Installation and Deployment

Bacula Enterprise Only

This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.

This section explains how to install and configure OAuth2-Proxy for BWeb in two scenarios:

  • New deployments (BWeb installed by Bacula Installation Manager)

  • Existing deployments (install OAuth2-Proxy after BWeb is already running)

Before starting, ensure you already have values from your IdP configuration:

  • client_id

  • client_secret

  • oidc_issuer_url

  • oauth2_logout_url

  • Admin role/group name (Bacula Admins by default)

New BWeb Deployment

New BWeb deployments should use Bacula Installation Manager (BIM) and include OAuth 2.0 configuration during installation.

BIM will prompt for all OAuth2/OIDC values. For complex values, you can provide a pre-created configuration file so that the installation runs unattended.

  1. Create /opt/bweb/etc/oauth2_proxy_install.conf by copying one of the provided templates (for example, /opt/bweb/etc/oauth2_proxy_install.conf.okta.template, /opt/bweb/etc/oauth2_proxy_install.conf.entraid.template, or /opt/bweb/etc/oauth2_proxy_install.conf.keycloak.template). These template files are distributed with the BWeb package. If you are installing BWeb for the first time and do not yet have the package contents locally, download the BWeb package and extract the templates before proceeding.

  2. Edit the file with your values. Example:

# Public-facing address or hostname where OAuth2-Proxy will be served
address=your.hostname.or.ip

# Provider kind
# If Okta: oidc
# If Microsoft Entra ID: entra-id
oauth2_provider=oidc

# OIDC issuer URL
oidc_issuer_url=https://my-env.okta.com/oauth2/default

# Logout URL called after logging out of BWeb
oauth2_logout_url=https://my-env.okta.com/login/signout

# Application credentials from the IdP
client_id=0loijnmuy3478dnfPj609
client_secret=a3c3_tloijnm87yhdb2349dbP6tcJaer090cjfpes_A9g1-dDu7qrCIAD0398

# Default admin group or ID
default_admin_role="Bacula Admins"

# Optional helpers
configure_firewall=y
restart_services=y

Pay close attention to the values of oidc_issuer_url and oauth2_logout_url:

  • Okta: https://[your.okta.domain]/oauth2/default and https://[your.okta.domain]/login/signout

  • Microsoft Entra ID: https://login.microsoftonline.com/your-tenant-id/v2.0 and https://login.microsoftonline.com/your-tenant-id/oauth2/logout

  • Keycloak: https://[keycloak.host]/realms/[realm-name] and https://[keycloak.host]/realms/[realm-name]/protocol/openid-connect/logout

The client_id and client_secret values come from your IdP configuration. See Okta Configuration, Microsoft Entra ID Configuration, or Keycloak Configuration.

  3. Run BIM to install BWeb and the OAuth2-Proxy module. Example output:

Install and setup OIDC/OAuth2 with BWeb? [y/N] y
...
Please answer the following questions to configure properly OAuth2 and BWeb:
address set from config: 192.168.1.102
oidc_issuer_url set from config: https://xxxxxxx.okta.com/oauth2/default
oauth2_logout_url set from config: https://xxxxxxx.okta.com/login/signout
client_id set from config: 9ijkn83klpr09iY87yd7
client_secret set from config: ****************
configure_firewall set from config: y
restart_services set from config: y
...
OAuth2 Proxy installation and configuration complete.
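
A pre-flight check for the oauth2_proxy_install.conf file built in the steps above, as an added example that is not part of the BWeb package or of BIM. The key names and URL patterns come from this page; treating all five keys as required for an unattended run, requiring both URLs to share a host (true of the Okta, Entra ID and Keycloak patterns listed above), and the file-permission check are assumptions made here, and conf_get, url_host and check_install_conf are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Pre-flight check for oauth2_proxy_install.conf (added example, not shipped with BWeb).
# Reports key names only; the client_secret value is never printed.

# Print the value of KEY from FILE: comment lines are skipped, surrounding quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Host part of a URL: https://host[:port]/path -> host[:port]
url_host() { printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|/.*$||'; }

# Print one line per problem; return 0 only if none were found.
check_install_conf() {
    local f="$1" problems=0 key val issuer logout
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }

    # Assumption: the file holds client_secret, so group and others get no access.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "permissions: $f is accessible to group/others (chmod 600)"
        problems=$((problems + 1))
    fi

    # Assumption: these five keys must all be set for an unattended run.
    for key in address oidc_issuer_url oauth2_logout_url client_id client_secret; do
        val=$(conf_get "$f" "$key")
        if [ -z "$val" ]; then
            echo "$key: missing or empty"; problems=$((problems + 1))
        elif printf '%s' "$val" | grep -Eq '[][]|your-tenant-id|your\.hostname'; then
            echo "$key: template placeholder not replaced"; problems=$((problems + 1))
        fi
    done

    issuer=$(conf_get "$f" oidc_issuer_url)
    logout=$(conf_get "$f" oauth2_logout_url)
    for key in oidc_issuer_url oauth2_logout_url; do
        case $(conf_get "$f" "$key") in
            https://*|"") ;;    # an empty value was already reported above
            *) echo "$key: must use https://"; problems=$((problems + 1)) ;;
        esac
    done
    if [ -n "$issuer" ] && [ -n "$logout" ] && [ "$(url_host "$issuer")" != "$(url_host "$logout")" ]; then
        echo "oauth2_logout_url: host differs from oidc_issuer_url"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Source the file and run `check_install_conf /opt/bweb/etc/oauth2_proxy_install.conf` before starting BIM or install_oauth2_proxy.sh; a non-zero status means at least one problem line was printed.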

Existing BWeb Deployment

For existing BWeb installations, run the OAuth2-Proxy deployment script:

  • Script path: /opt/bweb/bin/install_oauth2_proxy.sh

Before running the script, create /opt/bweb/etc/oauth2_proxy_install.conf as described above. If the file is not present, the script will prompt for each value interactively.

In change-controlled environments, keep a backup of:

  • /opt/bweb/etc/httpd.conf

  • /opt/bweb/etc/oauth2-proxy.cfg

  • /opt/bweb/etc/bweb.conf

Example:

root@server:/opt/bweb/bin# bash install_oauth2_proxy.sh
...
Installing Go and OAuth2 Proxy...
Go and OAuth2 Proxy are installed now
...
Please answer the following questions to configure properly OAuth2 and BWeb:
address set from config: 192.168.1.136
oidc_issuer_url set from config: https://dev-24198306.okta.com/oauth2/default
oauth2_logout_url set from config: https://dev-24198306.okta.com/login/signout
client_id set from config: 0oaoqr389frDSgY5m5d7
client_secret set from config: ****************
configure_firewall set from config: y
restart_services set from config: y
...
OAuth2 Proxy installation and configuration complete.

Additional Configuration Options

The integration is flexible and supports additional customizations. The main configuration files are:

  1. BWeb configuration (via the BWeb UI, or /opt/bweb/etc/bweb.conf). This is where you can adjust the sign-out URL and group-mapping behavior.

  2. Web server configuration: /opt/bweb/etc/httpd.conf.

  3. OAuth2-Proxy configuration: /opt/bweb/etc/oauth2-proxy.cfg (the file is commented to help with further changes).

  4. Role ID association file: /opt/bweb/etc/bweb_external_roles.json (see BWeb Internal Group Matching).

Common customization examples include changing the service port, using different certificates, adjusting cookie timeouts, and tuning log location or verbosity.

Post-Deployment Validation

After installation, validate the integration end-to-end:

  1. Confirm OAuth2-Proxy and BWeb services are running.

  2. Open BWeb and verify redirection to the IdP login page.

  3. Log in with an admin-mapped user and confirm dashboard access.

  4. Log out and confirm redirection to the configured IdP logout URL.

  5. Check logs for token, claim, or redirect warnings.
