Read our web page on how to authenticate users to the University Access Management platform (Entra ID) using OpenID Connect before following these instructions.
Security vulnerability warning
There is a security vulnerability in versions of mod_auth_openidc prior to v2.4.16.11. Please ensure your mod_auth_openidc is at least v2.4.16.11 so that your application is not affected.
In the example below, the crypto passphrase is just a random string of characters used for encrypting the authentication flow.
The easiest way to get Entra ID authentication working in Apache is to use the mod_auth_openidc module. Install it with:
# apt-get install libapache2-mod-auth-openidc
Next, enable the module:
# a2enmod auth_openidc
Now, add the following statements to your vhost configuration:
<VirtualHost *:443>
    ServerAdmin webmaster@botolphs.cam.ac.uk
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ServerName www.botolphs.cam.ac.uk

    # OpenIDC Configuration
    OIDCProviderMetadataURL https://sts.windows.net/49a50445-bdfa-4b79-ade3-547b4f3986e9/.well-known/openid-configuration
    OIDCClientID <CLIENT ID FROM YOUR APP REGISTRATION>
    OIDCClientSecret <SECRET FROM YOUR APPLICATION REGISTRATION>
    OIDCCryptoPassphrase <RANDOM STRING OF DATA>

    # This is the redirect URL you specified when creating the application registration.
    # This URI must be covered by a <Location> block that includes the
    # "AuthType openid-connect" directive.
    OIDCRedirectURI https://www.botolphs.cam.ac.uk/aad/redirect_uri
    OIDCProviderAuthRequestMethod POST
    OIDCStateMaxNumberOfCookies 5 true
    OIDCRemoteUserClaim upn

    # Apply the authentication to some part of your website.
    # If you modify this to only cover a portion of your website, make sure you have a
    # <Location> block that covers the URL referenced by the OIDCRedirectURI directive.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
Restart your Apache server and check that you now have to authenticate via Entra ID to access your site:
# apachectl restart
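As an added check (not part of the original page), the shell helpers below verify the two points made above: that the installed module is at least the version named in the security warning, and that the path of OIDCRedirectURI sits inside a <Location> block carrying AuthType openid-connect. They also generate a random value for OIDCCryptoPassphrase. They assume a Debian/Ubuntu host with the libapache2-mod-auth-openidc package and GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Debian/Ubuntu and GNU coreutils.

MIN_VERSION="2.4.16.11"   # minimum mod_auth_openidc version named in the warning above

# Success if dotted version $1 is at least $2 (relies on GNU "sort -V").
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Installed upstream version, with the Debian revision suffix stripped.
installed_version() {
    dpkg-query -W -f='${Version}' libapache2-mod-auth-openidc 2>/dev/null | sed 's/[-+~].*//'
}

# Success if the installed module is not older than MIN_VERSION.
module_is_patched() {
    v="$(installed_version)"
    [ -n "$v" ] && version_ge "$v" "$MIN_VERSION"
}

# 32 random bytes, hex encoded (64 characters), suitable for OIDCCryptoPassphrase.
gen_passphrase() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Success if the path of OIDCRedirectURI in vhost file $1 lies inside a <Location>
# block that sets "AuthType openid-connect"; otherwise the module never sees the
# redirect and the login flow cannot complete.
redirect_uri_covered() {
    awk '
        tolower($1) == "oidcredirecturi" { u = $2; sub(/^https?:\/\/[^\/]+/, "", u); uri = u }
        tolower($1) == "<location"       { loc = $2; sub(/>$/, "", loc); inloc = 1; next }
        inloc && tolower($1) == "authtype" && tolower($2) == "openid-connect" { locs[++n] = loc }
        tolower($1) == "</location>"     { inloc = 0 }
        END {
            for (i = 1; i <= n; i++) {
                l = locs[i]
                if (l == "/" || uri == l || index(uri, l "/") == 1) exit 0
            }
            exit 1
        }
    ' "$1"
}
```

Run `module_is_patched && echo OK` and `redirect_uri_covered /etc/apache2/sites-enabled/yoursite.conf && echo OK` after editing the vhost and before restarting Apache.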
Last updated 11th December 2024