Hosting
NGINX
Once the solution is installed via Copy and paste on your server, you can configure a reverse proxy, such as NGINX, to redirect incoming HTTP traffic to the SimpleIdServer solution.
In a Linux environment, three systemd daemons will be installed, each running a different part of the SimpleIdServer solution.
There are three services hosted on different ports :
Service | Port |
---|---|
IdServer | 5001 |
Website | 5002 |
Scim | 5003 |
CredentialIssuer | 5005 |
CredentialIssuerWebsite | 5006 |
They share the same characteristics:
- Hosted under HTTPS.
- They use Forwarded Headers; these HTTP headers are employed to modify the Redirection URL returned by the Discovery endpoint. For example, when the parameter
X-Forwarded-Proto
equals http, the OPENID Well-Known configuration endpoint will return a redirection URL with an http scheme.
You can choose one of the following options to host the solution.
Each service is hosted on a subdomain.
Each service is hosted on a subpath.
Subdomain hosting
In the NGINX configuration, for each service, replicate the server
block with the following content.
Each block corresponds to a subdomain and handles one service.
Replace the <SERVICE_URL>
variable with the URL of your service, and the <SERVICE_NAME>
variable with the name of your service.
For example, for the IdServer service, replace the variables as follows:
Parameter | Value |
---|---|
SERVICE_NAME | openid |
SERVICE_URL | https://localhost:5001 |
DOMAIN | simpleidserver.com |
server {
listen 443 ssl;
listen [::]:443 ssl;
gzip on;
gzip_types text/plain text/css application/xml application/json application/javascript;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
large_client_header_buffers 4 32k;
server_name <SERVICE_NAME>.<DOMAIN>;
ssl_verify_client optional_no_ca;
location / {
proxy_pass <SERVICE_URL>;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_pass_header Set-Cookie;
proxy_pass_request_headers on;
proxy_cache_bypass $http_upgrade;
proxy_cookie_domain localhost $host;
proxy_set_header X-Scheme https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-URL-SCHEME https;
client_max_body_size 1M;
client_body_buffer_size 4096k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 32 256k;
}
}
Subpath hosting
In the NGINX configuration, add one server
block for each service and replicate the location
block with the following content.
For example, for the IdServer service, replace the variables as follows:
Parameter | Value |
---|---|
PATH | openid |
SERVICE_URL | https://localhost:5001 |
DOMAIN | simpleidserver.com |
server {
listen 443 ssl;
listen [::]:443 ssl;
gzip on;
gzip_types text/plain text/css application/xml application/json application/javascript;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
large_client_header_buffers 4 32k;
server_name <DOMAIN>;
ssl_verify_client optional_no_ca;
location /<PATH> {
proxy_pass <SERVICE_URL>;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_pass_header Set-Cookie;
proxy_pass_request_headers on;
proxy_cache_bypass $http_upgrade;
proxy_cookie_domain localhost $host;
proxy_set_header X-Scheme https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-URL-SCHEME https;
client_max_body_size 1M;
client_body_buffer_size 4096k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 32 256k;
}
}
SSL Certificate
An SSL Certificate must be installed on your NGINX Server.
You can use Let's Encrypt to generate SSL Certificates valid for all your domains and/or subdomains.
For example, the following command line generates a certificate valid for three domains:
sudo certbot certonly -d openid.simpleidserver.com -d scim.simpleidserver.com -d website.simpleidserver.com credentialissuer.simpleidserver.com credentialissuerwebsite.simpleidserver.com
Once the certificate is generated, you must update the server
blocks add the ssl_certificate
and ssl_certificate_key
directives.
ssl_certificate /etc/letsencrypt/live/<DOMAIN>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<DOMAIN>/privkey.pem;
Additionally, add a new server block to redirect all HTTP traffic to HTTPS:
server {
listen 80;
server_name <DOMAIN>;
return 301 https://$host$request_uri;
}
For more information about NGINX, you can refer to the official website: https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
Load balancer
If the NGINX server is configured as a load balancer, there is a chance that a user's session may be recognized by one Identity Server instance but not by another. Therefore, you can edit the NGINX configuration to enable sticky sessions. For more information, please refer to the chapter 'Enabling Session Persistence' on the official website: https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/.
IIS
The zip file downloaded from here, contains all of SimpleIdServer's services.
They are ready to be run on IIS, and each of them has a web.config
filer with a reference to the executable service to run.
To deploy the application under IIS, follow these steps:
- Add a new application pool named
SimpleIdServer
. - Enable the
Load User Profile
and check if the identity specified for the application pool is a member of theCryptographic perators
groups. his setting is required; otherwise, you'll encounter cryptographic exceptions such as:
Microsoft.AspNetCore.Server.IIS.Core.IISHttpServer[2]
Connection ID "17942340921349636565", Request ID "800001d7-0001-f900-b63f-84710c7967bb": An unhandled exception was thrown by the application.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CngKey.Import(ReadOnlySpan1 keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider) at System.Security.Cryptography.CngPkcs8.ImportPkcs8(ReadOnlySpan1 keyBlob)
- Add a new
SimpleIdServer
site, select your application pool, and specify the directory of your service.
If the application is deployed on Azure, add the application setting WEBSITE_LOAD_PROFILE
and set its value to 1
.