Read our "How to authenticate users to the University Access Management platform (Entra ID) using OpenID Connect" web page before following these instructions.
In the example below, the crypto passphrase is just a random string of characters; the module uses it to encrypt the state and session cookies it sets during the authentication flow.
The easiest method for getting Entra ID authentication working in Apache is to use the mod_auth_openidc authentication module for Apache. Install it with:
# apt-get install libapache2-mod-auth-openidc
Next, enable the module:
# a2enmod auth_openidc
Now, add the following statements to your vhost configuration:
<VirtualHost *:443>   # listen address/port assumed; adjust to your site
    ServerAdmin webmaster@botolphs.cam.ac.uk
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ServerName www.botolphs.cam.ac.uk

    # OpenIDC Configuration
    OIDCProviderMetadataURL https://sts.windows.net/49a50445-bdfa-4b79-ade3-547b4f3986e9/.well-known/openid-configuration
    OIDCClientID <CLIENT ID FROM YOUR APP REGISTRATION>
    OIDCClientSecret <SECRET FROM YOUR APPLICATION REGISTRATION>
    OIDCCryptoPassphrase <RANDOM STRING OF DATA>
    # This is the redirect URL you specified when creating the application registration.
    # This URI must be covered by a <Location> block that includes the "AuthType openid-connect"
    # directive.
    OIDCRedirectURI https://www.botolph.cam.ac.uk/aad/redirect_uri
    OIDCProviderAuthRequestMethod POST
    OIDCStateMaxNumberOfCookies 5 true
    OIDCRemoteUserClaim upn

    # Apply the authentication to some part of your website.
    # If you modify this to only cover a portion of your website, make sure you have a
    # <Location> block that covers the URL referenced by the OIDCRedirectURI directive.
    <Location />
        AuthType openid-connect
        require valid-user
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
Restart your Apache server and check that you now have to authenticate via Entra ID to access your site:
# apachectl restart
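As an added check before the restart (example code written for this page, not part of the original instructions or of mod_auth_openidc), the Python below lints a vhost snippet for the invariants the comments above insist on: every <...> placeholder replaced, a non-trivial crypto passphrase, and the OIDCRedirectURI path covered by a <Location> that uses AuthType openid-connect. SAMPLE_CONF, its hostnames and the lint function's name are constructed for the example.

```python
import re

# Constructed sample: placeholder left unfilled, a short passphrase, and the redirect
# URI deliberately outside the protected Location, so every check fires once.
SAMPLE_CONF = """\
OIDCProviderMetadataURL https://login.example/.well-known/openid-configuration
OIDCClientID <CLIENT ID FROM YOUR APP REGISTRATION>
OIDCClientSecret s3cret-from-registration
OIDCCryptoPassphrase short
OIDCRedirectURI https://www.example.ac.uk/aad/redirect_uri
<Location /secure>
    AuthType openid-connect
    require valid-user
</Location>
"""

def lint_openidc_conf(conf: str) -> list[str]:
    findings, directives, protected, loc = [], {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:                      # entering a <Location PATH> block
            loc = m.group(1)
            continue
        if line.lower() == "</location>":
            loc = None
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if loc and name.lower() == "authtype" and value.lower() == "openid-connect":
            protected.append(loc)  # this Location is behind OpenID Connect
        directives[name] = value
    # 1. every placeholder copied from the page (<...>) must have been replaced
    for d in ("OIDCClientID", "OIDCClientSecret", "OIDCCryptoPassphrase", "OIDCRedirectURI"):
        v = directives.get(d)
        if v is None:
            findings.append(f"{d} missing")
        elif v.startswith("<"):
            findings.append(f"{d} still a placeholder")
    # 2. the passphrase is random-string material; reject an obviously short one
    pw = directives.get("OIDCCryptoPassphrase", "")
    if pw and not pw.startswith("<") and len(pw) < 16:
        findings.append("OIDCCryptoPassphrase shorter than 16 characters")
    # 3. the redirect URI path must sit inside a Location using AuthType openid-connect
    uri = directives.get("OIDCRedirectURI", "")
    path = re.sub(r"^https?://[^/]+", "", uri) or "/"
    if uri and not uri.startswith("<") and not any(
            path == p or path.startswith(p.rstrip("/") + "/") for p in protected):
        findings.append("OIDCRedirectURI not inside a <Location> with AuthType openid-connect")
    return findings
```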
Last updated 1st March 2024