Server 3.x

Web Server Authentication

vpn-user-portal >= 3.10.0 introduced a new web server authentication module. It works with any Apache authentication module that hands the authenticated user (and, optionally, attributes) to the application; the following mechanisms are tested and documented below: Basic, Shibboleth, Mellon, OpenID Connect and client certificates.

This module both simplifies the web server configuration and removes the application-specific configuration. Only a single path, /vpn-user-portal/__ws_auth/verify, has to be protected by the web server; there is no longer any need to exclude certain paths (such as the API used by the VPN clients) from web server authentication. Everything is now configured in the web server.

Instead of refactoring just one of the existing authentication modules, or all of them separately, we created a single new one that supports all Apache authentication modules and is configured in very much the same way for each of them.

Configuration snippets for each authentication mechanism, showing how to configure it with the new module, follow below.

The module is driven by a number of environment variables that you set in the web server configuration (with SetEnv in Apache). See the examples in the configuration instructions below for how each mechanism uses them.

Variable | Default | Description
--- | --- | ---
VPN_LOGOUT_PATH | N/A | Logout endpoint of the web server authentication module; the portal sends the browser there to log out (e.g. /Shibboleth.sso/Logout)
VPN_LOGOUT_RETURN_TO | N/A | Name of the query parameter of that logout endpoint that carries the URL to return to after logout
VPN_PERMISSION_ATTRIBUTES | N/A | Space-separated list of attribute names (as exported to the environment by the web server module) whose values are used as VPN permissions
VPN_PERMISSION_ATTRIBUTES_DELIMITER | ; | Character that separates multiple values within a single permission attribute
VPN_PERMISSION_ATTRIBUTES_URL_DECODE | no | Whether the permission attribute values are URL-decoded before use; yes or no
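To make the table concrete, the following is an added, illustrative reimplementation in Python of how these variables are consumed: the user identity from REMOTE_USER, the permissions from the named attributes, and the logout URL. It is not vpn-user-portal's own (PHP) code and its exact behaviour may differ. The sample environments are constructed to resemble what Apache exports for the Shibboleth and Mellon configurations on this page; the lookup under the MELLON_ and OIDC_CLAIM_ prefixes is this example's assumption about name resolution, not documented portal behaviour.

```python
"""Illustrative model of how a web server authentication module hands the user
identity and VPN permissions to vpn-user-portal through environment variables.

Added example, not vpn-user-portal's own (PHP) code; the real module may differ
in detail. The sample environments below are constructed for this page.
"""
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

# Prefixes under which Apache modules export attributes into the environment:
# Shibboleth SP uses the bare attribute id, mod_auth_mellon prefixes MELLON_,
# mod_auth_openidc prefixes OIDC_CLAIM_. Trying these prefixes in turn is an
# assumption of this example, not documented vpn-user-portal behaviour.
ATTRIBUTE_PREFIXES = ("", "MELLON_", "OIDC_CLAIM_")


def lookup_attribute(env: Dict[str, str], name: str) -> Optional[str]:
    """Return the exported value of attribute `name`, or None if not released."""
    for prefix in ATTRIBUTE_PREFIXES:
        value = env.get(prefix + name)
        if value is not None:
            return value
    return None


def user_id_from_env(env: Dict[str, str]) -> str:
    """The user identifier. Every mechanism on this page ends up in REMOTE_USER
    (AuthUserFile, Shibboleth, MellonUser, mod_auth_openidc, SSLUserName)."""
    user = env.get("REMOTE_USER", "").strip()
    if not user:
        # The web server let the request through without authenticating it:
        # refuse rather than fall back to an empty or guessed identity.
        raise PermissionError("REMOTE_USER is unset; the verify path is not protected")
    return user


def permissions_from_env(env: Dict[str, str]) -> List[str]:
    """Collect VPN permissions from the attributes named in
    VPN_PERMISSION_ATTRIBUTES. Each attribute's value is split on
    VPN_PERMISSION_ATTRIBUTES_DELIMITER (default ";", which is how Shibboleth SP
    and mod_auth_mellon with MellonMergeEnvVars join multi-valued attributes)
    and each part is percent-decoded when VPN_PERMISSION_ATTRIBUTES_URL_DECODE
    is "yes". Duplicates are dropped; order is preserved."""
    names = env.get("VPN_PERMISSION_ATTRIBUTES", "").split()
    delimiter = env.get("VPN_PERMISSION_ATTRIBUTES_DELIMITER", ";")
    url_decode = env.get("VPN_PERMISSION_ATTRIBUTES_URL_DECODE", "no").lower() == "yes"

    permissions: List[str] = []
    for name in names:
        raw = lookup_attribute(env, name)
        if raw is None:
            continue  # attribute not released for this user
        for part in raw.split(delimiter):
            value = unquote(part) if url_decode else part
            value = value.strip()
            if value and value not in permissions:
                permissions.append(value)
    return permissions


def logout_url(env: Dict[str, str], return_to: str) -> Optional[str]:
    """Build the URL the portal sends the browser to on logout: VPN_LOGOUT_PATH
    with the VPN_LOGOUT_RETURN_TO parameter carrying the percent-encoded return
    URL. None when the module has no logout endpoint (e.g. Basic auth), in
    which case only the portal's own session can be ended."""
    path = env.get("VPN_LOGOUT_PATH")
    if not path:
        return None
    param = env.get("VPN_LOGOUT_RETURN_TO")
    if not param:
        return path
    return f"{path}?{param}={quote(return_to, safe='')}"


# Constructed sample: what Apache exports for the Shibboleth configuration on
# this page for a user with two entitlements and two affiliations.
SHIB_ENV = {
    "REMOTE_USER": "jdoe@example.org",
    "VPN_LOGOUT_PATH": "/Shibboleth.sso/Logout",
    "VPN_LOGOUT_RETURN_TO": "return",
    "VPN_PERMISSION_ATTRIBUTES": "entitlement affiliation",
    "entitlement": "urn:mace:example.org:vpn:admin;urn:mace:example.org:vpn:staff",
    "affiliation": "member;staff",
}

# Constructed sample for the Mellon configuration: a percent-encoded
# eduPersonAffiliation value exported under the MELLON_ prefix, with URL
# decoding switched on.
MELLON_ENV = {
    "REMOTE_USER": "jdoe",
    "VPN_LOGOUT_PATH": "/saml/logout",
    "VPN_LOGOUT_RETURN_TO": "ReturnTo",
    "VPN_PERMISSION_ATTRIBUTES": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "VPN_PERMISSION_ATTRIBUTES_URL_DECODE": "yes",
    "MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "library%2Dwalk%2Din;member",
}

if __name__ == "__main__":
    for env in (SHIB_ENV, MELLON_ENV):
        print(user_id_from_env(env), permissions_from_env(env),
              logout_url(env, "https://vpn.example.org/vpn-user-portal/"))
```

A useful check when debugging a deployment is to dump the environment the web server actually hands to PHP on the verify path and compare the variable names against VPN_PERMISSION_ATTRIBUTES: an attribute exported under a prefixed or differently spelled name silently yields no permissions rather than an error.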

Basic

# Only the verify path is protected by the web server; the portal handles the rest
<Location /vpn-user-portal/__ws_auth/verify>
    AuthType Basic
    AuthName "VPN Portal"
    # Password file created with htpasswd; keep it outside the document root
    AuthUserFile "/etc/httpd/valid-user"
    Require valid-user
</Location>

Shibboleth

# Shibboleth SP logout endpoint; "return" is its parameter carrying the URL to
# send the browser to afterwards
SetEnv VPN_LOGOUT_PATH /Shibboleth.sso/Logout
SetEnv VPN_LOGOUT_RETURN_TO return
# Attribute ids (as exported by the SP) whose values become VPN permissions;
# the SP joins multiple values with ";", matching the default delimiter
SetEnv VPN_PERMISSION_ATTRIBUTES "entitlement affiliation"

<Location /vpn-user-portal/__ws_auth/verify>
    AuthType shibboleth
    # Force a session on the verify path only; the rest of the portal stays open
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

Mellon

# mod_auth_mellon logout endpoint (MellonEndpointPath + "/logout") and its
# "ReturnTo" parameter
SetEnv VPN_LOGOUT_PATH /saml/logout
SetEnv VPN_LOGOUT_RETURN_TO ReturnTo
# eduPersonAffiliation, by OID, as released by the IdP
SetEnv VPN_PERMISSION_ATTRIBUTES "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

<Location />
    # "info": expose the SAML endpoints and attributes without forcing a login
    MellonEnable "info"
    # Secure and HttpOnly flags on the session cookie
    MellonSecureCookie On
    # Join multi-valued attributes into one variable, separated by ";"
    MellonMergeEnvVars On
    MellonSPPrivateKeyFile /etc/httpd/saml/sp.key
    MellonSPCertFile /etc/httpd/saml/sp.crt
    MellonEndpointPath /saml
    MellonIdPMetadataFile /etc/httpd/saml/idp.tuxed.net.xml
    # uid: the attribute that becomes REMOTE_USER
    MellonUser urn:oid:0.9.2342.19200300.100.1.1
</Location>

<Location /vpn-user-portal/__ws_auth/verify>
    # "auth": require an authenticated SAML session on the verify path only
    MellonEnable "auth"
</Location>

OpenID Connect

# mod_auth_openidc: logout goes through its redirect URI, with the "logout"
# parameter carrying the URL to return to
SetEnv VPN_LOGOUT_PATH /vpn-user-portal/redirect_uri
SetEnv VPN_LOGOUT_RETURN_TO logout
# Claim whose values become VPN permissions; the provider must release it
SetEnv VPN_PERMISSION_ATTRIBUTES "groups"

# The OIDC* provider and client settings (OIDCRedirectURI must match the path
# above) are configured elsewhere and not shown here
<Location /vpn-user-portal/__ws_auth/verify>
    AuthType openid-connect
    Require valid-user
</Location>

Client Certificate

# "optional" rather than "require" so that requests without a certificate (e.g.
# the VPN clients talking to the API) are not refused at the TLS layer; mod_ssl
# only rejects invalid certificates, so the verify path must still insist on a
# verified one (e.g. Require ssl-verify-client) or on REMOTE_USER being set
SSLVerifyClient optional
# Client certificates must be issued directly by a CA in SSLCACertificateFile
SSLVerifyDepth 1
# Fedora/EL
SSLCACertificateFile /etc/pki/tls/certs/ca.crt
# Debian/Ubuntu
#SSLCACertificateFile /etc/ssl/certs/ca.crt
# The certificate's CN becomes the user identifier (REMOTE_USER)
SSLUserName SSL_CLIENT_S_DN_CN