Monday, July 14, 2014

Will it blend? Configure OpenAM to use Ping's OIDC RP module



OpenAM can be configured as an OpenID Connect provider. Ping provides an open source relying party (RP) module for Apache that supports OIDC. This module is an Apache filter that protects pages and requires the user to authenticate with an OIDC provider. The module asserts the user's identity to proxied applications by setting HTTP headers.

Prerequisites:
  • A recent OpenAM 12 build. Subscription customers can contact ForgeRock to get the required functionality in OpenAM 11.x
  • The Ping OIDC module from here https://github.com/pingidentity/mod_auth_openidc
  • Configure OpenAM as an OIDC provider
  • Create an Agent for the Ping module (Realm -> Agents -> OAuth2 -> new agent)

The Apache configuration details depend on your O/S distribution. Create an Apache .conf file for the OIDC module and include it in your configuration. Here is an example:

OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
 
OIDCClientID apache
OIDCClientSecret password
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/openam/redirect_uri
OIDCCryptoPassphrase password
 
<Location /openam/>
AuthType openid-connect
Require valid-user
</Location>


The OIDC configuration will depend on the details of your OpenAM installation. Things to watch out for:

  • Add the redirect URI to OpenAM's agent configuration. In the above example the Apache server is available at www.example.com. The redirect_uri from above is not a real web resource (you will not find a page that corresponds to that URL). The Ping module intercepts requests to that URL to handle the OAuth protocol dance.
  • The Location directive (/openam) protects pages under that path with the OIDC module. This is just an example; you do not need to use /openam.
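To make the "protocol dance" behind the redirect_uri concrete, here is an added example that models what the module does between the Apache configuration above and OpenAM. It is not code from the original post, from mod_auth_openidc or from OpenAM; the function names (start_login, handle_callback, token_request_body, validate_id_token_claims) are my own, the endpoint URLs and client settings are copied from the sample configuration, and network calls are left out so it runs offline (the token endpoint call is represented by the form body the RP would post).

```python
"""Added example: a minimal model of the OpenID Connect authorization-code
exchange that mod_auth_openidc performs behind the redirect_uri.  Not the
module's own code; endpoint URLs and client settings come from the sample
Apache configuration in the post, everything else is assumed."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the Apache configuration in the post.
ISSUER = "https://openam.example.com:8443/openam"
AUTHORIZE_ENDPOINT = ISSUER + "/oauth2/authorize"
TOKEN_ENDPOINT = ISSUER + "/oauth2/access_token"
CLIENT_ID = "apache"
CLIENT_SECRET = "password"
REDIRECT_URI = "https://www.example.com:1443/openam/redirect_uri"
SCOPE = "openid email profile"


def start_login(original_url):
    """Create per-login state and nonce and build the authorization URL.

    Returns (url, session): session is what the RP must remember until the
    callback arrives (the module keeps this in its own state cookie)."""
    session = {
        "state": secrets.token_urlsafe(24),   # binds the callback to this browser
        "nonce": secrets.token_urlsafe(24),   # binds the ID token to this login
        "original_url": original_url,         # where to send the user afterwards
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def handle_callback(callback_url, session):
    """Parse the redirect back from OpenAM and return the authorization code.

    Rejects anything that does not land on the exact registered redirect_uri
    with the state issued for this login, before the token endpoint is ever
    contacted."""
    parsed = urlparse(callback_url)
    landed = parsed._replace(query="", fragment="").geturl()
    if landed != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback is not for this login")
    if "error" in query:
        raise ValueError("provider returned error: %s" % query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code):
    """Form body the RP posts to OIDCProviderTokenEndpoint.  With
    OIDCProviderTokenEndpointAuth client_secret_post the client credentials
    travel in the body rather than in an HTTP Basic header."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })


def validate_id_token_claims(claims, session, now=None):
    """Checks on the decoded ID token payload that must pass before the
    identity is trusted.  Signature verification against the provider's keys
    is assumed to have happened already; this covers the claim checks."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("iss does not match OIDCProviderIssuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("ID token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token has expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token was not minted for this login")
    return claims["sub"]


if __name__ == "__main__":
    # Constructed walk-through: a login, a matching callback, and a
    # constructed ID token payload that passes the claim checks.
    url, sess = start_login("https://www.example.com:1443/openam/app/")
    code = handle_callback(REDIRECT_URI + "?code=demo-code&state=" + sess["state"], sess)
    print(token_request_body(code))
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
               "nonce": sess["nonce"], "sub": "demo-user"}
    print("authenticated subject:", validate_id_token_claims(payload, sess))
```

The state and nonce checks are what tie a callback to the browser that started the login, and the issuer and audience checks are what stop a token minted for another client or by another provider from being accepted; these are the checks the module performs for you once the agent in OpenAM and the redirect_uri match. Note that OIDCSSLValidateServer Off in the sample configuration disables certificate validation of the provider, which is convenient in a lab but leaves the claim checks above as the only thing tying the token to openam.example.com.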