-
Notifications
You must be signed in to change notification settings - Fork 326
Curity Identity Server
Curity Identity Server provides centralized, secure and flexile authentication that enables SSO and MFA.
OAuth and OpenID Connect enables the use of tokens, scopes and claims in order to achieve a powerful and flexible authorization system for applications and APIs.
In addition to that a standardized SCIM API can be exposed to simplify access to legacy data sources for user management.
This is a quickstart guide that outlines the configuration details for integrating the Apache mod_auth_openidc module with the Curity Identity Server for authentication and access control of applications hosted in the Apache server.
A protected location is configured in the mod_auth_openidc module that enforces the presence of an access token. If no token is available the configuration will trigger a redirect to the Curity Identity Server where a token is issued after a successful authentication.
An installation of the Curity Identity Server is required and the rest of this guide assumes that the Curity Basic Setup Wizard has been completed.
- Log in to the Curity Admin UI (https://idsvr.example.com:6749/admin)
- Go to Profile -> Token Service -> Clients (left side menu) -> Click New Client
- Give it a name, for example
mod-auth-clientthen click Create - In the Capabilities section, click Add capabilities
- Choose
Code Flowand click Next - Add the redirect URI of the application that is to be protected running in the Apache instance, ex https://apache-host/protected
- Set a
Client Authenticationmethod. In this guideSecretwill be used. Chose secret from the drop down menu and add a Secret that will later be used in the mod_auth_openidc module configuration - Click next and select Authenticator
- In the
OAuth/OpenID Settingssection, select and add theopenidcscope from the drop-down menu - Make sure to commit the changes
This tutorial describing the configuration of the Code Flow is also a good resource.
- Log in to the Curity Admin UI (https://idsvr.example.com:6749/admin)
- Go to Profile -> Authentication Service -> Authenticators (left side menu) -> New Authenticator
- Give the authenticator a name (html). In this example we will use an
HTML Formauthenticator, select that option and click next. Note that other types of authenticators could be used also. - Choose a
Credentials Managerand optionally anAccount Manager - Make sure to commit the changes
More details on configuring an Authenticator in Curity is outlined in this tutorial, Setup a Username Authenticator.
Install Apache httpd with the mod_auth_openidc module according to the documentation. The readme is a good start.
OIDCRedirectURI /protected
OIDCCryptoPassphrase MyPa$$phrase
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
If a Metadata URL is not used the needed URLs can be configured manually:
OIDCProviderIssuer https://idsvr.example.com
OIDCProviderAuthorizationEndpoint https://idsvr.example.com/oauth/v2/oauth-authorize
OIDCProviderTokenEndpoint https://idsvr.example.com/oauth/v2/oauth-token
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd
OIDCCryptoPassphrase MyPa$$phrase
For questions and comments, contact Curity.