IdentityServer support for disabling SSL for proxy server and load balancing scenarios
October 23, 2013
By default, IdentityServer requires SSL (for obvious reasons). But there are scenarios where IdentityServer might be deployed behind a load balancer or proxy server. In those situations it might be desirable to relax the SSL requirement in IdentityServer. I’m pleased to announce that this is now supported (with some configuration). You can read the details of the configuration in the docs.
Enjoy.
8 Comments
When will the next release of the IdentityServer be available that will incorporate this functionality?
Well, it’s checked in so you can always grab the latest. But if you want an official version, then I’ll get Dominick to put a label/tag/release on the code and you can pull from that.
An official version release sounds like a good idea. That would help to officialize this functionality with a release number.
Thank you, Mr. Allen.
Release 2.3 is now official: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/releases
Reblogged this on http://www.leastprivilege.com and commented:
Available here: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/releases/tag/v2.3
The DisableSSL flag removes the redirect filter, but what about the cookies? My goal is to set up a dev env without SSL, and I found that to get this working I had to set requireSsl="false" on the federationConfiguration cookieHandler in identityServices.config. This works great for signing in and SSO, but then there is the cookie holding global sign out endpoints. This is not configurable. Could it not be set to the same configuration value? I think these cookies should follow the same security settings.
See my related issue: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/812
I guess this works behind a load balancer terminating SSL, but it would be nice if we could configure it for dev, with no SSL at all.
Yes, good points and thanks for submitting an issue on github — we’ll track it there.
I added a pull request with a simple suggested solution. :-)