OpenID Connect

Atomic Enterprise OSSEC (AEO) supports Single Sign On (SSO) via integration with OpenID Connect. A full list of certified providers is available at: https://openid.net/developers/certified/

Requires

  • AEO 6.0.0+

  • OpenID Connect Server

  • AEO registered as a client with the OpenID Connect server (see Step 1)

Overview

This module provides single sign-on and user authentication for AEO using the OpenID Connect protocol (an authorization-code flow against a configured provider).

Note

This integration is intended to satisfy requirements that call for SAML-style single sign-on. Note that OpenID Connect is a separate protocol from SAML; AEO authenticates against an OpenID Connect provider, not a SAML IdP.

Step 1: Register AEO with your OpenID Connect endpoint

Note

The process for this is endpoint specific. Refer to your OpenID service provider for more information.

Step 2: Create a user in AEO whose email address matches the email address of the user on file with the OpenID Connect server. AEO links the provider's identity to the local account by this email address, so make sure the provider verifies email addresses and does not let users set an arbitrary address themselves; otherwise someone who can register a matching address at the provider could sign in as that AEO user.

Step 3: Set OPENID_CONNECT_INTEGRATION="on" in /etc/asl/config, then restart awpd:

systemctl restart awpd

Step 4: Navigate to Integrations > OpenID Connect

[Screenshot: Integrations > OpenID Connect page]

Step 5: Enter OpenID credentials

Name is an arbitrary label; it is what appears on the login page for this provider.

Provider URL is the issuer URL of your OpenID Connect server. Use https; authorization codes and tokens are exchanged with this endpoint.

ClientID and ClientSecret are issued by the OpenID Connect provider when AEO is registered in Step 1. Redirect URL is AEO's own callback URL (the examples on this page use port 30001 and the path /auth/app/callback); it must be registered with the provider as an allowed redirect URI and entered here exactly as registered, scheme, host and port included, or the provider will reject the login.

ClientID example: 894664563140-361jamgdp65eflek6mv8l11ifa2l05tf.app.website.com

ClientSecret example: SV4bb77clx6m6Ntd_Z8df71S

Redirect URL example: http://fakedomain:30001/auth/app/callback

The redirect URL example above uses plain http for illustration only; in production the callback carries the authorization code and must be served over https.

Step 6: Restart the awpd

systemctl restart awpd

The name of your OpenID Connect provider should now appear at the bottom of the login page, and the configuration is written to /var/awp/etc/.integrations/ as a JSON list of provider entries, for example:

[
    {
        "name": "sso",
        "provider_url": "https://sso.openidprovider.fake/auth/realms/sso",
        "client_id": "atomic",
        "client_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "redirect_url": "https://aeo.domain.com:30001/auth/app/callback"
    }
]

The client_secret is stored in this file in clear text. Keep the directory readable only by root and the awpd service account, and rotate the secret at the provider if the file is ever exposed.
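As an added example (this is not AEO's or the project's own code), the following Python script loads a file in the shape shown above, flags the mistakes that most often break or weaken an OpenID Connect setup, and shows what the fields drive: the discovery document under Provider URL, a standard authorization-code request with state and nonce, and the email-based account mapping from Step 2. The https requirement, the callback-path check and the email_verified requirement are this example's recommendations; the page does not state that AEO enforces them.

```python
"""Sanity checks for an AEO-style OpenID Connect integration entry.

Added example; not AEO's own code. The field names mirror the JSON the page
shows under /var/awp/etc/.integrations/. The https and email_verified rules
are recommendations, not behaviour the page attributes to AEO.
"""
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample in the same shape as the page's example file.
SAMPLE_INTEGRATIONS = json.dumps([{
    "name": "sso",
    "provider_url": "https://sso.openidprovider.fake/auth/realms/sso",
    "client_id": "atomic",
    "client_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "redirect_url": "https://aeo.domain.com:30001/auth/app/callback",
}])

REQUIRED_KEYS = ("name", "provider_url", "client_id", "client_secret", "redirect_url")
CALLBACK_PATH = "/auth/app/callback"  # callback path used in the page's examples


def load_integrations(text):
    """Parse the integrations file; it is a JSON list of provider entries."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("integrations file must contain a JSON list")
    return entries


def check_integration(entry):
    """Return a list of problems with one entry; an empty list means it passed."""
    problems = [f"missing or empty {k}" for k in REQUIRED_KEYS if not entry.get(k)]
    if problems:
        return problems
    for key in ("provider_url", "redirect_url"):
        if urlsplit(entry[key]).scheme != "https":
            # Recommendation: authorization codes and tokens travel over these URLs.
            problems.append(f"{key} should use https, got {entry[key]}")
    if urlsplit(entry["redirect_url"]).path != CALLBACK_PATH:
        problems.append(f"redirect_url path should be {CALLBACK_PATH}")
    return problems


def discovery_url(provider_url):
    """Standard OIDC discovery document location under the issuer URL."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def authorization_params(entry, state, nonce):
    """Query parameters of a standard authorization-code request built from the
    entry. state ties the callback to this browser session (CSRF defence);
    nonce is echoed in the ID token so a replayed token can be rejected."""
    return {
        "response_type": "code",
        "client_id": entry["client_id"],
        "redirect_uri": entry["redirect_url"],
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }


def authorization_request(entry, authorization_endpoint):
    """Full redirect URL plus the state/nonce the callback handler must remember.
    authorization_endpoint is normally read from the discovery document."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = authorization_endpoint + "?" + urlencode(authorization_params(entry, state, nonce))
    return url, state, nonce


def link_user(claims, local_users):
    """Step 2 rule: map the provider's email claim to an existing AEO user.

    Requiring email_verified is this example's recommendation (the page does
    not say whether AEO checks it); without it, anyone who can register an
    unverified address at the provider could log in as that AEO user.
    """
    if not claims.get("email_verified", False):
        return None
    email = claims.get("email", "").strip().lower()
    for user in local_users:
        if user["email"].strip().lower() == email:
            return user["username"]
    return None


if __name__ == "__main__":
    for entry in load_integrations(SAMPLE_INTEGRATIONS):
        print(entry["name"], check_integration(entry) or "OK")
        print(discovery_url(entry["provider_url"]))
```

Run it against a copy of the real file by replacing SAMPLE_INTEGRATIONS with the file's contents; a non-empty problem list for an entry is the usual reason the provider's button appears on the login page but the login itself fails.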