
mod_auth_openidc step-up authentication

MohitMaliFtechiz edited this page Dec 20, 2019 · 8 revisions

How to set up mod_auth_openidc step-up authentication (https://github.com/zmartzone/mod_auth_openidc/wiki/Step-up-Authentication) with Gluu Server 4.0.

Prerequisites

  1. Gluu Server 4.0.
  2. Apache2 web server.
  3. mod_auth_openidc.

How to create an OpenID Connect client in Gluu Server

  1. Log in to the oxTrust admin panel.
  2. Navigate to OpenID Connect.
  3. In the Clients section, click Add Client.
  4. Create a client, providing the login redirect URI, scopes, grant types and response type that match the Apache configuration below (the redirect URI must equal OIDCRedirectURI, the scopes must cover OIDCScope, and the response type is code).
  5. Note down the client ID and client secret; both go into the Apache configuration.

Enable and set up the DUO script for two-factor authentication

  1. Log in to the oxTrust admin panel.
  2. In the Configuration section, go to Manage Custom Scripts.
  3. Enable and configure the duo script by following the Gluu documentation (https://gluu.org/docs/ce/authn-guide/duo/).

Note: DUO is not meant to be the default authentication method, so leave Configuration > Manage Authentication > Default Authentication Method unchanged. The script only has to be enabled so that Gluu honours acr_values=duo when Apache requests the step-up.

How to set up mod_auth_openidc for step-up authentication

We need two authentication levels for two parts of the site: the top level '/' only requires password authentication, while the '/2fa/' folder requires two-factor authentication. A user who reaches '/2fa/' with a password-only session is sent back to Gluu with acr_values=duo and is admitted only once the new session carries the claim acr=duo.

  1. Edit /etc/apache2/sites-available/default-ssl.conf (vi /etc/apache2/sites-available/default-ssl.conf) and add the following inside the virtual host. Replace the <...> placeholders with the values for your deployment.

```apache
# Discovery document of the Gluu server (replace <gluu-host>)
OIDCProviderMetadataURL https://<gluu-host>/.well-known/openid-configuration

# Client ID and secret noted down when the client was created in oxTrust
OIDCClientID <client-id>
OIDCClientSecret <client-secret>

# Must be identical to the login redirect URI registered for the client
OIDCRedirectURI <redirect-uri>

OIDCResponseType code
OIDCScope "openid profile email"

# Off disables TLS certificate validation of the Gluu server. Only acceptable
# in a lab with a self-signed certificate; set it to On in production.
OIDCSSLValidateServer Off

# Protects the session cookie and cache; use a long random value, not "test1"
OIDCCryptoPassphrase test1

OIDCPassClaimsAs environment
OIDCClaimPrefix USERINFO_
OIDCPassIDTokenAs payload

# Top level: any authenticated user, a password-only login is enough
<Location "/">
    AuthType openid-connect
    Require valid-user
</Location>

# /2fa/: only sessions whose id_token carries acr=duo.
# Do not add "Require valid-user" here: Apache 2.4 combines several bare
# Require lines as <RequireAny>, so a password-only session would satisfy
# valid-user and the acr check would never be enforced.
<Location "/2fa/">
    AuthType openid-connect
    Require claim acr:duo
    # When the claim check fails, re-authenticate at Gluu instead of returning 403...
    OIDCUnAutzAction auth
    # ...and ask for the duo acr so that the new session carries acr=duo.
    # If Gluu does not honour acr_values=duo (script disabled, acr not
    # advertised), this combination loops between Apache and Gluu.
    OIDCPathAuthRequestParams acr_values=duo
</Location>
```
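To see what the two <Location> blocks actually enforce, here is an added example that is not code from this wiki, from Gluu or from mod_auth_openidc. It models Apache 2.4 authorization semantics (several bare `Require` lines in one <Location> are combined as <RequireAny>) over the claims mod_auth_openidc extracts from the id_token, and checks the discovery document for the requested acr. It compares a `/2fa/` block that lists `Require valid-user` next to `Require claim acr:duo` (the common mistake when copying the '/' block) with one that uses only the claim check. `DISCOVERY`, `PASSWORD_ONLY` and `STEPPED_UP` are constructed sample data, not captured from a Gluu server, and the acr names in them are assumptions.

```python
"""Model of Apache/mod_auth_openidc step-up authorization over id_token claims.

Added example, not part of the wiki page, Gluu or mod_auth_openidc.
All sample data below is constructed.
"""
import base64
import json

# Constructed excerpt of a Gluu discovery document (assumed acr names).
DISCOVERY = {
    "issuer": "https://gluu.example.com",
    "acr_values_supported": ["auth_ldap_server", "basic", "duo"],
}

# Constructed id_token payloads: after a password-only login, and after Gluu
# ran the duo script in response to acr_values=duo.
PASSWORD_ONLY = {"iss": "https://gluu.example.com", "sub": "alice", "acr": "basic"}
STEPPED_UP = {"iss": "https://gluu.example.com", "sub": "alice", "acr": "duo"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Compact JWS with alg=none and an empty signature, for the samples only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(id_token: str) -> dict:
    """Decode the JWS payload WITHOUT verifying the signature.

    mod_auth_openidc verifies the signature against the provider's JWKS before
    any `Require claim` is evaluated; this helper only feeds the policy model.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def acr_is_advertised(discovery: dict, acr: str) -> bool:
    """Is `acr` listed in acr_values_supported?  If not, Gluu ignores
    acr_values=<acr>, the new session never carries it, and
    OIDCUnAutzAction auth loops between Apache and Gluu."""
    return acr in discovery.get("acr_values_supported", [])


def require_valid_user(claims: dict) -> bool:
    """`Require valid-user`: satisfied by any authenticated session."""
    return bool(claims.get("sub"))


def require_claim(claims: dict, name: str, value: str) -> bool:
    """`Require claim name:value`: claim present and equal to (or containing) value."""
    actual = claims.get(name)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def authorize_2fa_as_written(claims: dict) -> bool:
    """/2fa/ with `Require claim acr:duo` and `Require valid-user` as bare
    siblings: Apache 2.4 evaluates them as <RequireAny>."""
    return require_claim(claims, "acr", "duo") or require_valid_user(claims)


def authorize_2fa_fixed(claims: dict) -> bool:
    """/2fa/ with `Require claim acr:duo` alone."""
    return require_claim(claims, "acr", "duo")


def step_up_needed(claims: dict) -> bool:
    """True when the fixed policy rejects the session, i.e. when
    mod_auth_openidc would trigger OIDCUnAutzAction auth with acr_values=duo."""
    return not authorize_2fa_fixed(claims)


if __name__ == "__main__":
    for label, claims in (("password-only", PASSWORD_ONLY), ("stepped-up", STEPPED_UP)):
        c = id_token_claims(make_unsigned_token(claims))
        print(f"{label:14s} acr={c['acr']:<5} as-written={authorize_2fa_as_written(c)} "
              f"fixed={authorize_2fa_fixed(c)} step-up={step_up_needed(c)}")
    print("duo advertised:", acr_is_advertised(DISCOVERY, "duo"))
```

The password-only session is accepted by the as-written policy because `valid-user` alone satisfies the <RequireAny>, so the step-up never fires; with the claim check alone it is rejected, which is exactly the condition under which mod_auth_openidc redirects to Gluu with acr_values=duo.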