful authentication, this has to be the same as you configured in Azure configuration step.
OIDCCryptoPassphrase you can type a strong password like (myPassw0rd@123) or use the command to generate random password as it is not good idea to keep the readable password in the file.
OIDCRemoteUserClaim upn means user@dmain 

Next, we will generate a Self-signed SSL certificate to be used with using openssl:

cd /etc/ssl/certs
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout lab.key -out lab.crt

Next, create a VirtualHost configuration file like below:

sudo nano /etc/apache/sites-available/lab.conf

Add following configuration:

<VirtualHost *:443>
    SSLCertificateFile /etc/ssl/certs/lab.crt
    SSLCertificateKeyFile /etc/ssl/certs/lab.key

    ErrorLog /var/log/apache2/oidc/error.log
    CustomLog /var/log/apache2/oidc/access.log combined

<Location /protected>
    AuthType openid-connect
    Require valid-user

Make sure you replace the highlighted text with yours. Save and close the editor when you are finished.

Create a directory under /var/www/html/ to store your content:

sudo mkdir -p /var/www/html/protected

Next, we will create sample index pages in /var/www/html/protected/ directory:

sudo nano /var/www/html/protected/index.html

Sample code:

<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<title>Index Page</title>

<h3>Welcome to the Sample Index Page</h3>
<h3>You have successfully logged in with your Azure AD credentials</h3>

Save and close the editor when you are finished.

Next, create a info.php page

sudo nano /var/www/html/protected/info.php

Sample code:

      <?php session_start(); ?>

<h2>Remote User Claim</h2>
<div class="row">

<table class="table" style="width:80%;" border="1">
<?php foreach ($_SERVER as $key=>$value): ?>
<?php if ( preg_match("/OIDC_/i", $key) ): ?>
<td data-toggle="tooltip" title=<?php echo $key; ?>><?php echo $key; ?></td>
<td data-toggle="tooltip" title=<?php echo $value; ?>><?php echo $value; ?></td>
<?php endif; ?>
<?php endforeach; ?>

Save and close the editor when you are finished.

Next, create a directory to store logs

sudo mkdir -p /var/log/apache2/oidc

Type following command to enable SSL module, as well as your configuration files in Apache

sudo a2enmod ssl
sudo a2enconf openidc.conf
sudo a2ensite lab.conf

Check Apache configuration files syntax with below command:

sudo apache2ctl configtest

You will see Syntax OK in the output if everything goes well. If there is any error, fix them first, then proceed with the below step.

Restart Apache to take the changes effect:

sudo systemctl restart apache2

Verify Apache and Azure Authentication

Open up a web browser, type https://your-apache-server-url/protected in the address bar, and hit Enter:


This will take you to your Azure AD login page, enter your correct username, password to log in:

After successful log in, you will see your sample index page:

To see the detail of your your logged in user, type https://your-apache-server-url/protected/info.php in the browser address bar:

You will see detail like below:

This info.php is just for testing purpose, you should remove it from your Apache server when you are done testing authentication.


I hope this guide was helpful to set up authentication in Apache web server on Ubuntu 20.04 using mod_auth_openidc and Azure AD in your environment.

No comments:

ads 728x90 B
Powered by Blogger.