How to install Gluu server

Inspired by @oneitonitram in SSO USer Federation in nethserver (gluu,keycloack,privacyID3A) I started a first draft of Gluu server installation.

Installation

Get gluu repo, install the server and start/enable the server. At the end we login to the gluu container for setup.

wget https://repo.gluu.org/centos/Gluu-centos7.repo -O /etc/yum.repos.d/Gluu.repo
wget https://repo.gluu.org/centos/RPM-GPG-KEY-GLUU -O /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU
yum -y install gluu-server

/sbin/gluu-serverd enable
/sbin/gluu-serverd start
/sbin/gluu-serverd login

cd /install/community-edition-setup/
./setup.py

Go through the setup. Don’t install apache/httpd. The summary should look like this:

hostname                                              example.org
orgName                                                       123
os                                                         centos
city                                                       Vienna
state                                                          XX
countryCode                                                    XX
Applications max ram                                         3072
Install oxAuth                                               True
Install oxTrust                                              True
Backends                                                   wrends
Java Type                                                     jre
Install Apache 2 web server                                 False
Install Shibboleth SAML IDP                                 False
Install oxAuth RP                                           False
Install Passport                                            False
Install Casa                                                False
Install Oxd                                                 False
Install Gluu Radius                                         False

After installation exit the gluu chroot.

exit

Httpd configuration

I just copied and customized the apache.conf that comes with the internal httpd server. The following creates the gluu.conf file. Please edit example.org to match your domain.

cat << 'EOF' > /etc/httpd/conf.d/gluu.conf
<VirtualHost  *:80>
        ServerName example.org
        # To make letsencrypt work
        RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://example.org
</VirtualHost>

<VirtualHost *:443>
        DocumentRoot "/var/www/html/"
        ServerName example.org:443

        LogLevel warn
        SSLEngine on

#               SetEnv proxy-nokeepalive 1
                SetEnv proxy-initial-not-pooled 1
                Timeout 60
                ProxyTimeout 60

        # Security headers
#        Header always append X-Frame-Options SAMEORIGIN
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options nosniff
#       Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://example.org"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0

                # Unset X-ClientCert to make sure that we not get certificate in request
        RequestHeader unset X-ClientCert

                # Turn off support for true Proxy behaviour as we are acting as a transparent proxy
        ProxyRequests Off

                # Turn off VIA header as we know where the requests are proxied
                ProxyVia Off

                # Turn on Host header preservation so that the servlet container
                # can write links with the correct host and rewriting can be avoided.
                ProxyPreserveHost On

                # Preserve the scheme when proxying the request to Jetty
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS

        Header unset ETag
        FileETag None
        RedirectMatch ^(/)$ /identity/

                # Set the permissions for the proxy
                <Proxy *>
                  AddDefaultCharset off
                  Order deny,allow
                  Allow from all
                </Proxy>

        <Location /idp>
                ProxyPass http://localhost:8086/idp retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /identity>
                ProxyPass http://localhost:8082/identity retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /cas>
                ProxyPass http://localhost:8083/cas retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /oxauth-rp>
                ProxyPass http://localhost:8085/oxauth-rp retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /passport>
                ProxyPass http://localhost:8090/passport retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /casa>
                ProxyPass http://localhost:8099/casa retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /oxauth>
                ProxyPass http://localhost:8081/oxauth retry=5 connectiontimeout=60 timeout=60
#                Header set Access-Control-Allow-Origin "*"
                Order deny,allow
                Allow from all
        </Location>

        <LocationMatch /oxauth/auth/cert/cert-login.htm>
            SSLVerifyClient optional_no_ca
            SSLVerifyDepth 10
            SSLOptions -StdEnvVars +StrictRequire +ExportCertData

            # Forward certificate to destination server
            RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
        </LocationMatch>

        ProxyPass        /.well-known/openid-configuration http://localhost:8081/oxauth/.well-known/openid-configuration
        ProxyPass        /.well-known/simple-web-discovery http://localhost:8081/oxauth/.well-known/simple-web-discovery
        ProxyPass        /.well-known/webfinger http://localhost:8081/oxauth/.well-known/webfinger
        ProxyPass        /.well-known/uma2-configuration http://localhost:8081/oxauth/restv1/uma2-configuration
        ProxyPass        /.well-known/fido-configuration http://localhost:8081/oxauth/restv1/fido-configuration
        ProxyPass        /.well-known/fido2-configuration http://localhost:8081/oxauth/restv1/fido2/configuration
        ProxyPass        /.well-known/fido-u2f-configuration http://localhost:8081/oxauth/restv1/fido-configuration
        ProxyPass        /.well-known/scim-configuration http://localhost:8082/identity/restv1/scim-configuration

        ProxyErrorOverride On
        <If "%{REQUEST_URI} =~ m#(.*)/rest(.*)#">
            ProxyErrorOverride Off
        </If>

        ErrorDocument 404 /custom_404.html
        ErrorDocument 500 /custom_500.html
        ErrorDocument 502 /custom_502.html
        ErrorDocument 503 /custom_503.html
        ErrorDocument 504 /custom_504.html

</VirtualHost>
EOF

Apply config:

systemctl reload httpd

Browse to https://example.org and start playing with Gluu…

2 Likes

i am getting a 400 bad request. though on the url it redirectd to /identity

I used a separate domain. Could that be the problem again?

You can check the vhost order with

httpd -S

i also used a separate subdomain, other than the main one

have you checked whether gluu supports two way sync for users created either in gluu or in nethserver?

No, I didn’t manage to set it up yet, it’s not intuitive.

how did this journey go.

there is a massive nethserver project i am currently working on a massive Nethserver project. ill soon post a forum for discussion. i currently require SSO application. with 2 way sync.

Sorry, Gluu is not really on top of my todo list. I hoped to help you by providing an install howto so you can test if it works for you.

This is interesting–looks like a much more powerful and flexible (and resource-intensive–they recommend 5 cores, 6 GB of RAM, and 50 GB of disk space for a minimum installation) SSO provider than either AD or LDAP by a long shot, so I’ve started playing with it a bit (though not on Neth right now). My main interest at the moment is in connection with this:

Obviously I wouldn’t want to use a Google account to provide security for my network, but it seems this will work with any OIDC provider, which Gluu is. Though there are a number of things I’d want to change which are “left as an exercise for the student”…

It would be nice to have a proper SSO provider as the default authenticator for Neth; I see a number of benefits here:

  • It lets you set security policies across your entire network–at least, across as much of it uses that SSO. Want to require TOTP-based 2FA for everything? Too easy. A hardware security key? It can do that too. Need 2FA only for admin tasks, or for admin users? Again, done. Changing those policies is also done at the provider level, not at the application level.
  • Not only does it set those policies, it implements them. It knows how to do FIDO2, U2F, TOTP, etc., so that SOGo/Nextcloud/Cockpit/WebTop don’t need to–all they need to know is how to authenticate via SAML/OIDC/something else supported by the SSO provider. You don’t need to figure out how to enter a PIN in Roundcube, because Gluu (or whatever) handles the authentication page.
  • It reduces your exposure to vulnerabilities in your applications, as those applications never see a user’s credentials. Today, a vulnerability in Nextcloud, Cockpit, SOGo, or any other web app that authenticates to Neth’s LDAP or AD can leak passwords, which are then valid system-wide. With something like Gluu, those applications never see the passwords, so they can’t leak them.
2 Likes