Initial version

bf937858 · Pierre.Deshayes · 894acc0f · bf937858 · bf937858 · bf937858
Commit bf937858 authored Aug 05, 2021 by Pierre.Deshayes
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ Dans la mesure du possible, installez la version la plus récente.

 ## Demander la configuration de l'IdP

-Soumettre une demande de déclaration de site pour la configuration SSO dans l'infrastructure UNIGE
+[Soumettre une demande de déclaration de site pour la configuration SSO dans l'infrastructure UNIGE](https://support-si.unige.ch/openentry.html?tid=SRD000000004902)

 ## Configuration du module OIDC


--- a/my-app.unige.ch-example.conf
+++ b/my-app.unige.ch-example.conf
+<VirtualHost *:80>
+	ServerName my-app.unige.ch
+  RewriteEngine On
+  RewriteCond %{HTTPS} off
+  RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName my-app.unige.ch
+  ServerAdmin admin-my-app@unige.ch
+  ErrorLog /var/log/apache2/my-app.unige.ch_info_error.log
+  CustomLog  /var/log/apache2/my-app.unige.ch_access.log combined
+
+  ProxyRequests Off
+  <Proxy *>
+    Order deny,allow
+    Allow from all
+  </Proxy>
+
+  ## Proxy to a web application hosted on the same server (port 5000 must be inaccessible from outside)
+  ProxyPass / http://127.0.0.1:5000/
+  ProxyPassReverse / http://127.0.0.1:5000/
+
+  <Location />
+    Order allow,deny
+    Allow from all
+    AuthType openid-connect
+    Require claim aud:5dd98468-22f8-355a-90t3-3452gte99g5p
+  </Location>
+
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/switchpki/my-app.unige.ch.crt.pem
+	SSLCertificateKeyFile /etc/ssl/switchpki/my-app.unige.ch.key
+
+	# In order to avoid calling userinfo_endpoint the OIDCProviderUserInfoEndpoint must not be set
+	# For this reason, it's not possible to use the OIDCProviderMetadataURL option, every OIDCProvider
+	# URL must be set manually to ensure the userinfo_endpoint is not set.
+	# For more information see discussion : https://groups.google.com/g/mod_auth_openidc/c/Fw9dGXPXrNY/m/_YOn3fF-AQAJ
+	OIDCProviderIssuer https://adfs.unige.ch/adfs
+	OIDCProviderAuthorizationEndpoint https://adfs.unige.ch/adfs/oauth2/authorize/
+	OIDCProviderJwksUri https://adfs.unige.ch/adfs/discovery/keys
+	OIDCProviderTokenEndpoint https://adfs.unige.ch/adfs/oauth2/token/
+	OIDCProviderEndSessionEndpoint https://adfs.unige.ch/adfs/oauth2/logout
+
+	OIDCSessionInactivityTimeout 3600
+	OIDCSessionMaxDuration 28800
+	OIDCCryptoPassphrase d62856f87608da795263efed6e21b153c0ba0283dfea17ac7a6946d023183385
+	OIDCClientID 5dd98468-22f8-355a-90t3-3452gte99g5p
+	OIDCClientSecret FCdcFb7dbd4E42Bde0E2266981e0Dd13709bD12b
+	OIDCRedirectURI https://my-app.unige.ch/oidc-callback
+	OIDCScope "openid allatclaims"
+	OIDCRefreshAccessTokenBeforeExpiry 60
+	OIDCPassClaimsAs headers
+	OIDCRemoteUserClaim upn
+
+	<Location "/oidc-handle">
+    AuthType openid-connect
+    Require claim "upn~^[w+\S+]*@.*unige\.ch$"
+  </Location>
+</VirtualHost>
+
--- a/my-app.unige.ch-example_klif.conf
+++ b/my-app.unige.ch-example_klif.conf
+<VirtualHost *:80>
+	ServerName my-app-test.unige.ch
+  RewriteEngine On
+  RewriteCond %{HTTPS} off
+  RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName my-app-test.unige.ch
+  ServerAdmin admin-my-app@unige.ch
+  ErrorLog /var/log/apache2/my-app-test.unige.ch_info_error.log
+  CustomLog  /var/log/apache2/my-app-test.unige.ch_access.log combined
+
+  ProxyRequests Off
+  <Proxy *>
+    Order deny,allow
+    Allow from all
+  </Proxy>
+
+  ## Proxy to a web application hosted on the same server (port 5000 must be inaccessible from outside)
+  ProxyPass / http://127.0.0.1:5000/
+  ProxyPassReverse / http://127.0.0.1:5000/
+
+  <Location />
+    Order allow,deny
+    Allow from all
+    AuthType openid-connect
+    Require claim aud:5dd98468-22f8-355a-90t3-3452gte99g5p
+  </Location>
+
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/switchpki/my-app-test.unige.ch.crt.pem
+	SSLCertificateKeyFile /etc/ssl/switchpki/my-app-test.unige.ch.key
+
+	# In order to avoid calling userinfo_endpoint the OIDCProviderUserInfoEndpoint must not be set
+	# For this reason, it's not possible to use the OIDCProviderMetadataURL option, every OIDCProvider
+	# URL must be set manually to ensure the userinfo_endpoint is not set.
+	# For more information see discussion : https://groups.google.com/g/mod_auth_openidc/c/Fw9dGXPXrNY/m/_YOn3fF-AQAJ
+	OIDCProviderIssuer https://adfsklif.unige.ch/adfs
+	OIDCProviderAuthorizationEndpoint https://adfsklif.unige.ch/adfs/oauth2/authorize/
+	OIDCProviderJwksUri https://adfsklif.unige.ch/adfs/discovery/keys
+	OIDCProviderTokenEndpoint https://adfsklif.unige.ch/adfs/oauth2/token/
+	OIDCProviderEndSessionEndpoint https://adfsklif.unige.ch/adfs/oauth2/logout
+
+	OIDCSessionInactivityTimeout 3600
+	OIDCSessionMaxDuration 28800
+	OIDCCryptoPassphrase d62856f87608da795263efed6e21b153c0ba0283dfea17ac7a6946d023183385
+	OIDCClientID 5dd98468-22f8-355a-90t3-3452gte99g5p
+	OIDCClientSecret FCdcFb7dbd4E42Bde0E2266981e0Dd13709bD12b
+	OIDCRedirectURI https://my-app-test.unige.ch/oidc-callback
+	OIDCScope "openid allatclaims"
+	OIDCRefreshAccessTokenBeforeExpiry 60
+	OIDCPassClaimsAs headers
+	OIDCRemoteUserClaim upn
+
+	<Location "/oidc-handle">
+    AuthType openid-connect
+    Require claim "upn~^[w+\S+]*@.*unige\.ch$"
+  </Location>
+</VirtualHost>
+