OIDC OAUTH ESP Authentication

1 Introduction

As part of the Kemp Edge Security Pack (ESP), the LoadMaster supports a number of authentication protocols, including OIDC/OAUTH authentication.

OpenID Connect (OIDC) is the protocol Microsoft recommends for Azure AD identity management. OIDC is an authentication protocol built on the OAuth 2.0 protocol (which is used for authorization) and uses the standardized message flows of OAuth 2.0 to provide identity services.

OIDC is an identity layer added to OAuth 2.0 that enables authentication of users via tokens issued by an Identity Provider (IdP), the party that plays the Authorization Server role in OAuth. OIDC is commonly used to enable Single Sign-On (SSO) of users across multiple applications via a single Identity Provider.

When using OIDC on the LoadMaster, the LoadMaster sits in front of the protected application (the Resource Server in OAuth terms) and enforces access to it: it redirects unauthenticated users to the Identity Provider and grants or denies access to the application based on the tokens the Identity Provider issues. The LoadMaster itself never authenticates the user; an Identity Provider, for example Microsoft Azure AD, must be used for that.

Image 1.png

Below is a brief outline of the flow when using OIDC to authenticate users on the LoadMaster. Some details of the OIDC/OAuth protocol have been left out for simplicity.

Image 2.png

As can be seen, the LoadMaster does not process user credentials; instead, access is granted based on the token the Identity Provider issues after it has authenticated the user. Where Single Sign-On is enabled, the user does not need to sign in again to subsequent applications, and the flow shown can occur silently, without user input.
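The exchange behind the flow diagram, as an added example that is not part of the LoadMaster documentation or Kemp's code: a Relying Party (the role the LoadMaster performs at the edge) talks to a toy Identity Provider standing in for Azure AD. The endpoint URLs, client ID, client secret and redirect URI are placeholders. So that it runs offline, the toy IdP signs ID tokens with HS256 and shares that key with the Relying Party; a real IdP uses RS256 and the Relying Party fetches the public keys from the IdP's jwks_uri instead. The example goes slightly beyond the diagram by showing the checks that make the flow safe: single-use state and code, a pinned signature algorithm, and issuer, audience, nonce and expiry validation of the ID token.

```python
"""Added example; not code from the LoadMaster documentation or from Kemp.
Relying Party (the LoadMaster's role) against a toy Identity Provider.
URLs, client ID, secret and redirect URI are placeholders. The toy IdP signs
with HS256 and shares the key with the RP only so this runs offline; a real
IdP uses RS256 and publishes its keys at jwks_uri."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_EP = "https://idp.example/oauth2/v2.0/authorize"  # placeholder
ISSUER = "https://idp.example/"                        # placeholder
CLIENT_ID = "11111111-2222-3333-4444-555555555555"     # placeholder
CLIENT_SECRET = "placeholder-client-secret"            # placeholder
REDIRECT_URI = "https://app.example/oidc/callback"     # placeholder

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class ToyIdP:
    """Authenticates the user (out of band here), issues codes and ID tokens."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.codes = {}

    def authorize(self, authorize_url: str, user: str) -> str:
        """After sign-in the IdP redirects back with a single-use code and the RP's state."""
        q = parse_qs(urlparse(authorize_url).query)
        if q["response_type"] != ["code"] or q["client_id"] != [CLIENT_ID]:
            raise ValueError("unsupported authorization request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"sub": user, "nonce": q["nonce"][0], "redirect_uri": q["redirect_uri"][0]}
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, form: dict) -> dict:
        """Back-channel token endpoint: authenticate the client, consume the code."""
        if form.get("client_id") != CLIENT_ID or not hmac.compare_digest(
                form.get("client_secret", ""), CLIENT_SECRET):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(form.get("code"), None)  # a code is redeemable once
        if grant is None or grant["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        now = int(time.time())
        header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64u(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": grant["sub"],
                                   "nonce": grant["nonce"], "iat": now, "exp": now + 300}).encode())
        sig = b64u(hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
        return {"id_token": f"{header}.{payload}.{sig}", "token_type": "Bearer"}

class RelyingParty:
    """The LoadMaster's side: redirect, exchange the code, validate the ID token."""
    def __init__(self, idp: ToyIdP):
        self.idp = idp
        self.pending = {}  # state -> nonce; tied to the browser session in a real deployment

    def start_login(self) -> str:
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[state] = nonce
        q = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "scope": "openid profile", "state": state, "nonce": nonce}
        return f"{AUTH_EP}?{urlencode(q)}"

    def finish_login(self, callback_url: str) -> dict:
        q = parse_qs(urlparse(callback_url).query)
        nonce = self.pending.pop(q.get("state", [""])[0], None)  # state is single-use
        if nonce is None:
            raise PermissionError("unknown or replayed state")
        tokens = self.idp.token({"grant_type": "authorization_code", "code": q["code"][0],
                                 "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                 "client_secret": CLIENT_SECRET})  # secret never reaches the browser
        return self.validate_id_token(tokens["id_token"], nonce)

    def validate_id_token(self, id_token: str, expected_nonce: str) -> dict:
        h, p, s = id_token.split(".")
        if json.loads(b64u_decode(h)).get("alg") != "HS256":  # pin alg; never trust the header
            raise PermissionError("unexpected alg")
        expected = hmac.new(self.idp.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64u_decode(s), expected):
            raise PermissionError("bad signature")
        c = json.loads(b64u_decode(p))
        if c.get("iss") != ISSUER or c.get("aud") != CLIENT_ID or c.get("nonce") != expected_nonce:
            raise PermissionError("token not issued for this login")
        if c.get("exp", 0) < time.time():
            raise PermissionError("token expired")
        return c

def run_flow(user: str = "alice@example") -> dict:
    """1. RP redirects to IdP; 2. IdP redirects back with code+state; 3. RP exchanges and validates."""
    idp = ToyIdP()
    rp = RelyingParty(idp)
    return rp.finish_login(idp.authorize(rp.start_login(), user))

def replay_is_rejected() -> bool:
    """Delivering the same callback twice must fail: state and code are both single-use."""
    idp = ToyIdP()
    rp = RelyingParty(idp)
    callback = idp.authorize(rp.start_login(), "alice@example")
    rp.finish_login(callback)
    try:
        rp.finish_login(callback)
    except PermissionError:
        return True
    return False
```

run_flow() returns the validated ID token claims for the signed-in user; replay_is_rejected() shows why the state value must be consumed on first use, which is what stops a captured callback URL from being replayed against the edge.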


1.1 Document Purpose

This document provides step-by-step instructions on how to configure authentication using OIDC/OAUTH in the LoadMaster.

1.2 Intended Audience

This document is intended to be used by anyone who is interested in finding out how to configure OIDC/OAUTH ESP authentication in the Kemp LoadMaster.

1.3 Related Firmware Version

This document was published with LoadMaster Operating System (LMOS) version 7.2.53. This document has not required substantial changes since 7.2.53. However, the content is in sync with the latest LoadMaster Generally Available (GA) firmware.

2 Configure OIDC OAUTH ESP Authentication

Follow the steps in the sections below to configure the LoadMaster to use OIDC/OAUTH ESP authentication.

2.1 Prerequisites

Before configuring the LoadMaster, please ensure that you have obtained the following information from the application configuration on your Identity Provider:

1. The Application (client) ID

2. The OAuth 2.0 authorization endpoint URL

3. The OAuth 2.0 Token Endpoint URL

4. The Logoff URL

5. The Client Secret

This information will be used to configure the Client-Side Single Sign On (SSO) configuration settings.

2.2 Create an SSO Domain

Follow the steps below to create an SSO domain in the LoadMaster:

1. In the LoadMaster WUI, navigate to Virtual Services > Manage SSO.

Create an SSO Domain.png

2. Enter a name for the SSO domain in the Add new Client Side Configuration text box and click Add.


SSO options OIDC.png


3. Select OIDC / OAUTH as the Authentication Protocol.

4. Enter the Application (client) ID of the application in the Application ID field and click Set Application ID.

5. Enter the OAuth 2.0 authorization endpoint URL of the application in the Authorization Endpoint URL field and click Set Authorization Endpoint URL.

6. Enter the OAuth 2.0 Token Endpoint URL of the application in the Token Endpoint URL field and click Set Token Endpoint URL.

7. Enter the Logout URL of the application in the Logoff URL field and click Set Logoff URL.

8. Enter the value of the Client Secret of the application in the Application Secret field and click Set Secret.

9. If using Session Idle Duration, enter the Session Idle Duration and click Set Idle Duration.


2.3 Create a Virtual Service

Follow the steps below to create a Virtual Service and configure the ESP Options:

1. In the main menu of the LoadMaster WUI, navigate to Virtual Services > Add New.

Create a Virtual Service.png

2. Enter a valid IP address in the Virtual Address text box.

3. Fill out the other fields as needed.

4. Click Add this Virtual Service.

Create a Virtual Service_1.png

5. Expand the ESP Options section.

6. Tick the Enable ESP check box.

7. Select OIDC/OAUTH as the Client Authentication Mode.

8. Select the OIDC/OAUTH SSO domain, which was previously configured, from the SSO Domain drop-down list.

ESP Options OIDC.png

9. Fill out any other fields, as needed.

10. Add any Real Servers, as needed.

When using the OIDC/OAUTH Client Authentication Mode, the only available Server Authentication Modes are None and KCD.

If a Logoff String is configured on the Virtual Service but the Logoff URL field in the Manage SSO options is left blank, a request matching the Logoff String closes the user's session on the LoadMaster only; the user remains signed in at the Identity Provider, so their next request to the application can sign them back in silently. If a Logoff URL is provided, a request matching the Logoff String ends the session on the LoadMaster and also triggers a logout of the session at the Identity Provider.

For an explanation of all of the WUI fields, refer to the Web User Interface (WUI), Configuration Guide.

3 RESTful API Updates

This section contains details about the API commands and parameters added for the OIDC/OAUTH type in the SSO domain and ESP options. You can retrieve or configure each of these parameters using the get or set RESTful API commands.

 

3.1 Add a Client-side SSO Domain

To add a client-side SSO domain, run the adddomain?domain=<domain_name> command. For example:

/access/adddomain?domain=<domain_name>

3.2 Set the OIDC-OAUTH Authentication Type

To set the OIDC/OAUTH authentication type, run the moddomain?domain=<domain_name>&auth_type=OIDC-OAUTH command. For example:

/access/moddomain?domain=<domain_name>&auth_type=OIDC-OAUTH

3.3 Add the OIDC Application ID

To set the Application (client) ID of the Identity Provider application on the SSO domain created for OIDC, run the moddomain?domain=<domain_name>&oidc_app_id=<app_id> command. For example:

/access/moddomain?domain=<domain_name>&oidc_app_id=<app_id>

3.4 Add the Authorization Endpoint URL

To add the OAuth 2.0 authorization endpoint URL of the Identity Provider application, run the moddomain?domain=<domain_name>&oidc_auth_ep_url=<end_point_URL> command. For example:

/access/moddomain?domain=<domain_name>&oidc_auth_ep_url=<end_point_URL>

3.5 Add the Token Endpoint URL

To add the OAuth 2.0 token endpoint URL of the Identity Provider application, run the moddomain?domain=<domain_name>&oidc_token_ep_url=<end_point_URL> command. For example:

/access/moddomain?domain=<domain_name>&oidc_token_ep_url=<end_point_URL>

3.6 Set the Log-off URL

To set the log-off URL of the Identity Provider application in OIDC, run the moddomain?domain=<domain_name>&oidc_logoff_url=<logoff_URL> command. For example:

/access/moddomain?domain=<domain_name>&oidc_logoff_url=<logoff_URL>

3.7 Set the OIDC Client Secret

To set the client secret of the Identity Provider application, run the moddomain?domain=<domain_name>&oidc_secret=<secret> command. Supply the secret value itself (in the Azure AD portal this is the Value column, not the Secret ID), and URL-encode it if it contains characters such as &, = or +. For example:

/access/moddomain?domain=<domain_name>&oidc_secret=<secret>

3.8 Set the OIDC-OAUTH in ESP

To set the Client Authentication Mode of a Virtual Service to OIDC/OAUTH, set the inputauthmode parameter of the modvs command to 8 (showvs reports the same value). For example, for Virtual Service index 2 on port 443:

/access/modvs?vs=2&port=443&inputauthmode=8
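The calls from sections 3.1 to 3.8 strung together in one script, as an added example that is not part of the LoadMaster documentation or Kemp's code. It assumes: the management address, API user and password, CA file, SSO domain name, Identity Provider URLs and Virtual Service index/port are placeholders read from the environment; the API accepts HTTP Basic authentication over TLS and answers with an XML <Response stat="..." code="..."> element (a constructed sample is used for the offline check); and that the modvs parameters named esp and domain correspond to the Enable ESP check box and SSO Domain drop-down, which are assumed names to be checked against the RESTful API Interface Description for your firmware. The practical points it adds are URL-encoding the client secret, verifying the LoadMaster's certificate rather than disabling verification, and stopping at the first call the LoadMaster rejects.

```python
"""Added example; not code from the LoadMaster documentation or from Kemp.
Drives the RESTful API calls of sections 3.1 to 3.8. All addresses, names
and credentials are placeholders read from the environment; 'esp' and
'domain' on modvs are assumed parameter names; the <Response stat=...>
format is assumed and a constructed sample is used for the offline check."""
import base64
import os
import ssl
import urllib.request
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

LM_URL = os.environ.get("LM_URL", "https://192.168.1.10")      # placeholder management address
LM_USER = os.environ.get("LM_USER", "bal")
LM_PASS = os.environ.get("LM_PASS", "")                       # from a secret store, never a literal
LM_CAFILE = os.environ.get("LM_CAFILE", "loadmaster-ca.pem")  # CA that issued the management cert

def api_url(command: str, **params) -> str:
    """Build /access/<command>?name=value... urlencode() escapes '&', '=',
    '+', '/' and '%', so a client secret containing them is not mangled."""
    return f"{LM_URL}/access/{command}?{urlencode(params)}"

def response_ok(xml_text: str) -> bool:
    """True when the LoadMaster reports stat="200"; any other stat is an error."""
    root = ET.fromstring(xml_text)
    return root.tag == "Response" and root.get("stat") == "200"

def call(url: str) -> str:
    """GET one API URL with Basic auth and strict certificate verification."""
    ctx = ssl.create_default_context(cafile=LM_CAFILE)  # no verify=False / curl -k equivalents
    cred = base64.b64encode(f"{LM_USER}:{LM_PASS}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        body = resp.read().decode()
    if not response_ok(body):
        raise RuntimeError(f"LoadMaster rejected {url.split('?')[0]}: {body}")
    return body

def oidc_domain_urls(domain, app_id, auth_ep, token_ep, logoff_url, secret) -> list:
    """Sections 3.1 to 3.7 in order: create the domain, then set each OIDC field."""
    return [
        api_url("adddomain", domain=domain),
        api_url("moddomain", domain=domain, auth_type="OIDC-OAUTH"),
        api_url("moddomain", domain=domain, oidc_app_id=app_id),
        api_url("moddomain", domain=domain, oidc_auth_ep_url=auth_ep),
        api_url("moddomain", domain=domain, oidc_token_ep_url=token_ep),
        api_url("moddomain", domain=domain, oidc_logoff_url=logoff_url),
        api_url("moddomain", domain=domain, oidc_secret=secret),  # the secret value, not Azure's Secret ID
    ]

def esp_url(vs: int, port: int, domain: str) -> str:
    """Section 3.8: inputauthmode 8 is OIDC/OAUTH. 'esp' and 'domain' are assumed names."""
    return api_url("modvs", vs=vs, port=port, esp=1, inputauthmode=8, domain=domain)

def configure(domain, app_id, auth_ep, token_ep, logoff_url, secret, vs, port) -> int:
    """Apply every call in order, stopping at the first failure. Returns calls made."""
    urls = oidc_domain_urls(domain, app_id, auth_ep, token_ep, logoff_url, secret)
    urls.append(esp_url(vs, port, domain))
    for url in urls:
        call(url)
    return len(urls)

if __name__ == "__main__":
    n = configure("azure-oidc", os.environ["OIDC_APP_ID"], os.environ["OIDC_AUTH_EP"],
                  os.environ["OIDC_TOKEN_EP"], os.environ["OIDC_LOGOFF_URL"],
                  os.environ["OIDC_SECRET"], vs=2, port=443)
    print(f"{n} API calls completed")
```

The secret is taken from the environment so it does not land in shell history or process listings as it would with a hand-typed URL, and the order of calls matters: adddomain must succeed before any moddomain, and the SSO domain must exist before modvs references it.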

Last Updated Date

This document was last updated on 20 March 2021.
