Connect2id server deployment checklist

The following steps describe the minimum configuration required to run a Connect2id server deployment in production.

  1. Enable production mode

    Set the Java system property env to prod. This enables additional configuration and security checks when the server starts.

    -Denv=prod
    
  2. Generate the key store encryption key

    Generate an AES key to encrypt sensitive material in the Connect2id server key store (since v17.0).

    Deployments using the static key store mode must also manually generate a new server JWK set with the provided tool.

  3. Set the server issuer URL

    Configure the issuer URL that identifies the Connect2id server as an OpenID provider and OAuth 2.0 authorisation server.

  4. Configure the login page URL

    Set the URL of the login page used by the Connect2id server to authenticate users.

  5. Configure the logout page URL

    If logout functionality is required, configure the URL of the logout page.

  6. Generate master tokens for the server web APIs

    Generate master access tokens for the Connect2id server web APIs and store their SHA-256 hashes (in hex) in the configuration.

    Each token must consist of at least 32 random characters.

    On Linux, a token can be generated with pwgen and hashed with sha256sum:

    #!/bin/sh
    TOKEN=$(pwgen 32 1)
    echo "Access token: $TOKEN"
    # printf avoids the non-portable "echo -n"; cut drops the trailing " -" that sha256sum appends
    TOKEN_SHA256=$(printf '%s' "$TOKEN" | sha256sum | cut -d ' ' -f 1)
    echo "Access token SHA-256: $TOKEN_SHA256"
    
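The script below is an added example, not part of the Connect2id distribution, that performs the same step without depending on pwgen: it mints a token of at least 32 random alphanumeric characters from /dev/urandom, checks the length requirement before accepting it, and computes the bare hex SHA-256 digest that is stored in the configuration (the digest only, so the plaintext token never needs to be kept on the server side).

```sh
#!/bin/sh
# Added example: master token generation and hashing for the Connect2id web APIs.
# The function names are this example's own; the 32-character minimum comes from the checklist.

MIN_TOKEN_LENGTH=32

# Print a random token of the given length (default 32) using only [A-Za-z0-9],
# sourced from the kernel CSPRNG.
generate_token() {
    length="${1:-$MIN_TOKEN_LENGTH}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$length"
}

# Return 0 if the token meets the minimum length, 1 otherwise.
check_token_length() {
    [ "${#1}" -ge "$MIN_TOKEN_LENGTH" ]
}

# Print the hex SHA-256 digest of the argument, with no trailing newline
# and without the " -" filename field that sha256sum appends.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

# Demo: mint one token, refuse it if too short, and show the value to configure.
TOKEN=$(generate_token)
if ! check_token_length "$TOKEN"; then
    echo "Refusing token shorter than $MIN_TOKEN_LENGTH characters" >&2
    exit 1
fi
echo "Access token (hand to the API caller, do not store): $TOKEN"
echo "Access token SHA-256 (put this in the configuration): $(sha256_hex "$TOKEN")"
```

Because the server holds only the hash, a leaked configuration file does not by itself yield a usable master token; the plaintext must be distributed to the calling service out of band and rotated by regenerating the pair.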
  7. Configure the expected local user ID length

    Set the maximum expected length of local subject identifiers.

    This parameter is required for computing pairwise subject identifiers.

  8. Configure persistent storage

    Set up a database for the Connect2id server to persist its data, such as client registrations, authorisation records and session data.

  9. Configure user claims (attribute) sources

    Configure one or more OpenID claims sources.

    The Connect2id server includes ready-to-use connectors for:

    Other sources can be integrated by implementing a custom claims source connector.

  10. Deploy the server in a secure network zone

    Deploy to a DMZ if the client applications are going to access the Connect2id server from the Internet (recommended).

To support a FAPI security profile, additional configuration is required.