SungHoon_Kim

Apache OID Client and CA SSO OIDC Provider

Blog Post created by SungHoon_Kim Employee on Aug 17, 2018

There were already good articles to follow:

CA SSO OpenID Connect Provider - Agentless SSO

CA SSO OpenID Connect Provider - with Apache OpenID Client

If you follow the instructions above, you should be able to set up an OpenID Client with the CA OpenID Connect Provider.

I tested on the CA Access Gateway R12.8 base version, and the documents above remain valid.

There was one thing that I encountered during the configuration, and that was in the CA SSO AdminUI when creating the OpenID Client.

When entering a "Redirect URI" and clicking "Add", nothing happens.

This page's code does not seem to work in IE.

However, by using Chrome, I was able to submit and save.

Here are the steps, which simply re-illustrate what the previous authors have documented (credits to them, jack.saunders and Mark.ODonohue).

=============

1) Prerequisites:

Policy Server R12.8

Access Gateway R12.8

Apache httpd webserver with mod_auth_openidc installed.

  • Installed Apache 2.4 from http://www.apachelounge.com/download/
    • In my testing, I downloaded httpd-2.4.34-win64-VC15.zip
    • Extract the file and move the Apache24 folder to C:\
    • Configure HTTPS and register Apache as a service
  • Installed mod_auth_openidc : https://github.com/pingidentity/mod_auth_openidc/releases
    Note : I will cover this one in a bit more detail below, as I had a few dependency issues to fix before it would work correctly.
    • In my testing, I downloaded mod_auth_openidc-2.3.7-apache-2.4.x-win64.zip
    • Extract the zip and copy "mod_auth_openidc.so" to the "<Apache24>/modules" folder and "cjose.dll, jansson.dll and libcurl.dll" to the "<Apache24>/bin" folder.
    • Download openssl-1.0.2o-x64_86-win64.zip from Index of /SSL and extract the "libeay32.dll and ssleay32.dll" files to the "<Apache24>/bin" folder.
    • Update httpd.conf to load the "mod_auth_openidc.so" file.
    • Ensure Apache starts up fine.
  • Map /protected/ in httpd.conf to /cgi-bin/ so that it launches printenv.pl (you need to install Perl separately, but this is not mandatory; you can just create a folder under htdocs and use it instead. This is only to dump the headers for better visibility.)
  • Update printenv.pl with the path to the Perl runtime.

Then follow the steps in CA SSO OpenID Connect Provider - with Apache OpenID Client to create the OpenID Provider and Client.

When you create the OpenID Client, it will automatically generate the "Client ID" and "Client Secret" unless you enter them manually.

These values need to be used when you update the httpd.conf file on the OID Client side.

Attaching httpd.conf and Sample_OID_Flow.saz for reference.
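
As an added illustration (not the httpd.conf attached to this post), here is a minimal mod_auth_openidc client-side fragment that wires in the generated Client ID and Client Secret, the Redirect URI registered in AdminUI, and the /protected/ location from the prerequisites. The hostnames, the provider discovery URL, the Windows path and all credential values are placeholders that you replace with your own.

```apache
# Added example fragment for the OID Client side httpd.conf.
# Hostnames, the discovery URL, paths and credentials are placeholders.

# Load the module copied into <Apache24>/modules in the steps above.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Provider: discovery document of the CA SSO OIDC provider behind Access Gateway.
# Placeholder URL; take the real issuer/discovery URL from your provider definition.
OIDCProviderMetadataURL https://ag.example.com/OIDC_PROVIDER_PLACEHOLDER/.well-known/openid-configuration

# Client ID and Client Secret exactly as generated (or entered) in AdminUI
# when the OpenID Client was created. Placeholder values.
OIDCClientID     CLIENT_ID_FROM_ADMINUI
OIDCClientSecret CLIENT_SECRET_FROM_ADMINUI

# Must match, character for character, the "Redirect URIs" value saved in
# AdminUI (the field that only saved from Chrome). It has to sit under a
# protected Location and must not map to real content.
OIDCRedirectURI https://client.example.com/protected/redirect_uri

# Passphrase that encrypts the module's state and session cookies;
# use a long random value, never the placeholder.
OIDCCryptoPassphrase CHANGE_ME_TO_A_LONG_RANDOM_VALUE

OIDCScope "openid profile email"
OIDCResponseType code

# Keep certificate validation of the provider on; turning it off lets a
# man-in-the-middle hand your client forged tokens.
OIDCSSLValidateServer On

# Claim that becomes REMOTE_USER, and pass claims as request headers
# so printenv.pl can display them.
OIDCRemoteUserClaim sub
OIDCPassClaimsAs headers

# /protected/ mapped to cgi-bin so printenv.pl dumps the headers
# (path assumes Apache24 was moved to C:\ as in the steps above).
ScriptAlias /protected/ "C:/Apache24/cgi-bin/"

<Location /protected/>
    AuthType openid-connect
    Require valid-user
</Location>
```

After Apache restarts, a request to https://client.example.com/protected/printenv.pl should bounce through the CA SSO login and come back with OIDC_CLAIM_* headers in the dump.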
