Requirements
NGINX Plus
SurePassID Identity Provider
Install
Follow the nginx-openid-connect installation instructions.
NGINX (nginx-openid-connect) - Installation
Install the jq command-line JSON processor. nginx-openid-connect depends on it, but it is not installed automatically.
sudo yum install jq
SELinux Issue Workaround
There is an issue with NGINX's permissions for the directory "/etc/nginx/conf.d". The simplest workaround is to change the owner and group of that directory to "nginx".
sudo chown nginx:nginx /etc/nginx/conf.d
A better solution is to fix the SELinux httpd_t context so that the nginx process is allowed to create files in that directory.
https://www.nginx.com/blog/using-nginx-plus-with-selinux/
Configuring the SurePassID Identity Provider
NGINX (nginx-openid-connect) - Configuring your IdP
NGINX OpenID Connect Client Configuration
Use the following SurePassID Identity Provider OpenID Connect client configuration for the NGINX relying party.
Update the following properties as required.
ClientId
ClientName
ClientSecrets.Value
RedirectUris
PostLogoutRedirectUris
Properties.*
See Client Object Reference for more details.
Configuring NGINX Plus
NGINX (nginx-openid-connect) - Configuring NGINX Plus
Run the configure.sh script using the SurePassID OpenID Connect Discovery URL.
./configure.sh https://oidc.surepassid.com/.well-known/openid-configuration
Make the following changes to the openid_connect_configuration.conf file.
Add the following end session endpoint mapping.
map $host $oidc_endsession_endpoint {
    default https://oidc.surepassid.com/connect/endsession;
}
Add the following mapping so that the JWKS URL is used to keep the token signing keys up to date automatically.
map $host $oidc_jwks_uri {
    default https://oidc.surepassid.com/.well-known/openid-configuration/jwks;
}
Set the Client ID and Client Secret in the mappings as shown.
map $host $oidc_client {
    default "<OIDC_CLIENT_ID>";
}
map $host $oidc_client_secret {
    default "<OIDC_CLIENT_SECRET>";
}
Modify $oidc_logout_redirect to use the URI "/oidc_logout". This location is configured in the next section.
map $host $oidc_logout_redirect {
    # Where to send browser after requesting /logout location. This can be
    # replaced with a custom logout page, or complete URL.
    default "/oidc_logout";
}
This is a complete example of the updated openid_connect_configuration.conf file.
Make the following changes to the frontend.conf file. This is where the backend application server is configured.
Configure the upstream (backend) servers with the upstream directive.
upstream backend_app_server {
    zone backend_app_server 64k;
    # Server Private IP Address
    server 10.1.2.3:443;
    # DNS
    #resolver 8.8.8.8;
    #server app-proxy.example.com:443;
}
If applicable, configure SSL (see the ngx_http_ssl_module documentation).
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
server {
    ...
    #####################
    # SSL Configuration #
    #####################
    server_name app-proxy.example.com;
    listen 443 ssl;
    ssl_certificate ssl/example.com.crt;
    ssl_certificate_key ssl/example.com.key;
    # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ...
}
Add the /oidc_logout location. Place this in the server block before the / location.
server {
    ...
    location = /oidc_logout {
        # https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html
        proxy_ssl_server_name on; # For SNI to the IdP
        # $oidc_endsession_endpoint?  // Defined in openid_connect_configuration.conf
        #   id_token_hint=$arg_token&
        #   post_logout_redirect_uri=https://app-proxy.example.com:433/_logout  // The URL value must be URL encoded.
        proxy_pass $oidc_endsession_endpoint?id_token_hint=$arg_token&post_logout_redirect_uri=https%3a%2f%2fapp-proxy.example.com%3a433%2f_logout;
    }
    location / {
        ...
    }
}
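The endpoint mappings above (end session endpoint and JWKS URI) and the percent-encoded post_logout_redirect_uri in the /oidc_logout location are easy to get wrong by hand. The following script, an added example that is not part of the SurePassID or nginx-openid-connect code, reads a discovery document, checks that every endpoint is served over https under the issuer, and renders both the map blocks and the proxy_pass line. The discovery JSON is a constructed sample with the URLs from this page; the function names are this example's own.

```python
import json
from urllib.parse import quote

# Constructed sample of the discovery document that the real IdP serves at
# https://oidc.surepassid.com/.well-known/openid-configuration (only the fields used here).
DISCOVERY_JSON = """{
  "issuer": "https://oidc.surepassid.com",
  "end_session_endpoint": "https://oidc.surepassid.com/connect/endsession",
  "jwks_uri": "https://oidc.surepassid.com/.well-known/openid-configuration/jwks"
}"""

# Discovery field -> nginx variable used in openid_connect_configuration.conf on this page.
ENDPOINT_VARS = {
    "end_session_endpoint": "oidc_endsession_endpoint",
    "jwks_uri": "oidc_jwks_uri",
}


def endpoint_maps(discovery_json: str) -> dict:
    """Return {nginx variable: URL} for the endpoints present in the discovery document.

    The issuer must be https, and each endpoint must live under the issuer; an endpoint
    pointing elsewhere would send id_token hints or key requests to a third party."""
    doc = json.loads(discovery_json)
    issuer = doc["issuer"].rstrip("/")
    if not issuer.startswith("https://"):
        raise ValueError(f"issuer is not https: {issuer}")
    maps = {}
    for field, var in ENDPOINT_VARS.items():
        url = doc.get(field)
        if url is None:
            continue  # optional field; leave the existing mapping untouched
        if not url.startswith(issuer + "/"):
            raise ValueError(f"{field} is not under the issuer: {url}")
        maps[var] = url
    return maps


def render_maps(maps: dict) -> str:
    """Render the 'map $host $var { default ...; }' blocks for openid_connect_configuration.conf."""
    return "\n".join(f"map $host ${var} {{ default {url}; }}" for var, url in maps.items())


def endsession_proxy_pass(endsession_endpoint: str, post_logout_uri: str) -> str:
    """Build the proxy_pass line for the /oidc_logout location.

    post_logout_redirect_uri is percent-encoded (including ':' and '/') so the IdP receives it
    as a single query value rather than a second set of query parameters."""
    encoded = quote(post_logout_uri, safe="")
    return (f"proxy_pass {endsession_endpoint}?id_token_hint=$arg_token"
            f"&post_logout_redirect_uri={encoded};")
```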
Configure the reverse proxy to the backend application server.
server {
    ...
    location / {
        # This site is protected with OpenID Connect
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;

        #auth_jwt_key_file $oidc_jwt_keyfile; # Enable when using filename
        auth_jwt_key_request /_jwks_uri; # Enable when using URL

        # Successfully authenticated users are proxied to the backend,
        # with 'sub' claim passed as HTTP header
        proxy_set_header username $jwt_claim_sub;

        proxy_pass https://backend_app_server; # The backend site/app
        proxy_set_header Host app-proxy.example.com;
        proxy_cookie_domain app-proxy.example.com $host;
    }
}
This is a complete example of the updated frontend.conf file.