Hi Kseniya, I have done the following setup using the NoAuth handler and BasicAuth stack, binding the apache env variables to OpenXPKI.
Apache uses OpenIDC with some GUID mapping for AzureAD groups in my case to generate the above env variables. Original doc here: https://openxpki.readthedocs.io/en/stable/reference/configuration/realm.html#stack at the end of the section.

/etc/apache2/mods-enabled/auth_openidc.conf

    OIDCProviderMetadataURL https://sts.windows.net/[tenantuuid]/.well-known/openid-configuration
    # This must match the Redirect URI of Azure configuration above
    OIDCRedirectURI https://[yourdomain]/openxpki/redirect_uri
    OIDCClientID [client uuid]
    OIDCClientSecret [client secret]
    OIDCCryptoPassphrase [random]
    # pass the claims as both request headers and environment variables
    OIDCPassClaimsAs both
    OIDCRemoteUserClaim unique_name

/etc/apache2/sites-enabled/openxpki.conf [Relevant only]

    <VirtualHost *:443>
        ## -- at the end - script to print the env variables, useful for troubleshooting
        #### Test script for openidc config -- please remove as it exposes the env
        ScriptAlias /env.py /usr/lib/cgi-bin/testenv.py
    </VirtualHost>

    # Require SSO Auth
    <Location />
        SSLRequireSSL
        SSLOptions +StdEnvVars
        AuthType openid-connect
        Require valid-user
        Options Includes FollowSymLinks ExecCGI
        # (AllowOverride is only valid in <Directory> context, so it is omitted here)
        Order allow,deny
        Allow from all
        ## If user belongs to A & B => User, if A & C => RA Operator
        ## Replace [GUID-A], [GUID-B], [GUID-C] with the bare group object ids
        ## (no brackets: inside a regex, square brackets form a character class).
        ## Rules are evaluated in order; a later match overwrites OPENXPKI_SSO_ROLE.
        RewriteEngine On
        RewriteCond %{HTTP:OIDC_CLAIM_groups} ^([^,]+,)*([GUID-A])(,[^,]+)*$
        RewriteCond %{HTTP:OIDC_CLAIM_groups} ^([^,]+,)*([GUID-B])(,[^,]+)*$
        RewriteRule .* - [E=OPENXPKI_SSO_ROLE:User,NE]
        RewriteCond %{HTTP:OIDC_CLAIM_groups} ^([^,]+,)*([GUID-A])(,[^,]+)*$
        RewriteCond %{HTTP:OIDC_CLAIM_groups} ^([^,]+,)*([GUID-C])(,[^,]+)*$
        RewriteRule .* - [E=OPENXPKI_SSO_ROLE:RA\ Operator,NE]
    </Location>

/usr/lib/cgi-bin/testenv.py - script to debug env variables, UNSAFE

    #!/usr/bin/python3
    # Debug helper only: dumps every CGI environment variable (claims, tokens
    # and any secrets included) to the browser. Remove it once the mapping works.
    # (Ported from the Python 2 print-statement version so it runs on python3.)
    import html
    import os

    print("Content-type: text/html\n")
    print("<HTML><Head><TITLE>Print Env Variables</TITLE></Head><BODY>")
    print("<h1>Environment Variables</h1>")
    for item in sorted(os.environ):
        # escape values so claim contents cannot inject markup into the page
        print("<p><B>%s</B>: %s </p>" % (html.escape(item), html.escape(os.environ[item])))
    print("</BODY></HTML>")
/etc/openxpki/config.d/realm/arubapoc/auth/handler.yaml

    # Those stacks are usually required so you should not remove them
    Anonymous:
        type: Anonymous
        label: Anonymous

    System:
        type: Anonymous
        role: System

    # Read the userdata from a YAML file defined in auth/connector.yaml
    LocalPassword:
        type: Password
        user@: connector:auth.connector.userdb

    # Trusts the identity established by Apache (mod_auth_openidc)
    ExternalAuth:
        type: NoAuth

/etc/openxpki/config.d/realm/arubapoc/auth/stack.yaml

    # The default handler for automated interfaces, hidden from the UI
    _System:
        handler: System

    BasicAuth:
        handler: ExternalAuth
        type: client
        param:
            # environment variables set by Apache that carry user, mail and role
            envkeys:
                username: OIDC_CLAIM_unique_name
                email: OIDC_CLAIM_unique_name
                role: OPENXPKI_SSO_ROLE

Enjoy 😉

Florian Cramoisan
PoC Engineer - WW | HPE Aruba Global Solutions

From: Kseniya Schwarz <[email protected]>
Date: Thursday, 21 September 2023 at 08:15
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] SSO configuration using SAML

Thanks Oliver! I would also like to ask if it's possible to pass username (e.g. with a REMOTE_USER variable) and roles from apache to openxpki.
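As an added example (not from the mail above or from OpenXPKI), the following Python model reproduces the RewriteCond group-to-role chain so the mapping can be checked offline against sample OIDC_CLAIM_groups values before it is deployed; the three group ids are constructed placeholders.

```python
import re

# Constructed placeholder object ids; substitute the real AzureAD group ids.
GUID_A = "11111111-1111-1111-1111-111111111111"
GUID_B = "22222222-2222-2222-2222-222222222222"
GUID_C = "33333333-3333-3333-3333-333333333333"

# Same table as the RewriteCond/RewriteRule pairs: every group in the tuple
# must be present in the claim for the role to be assigned.
ROLE_RULES = [
    ((GUID_A, GUID_B), "User"),
    ((GUID_A, GUID_C), "RA Operator"),
]


def group_pattern(guid):
    """Build the anchored pattern mod_rewrite evaluates:
    ^([^,]+,)*GUID(,[^,]+)*$
    It matches only a whole comma-separated item, so an id that merely
    contains the guid as a substring does not count. re.escape stands in
    for writing the bare id into the Apache config (no brackets)."""
    return re.compile(r"^([^,]+,)*" + re.escape(guid) + r"(,[^,]+)*$")


def sso_role(groups_claim):
    """Evaluate the rules in Apache order. As with successive RewriteRules
    that set E=OPENXPKI_SSO_ROLE, a later matching rule overwrites an
    earlier one, so the last matching rule wins. None means no role."""
    role = None
    for required, name in ROLE_RULES:
        if all(group_pattern(g).match(groups_claim) for g in required):
            role = name
    return role


if __name__ == "__main__":
    # constructed sample claims as Apache would see them in OIDC_CLAIM_groups
    for claim in (GUID_A + "," + GUID_B, GUID_C + "," + GUID_A, GUID_B):
        print(claim, "->", sso_role(claim))
```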
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
