OpenID Connect

Atomic Enterprise OSSEC (AEO) supports Single Sign On (SSO) via integration with OpenID Connect. A full list of certified providers is available at: https://openid.net/developers/certified/

Requires

• AEO 6.0.0+

• OpenID Connect Server

• AEO 6.0.0+ registration with OpenID Connect Server

Overview

This module is designed to allow SSO and authentication that utilizes the OpenID Connect protocol.

Note

This meets the requirements for SAML authentication

Step 1: Register AEO with your OpenID Connect endpoint

Note

The process for this is endpoint specific. Refer to your OpenID service provider for more information.

Step 2: Create a user in AEO whose email address matches the email address of the user on file with the OpenID Connect server.

Step 3: Enable OPENID_CONNECT_INTEGRATION=”on” in /etc/asl/config

systemctl restart awpd

Step 4: Navigate to Integrations > OpenID Connect

Step 5: Enter OpenID credentials

Name: is an arbitrary name that displays on the login page

Provider URL is the endpoint of your OpenID Connect server

example: https://openid.server.com/endpoint

ClientID, ClientSecret, and Redirect URL are all provided by the OpenID Connect endpoint when AEO is first registered

ClientID example: 894664563140-361jamgdp65eflek6mv8l11ifa2l05tf.app.website.com

ClientSecret example: SV4bb77clx6m6Ntd_Z8df71S

Redirect URL example: http://fakedomain:30001/auth/app/callback

Step 6: Restart the awpd

systemctl restart awpd

The alias of your OpenID Connect provider should now appear on the bottom of the login page, and the configuration will be written to /var/awp/etc/.integrations/

[
    {
        "name": "sso",
        "provider_url": "https://sso.openidprovider.fake/auth/realms/sso",
        "client_id": "atomic",
        "client_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "redirect_url": "https://aeo.domain.com:30001/auth/app/callback"
    }

]