How to install Gluu server

Inspired by @oneitonitram in SSO User Federation in nethserver (gluu,keycloack,privacyID3A), I started a first draft of a Gluu server installation guide.


Get the Gluu repo, install the server, then enable and start it. At the end we log in to the Gluu container for the setup.

wget -O /etc/yum.repos.d/Gluu.repo
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU
yum -y install gluu-server

/sbin/gluu-serverd enable
/sbin/gluu-serverd start
/sbin/gluu-serverd login

cd /install/community-edition-setup/

Go through the setup. Don’t install apache/httpd. The summary should look like this:

orgName                                                       123
os                                                         centos
city                                                       Vienna
state                                                          XX
countryCode                                                    XX
Applications max ram                                         3072
Install oxAuth                                               True
Install oxTrust                                              True
Backends                                                   wrends
Java Type                                                     jre
Install Apache 2 web server                                 False
Install Shibboleth SAML IDP                                 False
Install oxAuth RP                                           False
Install Passport                                            False
Install Casa                                                False
Install Oxd                                                 False
Install Gluu Radius                                         False

After installation, exit the Gluu chroot.


Httpd configuration

I just copied and customized the apache.conf that comes with Gluu's internal httpd server. The following creates the gluu.conf file. Please edit it to match your domain.

cat << 'EOF' > /etc/httpd/conf.d/gluu.conf
<VirtualHost *:80>
        # To make letsencrypt work: everything except ACME challenges is
        # redirected to https. The redirect target (the https URL of your
        # Gluu host) belongs after the pattern; it did not survive in the post.
        RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).*
</VirtualHost>

<VirtualHost *:443>
        DocumentRoot "/var/www/html/"

        LogLevel warn
        SSLEngine on

#       SetEnv proxy-nokeepalive 1
        SetEnv proxy-initial-not-pooled 1
        Timeout 60
        ProxyTimeout 60

        # Security headers
#       Header always append X-Frame-Options SAMEORIGIN
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options nosniff
#       Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        # Mark every cookie HttpOnly except the OpenID Connect session cookies
        Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0

        # Unset X-ClientCert so a certificate header supplied by the client is never passed on
        RequestHeader unset X-ClientCert

        # Turn off support for true proxy behaviour as we are acting as a transparent proxy
        ProxyRequests Off

        # Turn off the Via header as we know where the requests are proxied
        ProxyVia Off

        # Turn on Host header preservation so that the servlet container
        # can write links with the correct host and rewriting can be avoided.
        ProxyPreserveHost On

        # Preserve the scheme when proxying the request to Jetty
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS

        Header unset ETag
        FileETag None
        RedirectMatch ^(/)$ /identity/

        # Set the permissions for the proxy
        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Allow from all
        </Proxy>

        <Location /idp>
                ProxyPass http://localhost:8086/idp retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /identity>
                ProxyPass http://localhost:8082/identity retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /cas>
                ProxyPass http://localhost:8083/cas retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /oxauth-rp>
                ProxyPass http://localhost:8085/oxauth-rp retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /passport>
                ProxyPass http://localhost:8090/passport retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /casa>
                ProxyPass http://localhost:8099/casa retry=5 connectiontimeout=60 timeout=60
                Order deny,allow
                Allow from all
        </Location>

        <Location /oxauth>
                ProxyPass http://localhost:8081/oxauth retry=5 connectiontimeout=60 timeout=60
#               Header set Access-Control-Allow-Origin "*"
                Order deny,allow
                Allow from all
        </Location>

        <LocationMatch /oxauth/auth/cert/cert-login.htm>
                SSLVerifyClient optional_no_ca
                SSLVerifyDepth 10
                SSLOptions -StdEnvVars +StrictRequire +ExportCertData

                # Forward the client certificate to the destination server (only on this path)
                RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
        </LocationMatch>

        ProxyPass        /.well-known/openid-configuration http://localhost:8081/oxauth/.well-known/openid-configuration
        ProxyPass        /.well-known/simple-web-discovery http://localhost:8081/oxauth/.well-known/simple-web-discovery
        ProxyPass        /.well-known/webfinger http://localhost:8081/oxauth/.well-known/webfinger
        ProxyPass        /.well-known/uma2-configuration http://localhost:8081/oxauth/restv1/uma2-configuration
        ProxyPass        /.well-known/fido-configuration http://localhost:8081/oxauth/restv1/fido-configuration
        ProxyPass        /.well-known/fido2-configuration http://localhost:8081/oxauth/restv1/fido2/configuration
        ProxyPass        /.well-known/fido-u2f-configuration http://localhost:8081/oxauth/restv1/fido-configuration
        ProxyPass        /.well-known/scim-configuration http://localhost:8082/identity/restv1/scim-configuration

        ProxyErrorOverride On
        <If "%{REQUEST_URI} =~ m#(.*)/rest(.*)#">
                ProxyErrorOverride Off
        </If>

        ErrorDocument 404 /custom_404.html
        ErrorDocument 500 /custom_500.html
        ErrorDocument 502 /custom_502.html
        ErrorDocument 503 /custom_503.html
        ErrorDocument 504 /custom_504.html
</VirtualHost>
EOF


Apply config:

systemctl reload httpd

Browse to and start playing with Gluu…
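As an added example that is not part of the original post and not Gluu's or NethServer's own tooling, the following POSIX shell script (hypothetical name gluu-proxy-check.sh) checks two things a hand-edited gluu.conf is easy to get wrong: that every container section (VirtualHost, Proxy, Location, LocationMatch, If) is actually closed, and that the hardening the config promises (HSTS, nosniff, HttpOnly on every cookie except opbs and session_state) really shows up in a response header dump. The config snippets and the response headers embedded in it are constructed samples, so it runs offline.

```shell
#!/bin/sh
# gluu-proxy-check.sh (hypothetical name): sanity checks for a hand-edited
# Apache reverse-proxy config and for the response headers it should produce.
# Added example; not part of the original post and not Gluu/NethServer code.

# Constructed sample: a config whose </Location> was lost, as happens when a
# config is pasted through a web form that strips tag-like text.
SAMPLE_BROKEN='<VirtualHost *:443>
        <Location /identity>
                ProxyPass http://localhost:8082/identity retry=5
                Order deny,allow
                Allow from all
</VirtualHost>'

# Constructed sample: the same section, properly closed.
SAMPLE_OK='<VirtualHost *:443>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        <Location /identity>
                ProxyPass http://localhost:8082/identity retry=5
                Order deny,allow
                Allow from all
        </Location>
</VirtualHost>'

# Constructed sample response headers (shape of: curl -sI https://<gluu host>/identity/).
# JSESSIONID carries HttpOnly; session_state is exempt by the Header edit rule.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=constructed; Path=/identity; Secure;HttpOnly
Set-Cookie: session_state=constructed; Path=/; Secure'

# check_sections FILE: for each container directive used in gluu.conf, compare
# the number of <Tag ...> openers with </Tag> closers. Returns 0 when balanced.
check_sections() {
        status=0
        for tag in VirtualHost Proxy Location LocationMatch If; do
                opens=$(grep -c "^[[:space:]]*<${tag}[[:space:]>]" "$1" || true)
                closes=$(grep -c "^[[:space:]]*</${tag}>" "$1" || true)
                if [ "$opens" -ne "$closes" ]; then
                        echo "unbalanced <$tag>: $opens opened, $closes closed"
                        status=1
                fi
        done
        return $status
}

# check_response_headers FILE: verify the hardening the config is meant to add:
# HSTS, nosniff, and HttpOnly on every cookie except opbs/session_state.
check_response_headers() {
        status=0
        grep -qi '^Strict-Transport-Security:' "$1" \
                || { echo "missing Strict-Transport-Security"; status=1; }
        grep -qi '^X-Content-Type-Options:[[:space:]]*nosniff' "$1" \
                || { echo "missing X-Content-Type-Options: nosniff"; status=1; }
        # Cookies lacking HttpOnly, minus the two the Header edit rule leaves alone
        bad=$(grep -i '^Set-Cookie:' "$1" | grep -vi 'HttpOnly' \
                | grep -Evic '^Set-Cookie:[[:space:]]*(opbs|session_state)=' || true)
        if [ "$bad" -ne 0 ]; then
                echo "$bad cookie(s) missing HttpOnly"
                status=1
        fi
        return $status
}

# run_check FUNC SAMPLE: write a constructed sample to a temp file, run FUNC on
# it, clean up, and return FUNC's status.
run_check() {
        tmp=$(mktemp)
        printf '%s\n' "$2" > "$tmp"
        if "$1" "$tmp"; then rc=0; else rc=1; fi
        rm -f "$tmp"
        return $rc
}

demo_good_config()   { run_check check_sections "$SAMPLE_OK"; }
demo_broken_config() { run_check check_sections "$SAMPLE_BROKEN"; }
demo_headers()       { run_check check_response_headers "$SAMPLE_HEADERS"; }

demo_good_config   && echo "SAMPLE_OK: all sections balanced"
demo_broken_config || echo "SAMPLE_BROKEN: problems found (expected)"
demo_headers       && echo "SAMPLE_HEADERS: hardening headers present"
```

On a real host, `httpd -t` is the syntax check Apache itself provides once the file is in place; the section counter is useful on a copy you are still editing elsewhere. After `systemctl reload httpd`, capture the live headers with `curl -sI https://<your gluu domain>/identity/ > headers.txt` and run `check_response_headers headers.txt` to confirm the Header directives are taking effect on the proxied path.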


I am getting a 400 bad request, though the URL redirected to /identity.

I used a separate domain. Could that be the problem again?

You can check the vhost order with

httpd -S

I also used a separate subdomain, other than the main one.

Have you checked whether Gluu supports two-way sync for users created either in Gluu or in NethServer?

No, I didn’t manage to set it up yet, it’s not intuitive.

How did this journey go?

I am currently working on a massive NethServer project. I'll soon post a forum topic for discussion. I currently require an SSO application with 2-way sync.

Sorry, Gluu is not really on top of my todo list. I hoped to help you by providing an install howto so you can test if it works for you.