
IdentityServer support for disabling SSL for proxy server and load balancing scenarios

October 23, 2013

By default, IdentityServer requires SSL (for obvious reasons). But there are scenarios where IdentityServer might be deployed behind a load balancer or proxy server. In those situations it might be desirable to relax the SSL requirement in IdentityServer. I’m pleased to announce that this is now supported (with some configuration). You can read the details of the configuration in the docs.

Enjoy.

8 Comments
  1. Sam
    October 23, 2013 1:14 pm

    When will the next release of the IdentityServer be available that will incorporate this functionality?

  2. October 14, 2014 1:02 pm

    The DisableSSL flag removes the redirect filter, but what about the cookies? My goal is to set up a dev env without SSL, and I found that to get this working I had to set requireSsl="false" on the federationConfiguration cookieHandler in identityServices.config. This works great for signing in and SSO, but then there is the cookie holding global sign out endpoints. This is not configurable. Could it not be set to the same configuration value? I think these cookies should follow the same security settings.

    See my related issue: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/812

    I guess this works behind a load balancer terminating SSL, but it would be nice if we could configure it for dev, with no SSL at all.

    • October 17, 2014 9:22 am

      Yes, good points and thanks for submitting an issue on github — we’ll track it there.

      • Hans Arne
        October 17, 2014 9:30 am

        I added a pull request with a simple suggested solution. :-)
