Set Up SSO in Apache using ModAuthOpenIDC and AzureAD on Rocky Linux 8

This tutorial will walk you through the steps to set up authentication, authorization and single sign-on in Apache web server using the combination of ModAuthOpenIDC and Azure Active Directory as an identity provider on Rocky Linux release 8.

  • Apache is the most widely-used web server in the world. It provides many powerful features including dynamically loadable modules, robust media support, and extensive integration with other popular software.
  • OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. OIDC uses JSON web tokens (JWTs), which you can obtain using flows conforming to the OAuth 2.0 specifications.
  • ModAuthOpenidc is a certified authentication and authorization module for the Apache HTTP server that implements the OpenID Connect Relying Party functionality. It relays end user authentication to an identity provider and receives user identity information from that idp. It then passes on that identity information to applications protected by the Apache and establishes an authentication session for the identified user.
  • Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system.
  • Azure Active Directory (AzureAD) is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It can sync with on-premise Active Directory and provide authentication to other cloud-based systems, and applications via authentication protocols like OAuth2, SAML, and WS-Security.



To follow this tutorial along, you will need a (physical or virtual) machine installed with Rocky Linux release 8.

 

Install Prerequisites

Log in to your Rocky Linux using a non-root user having sudo privileges and perform the following steps.

Type following command on your Rocky Linux to set correct timezone:

sudo timedatectl set-timezone Asia/Karachi

Make sure you replace the highlighted text with yours.

Type following command to install Apache, ModAuthOpenidc and other important packages on your Rocky Linux:

sudo dnf -y install openssl httpd mod_ssl mod_auth_openidc

At this stage, you have installed all the required packages on your Rocky Linux.

 

Register an App with Azure Active Directory

To integrate Azure Active Directory authentication in Apache,  you need to register your application with Azure and obtain required information so that you can configure your Apache web server using that information. 

Log in to your Azure Portal and navigate to Azure Active Directory as show in images below:

 

Click on App registrations


 

Click on New registration 

On the following screen:

  • Enter the name of your app in the Name box
  • Select your account type from Supported account types
  • Select Web from Redirect URI drop-down list
  • Enter the URI of your application like
  • Click on Register

From the following screen, you need to copy:

  1. Application (client) ID
  2. Directory (tenant) ID

and paste it on notepad as you need them later to configure your Apache web server.

Click on Certificates & secrets

Click on New client secret

On the following screen:

  • Enter description of your app in the Description box
  • Select an expiry period from the Expires drop-down list 
  • Click on Add

On the following screen, you must copy the Value of the client secrets and paste it on notepad as you need it for your Apache configuration later.

Remember: once you close the above screen, you will not be able to read client secrets value again, as it will be converted to asterisks for security reason, so make sure you write it down on notepad before closing the above screen.

Navigate to Token configuration then click on Add optional claim

On the following screen:

  • Select ID
  • From Claim select upn
  • Click on Add

On the following screen

  • Tick Turn on the Microsoft Graph profile 
  • Click Add

At this stage, you have successfully completed app registration process on your Azure, and you are now ready to configure your Apache web server to integrate Azure Active Directory authentication for your application.

 

Configure ModAuthOpenid in Apache

Log in to your Rocky Linux and perform the following steps to configure ModAuthOpenidc, and Apache web server.

Create an openidc.conf file in the Apache root configuration /etc/httpd/conf.d directory:

sudo nano /etc/httpd/conf.d/openidc.conf

Add following directives:

OIDCProviderMetadataURL https://sts.windows.net/Paste Your Azure Tenant ID Here/.well-known/openid-configuration
OIDCRedirectURI Type Your Redirect URI HERE
OIDCClientID Paste Your Application (client) ID Here
OIDCClientSecret Paste Your Client Secret Here
OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
OIDCRemoteUserClaim upn

Make sure you replace the highlighted text with yours as you have all these information saved on your notepad during azure app registration process:

  • OIDCProviderMetadataURL should have your azure tenant ID
  • OIDCRedirectURI should be the same URI you configured in Azure app registration step.
  • OIDCClientID should have your Application (client) ID.
  • OIDCClientSecret  should have your app client secret.
  • OIDCCryptoPassphrase either you can type a strong password or use the command to generate random password as it is not good idea to keep password in clear text format.
  • OIDCRemoteUserClaim should have upn as you selected it in claim type in azure app registration.

 

Create a self-signed SSL certificate

You can obtain an SSL certificate from any of the digital certificate provider i.e. VeriSign, DigiCert, etc. Since this is our test environment, we will create a self-signed SSL certificate to be used with https://myapp.stepstoperform.com/ url:

sudo nano /etc/httpd/conf.d/ssl.cnf

Add following directives:

[req]
default_bits = 2048
default_keyfile = private.key
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
commonName = myapp.stepstoperform.com

Make sure you replace the highlighted text with yours. Save and close the editor when you are finished.

Execute following command to create a self-signed SSL certificate:

cd /etc/httpd/conf.d

sudo openssl req -utf8 -batch -config "ssl.cnf" -new -x509 -days 3652 -nodes -out "myapp.crt" -keyout "myapp.key"

 

Create Apache VirtualHost

We will create myapp.conf file in Apache root configuration directory /etc/httpd/conf.d to declare https://myapp.stepstoperform.com/protected URL:

sudo nano /etc/httpd/conf.d/myapp.conf

Add following directives:

<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName myapp.stepstoperform.com

ErrorLog /var/log/httpd/oidc/error.log
CustomLog /var/log/httpd/oidc/access.log combined

SSLEngine on
SSLCertificateFile /etc/httpd/conf.d/myapp.crt
SSLCertificateKeyFile /etc/httpd/conf.d/myapp.key

<Location /protected>
AuthType openid-connect
Require valid-user
</Location>
</VirtualHost>

Make sure you replace the highlighted text with yours. Save and close the editor when you are finished.

Create a protected directory in /var/www/html to host your app contents:

sudo mkdir -p /var/www/html/protected

We do not have any application to host but for demonstration purpose we will create a sample index page in /var/www/html/protected directory:

sudo nano /var/www/html/protected/index.html

Add sample html code:

<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<title>Index Page</title>
</head>

<body>
<h3>Welcome</h3>
<h3>You have successfully logged in with your Azure AD credentials!</h3>
</body>
</html>

Save and close the editor when you are finished.

Create info.php sample index page as well

sudo nano /var/www/html/protected/info.php

Add sample php code:

<?php session_start(); ?>
<h2>Remote User Claim</h2>
<br/>
<div class="row">
<table class="table" style="width:80%;" border="1">
<?php foreach ($_SERVER as $key=>$value): ?>
<?php if ( preg_match("/OIDC_/i", $key) ): ?>
<tr>
<td data-toggle="tooltip" title=<?php echo $key; ?>><?php echo $key; ?></td>
<td data-toggle="tooltip" title=<?php echo $value; ?>><?php echo $value; ?></td>
</tr>
<?php endif; ?>
<?php endforeach; ?>
</table>

Save and close the editor when you are finished.

Create a directory in /var/log/httpd to store your Apache VirtualHost logs:

sudo mkdir -p /var/log/httpd/oidc

Type following command to verify Apache configuration:

sudo apachectl configtest

You will see Syntax OK in the output if everything goes well. If there is any error, fix them first, then proceed to next step.

Restart Apache to take the changes effect:

sudo systemctl restart httpd

At this stage your Apache, and ModAuthOpenidc configuration is completed.

 

Test Apache, ModAuthOpenidc and Azure AD Authentication

Open a web browser and enter your application URL https://myapp.stepstoperform.com/protected for example, in the address bar:


 

This will take you to your Azure AD login page where you can log in using valid credentiasls:

Upon successful authentication, you will be redirected to your sample index page as you can see in screenshot below:


You can see logged in users info by accessing https://myapp.stepstoperform.com/protected/info.php in the browser address bar:


This will show you logged in user's information like as shown in screenshot below:


The info.php is just for testing purpose, you should remove it from your Apache when you are done testing your authentication configuration.

 

Conclusion

I hope this guide was helpful to configure authentication, authorization and single sign-on in Apache web server using ModAuthOpenIDC and Azure Active Directory to secure your application. We highly appreciate if you leave few words of thoughts about this tutorial in the comment section below.

No comments:

Powered by Blogger.