Connect2id server deployment checklist

These are the minimum required steps to setup a Connect2id server for use in production:

  1. Generate a new JSON Web Key (JWK) set for the Connect2id server to cryptographically secure the issued tokens and other objects.

  2. Set the URL which identifies the Connect2id server as an OpenID provider and OAuth 2.0 authorisation server.

  3. Set the URL of the login page for your Connect2id server.

  4. Set the URL of the logout confirmation page if you have one.

  5. Generate the master tokens for the Connect2id server web APIs and save their SHA-256 hashes in the configuration. Each token must consist of at least 32 random characters. On Linux you can generate a token with pwgen 32 and compute its hash with sha256sum

    Script to generate a 32 character token and compute its SHA-256 hash in hex:

    #! /bin/sh
    TOKEN=`pwgen 32 1`
    echo "Access token: $TOKEN"
    TOKEN_SHA256=`echo -n $TOKEN | sha256sum`
    echo "Access token SHA-256: $TOKEN_SHA256"
  6. Set the maximum expected length of the local user IDs, needed for the computation of pairwise subject IDs.

  7. Set up a database for the Connect2id server to persist its own data, such as client registrations and authorisations.

  8. Provide the details of your OpenID claims source(s), needed for the UserInfo endpoint. The Connect2id server comes with ready connectors for sourcing user attributes from an LDAP directory or an HTTP endpoint. If you intend to use a different source create your own connector.

  9. Deploy to a DMZ if the client applications are going to access the Connect2id server from the Internet (recommended).

If you intend to support the FAPI security profiles several extra configurations are needed.