Commit bf937858 authored by Pierre.Deshayes's avatar Pierre.Deshayes

Initial version

parent 894acc0f
......@@ -27,7 +27,7 @@ Dans la mesure du possible, installez la version la plus récente.
## Demander la configuration de l'IdP
Soumettre une demande de déclaration de site pour la configuration SSO dans l'infrastructure UNIGE
[Soumettre une demande de déclaration de site pour la configuration SSO dans l'infrastructure UNIGE](https://support-si.unige.ch/openentry.html?tid=SRD000000004902)
## Configuration du module OIDC
......
<VirtualHost *:80>
ServerName my-app.unige.ch
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
</VirtualHost>
<VirtualHost *:443>
ServerName my-app.unige.ch
ServerAdmin admin-my-app@unige.ch
ErrorLog /var/log/apache2/my-app.unige.ch_info_error.log
CustomLog /var/log/apache2/my-app.unige.ch_access.log combined
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
## Proxy to a web application hosted on the same server (port 5000 must be inaccessible from outside)
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
<Location />
Order allow,deny
Allow from all
AuthType openid-connect
Require claim aud:5dd98468-22f8-355a-90t3-3452gte99g5p
</Location>
SSLEngine on
SSLCertificateFile /etc/ssl/switchpki/my-app.unige.ch.crt.pem
SSLCertificateKeyFile /etc/ssl/switchpki/my-app.unige.ch.key
# In order to avoid calling userinfo_endpoint the OIDCProviderUserInfoEndpoint must not be set
# For this reason, it's not possible to use the OIDCProviderMetadataURL option, every OIDCProvider
# URL must be set manually to ensure the userinfo_endpoint is not set.
# For more information see discussion : https://groups.google.com/g/mod_auth_openidc/c/Fw9dGXPXrNY/m/_YOn3fF-AQAJ
OIDCProviderIssuer https://adfs.unige.ch/adfs
OIDCProviderAuthorizationEndpoint https://adfs.unige.ch/adfs/oauth2/authorize/
OIDCProviderJwksUri https://adfs.unige.ch/adfs/discovery/keys
OIDCProviderTokenEndpoint https://adfs.unige.ch/adfs/oauth2/token/
OIDCProviderEndSessionEndpoint https://adfs.unige.ch/adfs/oauth2/logout
OIDCSessionInactivityTimeout 3600
OIDCSessionMaxDuration 28800
OIDCCryptoPassphrase d62856f87608da795263efed6e21b153c0ba0283dfea17ac7a6946d023183385
OIDCClientID 5dd98468-22f8-355a-90t3-3452gte99g5p
OIDCClientSecret FCdcFb7dbd4E42Bde0E2266981e0Dd13709bD12b
OIDCRedirectURI https://my-app.unige.ch/oidc-callback
OIDCScope "openid allatclaims"
OIDCRefreshAccessTokenBeforeExpiry 60
OIDCPassClaimsAs headers
OIDCRemoteUserClaim upn
<Location "/oidc-handle">
AuthType openid-connect
Require claim "upn~^[w+\S+]*@.*unige\.ch$"
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName my-app-test.unige.ch
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
</VirtualHost>
<VirtualHost *:443>
ServerName my-app-test.unige.ch
ServerAdmin admin-my-app@unige.ch
ErrorLog /var/log/apache2/my-app-test.unige.ch_info_error.log
CustomLog /var/log/apache2/my-app-test.unige.ch_access.log combined
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
## Proxy to a web application hosted on the same server (port 5000 must be inaccessible from outside)
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
<Location />
Order allow,deny
Allow from all
AuthType openid-connect
Require claim aud:5dd98468-22f8-355a-90t3-3452gte99g5p
</Location>
SSLEngine on
SSLCertificateFile /etc/ssl/switchpki/my-app-test.unige.ch.crt.pem
SSLCertificateKeyFile /etc/ssl/switchpki/my-app-test.unige.ch.key
# In order to avoid calling userinfo_endpoint the OIDCProviderUserInfoEndpoint must not be set
# For this reason, it's not possible to use the OIDCProviderMetadataURL option, every OIDCProvider
# URL must be set manually to ensure the userinfo_endpoint is not set.
# For more information see discussion : https://groups.google.com/g/mod_auth_openidc/c/Fw9dGXPXrNY/m/_YOn3fF-AQAJ
OIDCProviderIssuer https://adfsklif.unige.ch/adfs
OIDCProviderAuthorizationEndpoint https://adfsklif.unige.ch/adfs/oauth2/authorize/
OIDCProviderJwksUri https://adfsklif.unige.ch/adfs/discovery/keys
OIDCProviderTokenEndpoint https://adfsklif.unige.ch/adfs/oauth2/token/
OIDCProviderEndSessionEndpoint https://adfsklif.unige.ch/adfs/oauth2/logout
OIDCSessionInactivityTimeout 3600
OIDCSessionMaxDuration 28800
OIDCCryptoPassphrase d62856f87608da795263efed6e21b153c0ba0283dfea17ac7a6946d023183385
OIDCClientID 5dd98468-22f8-355a-90t3-3452gte99g5p
OIDCClientSecret FCdcFb7dbd4E42Bde0E2266981e0Dd13709bD12b
OIDCRedirectURI https://my-app-test.unige.ch/oidc-callback
OIDCScope "openid allatclaims"
OIDCRefreshAccessTokenBeforeExpiry 60
OIDCPassClaimsAs headers
OIDCRemoteUserClaim upn
<Location "/oidc-handle">
AuthType openid-connect
Require claim "upn~^[w+\S+]*@.*unige\.ch$"
</Location>
</VirtualHost>
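Review bot: The `OIDCClientSecret` and `OIDCCryptoPassphrase` lines in both VirtualHost blocks carry literal 40- and 64-hex-character values that look like real credentials rather than placeholders; once committed to documentation they stay in git history, so if they are live the client secret should be rotated at the IdP and the passphrase regenerated, and the listing should show placeholders such as `OIDCClientSecret <secret-issued-with-the-SRD-request>` and `OIDCCryptoPassphrase <random-hex-generated-per-host>`. The same client ID, secret and passphrase are also reused verbatim between the production (adfs.unige.ch) and test (adfsklif.unige.ch) hosts, which removes the separation a test IdP is meant to provide. Separately, the `Require claim "upn~^[w+\S+]*@.*unige\.ch$"` regex is weaker than it looks: `[w+\S+]*` is a character class rather than a `\w+` group, and `@.*unige\.ch$` accepts any UPN whose host merely ends in the string `unige.ch` (e.g. `user@evil-unige.ch`), so something like `Require claim "upn~^[^@]+@([A-Za-z0-9-]+\.)*unige\.ch$"` is needed to pin the domain. Note also that this upn check only guards `/oidc-handle`, while `<Location />` admits any token with the expected `aud`, so readers copying the snippet may assume a domain restriction that does not apply to the application itself. The markdown fence around this listing is not visible in the hunk.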