Version: 10.2

Setting up Authentication via Reverse Proxy using Open iT Identity Server

Recommended reading: Open iT Identity Server

  1. In the Open iT Identity Server installation directory, open appsettings.json. This is by default in C:\Program Files\OpeniT\IdentityServer

  2. Check that the RedirectUris, PostLogoutRedirectUris, and BaseUri fields have correct values. All three must use the same scheme, hostname, and port as the Core Server web interface, because the callback that the Caddy client sends back to the Identity Server has to match the registered RedirectUris entry.

    appsettings.json
    "IdentityServer": {
      "Clients": [
        {
          "Enabled": true,
          "ClientId": "135b2ada-a586-4274-9806-9a3ade3feb63",
          "ClientSecrets": [ { "Value": "fi+ieKPT/oUwUbL8viLk7IbJ0yRf+tkqnVxAFSQ00nM=" } ],
          "ClientName": "Caddy Authentication Client",
          "AlwaysIncludeUserClaimsInIdToken": true,
          "AllowAccessTokensViaBrowser": true,
          "AllowOfflineAccess": true,
          "AllowedGrantTypes": [ "authorization_code" ],
          "AllowedScopes": [ "openid", "profile", "email", "roles", "offline_access" ],
          "RedirectUris": [ "http://<core_server_uri>:<core_server_port>/auth/oauth2/generic/authorization-code-callback" ],
          "PostLogoutRedirectUris": [ "http://<core_server_uri>:<core_server_port>/auth/logout" ],
          "BaseUri": "http://<core_server_uri>:<core_server_port>",
          "RequirePkce": false,
          "AllowPlainTextPkce": false,
          "Icon": "adminportal.svg"
        }
      ]
    },
    NOTE

    Make sure the <core_server_uri> and <core_server_port> placeholders are replaced with the hostname and port of the Core Server (the same <ingress_hostname> and <port_number> used in step 5). The installation usually fills these in out of the box. Use the scheme the browser actually uses to reach the Core Server: if it is served over TLS, all three URIs must start with https://, otherwise the authorization code returned on the callback travels in clear text.

    For example:

    appsettings.json
    "IdentityServer": {
      "Clients": [
        {
          "Enabled": true,
          "ClientId": "135b2ada-a586-4274-9806-9a3ade3feb63",
          "ClientSecrets": [ { "Value": "fi+ieKPT/oUwUbL8viLk7IbJ0yRf+tkqnVxAFSQ00nM=" } ],
          "ClientName": "Caddy Authentication Client",
          "AlwaysIncludeUserClaimsInIdToken": true,
          "AllowAccessTokensViaBrowser": true,
          "AllowOfflineAccess": true,
          "AllowedGrantTypes": [ "authorization_code" ],
          "AllowedScopes": [ "openid", "profile", "email", "roles", "offline_access" ],
          "RedirectUris": [ "http://DESKTOP123WIN:8080/auth/oauth2/generic/authorization-code-callback" ],
          "PostLogoutRedirectUris": [ "http://DESKTOP123WIN:8080/auth/logout" ],
          "BaseUri": "http://DESKTOP123WIN:8080",
          "RequirePkce": false,
          "AllowPlainTextPkce": false,
          "Icon": "adminportal.svg"
        }
      ]
    },
  3. Update the Authentications section, and remove the double slashes (//) that comment out the lines under Connections. While the slashes are present the connection is ignored and no LDAP login is possible.

    appsettings.json
    "Authentications": {
      "LDAP": {
        "IncludeLdapGroups": true,
        "Connections": [
          {
            "FriendlyName": "MyLdap",
            "Url": "10.0.0.1",
            "Ssl": false,
            "Port": 389,
            "BindDn": "CN=<demo>,CN=<demo>,DC=<demo>,DC=<demo>,DC=<demo>",
            "BindCredentials": "Pass123!",
            "SearchBase": "CN=Users,DC=<demo>,DC=<demo>,DC=<demo>",
            "SearchFilter": "(&(objectClass=User)(objectClass=Person)(uid={0}))"
          }
        ]
      }
    },
    Property          Description
    FriendlyName      Unique name of the LDAP connection.
    Url               Hostname or IP address of the LDAP server (the Active Directory domain or a domain controller).
    Ssl               Whether the connection uses SSL/TLS. The default is false, which sends the bind password in clear text.
    Port              Port used for LDAP. The default is 389 (plain LDAP); LDAP over SSL normally uses 636.
    BindDn            Distinguished name of the account the Identity Server binds with to search the directory.
    BindCredentials   Password of the account specified in BindDn.
    SearchBase        Where the search for user account entries starts in the directory structure. Usually the same as the last four components of BindDn.
    SearchFilter      LDAP filter used to find the entry of the user logging in. {0} is replaced with the login name, so the attribute it matches (uid in the template) must be one your directory actually populates.

    For example:

    appsettings.json
    "Authentications": {
      "LDAP": {
        "IncludeLdapGroups": true,
        "Connections": [
          {
            "FriendlyName": "Open iT LDAP",
            "Url": "host557win.svg.openit.local",
            "Ssl": false,
            "Port": 389,
            "BindDn": "CN=Bob The Builder,CN=Users,DC=svg,DC=openit,DC=local",
            "BindCredentials": "Pass123!",
            "SearchBase": "CN=Users,DC=svg,DC=openit,DC=local",
            "SearchFilter": "(&(objectClass=User)(objectClass=Person)(uid={0}))"
          }
        ]
      }
    },
  4. Open the Task Manager, go to the Services tab, then restart the OpeniTIdentityServer service.

  5. On a browser, go to http(s)://<ingress_hostname>:<port_number>.

    • <ingress_hostname> - hostname of the machine where Ingress is installed
    • <port_number> - port number used by the Apache web service; this is specified during the Ingress installation
  6. On the login page, provide valid credentials, then click Login.

    Login

    Change the password if you are logging in for the first time.

    Change Password

  7. On the Core Server web interface, go to Administration > Settings, then scroll down to the Authentication Settings.

    Administration Settings

  8. Change the Authentication Type value to Authentication via Reverse Proxy, then click Save.

    Change Authentication Type

    Wait for the page to redirect to the login page while the Caddy server restarts.

    Change Authentication Manager
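The script below is an added example, not Open iT's own code or tooling. It checks an appsettings.json for the mistakes steps 2 and 3 are meant to prevent before you restart the service in step 4: placeholders such as <core_server_uri> or <demo> left in place, RedirectUris or PostLogoutRedirectUris that do not sit on the BaseUri origin, and a Connections array that is still empty because the "//" lines were never uncommented. It also raises the warnings a reviewer would raise on the template as printed here (http:// URIs, RequirePkce false, the client secret and an unencrypted LDAP bind). The TEMPLATE string and EXAMPLE_VALUES are constructed from the fragments on this page; on a real host you would load the file from the installation directory instead.

```python
"""Pre-restart check for an Open iT Identity Server appsettings.json.

Added example, not part of the Open iT product or its documentation. It encodes
the checks behind steps 2 and 3 (placeholders replaced, the client's three URIs
on one Core Server origin, the LDAP connection actually uncommented) plus the
clear-text warnings a reviewer would raise. The sample is constructed from the
template on this page; on a real host read appsettings.json from the install dir.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the shipped template, placeholders still in place and the
# LDAP connection still commented out with "//" as described in step 3.
TEMPLATE = r'''{
  "IdentityServer": { "Clients": [ {
    "ClientId": "135b2ada-a586-4274-9806-9a3ade3feb63",
    "ClientSecrets": [ { "Value": "fi+ieKPT/oUwUbL8viLk7IbJ0yRf+tkqnVxAFSQ00nM=" } ],
    "RedirectUris": [ "http://<core_server_uri>:<core_server_port>/auth/oauth2/generic/authorization-code-callback" ],
    "PostLogoutRedirectUris": [ "http://<core_server_uri>:<core_server_port>/auth/logout" ],
    "BaseUri": "http://<core_server_uri>:<core_server_port>",
    "RequirePkce": false
  } ] },
  "Authentications": { "LDAP": { "IncludeLdapGroups": true, "Connections": [
//    {
//      "FriendlyName": "MyLdap",
//      "Url": "10.0.0.1",
//      "Ssl": false,
//      "Port": 389,
//      "BindDn": "CN=<demo>,CN=<demo>,DC=<demo>,DC=<demo>,DC=<demo>",
//      "BindCredentials": "Pass123!",
//      "SearchBase": "CN=Users,DC=<demo>,DC=<demo>,DC=<demo>",
//      "SearchFilter": "(&(objectClass=User)(objectClass=Person)(uid={0}))"
//    }
  ] } }
}'''

# The page's worked-example values, keyed by the template text they replace.
EXAMPLE_VALUES = {
    "<core_server_uri>": "DESKTOP123WIN",
    "<core_server_port>": "8080",
    "CN=<demo>,CN=<demo>,DC=<demo>,DC=<demo>,DC=<demo>": "CN=Bob The Builder,CN=Users,DC=svg,DC=openit,DC=local",
    "CN=Users,DC=<demo>,DC=<demo>,DC=<demo>": "CN=Users,DC=svg,DC=openit,DC=local",
}
DOC_EXAMPLE_SECRET = "fi+ieKPT/oUwUbL8viLk7IbJ0yRf+tkqnVxAFSQ00nM="
PLACEHOLDER = re.compile(r"<[a-z_]+>")


def load_appsettings(text):
    """Parse like the .NET configuration reader: whole-line '//' comments are
    dropped, so a connection that is still commented out simply disappears."""
    kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    return json.loads("\n".join(kept))


def apply_steps_2_and_3(text, values=EXAMPLE_VALUES):
    """Substitute real values for the placeholders, then strip the leading '//'."""
    for old, new in values.items():
        text = text.replace(old, new)
    return "\n".join(re.sub(r"^(\s*)//", r"\1", ln) for ln in text.splitlines())


def origin(url):
    """Scheme and host:port of a URL; all three client URIs must share one origin."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower())


def check_appsettings(cfg):
    """Return (errors, warnings); no errors means the file is ready for step 4."""
    errors, warnings = [], []
    for bad in sorted(set(PLACEHOLDER.findall(json.dumps(cfg)))):
        errors.append(f"placeholder {bad} not replaced")
    for client in cfg["IdentityServer"]["Clients"]:
        base = client["BaseUri"]
        for key in ("RedirectUris", "PostLogoutRedirectUris"):
            for uri in client[key]:
                if origin(uri) != origin(base):
                    errors.append(f"{key} {uri} is not on the BaseUri origin {base}")
        if origin(base)[0] != "https":
            warnings.append("BaseUri is http: the authorization code and session cookie cross the wire in clear")
        if not client.get("RequirePkce", False):
            warnings.append(f"client {client['ClientId']}: RequirePkce is false")
        if any(s["Value"] == DOC_EXAMPLE_SECRET for s in client["ClientSecrets"]):
            warnings.append("ClientSecret equals the value printed in the documentation; rotate it")
    conns = cfg["Authentications"]["LDAP"]["Connections"]
    if not conns:
        errors.append("LDAP Connections is empty: the entry is still commented out (step 3)")
    for c in conns:
        if "{0}" not in c["SearchFilter"]:
            errors.append(f"{c['FriendlyName']}: SearchFilter has no {{0}} slot for the login name")
        if not c["Ssl"]:
            warnings.append(f"{c['FriendlyName']}: Ssl is false, BindCredentials go to port {c['Port']} in clear")
    return errors, warnings


if __name__ == "__main__":
    for label, text in (("as shipped", TEMPLATE), ("after steps 2-3", apply_steps_2_and_3(TEMPLATE))):
        errors, warnings = check_appsettings(load_appsettings(text))
        print(f"== {label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("  -", line)
```

Run as shipped, the template produces three errors (two unreplaced placeholders and an empty Connections array) and stops there; after the worked-example values are filled in and the slashes removed, the errors disappear and only the warnings remain, which is exactly the state of the example printed on this page. Treat an empty error list as the go-ahead for step 4, and treat the warnings as the items to revisit before exposing the Core Server beyond a test machine.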