#OpenID Connect OIDCProviderMetadataURL https://idp.mydomain.com/.well-known/openid-configuration OIDCClientID (client-id-you-got-back-when-you-added-the-client) OIDCClientSecret (your-client-secret) OIDCRedirectURI https://mydomain/midpoint/redirect_uri OIDCResponseType code OIDCScope "openid profile email user_name" OIDCSSLValidateServer Off OIDCCryptoPassphrase (a-random-seed-value) OIDCPassClaimsAs both OIDCClaimPrefix USERINFO_ OIDCPassIDTokenAs payload <Location ~ "/midpoint*"> Require valid-user AuthType openid-connect </Location> ... ProxyRequests Off ProxyPreserveHost On ProxyPass /midpoint http://localhost:8080/midpoint ProxyPassReverse /midpoint http://localhost:8080/midpoint
Midpoint and SSO using Gluu HOWTO
OBSOLETEThis functionality is obsolete. It is no longer supported or maintained.
The following is a tutorial on how to configure midPoint with Gluu in order to perform SSO using OpenID Connect.
In this example we are using:
First version of the Howto document contributed by Dario Tongue
Firstly please make sure that you have Apache Tomcat and midPoint installed and working properly. Also install Apache with rewrite, proxy and proxy_http modules and configure them to work with Apache Tomcat and midPoint. There steps can be found in this previous how to.
Next configure Apache with SSL. And install the mod_auth_openidc module onto Apache and configure it properly so it will work with your OpenID Connect Provider. For more details follow the following how to.
The claim user_name of our OpenID Connect Provider (Gluu in our case) matches midPoint user "name". This also means that one of the scopes of your client mod_auth_openidc defined on your OpenID Connect Provider contains the claim user_name.
After applying the configuration restart apache:
sudo service apache2 restart
Edit the ctx-web-security.xml located at /var/lib/tomcat8/webapps/midpoint/WEB-INF
Uncomment the following so that reads:
<!--For SSO integration use the following: --> <custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />
Edit the following value "principalRequestHeader" in the bean "requestHeaderAuthenticationFilter" so that it reads:
<!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) --> ... <beans:property name="principalRequestHeader" value="USERINFO_user_name"/> ...
Edit the following value "defaultTargetUrl" in the bean "logoutHandler" so that it reads :
<beans:bean id="logoutHandler" class="com.evolveum.midpoint.web.security.AuditedLogoutHandler"> <beans:property name="defaultTargetUrl" value=" https://mydomain/midpoint/redirect_uri?logout=https%3A%2F%2Flocalhost%2F(a logout page) "/> </beans:bean>
sudo service tomcat8 restart