Will it blend? Configure OpenAM to use Ping's OIDC RP module



OpenAM can be configured as an OpenID Connect provider.  Ping provides an open source relying party (RP) module for Apache that supports OIDC. This module is an an Apache filter that protects pages and requires the user to authenticate with an OIDC provider. The module asserts the user's identity to proxied applications by setting HTTP headers.

Prerequisites:
  • A recent OpenAM 12 build. Subscription customers can contact ForgeRock to get the required functionality in OpenAM 11.x
  • The Ping OIDC module from here https://github.com/pingidentity/mod_auth_openidc
  • Configure OpenAM as an OIDC provider
  • Create an Agent for the Ping module (Realm -> Agents -> OAuth2 -> new agent)

The Apache configuration details will depend on your O/S distribution. Create an Apache .conf file for the OIDC module and include it your configuration . Here is an example:
From:

OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
 
OIDCClientID apache
OIDCClientSecret password
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/openam/redirect_uri
OIDCCryptoPassphrase password
 
<Location /openam/>
Authtype openid-connect
require valid-user
</Location>


The OIDC connect configuration will depend on the details of your OpenAM installation. Things to watch out for:

  • Add the redirect uri to OpenAM's agent configuration. In the above example the Apache server is available at www.example.com. The redirect_uri from above is not a real web resource (you will not find a page that corresponds to that URL). The Ping module intercepts requests to the URL to handle the OAuth protocol dance.
  • The Location directive (/openam) protects pages at that root with the OIDC module. This is just an example - you do not need to use /openam. 

Comments

Post a Comment

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

Image
ForgeRock Directory Services 7.0 was a big achievement for the Grenoble Directory team.  It is the only "Kubernetes native" directory where you can add a new replica using kubectl: kubectl scale sts/ds-idrepo --replicas=3 The 7.0 deployment is assembled using standard Kubernetes primitives such as StatefulSets , Persistent Volume Claims, and Services.  This is all built and orchestrated using Skaffold and Kustomize .  An emerging pattern in the Kubernetes world is the use of Custom Resources and Operators .  Broadly speaking, a custom resource is the declaration of the desired system state, and the operator's job is to observe the current state and bring the system into alignment with the declared state: source: https://blog.container-solutions.com/kubernetes-operators-explained The Kubernetes API server (the thing that responds to your kubectl commands) can be extended to handle new custom types.  A custom resource definition (CRD) describes to the API server the syntax
Read more

Automating OpenDJ backups on Kubernetes

Image
Kubernetes   StatefulSets  are designed to run "pet" like services such as databases.   ForgeRock's OpenDJ LDAP server is an excellent fit for StatefulSets as it requires stable network identity and persistent storage. The ForgeOps project contains a Kubernetes Helm chart to deploy DJ to a Kubernetes cluster. Using a StatefulSet, the cluster will auto-provision persistent storage for our pod. We configure OpenDJ to place its backend database on this storage volume. This gives us persistence that survives container restarts, or even restarts of the cluster. As long as we don't delete the underlying persistent volume, our data is safe. Persistent storage is quite reliable, but we typically want additional offline backups. The high level approach to accomplish this is as follows: Configure the OpenDJ container to support scheduled backups to a volume. Configure a Kubernetes volume to store the backups. Create a sidecar container that archives the backups
Read more

Deploying the ForgeRock platform on Kubernetes using Skaffold and Kustomize

Image
If you are following along with the  ForgeOps repository, you will see some significant changes in the way we deploy the ForgeRock IAM platform to Kubernetes.  These changes are aimed at dramatically simplifying the workflow to configure, test and deploy ForgeRock Access Manager, Identity Manager, Directory Services and the Identity Gateway. To understand the motivation for the change, let's recap the current deployment approach: The Kubernetes manifests are maintained in one git repository ( forgeops ), while the product configuration is another ( forgeops-init ). At runtime ,  Kubernetes init containers clone the configuration from git and make it  available to the component using a shared volume. The advantage of this approach is that the docker container for a product can be (relatively) stable. Usually it is the configuration that is changing, not the product binary. This approach seemed like a good idea at the time, but in retrospect it created a lot of c
Read more