How to authenticate domains on apache with google apps
I want to authenticate some of my company's internal websites with Google Apps. We have been using the OpenID-based Apache module mod_auth_openid, and since it got deprecated recently I started looking for alternatives and have found mod_auth_openidc. But I couldn't really get it to work, as I didn't understand most parts of it (I have even tried to follow some articles (article1, article2), but that didn't help as it was not clear to me).

Is there any other solution/article that can help me do this?

Bourges answered 10/7, 2014 at 11:59 Comment(0)

The first example in the README.md here: https://github.com/pingidentity/mod_auth_openidc/blob/master/README.md gives a good starting point:

# Google's discovery document; the module pulls the issuer, endpoints and
# signing keys from it, so leave OIDCMetadataDir unset for this setup.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <your-client-id-administered-through-the-google-api-console>
OIDCClientSecret <your-client-secret-administered-through-the-google-api-console>

# Must be registered verbatim as an authorized redirect URI in the Google
# API console, and must sit inside the protected Location below.
OIDCRedirectURI https://www.example.com/example/redirect_uri
# Any strong random string; it protects the module's session cookie.
OIDCCryptoPassphrase <password>

OIDCScope "openid email profile"

<Location /example/>
    AuthType openid-connect
    # Apache 2.4 combines bare Require lines with an implicit RequireAny,
    # so without this container any Google account would satisfy valid-user
    # and the hd (hosted domain) check would never be enforced.
    <RequireAll>
        Require valid-user
        Require claim hd:<your-domain>
    </RequireAll>
</Location>

Plain http will work, trailing slashes will work (if used consistently, as in the example), no certificate is needed, just a fully qualified domain name, and the Debian packages work on Ubuntu 14.04.

The articles that you mention show also how to configure the Google side of things.

Brickwork answered 19/7, 2014 at 5:39 Comment(1)
Just for the incredibly dense folks like me, you can choose whatever you want for OIDCCryptoPassphrase. Also, another good reference is the configuration documentation for openidc: github.com/pingidentity/mod_auth_openidc/blob/master/… (Portent)
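The security-relevant part of that Location block is how the two Require lines combine. The following is an added example (not code from the original answer or from mod_auth_openidc) that models what the module does after it has verified the ID token's signature: it checks the core claims (iss, aud, exp, sub) and then evaluates `Require valid-user` and `Require claim hd:<your-domain>` under Apache 2.4's implicit RequireAny and under an explicit `<RequireAll>`. The client id, hosted domain and all three tokens are constructed for the demo; the signature segment is a placeholder, because signature verification happens in the module before any Require directive runs.

```python
import base64
import json
import time

# Assumed values for the demo (not from the original post): the client id
# issued by the Google API console and the Google Apps domain that the
# `Require claim hd:<your-domain>` line is meant to enforce.
CLIENT_ID = "123456789012-abcdefghijklmnop.apps.googleusercontent.com"
HOSTED_DOMAIN = "example.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed ID token. The third segment is a placeholder:
    real Google tokens are RS256-signed and mod_auth_openidc verifies that
    signature against the keys from the discovery document before any
    Require directive is evaluated, so signing is out of scope here."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the claim set of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_core_claims(claims: dict, now: int) -> None:
    """Checks every relying party must make before trusting a Google ID token."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different client")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or has no exp")
    if not claims.get("sub"):
        raise ValueError("token has no subject")


# Require directives modelled as predicates over the claim set.
def require_valid_user(claims: dict) -> bool:
    """`Require valid-user`: any authenticated Google account."""
    return bool(claims.get("sub"))


def require_claim(name: str, value: str):
    """`Require claim name:value`: exact match on one claim."""
    return lambda claims: claims.get(name) == value


def authorize(claims: dict, rules, mode: str) -> bool:
    """mode="any" is how Apache 2.4 combines bare Require lines in a section;
    mode="all" is what a <RequireAll> container applies."""
    results = [rule(claims) for rule in rules]
    if mode == "any":
        return any(results)
    if mode == "all":
        return all(results)
    raise ValueError("mode must be 'any' or 'all'")


RULES = [require_valid_user, require_claim("hd", HOSTED_DOMAIN)]
NOW = int(time.time())


def decide(token: str, mode: str, now: int = NOW) -> str:
    """Full decision for one token: 'allow', 'deny' or 'reject: <reason>'."""
    try:
        claims = decode_claims(token)
        validate_core_claims(claims, now)
    except ValueError as err:
        return f"reject: {err}"
    return "allow" if authorize(claims, RULES, mode) else "deny"


# Constructed sample claim sets (not real tokens).
WORKSPACE_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1001",
    "email": "alice@example.com", "email_verified": True,
    "hd": HOSTED_DOMAIN, "exp": NOW + 3600,
})
# A consumer Gmail account: valid Google login, but no hd claim at all.
GMAIL_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1002",
    "email": "mallory@gmail.com", "email_verified": True, "exp": NOW + 3600,
})
# An example.com user, but a token minted for some other client id.
FOREIGN_AUD_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com", "sub": "1003", "hd": HOSTED_DOMAIN,
    "aud": "other-client.apps.googleusercontent.com", "exp": NOW + 3600,
})

if __name__ == "__main__":
    for label, token in [("workspace", WORKSPACE_TOKEN), ("gmail", GMAIL_TOKEN),
                         ("foreign aud", FOREIGN_AUD_TOKEN)]:
        print(f"{label:12s} RequireAny: {decide(token, 'any'):8s}"
              f" RequireAll: {decide(token, 'all')}")
```

Run it and the gmail row is the one to look at: under the implicit RequireAny the consumer account is allowed because `valid-user` alone is satisfied, and only under `<RequireAll>` does the missing `hd` claim deny it. The foreign-aud token is rejected before authorization is reached regardless of mode.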

Edit: I just spent several hours configuring this. I wound up using PingIdentity's OpenID Connect RP - https://github.com/pingidentity/mod_auth_openidc (open source - Apache license: https://github.com/pingidentity/mod_auth_openidc/blob/master/LICENSE.txt)

It works well, but it's really picky to configure. Some gotchas:

  • Needs HTTPS - HTTP will not work correctly (despite what the docs say)
  • All paths & domains must be set correctly & match
  • Cookie & others paths must not have trailing slashes (/)
  • ServerName must match cert
  • Need a REAL cert (~$10)
  • OIDCMetadataDir must be disabled to work with Google
  • Binary distros don't work on Ubuntu, I compiled from scratch
  • Compiling requires several dependencies & running autoconfig.sh
  • Requires setup through Google's API Console, used Google+ APIs

In other words, it's not tolerant of sloppy configs that might work OK with vanilla Apache. But, in the end, it works great. BTW, there is new Google group for this module here: https://groups.google.com/forum/#!forum/mod_auth_openidc

Other solutions (untested) from my original answer

P.S. Deleted a previous answer in order to merge two Stack accounts....

Hoofer answered 15/7, 2014 at 23:30 Comment(6)
I have tried Odin and it is using openid :( Do let me know if anything works for you. (Bourges)
See my last edit. OpenID works, but it needs a modern implementation. mod_auth_openidc is very, very new and seems to work great. I have it currently running, no issues so far. We'll see if it holds up over the next few days. (Hoofer)
Thanks a lot. I have already compiled and installed mod_auth_openidc on Ubuntu server and I'm only stuck at configuration. Can you please share/explain your configuration? That would be awesome. (Bourges)
Have you configured your Google APIs? What errors are you getting in the logs and browser? (Hoofer)
Note that by default OIDCMetadataDir is enabled; you have to find it and disable it. I removed all the defaults from the config file and cut/pasted the sample config from GitHub. I also added a full domain name with OIDCCookieDomain. (Hoofer)
Thanks @Hoofer for all your advice and help. I was able to set this up. (Bourges)

© 2022 - 2024 — McMap. All rights reserved.