Mozilla IAM demo reference architectures, configurations, etc. to implement OIDC and SAML in different ways
You can see this in action at https://testrp.security.allizom.org/
What can I do with this?
- Test (https://testrp.security.allizom.org/) and see what the login and implementation look like.
- Copy examples, to implement your own easily.
- OpenID Connect (OIDC)
Easy "get a login page in front of my site"
- Run an Apache reverse-proxy in front of your website that requires login and specific group membership to access the site. Sessions, login, etc. are handled automatically.
- Run the equivalent Nginx reverse-proxy.
- All attributes are also passed in HTTP headers to your site.
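As an added example (not a configuration from this repository), here is what the Apache reverse-proxy variant looks like when built on mod_auth_openidc: the provider URL, client credentials, redirect URI, group claim name, group value and upstream address are all placeholder assumptions, and the scope names depend on the identity provider.

```apache
# Added example, not part of the testrp repository. Apache vhost that puts an
# OIDC login in front of an upstream app and only admits members of one group.
# Every *_PLACEHOLDER value is an assumption to be replaced for a real deployment.
<VirtualHost *:443>
    ServerName app.example.org

    # Provider discovery and client registration (placeholders).
    OIDCProviderMetadataURL https://ISSUER_PLACEHOLDER/.well-known/openid-configuration
    OIDCClientID            CLIENT_ID_PLACEHOLDER
    OIDCClientSecret        CLIENT_SECRET_PLACEHOLDER
    # The redirect URI must be a path on this vhost that is not served by the app.
    OIDCRedirectURI         https://app.example.org/redirect_uri
    # Random secret used to encrypt the module's session cookie.
    OIDCCryptoPassphrase    RANDOM_PASSPHRASE_PLACEHOLDER
    # Scope names, including the one that yields a "groups" claim, depend on the IdP.
    OIDCScope               "openid email profile groups"
    # Claim exposed as REMOTE_USER to the upstream application.
    OIDCRemoteUserClaim     email
    # Forward every claim of the ID token as OIDC_CLAIM_* request headers
    # (the "All attributes are also passed in HTTP headers" behaviour above).
    OIDCPassClaimsAs        headers

    <Location />
        AuthType openid-connect
        # Login alone is not enough: the "groups" claim must contain this value.
        Require claim groups:APP_GROUP_PLACEHOLDER
    </Location>

    # Hand the authenticated request to the site itself. The upstream must be
    # reachable only through this proxy, otherwise the OIDC_CLAIM_* headers
    # could be supplied directly by a client instead of by the module.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```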
More advanced login integrations
- Run Python code that allows you to integrate the login experience better (for example through a sign-in button).
- Run equivalent NodeJS, etc. code.
Integrate an authorization flow (via OAuth2)
- Run an Nginx reverse-proxy that passes access tokens to access data on behalf of users/machines.
- Allow other applications to request tokens from you.
This is deployed in the infosec-dev AWS account in the us-west-2 region. It can be accessed with the id_rsa_infosec_us-west-2 EIS shared SSH key in the GPG store.
Accessing the server
ssh -i ~/.ssh/id_rsa_infosec_us-west-2 firstname.lastname@example.org
The Route53 records for *.testrp.security.allizom.org are CNAMEs to the EC2 instance. As a result, if the EC2 instance is stopped and started again, it will get a new IP and name, and these Route53 records will no longer point to the instance.
Logs for the webserver are located in
These logs are not rotated and will eventually fill the 8GB disk.