OpenID Connect
Atomic Enterprise OSSEC (AEO) supports Single Sign On (SSO) via integration with OpenID Connect. A full list of certified providers is available at: https://openid.net/developers/certified/
Requires
AEO 6.0.0+
OpenID Connect Server
AEO registered as a client with the OpenID Connect Server (see Step 1)
Overview
This module provides SSO and user authentication over the OpenID Connect protocol.
Note
This integration satisfies SSO requirements that are often written in terms of SAML, but it speaks OpenID Connect, not the SAML protocol: the identity provider must expose an OpenID Connect endpoint.
Step 1: Register AEO with your OpenID Connect endpoint
Note
The registration process is provider specific; refer to your OpenID Connect provider's documentation. During registration you supply AEO's callback address (the Redirect URL in Step 5); the provider will only redirect back to a URL that matches what was registered.
Step 2: Create a user in AEO whose email address matches the email address the OpenID Connect server has on file for that user. AEO maps the authenticated identity to the local account by this address, so the two must match.
Step 3: Set OPENID_CONNECT_INTEGRATION="on" in /etc/asl/config and restart awpd:
systemctl restart awpd
Step 4: Navigate to Integrations > OpenID Connect
Step 5: Enter OpenID credentials
Name is an arbitrary label that is displayed on the login page
Provider URL is the endpoint of your OpenID Connect server
example: https://openid.server.com/endpoint
ClientID and ClientSecret are issued by the OpenID Connect provider when AEO is first registered. The Redirect URL is AEO's own callback, https://<aeo-host>:30001/auth/app/callback, which you registered with the provider in Step 1; the value entered here must match the registered value exactly, including scheme, host and port.
ClientID example: 894664563140-361jamgdp65eflek6mv8l11ifa2l05tf.app.website.com
ClientSecret example: SV4bb77clx6m6Ntd_Z8df71S
Redirect URL example: https://fakedomain:30001/auth/app/callback (use https; a plain http callback sends the authorization code in clear text)
Step 6: Restart awpd:
systemctl restart awpd
The name of your OpenID Connect provider should now appear at the bottom of the login page, and the configuration is written to /var/awp/etc/.integrations/ as a JSON array in the form shown below. The file contains the client secret in clear text, so keep it readable only by the service account and do not copy it into tickets or version control.
[
{
"name": "sso",
"provider_url": "https://sso.openidprovider.fake/auth/realms/sso",
"client_id": "atomic",
"client_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"redirect_url": "https://aeo.domain.com:30001/auth/app/callback"
}
]
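As an added example (not AEO's own code and not its config parser), the following Python helper automates the file-level side of Steps 3 through 6 and checks the entry before awpd is restarted: it sets the flag in /etc/asl/config text, builds an entry in the shape of the JSON array above, validates it (https on both URLs, the /auth/app/callback path, no empty fields), derives the provider's discovery document URL, and writes the array with owner-only permissions because the file holds the client secret in clear text. The file name openid.json, the function names and the sample values are assumptions; the helper works on strings and a temporary file so it runs offline.

```python
import json
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Values taken from the procedure above; hostnames are placeholders, not real endpoints.
CALLBACK_PATH = "/auth/app/callback"
AEO_PORT = 30001
CONFIG_FLAG = "OPENID_CONNECT_INTEGRATION"


def set_config_flag(config_text, value="on"):
    """Return /etc/asl/config content with OPENID_CONNECT_INTEGRATION set to value.

    An existing (uncommented) assignment is replaced in place; otherwise one is
    appended. Assumed helper: AEO's own config format is only known from Step 3.
    """
    pattern = re.compile(rf'^[ \t]*{CONFIG_FLAG}[ \t]*=.*$', re.MULTILINE)
    new_line = f'{CONFIG_FLAG}="{value}"'
    if pattern.search(config_text):
        return pattern.sub(new_line, config_text, count=1)
    sep = "" if config_text == "" or config_text.endswith("\n") else "\n"
    return config_text + sep + new_line + "\n"


def build_entry(name, provider_url, client_id, client_secret, aeo_host, port=AEO_PORT):
    """Build one entry in the shape AEO writes under /var/awp/etc/.integrations/."""
    return {
        "name": name,
        "provider_url": provider_url,
        "client_id": client_id,
        "client_secret": client_secret,
        # The callback lives on the AEO host; register exactly this value with the provider.
        "redirect_url": f"https://{aeo_host}:{port}{CALLBACK_PATH}",
    }


def validate_entry(entry):
    """Return a list of problems with an entry; an empty list means it looks sane."""
    problems = []
    for key in ("name", "provider_url", "client_id", "client_secret", "redirect_url"):
        if not entry.get(key):
            problems.append(f"{key} is missing or empty")
    prov = urlsplit(entry.get("provider_url", ""))
    if prov.scheme != "https":
        problems.append("provider_url must use https")
    redir = urlsplit(entry.get("redirect_url", ""))
    if redir.scheme != "https":
        problems.append("redirect_url must use https, not http")
    if redir.path != CALLBACK_PATH:
        problems.append(f"redirect_url path must be {CALLBACK_PATH}")
    if redir.query or redir.fragment:
        problems.append("redirect_url must not carry a query string or fragment")
    return problems


def discovery_url(provider_url):
    """Location of the provider's OpenID Connect discovery document (OIDC Discovery 1.0)."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def write_integrations(entries, path):
    """Write the JSON array owner-readable only and return the resulting mode bits.

    The file holds client_secret in clear text, so it must not be group/world readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(entries, fh, indent=2)
    os.chmod(path, 0o600)  # also tightens a pre-existing file created with wider bits
    return stat.S_IMODE(os.stat(path).st_mode)


def read_integrations(path):
    with open(path) as fh:
        return json.load(fh)


def write_to_tempdir(entries):
    """Offline round trip: write to a temp file (assumed name openid.json), read it back."""
    path = os.path.join(tempfile.mkdtemp(), "openid.json")
    mode = write_integrations(entries, path)
    return mode, read_integrations(path)


if __name__ == "__main__":
    entry = build_entry("sso", "https://sso.openidprovider.fake/auth/realms/sso",
                        "atomic", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "aeo.domain.com")
    print(validate_entry(entry) or "entry OK")
    print(discovery_url(entry["provider_url"]))
    print(set_config_flag('SOME_OTHER_FLAG="yes"\n'), end="")
    print(write_to_tempdir([entry]))
```

Run validate_entry on the entry you are about to write before restarting awpd; a redirect_url that differs from the registered one by scheme or port is the most common reason the provider refuses to redirect back to AEO. Fetching the discovery URL with curl from the AEO host is a quick check that provider_url is the issuer the provider expects.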