23.7. Integrating Identity Management Smart-card Authentication with Web Applications
As a developer whose applications use the Identity Management server as an authentication back end through the Identity Management web infrastructure Apache modules, you can configure the applications to enable authentication of users with multiple role accounts linked to their smart card. This enables these users to use the application under allowed role accounts.
23.7.1. Prerequisites for Web Application Authentication with Smart Cards
On the server where the Apache web application is running:
- Enroll the server as a client in the Identity Management domain.
- Install the sssd-dbus and mod_lookup_identity packages.
- Make sure Apache has a working HTTPS connection configured using the
mod_nss
module.
23.7.2. Configuring Identity Management Smart-card Authentication for a Web Application
- Enable TLS renegotiation in the
mod_nss
configuration in the/etc/httpd/conf.d/nss.conf
file:NSSRenegotiation NSSRequireSafeNegotiation on
- Make sure that the CA issuing the user certificates is trusted for the client certificates in the
mod_nss
certificate database. The default location for the database is/etc/httpd/alias
. - Add the web application. In this procedure, we are using an almost minimal example consisting of a login page and a protected area.
- The
/login
end point only lets the user provide a user name and sends the user to a protected part of the application. - The
/app
end point checks theREMOTE_USER
environment variable. If the login was successful, the variable contains the ID of the logged-in user. Otherwise, the variable is unset.
- Create a directory, and set its group to
apache
and the mode to at least750
. In this procedure, we are using a directory named/var/www/app/
. - Create a file, and set its group to
apache
and the mode to at least750
. In this procedure, we are using a file named/var/www/app/login.py
.Save the following contents to the file:#! /usr/bin/env python def application(environ, start_response): status = '200 OK' response_body = """ <!DOCTYPE html> <html> <head> <title>Login</title> </head> <body> <form action='/app' method='get'> Username: <input type='text' name='username'> <input type='submit' value='Login with certificate'> </form> </body> </html> """ response_headers = [ ('Content-Type', 'text/html'), ('Content-Length', str(len(response_body))) ] start_response(status, response_headers) return [response_body]
- Create a file, and set its group to
apache
and the mode to at least750
. In this procedure, we are using a file named/var/www/app/protected.py
.Save the following contents in the file:#! /usr/bin/env python def application(environ, start_response): try: user = environ['REMOTE_USER'] except KeyError: status = '400 Bad Request' response_body = 'Login failed.\n' else: status = '200 OK' response_body = 'Login succeeded. Username: {}\n'.format(user) response_headers = [ ('Content-Type', 'text/plain'), ('Content-Length', str(len(response_body))) ] start_response(status, response_headers) return [response_body]
- Create a configuration file for your application. In this procedure, we are using a file named
/etc/httpd/conf.d/app.conf
with the following contents:<IfModule !lookup_identity_module> LoadModule lookup_identity_module modules/mod_lookup_identity.so </IfModule> WSGIScriptAlias /login /var/www/app/login.py WSGIScriptAlias /app /var/www/app/protected.py <Location "/app"> NSSVerifyClient require NSSUserName SSL_CLIENT_CERT LookupUserByCertificate On LookupUserByCertificateParamName "username" </Location>
In this file:- The first part loads
mod_lookup_identity
if it is not already loaded. - The next part maps the
/login
and/app
end points to the respective Web Server Gateway Interface (WSGI) scripts. - The last part configures
mod_nss
for the/app
end point so that it requires a client certificate during the TLS handshake and uses it. In addition, it configures an optional request parameterusername
to look up the identity of the user.