OIDC RP

From NIEF Wiki
Revision as of 20:17, 22 January 2019 by Jeff.Krug (talk | contribs) (Created page with "There are many ways to deploy OIDC RPs and OIDC Clients, and many different libraries to do it. The NIEF openid.nief.org test server is available to test with any of these fr...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

There are many ways to deploy OIDC RPs and OIDC Clients, and many different libraries to do it. The NIEF openid.nief.org test server is available to test with any of these frameworks, just contact NIEF help for details.

This specific article is about deploying the mod_auth_openidc Apache module for enabling OIDC SSO at the web server in a similar method to how Shibboleth enables SAML SSO for Apache.

Deploying

For the NIEF Testbed mod_auth_openidc offered the best option for deploying an OIDC RP as it operates as an Apache httpd module (with a somewhat similar integration method as the Shibboleth SP). This httpd module was developed by Ping Identity and is available for free here: https://github.com/zmartzone/mod_auth_openidc.

The github repository includes numerous sample configurations that can provide guidance on how to configure it for your environment and needs.

NIEF Testbed Sample

A sample config from the NIEF Testbed is provided as well as it includes a couple minor things not found elsewhere (specifically requesting the NIEF scope from an OIDC Provider):

  OIDCProviderMetadataURL https://openid.nief.org/oidc/.well-known/openid-configuration
  OIDCScope "profile openid email nief"
  OIDCClientID  [Generated by OIDC Provider]
  OIDCClientSecret [Generated by OIDC Provider]
  OIDCRedirectURI https://testsp.nief.org/oidctest/claims_consumer
  OIDCCryptoPassphrase [Any random string used locally for session management]
  <Location /oidctest/>
      AuthType openid-connect
      Require claim "sub~\w"
  </Location>