Lark

Reputation: 21

mod_auth_openidc with Apache2.4 reverse proxy

I'm trying to set up SSO with OpenID for the Centreon web app. Here is the architecture: Apache 2.4 (Windows) with mod_auth_openidc 2.3.9, Centreon 2.8.17.

I want only one vhost to authenticate through SSO, so I added all the openidc configuration to the vhost.conf file:

<VirtualHost *:80>
    ServerName myserver.com

    # Protect everything served by this vhost with OpenID Connect
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    # Provider discovery and client credentials (secret and passphrase shown with dummy values)
    OIDCProviderMetadataURL https://openid.com/fss/.well-known/openid-configuration
    OIDCClientID MY-Centreon
    OIDCClientSecret abcdefghijklmnop
    OIDCProviderTokenEndpointAuth client_secret_post
    # External (HTTPS) URL: the browser is redirected here through the load balancer
    OIDCRedirectURI https://myserver.com/ssoredirect
    OIDCScope "openid profile"
    OIDCCryptoPassphrase mypassphrase

    # Pass the authenticated user to the backend: the "sub" claim becomes the
    # value of the MY_HEADER request header; other claims are prefixed with myprefix_
    OIDCAuthNHeader MY_HEADER
    OIDCRemoteUserClaim sub
    OIDCClaimPrefix myprefix_

    # Forward everything to Centreon, keeping the original Host header
    ProxyPreserveHost on
    ProxyPass / http://10.10.10.10/
    ProxyPassReverse / http://10.10.10.10/
</VirtualHost>

On Centreon the only thing we have to do is give the name of the HTTP header that contains the user login (see the documentation: CENTREON SSO CONF).

When I go to https://myserver.com it redirects me to the SSO login page. From there I'm able to log in and I'm redirected to Centreon, but not logged in, so it redirects me to the Centreon login page. In the Centreon login.log I have:

[WEB] No contact found with this login : ''

This shows that Centreon does not receive anything in the "MY_HEADER" header, so SSO authentication is not working.

Additional information (not sure whether it is useful): my Apache reverse proxy listens on HTTP (80) behind a load balancer that listens on HTTPS (443) and forwards to the server on HTTP (80).

My question: I'm not sure about the header name that contains the username. With the above config, can somebody confirm that Centreon should receive a header "MY_HEADER" containing the username? Thanks.

Upvotes: 0

Views: 2893

Answers (1)

Germain DENIS

Reputation: 61

If you get this message, it may mean that the user doesn't exist in "Configuration > Users > Contacts / Users".

Maybe you need to connect your LDAP server and enable "Auto Import" to import missing users automatically.

Also, a long time ago there was a bug where you had to fill in any email address in the field 'SSO blacklist client addresses', otherwise it would give this error: [WEB] No contact found with this login : ''. You can try this.

Upvotes: 1
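Two checks a practitioner would make in a header-based SSO setup like the one in the question, written here as an added example that is not part of the question, the answer, or the code of Centreon or mod_auth_openidc. First, whether the chosen header name survives translation into the backend's environment variables (PHP's `$_SERVER`): current Apache 2.4 does not export header names containing characters other than letters, digits and `-` to CGI/PHP, and nginx drops headers with underscores by default, so a name such as MY_HEADER is worth ruling out before anything else. Second, whether the backend accepts the login header only when the request really comes from the SSO proxy (the purpose of the SSO trusted/blacklist client address settings mentioned in the answer), because anyone who can reach 10.10.10.10 directly could otherwise send the header themselves. The header name comes from the question; the proxy address 192.0.2.10 and the sample requests are constructed for this example.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Header name as configured with OIDCAuthNHeader in the question.
SSO_HEADER = "MY_HEADER"
# Address the SSO proxy connects from: an assumption made for this example
# (the question only gives the backend address 10.10.10.10).
TRUSTED_PROXIES = ("192.0.2.10/32",)


def header_to_server_key(header_name: str) -> Optional[str]:
    """Return the $_SERVER / CGI variable name a request header becomes.

    Models the usual HTTP_-prefix translation: uppercase, '-' becomes '_'.
    Names containing anything other than letters, digits and '-' are not
    exported at all (current Apache 2.4 behaviour; nginx drops underscore
    headers by default), so None means "the backend never sees this header".
    """
    if not re.fullmatch(r"[A-Za-z0-9-]+", header_name):
        return None
    return "HTTP_" + header_name.upper().replace("-", "_")


def resolve_sso_login(
    environ: dict,
    header_name: str = SSO_HEADER,
    trusted_proxies: Iterable[str] = TRUSTED_PROXIES,
) -> Optional[str]:
    """Return the login asserted by the proxy, or None if it must not be trusted.

    environ mimics PHP's $_SERVER / a WSGI environ: REMOTE_ADDR is the peer
    that connected to the backend, HTTP_* entries are the forwarded headers.
    """
    key = header_to_server_key(header_name)
    if key is None:
        return None  # header name can never reach us; fail closed
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return None  # header came from something other than the SSO proxy
    login = (environ.get(key) or "").strip()
    return login or None


if __name__ == "__main__":
    # Constructed requests as the backend would see them.
    from_proxy = {"REMOTE_ADDR": "192.0.2.10", "HTTP_MY_HEADER": "alice"}
    forged = {"REMOTE_ADDR": "203.0.113.7", "HTTP_MY_HEADER": "alice"}
    print(header_to_server_key("MY_HEADER"))            # None: not exported
    print(header_to_server_key("My-Header"))            # HTTP_MY_HEADER
    print(resolve_sso_login(from_proxy, "My-Header"))   # alice
    print(resolve_sso_login(forged, "My-Header"))       # None
```

With the header name taken literally from the question the lookup fails closed, which reproduces an empty login of the kind logged by Centreon; with a dash-separated name the login is accepted only from the proxy address. The reverse proxy should also overwrite any client-supplied copy of the header (mod_auth_openidc sets it after authentication, but unsetting it early on the proxy is cheap insurance), and the plain-HTTP hop to the backend should not be reachable from clients.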
