Monday, July 14, 2014

Will it blend? Configure OpenAM to use Ping's OIDC RP module

OpenAM can be configured as an OpenID Connect provider. Ping provides an open source relying party (RP) module for Apache that supports OIDC. This module is an Apache filter that protects pages and requires the user to authenticate with an OIDC provider. The module asserts the user's identity to proxied applications by setting HTTP headers.

  • A recent OpenAM 12 build. Subscription customers can contact ForgeRock to get the required functionality in OpenAM 11.x
  • The Ping OIDC module from here
  • Configure OpenAM as an OIDC provider
  • Create an Agent for the Ping module (Realm -> Agents -> OAuth2 -> new agent)

The Apache configuration details will depend on your O/S distribution. Create an Apache .conf file for the OIDC module and include it in your configuration. Here is an example:

# Placeholder values (not part of the original post): point the module at your
# OpenAM discovery document and reserve one URL on this Apache server for the
# OIDC response. Replace both hostnames with your own.
OIDCProviderMetadataURL https://openam.example.com/openam/oauth2/.well-known/openid-configuration
OIDCRedirectURI https://apache.example.com/openam/redirect_uri
OIDCProviderTokenEndpointAuth client_secret_post
# Off only for a lab with self-signed certificates; keep these On in production.
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCClientID apache
OIDCClientSecret password
OIDCScope "openid email profile"
OIDCCryptoPassphrase password
<Location /openam/>
    AuthType openid-connect
    Require valid-user
</Location>

The OpenID Connect configuration will depend on the details of your OpenAM installation. Things to watch out for:

  • Add the redirect_uri to OpenAM's agent configuration. In the above example the Apache server is available at The redirect_uri from above is not a real web resource (you will not find a page that corresponds to that URL). The Ping module intercepts requests to the URL to handle the OAuth protocol dance.
  • The Location directive (/openam) protects pages at that root with the OIDC module. This is just an example - you do not need to use /openam.
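Since the module hands the authenticated identity to the proxied application purely as HTTP headers, the application side deserves a look too. Below is an added example (not code from the post, Ping or ForgeRock) of a minimal WSGI back end that consumes those headers. It assumes the module's default claim header prefix `OIDC_CLAIM_` (so the `email` claim arrives as `OIDC_CLAIM_email`, which WSGI exposes as `HTTP_OIDC_CLAIM_EMAIL`), and it assumes a constructed set of reverse-proxy addresses; a request that did not come through one of those addresses has bypassed the Apache filter, so its headers are not trusted no matter what they claim.

```python
"""Minimal WSGI back end that consumes the identity headers set by the
Ping/mod_auth_openidc Apache filter in front of it.

Added example, not part of the original post. Assumptions: the module's
default claim prefix OIDC_CLAIM_ is in use, and the listed proxy addresses
are the only hosts that may reach this application directly."""

from wsgiref.simple_server import make_server

# Constructed values: addresses of the Apache reverse proxies we trust.
TRUSTED_PROXIES = {"127.0.0.1", "10.0.0.5"}

# WSGI turns the header "OIDC_CLAIM_email" into environ["HTTP_OIDC_CLAIM_EMAIL"].
CLAIM_PREFIX = "HTTP_OIDC_CLAIM_"


def extract_identity(environ):
    """Return the asserted identity as a dict, or None if the request
    must be rejected (unknown upstream, or no identity asserted)."""
    # Only the Apache filter may assert identity. A request that reached
    # this port without passing through it could carry arbitrary headers.
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    claims = {
        key[len(CLAIM_PREFIX):].lower(): value
        for key, value in environ.items()
        if key.startswith(CLAIM_PREFIX)
    }
    # 'sub' is the stable subject identifier issued by OpenAM; without it
    # there is no authenticated user behind this request.
    user = claims.get("sub")
    if not user:
        return None
    return {"user": user, "claims": claims}


def application(environ, start_response):
    """WSGI entry point: greet the asserted user or refuse the request."""
    identity = extract_identity(environ)
    if identity is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"identity not asserted by a trusted proxy\n"]
    body = "hello {} <{}>\n".format(
        identity["user"], identity["claims"].get("email", "?"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


# Constructed sample requests, shaped as WSGI environ dicts.
SAMPLE_VIA_PROXY = {          # came through Apache, headers set by the module
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_OIDC_CLAIM_SUB": "bob",
    "HTTP_OIDC_CLAIM_EMAIL": "bob@example.com",
}
SAMPLE_DIRECT_HIT = {         # bypassed Apache; the same headers must be ignored
    "REMOTE_ADDR": "192.0.2.77",
    "HTTP_OIDC_CLAIM_SUB": "bob",
    "HTTP_OIDC_CLAIM_EMAIL": "bob@example.com",
}
SAMPLE_NO_IDENTITY = {"REMOTE_ADDR": "10.0.0.5"}   # proxied, but unauthenticated


def run_sample():
    """Push each constructed request through the app; return (status, body) pairs."""
    results = []
    for env in (SAMPLE_VIA_PROXY, SAMPLE_DIRECT_HIT, SAMPLE_NO_IDENTITY):
        captured = {}

        def start_response(status, headers):
            captured["status"] = status

        body = b"".join(application(env, start_response)).decode()
        results.append((captured["status"], body))
    return results


if __name__ == "__main__":
    for status, body in run_sample():
        print(status, "->", body.strip())
    # Serve for real behind Apache: mod_proxy forwards to this port.
    make_server("127.0.0.1", 8080, application).serve_forever()
```

The proxy-address check matters because the filter only scrubs and sets headers on requests that actually traverse it; a back end reachable on its own port must refuse anything else, or bind to localhost so only Apache can reach it.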