Connect2id

Deployment checklist

These are the minimum required steps to set up a Connect2id server for use in production:

  1. Generate a new JSON Web Key (JWK) set for the Connect2id server to cryptographically secure the tokens it issues as well as other objects.

  2. Set the URL which identifies the Connect2id server as an OpenID provider and OAuth 2.0 authorisation server.

  3. Set the URL of the login page for the Connect2id server.

  4. Set the URL of the logout page, if one is required.

  5. Generate the master tokens for the Connect2id server web APIs and save their SHA-256 hashes (not the tokens themselves) in the configuration. Each token must consist of at least 32 random characters. On Linux you can generate a token with pwgen -s 32 1 and compute its hash with sha256sum.

    Script to generate a 32 character token and compute its SHA-256 hash in hex:

    #! /bin/sh
    # -s makes pwgen produce fully random characters instead of pronounceable ones
    TOKEN=$(pwgen -s 32 1)
    echo "Access token: $TOKEN"
    # printf avoids the trailing newline echo may add to the hashed input;
    # cut drops the " -" suffix sha256sum appends to the hex digest
    TOKEN_SHA256=$(printf '%s' "$TOKEN" | sha256sum | cut -d' ' -f1)
    echo "Access token SHA-256: $TOKEN_SHA256"
    
  6. Set the maximum expected length of the local user IDs, required for the computation of pairwise subject IDs.

  7. Set up a database for the Connect2id server to persist its own data, such as client registrations and authorisations.

  8. Connect one or more OpenID claims sources, required for the UserInfo endpoint. The Connect2id server comes with ready-made connectors for sourcing user attributes from an LDAP directory, an HTTP endpoint or the user session object. To use a different source, create your own connector.

  9. Deploy to a DMZ if the client applications are going to access the Connect2id server from the Internet (recommended).
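
The following script is an added example, not part of the Connect2id documentation or product. It covers step 5 end to end: it generates a master token without depending on pwgen, enforces the 32 character minimum, derives the SHA-256 hex hash that goes into the configuration, and shows the verification side, i.e. how a server holding only the hash checks a token presented by an API caller. It assumes GNU coreutils (sha256sum, tr, head, cut) and /dev/urandom; the function names and the MIN_TOKEN_LEN constant are the example's own.

```shell
#!/bin/sh
# Added example (not Connect2id's own code). Generate a master token for a
# Connect2id web API, derive the SHA-256 hash stored in the configuration,
# and verify a presented token against that stored hash.
# Assumes GNU coreutils and /dev/urandom.

MIN_TOKEN_LEN=32

# Print a token of $1 (default 32) alphanumeric characters read from
# /dev/urandom. 32 symbols from a 62-character alphabet is roughly 190 bits
# of entropy. LC_ALL=C keeps tr working on raw bytes regardless of locale.
gen_token() {
    len=${1:-$MIN_TOKEN_LEN}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Print the lowercase hex SHA-256 of $1. printf (not echo) so no newline is
# added to the hashed input; cut drops the " -" suffix sha256sum prints.
token_sha256() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Enforce the checklist's minimum length. Returns 0 if acceptable, 1 if not.
check_token_length() {
    [ "${#1}" -ge "$MIN_TOKEN_LEN" ]
}

# Verify a presented token ($1) against a stored hash ($2): hash the
# presented value and compare, so the plaintext token never needs to be
# stored. Note the shell's string comparison is not constant-time; a real
# verifier must use a constant-time compare (e.g. MessageDigest.isEqual in
# Java) to avoid leaking the hash through timing.
verify_token() {
    presented_hash=$(token_sha256 "$1")
    [ "$presented_hash" = "$2" ]
}

# Stand-alone use: emit a new token and the hash to paste into the config.
TOKEN=$(gen_token)
check_token_length "$TOKEN" || { echo "generated token too short" >&2; exit 1; }
TOKEN_HASH=$(token_sha256 "$TOKEN")
echo "Master token (give only to API callers, never store it): $TOKEN"
echo "SHA-256 hash for the Connect2id configuration:          $TOKEN_HASH"
```

The hash in the configuration is all the server needs: a caller presents the token, the server recomputes SHA-256 over it and compares with the stored digest. Because the digest is not secret-equivalent to the token only while the token itself has enough entropy, the length check matters as much as the hashing.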

If you intend to support the FAPI security profiles, several extra configuration settings are required.