Read our web page on how to authenticate users to the University Access Management platform (Entra ID) using OpenID Connect before following these instructions.

In the example below, the crypto passphrase is just a random string of characters; the module uses it to encrypt the state and session cookies it sets during the authentication flow, so choose a long random value and treat it as a secret.

  1. The easiest way to get Entra ID authentication working in Apache is the mod_auth_openidc module (the OpenIDC authentication module for Apache). Install it with apt-get:

    # apt-get install libapache2-mod-auth-openidc

  2. Next, enable the module:

    # a2enmod auth_openidc

  3. Now, add the following statements to your vhost configuration:

    
    <VirtualHost *:443>
       # HTTPS vhost; the TLS directives (SSLEngine, certificate paths) are
       # site-specific and not shown here
       ServerAdmin webmaster@botolphs.cam.ac.uk
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
       ServerName www.botolphs.cam.ac.uk
    
       # OpenIDC Configuration
    
       # Discovery document of your Entra ID tenant (the GUID is your tenant ID)
       OIDCProviderMetadataURL https://sts.windows.net/49a50445-bdfa-4b79-ade3-547b4f3986e9/.well-known/openid-configuration
    
       OIDCClientID <CLIENT ID FROM YOUR APP REGISTRATION>
       OIDCClientSecret <SECRET FROM YOUR APPLICATION REGISTRATION>
       # Used to encrypt the state and session cookies the module sets
       OIDCCryptoPassphrase <RANDOM STRING OF DATA>
    
       # This is the redirect URL you specified when creating the application registration.
       # It must be on this vhost's ServerName and be covered by a <Location> block that
       # includes the "AuthType openid-connect" directive
       OIDCRedirectURI https://www.botolphs.cam.ac.uk/aad/redirect_uri
    
       OIDCProviderAuthRequestMethod POST
       OIDCStateMaxNumberOfCookies 5 true
       OIDCRemoteUserClaim upn
    
       # Apply the authentication to some part of your website.
       # If you modify this to only cover a portion of your website, make sure you have a
       # <Location> block that covers the URL referenced by the OIDCRedirectURI directive
       # (Apache 2.4: no legacy "Order"/"Allow" lines are needed alongside Require)
       <Location />
          AuthType openid-connect
          Require valid-user
       </Location>
    </VirtualHost>
    
  4. Restart your Apache server and check that you now have to authenticate via Entra ID to access your site:

    # apachectl restart
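
Before restarting, it is worth checking the vhost for the pitfalls the comments above warn about. The following Python lint is an added example (not part of the original page and not part of mod_auth_openidc): it parses a vhost snippet and flags a redirect URI whose host differs from ServerName, a redirect URI that is not under a <Location> protected by AuthType openid-connect, missing OIDC directives, and placeholder values left unreplaced. The embedded sample configuration is constructed and deliberately carries a host mismatch.

```python
import re
from urllib.parse import urlparse

# Directives the page's vhost needs for mod_auth_openidc to work at all
REQUIRED = ("OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
            "OIDCCryptoPassphrase", "OIDCRedirectURI")

def parse_vhost(text):
    """Return top-level directives and the <Location> paths protected by AuthType openid-connect."""
    directives, protected, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache has no inline comments
            continue
        if m := re.match(r"<Location\s+(\S+)\s*>", line, re.I):
            current = m.group(1)
        elif line.lower().startswith("</location"):
            current = None
        elif not line.startswith("<"):            # skip <VirtualHost> and other containers
            key, val = (line.split(None, 1) + [""])[:2]
            if current is None:
                directives[key] = val
            elif key.lower() == "authtype" and val.lower() == "openid-connect":
                protected.append(current)
    return directives, protected

def lint(text):
    """List the misconfigurations the page warns about; [] means clean."""
    d, protected = parse_vhost(text)
    problems = [f"missing {k}" for k in REQUIRED if k not in d]
    problems += [f"{k} is a placeholder" for k in REQUIRED if d.get(k, "").startswith("<")]
    uri = urlparse(d.get("OIDCRedirectURI", ""))
    if "ServerName" in d and uri.hostname and uri.hostname != d["ServerName"]:
        problems.append(f"redirect host {uri.hostname} != ServerName {d['ServerName']}")
    # <Location> matches by path prefix, so '/' covers the redirect URI
    if uri.path and not any(uri.path.startswith(p) for p in protected):
        problems.append("OIDCRedirectURI not inside a <Location> with AuthType openid-connect")
    return problems

# Constructed sample, not the page's config: the redirect host differs from ServerName
SAMPLE = """
ServerName www.botolphs.cam.ac.uk
OIDCProviderMetadataURL https://sts.windows.net/TENANT-ID/.well-known/openid-configuration
OIDCClientID 11111111-2222-3333-4444-555555555555
OIDCClientSecret example-secret
OIDCCryptoPassphrase example-passphrase
OIDCRedirectURI https://www.botolph.cam.ac.uk/aad/redirect_uri
<Location />
   AuthType openid-connect
</Location>
"""
```

Run `lint()` over the text of your own vhost file; an empty list means none of the checked pitfalls is present.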

Last updated 1st March 2024