testrp.security.allizom.org

Mozilla IAM demo reference architectures, configurations, etc. to implement OIDC, SAML in different ways

You can see this in action at https://testrp.security.allizom.org/

What can I do with this?

Supported protocols

  • OpenID Connect (OIDC)
  • SAML

Easy "get a login page in front of my site"

  • Run an Apache reverse-proxy in front of your website that requires login and membership of a specific group before the site can be reached. Session handling, login, etc. are taken care of automatically.
  • Run the equivalent Nginx reverse-proxy.
  • All user attributes are also passed to your site in HTTP headers.
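The gate the reverse-proxy applies, modelled in Python as an added example (this is not code from this repo and not the proxy configuration it ships): a request passes only when there is a logged-in session and the session's group list contains the required group, the attributes are then forwarded as `X-Forwarded-User-*` headers, and any identity header the client sent itself is stripped first so the backend cannot be fed a spoofed value. The claim set, the header prefix and the group name are constructed for the example.

```python
"""Model of a login-and-group-enforcing reverse proxy that forwards identity
attributes to the backend as HTTP headers (example code, not the project's).
"""
from dataclasses import dataclass, field

# Header prefix the proxy uses for forwarded attributes. Assumed for this
# example; the real proxy may use different names.
IDENTITY_HEADER_PREFIX = "X-Forwarded-User-"


@dataclass
class Decision:
    allowed: bool
    status: int            # 401: no session, 403: wrong group, 200: allowed
    headers: dict = field(default_factory=dict)


def strip_client_identity_headers(request_headers):
    """Drop every identity header present in the inbound request.

    The backend trusts X-Forwarded-User-* because only the proxy should set
    them, so a client-supplied copy must never pass through. Matching is
    case-insensitive because HTTP header names are.
    """
    prefix = IDENTITY_HEADER_PREFIX.lower()
    return {k: v for k, v in request_headers.items()
            if not k.lower().startswith(prefix)}


def attributes_to_headers(claims):
    """Flatten the session attribute set into X-Forwarded-User-* headers.

    List-valued attributes (e.g. groups) are joined with '|' so the backend
    can split them back; 'preferred_username' becomes 'Preferred-Username'.
    """
    headers = {}
    for name, value in claims.items():
        if isinstance(value, (list, tuple)):
            value = "|".join(str(v) for v in value)
        header = IDENTITY_HEADER_PREFIX + name.replace("_", "-").title()
        headers[header] = str(value)
    return headers


def authorize(session_claims, required_group, request_headers):
    """Decide a request the way the login-enforcing proxy does.

    session_claims is the verified attribute set of the logged-in user, or
    None when there is no valid session (the proxy would then redirect to
    the identity provider; modelled here as a 401).
    """
    clean = strip_client_identity_headers(request_headers)
    if not session_claims:
        return Decision(False, 401, clean)
    if required_group not in session_claims.get("groups", []):
        return Decision(False, 403, clean)
    forwarded = dict(clean)
    forwarded.update(attributes_to_headers(session_claims))
    return Decision(True, 200, forwarded)


if __name__ == "__main__":
    # Constructed sample session and request for demonstration.
    claims = {"sub": "user-1234", "email": "jdoe@example.com",
              "groups": ["team_foo", "everyone"]}
    request = {"Host": "app.internal",
               "X-Forwarded-User-Email": "attacker@example.com"}  # spoof attempt
    for group in ("team_foo", "team_bar"):
        d = authorize(claims, group, request)
        print(group, d.status, d.headers.get("X-Forwarded-User-Email"))
    print("no session", authorize(None, "team_foo", request).status)
```

The spoofed `X-Forwarded-User-Email` the client sent is discarded and replaced by the value from the verified session; a backend that reads these headers should additionally be reachable only through the proxy, since the stripping only helps when no path bypasses it.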

Future

More advanced login integrations

  • Run Python code that allows you to integrate the login experience better (for example through a sign-in button)
  • Run equivalent NodeJS, etc. code.

Integrate an authorization flow (via OAuth2)

  • Run an Nginx reverse-proxy that passes access tokens to access data on behalf of users/machines.
  • Allow other applications to request tokens from you.

Deployment

This is deployed in the mozilla-iam AWS account in the us-west-2 region. It is deployed with the CloudFormation template in this repo, which creates:

  • The EC2 instance
  • The security group
  • An empty IAM role in case one's needed
  • The elastic IP

The instance can be accessed with the id_rsa_infosec_us-west-2 EIS shared SSH key in the GPG store.

The CloudFormation template provisions the instance using a custom AMI based on CentOS 7. This AMI was created from the live running instance previously in the infosec-dev account, and as a result it contains some non-public data (Let's Encrypt private keys, logs).

To deploy the CloudFormation template, either upload it to the AWS web console or deploy with the awscli, providing the SSH key name that the instance should be provisioned with as the one parameter that the template takes.

    aws cloudformation create-stack \
        --stack-name testrp.security.allizom.org \
        --template-url https://s3.us-west-2.amazonaws.com/public.us-west-2.iam.mozilla.com/testrp/92b69a50c761826ed71d2447912f637c319ea3c0/testrp.92b69a50c761826ed71d2447912f637c319ea3c0.yaml \
        --capabilities CAPABILITY_IAM \
        --parameters \
            ParameterKey=SSHKeyName,ParameterValue='jdoe-key'

Accessing the server

ssh -i ~/.ssh/id_rsa_infosec_us-west-2 [email protected]

The Route53 records for testrp.security.allizom.org and *.testrp.security.allizom.org are A records which resolve to an Elastic IP (EIP). As a result, the EC2 instance will retain its IP if stopped and started again, and the DNS names will continue to resolve correctly.

The Route53 zone security.allizom.org is hosted in the infosec-dev AWS account. It would be good if the testrp service were transitioned to a zone hosted in the mozilla-iam AWS account.

Logs

Logs for the webserver are located in

/usr/local/openresty/nginx/logs/error.log
/usr/local/openresty/nginx/logs/access.log

These logs are rotated with a manually provisioned /etc/logrotate.d/openresty configuration file to prevent them from filling the 8GB disk.

Contributors

gdestuynder, gene1wood, april, gdestuynder-mozilla-owner, jeffbryner, mozilla-github-standards
