Prajith

Reputation: 11

Example to support both SAML and OpenIDC

I have a requirement to support both OIDC (openidc) and Mellon (SAML) in our application. We have created two apps in Okta for testing the flow.

  1. OIDC App
  2. SAML App

httpd.conf looks something like the below:

<IfModule mod_ssl.c>

<Location />
    MellonVariable "cookie"
    MellonEnable "auth"
    MellonEndpointPath /mellon/
    MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
    MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
    MellonSPCertFile /etc/apache2/saml/mellon.crt
    MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
</Location>
<VirtualHost _default_:443>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    #Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCertificateFile  /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/private.key
    OIDCScope "openid email profile"
    OIDCClientID "xxxx"
    OIDCClientSecret "xxxxx"
    OIDCCryptoPassphrase "xxxx"
    OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
    OIDCRedirectURI "https://apachesso.example.com/callback"
    OIDCResponseType "code"
    <Location /uliya>
        <If "%{REQUEST_URI} =~ /callback=/">
            AuthType openid-connect
            Require valid-user
        </If>
        <Else>
            AuthType "Mellon"
            Require valid-user
            MellonEnable "auth"
        </Else>
    </Location>
</VirtualHost>

<VirtualHost *:443>
    <Location /uliya>
        AuthType openid-connect
        require valid-user
    </Location>
</VirtualHost>
<VirtualHost *:443>
    <Location /transport>
        AuthType "Mellon"
        MellonEnable auth
        Require valid-user
    </Location>
</VirtualHost>
</IfModule>

The goal is that a request to https://apachesso.example.com/uliya should go through the openid-connect auth flow and a request to https://apachesso.example.com/transport should go through the Mellon flow.

However, with the above configuration all request authentication goes to the Mellon plugin by default and the config below doesn't take effect.

<Location /uliya>
  AuthType openid-connect
  Require valid-user
</Location>

Is it possible to get both these plugins to work together?

Upvotes: 0

Views: 1114

Answers (1)

Hans Z.

Reputation: 54118

Just don't use any authentication directives on "/", but use mod_auth_openidc directives on "/uliya" (including setting OIDCRedirectURI to "/uliya/redirect_uri") and use mod_mellon directives only on "/transport".

Upvotes: 1
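The layout the answer describes, written out as an added example (this is not the asker's configuration nor code from either module's documentation). It reuses the hostname, certificate paths, Okta placeholder values and metadata file locations from the question; the ServerName line and the /transport/mellon endpoint path are assumptions made here. Each path gets exactly one AuthType, nothing is protected at "/", and both modules' callback endpoints sit below the path they protect, so neither module ever sees the other's traffic.

```apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName apachesso.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile  /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/private.key

    # mod_auth_openidc settings are server/vhost-level directives, so they
    # stay here. They protect nothing by themselves: only a <Location> that
    # sets "AuthType openid-connect" is handled by the module.
    OIDCMetadataDir "/var/cache/apache2/mod_auth_openidc/metadata"
    # Placeholders for the Okta OIDC app (client id / secret) and for the
    # passphrase mod_auth_openidc uses to encrypt its state and session cookies.
    OIDCClientID "xxxx"
    OIDCClientSecret "xxxxx"
    OIDCCryptoPassphrase "xxxx"
    OIDCScope "openid email profile"
    OIDCResponseType "code"
    # The redirect URI is placed under the OIDC-protected path, as the answer
    # suggests, so the authorization-code callback is handled by
    # mod_auth_openidc and never reaches the Mellon-protected tree.
    OIDCRedirectURI "https://apachesso.example.com/uliya/redirect_uri"

    # Deliberately no AuthType, Mellon* or Require directives on "/".

    # OpenID Connect only for /uliya (which also covers /uliya/redirect_uri).
    <Location /uliya>
        AuthType openid-connect
        Require valid-user
    </Location>

    # SAML via mod_auth_mellon only for /transport. Mellon's own endpoints
    # (metadata, assertion consumer, logout) live under MellonEndpointPath,
    # which must be inside the protected location, hence /transport/mellon.
    <Location /transport>
        AuthType Mellon
        MellonEnable auth
        Require valid-user
        MellonVariable "cookie"
        MellonEndpointPath /transport/mellon
        MellonSPMetadataFile /etc/apache2/saml/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/saml/mellon.key
        MellonSPCertFile /etc/apache2/saml/mellon.crt
        MellonIdPMetadataFile /etc/apache2/saml/idp_metadata.xml
    </Location>
</VirtualHost>
</IfModule>
```

Two things have to be updated alongside this change, because both identity providers validate the callback address. The Okta OIDC app's sign-in redirect URI must be changed to https://apachesso.example.com/uliya/redirect_uri, and the SP metadata in mellon_metadata.xml must be regenerated for the new endpoint (its assertion consumer URL becomes https://apachesso.example.com/transport/mellon/postResponse) and re-uploaded to the Okta SAML app; a mismatch on either side produces a redirect or assertion rejected by the IdP rather than a silent fallback to the other module.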
