# Setting up Authentication via Reverse Proxy using Open iT Identity Server

Recommended reading: Open iT Identity Server

1. In the Open iT Identity Server installation directory, open appsettings.json. This is by default in C:\Program Files\OpeniT\IdentityServer

2. Check that the RedirectUris, PostLogoutRedirectUris, and BaseUri fields have correct values.

   appsettings.json

   18|"IdentityServer": {
   19|    "Clients": [
   20|    {
   21|        "Enabled": true,
   22|        "ClientId": "135b2ada-a586-4274-9806-9a3ade3feb63",
   23|        "ClientSecrets": [ { "Value": "fi+ieKPT/oUwUbL8viLk7IbJ0yRf+tkqnVxAFSQ00nM=" } ],
   24|        "ClientName": "Caddy Authentication Client",
   25|        "AlwaysIncludeUserClaimsInIdToken": true,
   26|        "AllowAccessTokensViaBrowser": true,
   27|        "AllowOfflineAccess": true,
   28|        "AllowedGrantTypes": [ "authorization_code" ],
   29|        "AllowedScopes": [ "openid", "profile", "email", "roles", "offline_access" ],
   30|        "RedirectUris": [ "http://<core_server_uri>:<core_server_port>/auth/oauth2/generic/authorization-code-callback" ],
   31|        "PostLogoutRedirectUris": [ "http://<core_server_uri>:<core_server_port>/auth/logout" ],
   32|        "BaseUri": "http://<core_server_uri>:<core_server_port>",
   33|        "RequirePkce": false,
   34|        "AllowPlainTextPkce": false,
   35|        "Icon": "adminportal.svg"
   36|    }
   37|    ]
   38|},    

   Make sure the <core_server_uri> and <core_server_port> are properly replaced. This is usually provided out of the box.

   For example:

   appsettings.json

   18|"IdentityServer": {
   19|    "Clients": [
   20|    {
   21|        "Enabled": true,
   22|        "ClientId": "135b2ada-a586-4274-9806-9a3ade3feb63",
   23|        "ClientSecrets": [ { "Value": "fi+ieKPT/oUwUbL8viLk7IbJ0yRf+tkqnVxAFSQ00nM=" } ],
   24|        "ClientName": "Caddy Authentication Client",
   25|        "AlwaysIncludeUserClaimsInIdToken": true,
   26|        "AllowAccessTokensViaBrowser": true,
   27|        "AllowOfflineAccess": true,
   28|        "AllowedGrantTypes": [ "authorization_code" ],
   29|        "AllowedScopes": [ "openid", "profile", "email", "roles", "offline_access" ],
   30|        "RedirectUris": [ "http://MNL3174WIN:8080/auth/oauth2/generic/authorization-code-callback" ],
   31|        "PostLogoutRedirectUris": [ "http://MNL3174WIN:8080/auth/logout" ],
   32|        "BaseUri": "http://MNL3174WIN:8080",
   33|        "RequirePkce": false,
   34|        "AllowPlainTextPkce": false,
   35|        "Icon": "adminportal.svg"
   36|    }
   37|    ]
   38|},    

3. Update the Authentications section properly, and remove the double slashes (//) at the beginning of the lines under Connections.

   appsettings.json

   39|"Authentications": {
   40|    "LDAP": {
   41|        "IncludeLdapGroups": true,
   42|        "Connections": [
   43|            {
   44|            "FriendlyName": "MyLdap",
   45|            "Url": "10.0.0.1",
   46|            "Ssl": false,
   47|            "Port": 389,
   48|            "BindDn": "CN=<demo>,CN=<demo>,DC=<demo>,DC=<demo>,DC=<demo>",
   49|            "BindCredentials": "Pass123!",
   50|            "SearchBase": "CN=Users,DC=<demo>,DC=<demo>,DC=<demo>",
   51|            "SearchFilter": "(&(objectClass=User)(objectClass=Person)(uid={0}))"
   52|            }
   53|        ]
   54|    }
   55|},

   • FriendlyName - unique name of the LDAP connection
   • Url - Active Directory domain
   • Ssl - status of the SSL (whether enabled or disabled). The default value is false.
   • Port - port for LDAP. The default is 389.
   • BindDn - contains the credentials to be bound inside the LDAP
   • BindCredentials - password of the specified username in BindDn
   • SearchBase - specified where the search starts in the Active Directory structure for user account entries. Usually has the same value as the last four entries in BindDn.
   
   

   For example:

   appsettings.json

   39|"Authentications": {
   40|    "LDAP": {
   41|        "IncludeLdapGroups": true,
   42|        "Connections": [
   43|            {
   44|            "FriendlyName": "Open iT LDAP",
   45|            "Url": "svg101win.svg.openit.local",
   46|            "Ssl": false,
   47|            "Port": 389,
   48|            "BindDn": "CN=Bob The Builder,CN=Users,DC=svg,DC=openit,DC=local",
   49|            "BindCredentials": "Pass123!",
   50|            "SearchBase": "CN=Users,DC=svg,DC=openit,DC=local",
   51|            "SearchFilter": "(&(objectClass=User)(objectClass=Person)(uid={0}))"
   52|            }
   53|        ]
   54|    }
   55|},

4. Open the Task Manager, go to the Services tab, then restart the OpeniTIdentityServer service.

5. On a browser, go to http(s)://<core_server_uri>:<core_server_port>.

   • <core_server_uri> - hostname of the machine with Core Server installation
   • <core_server_port> - port number used by the Apache web service; this is specified upon installation
   
   

6. On the login page, provide valid credentials, then click Login.

   

   Core Server Login
   
   

   Change the password if you are logging in for the first time.

   

   Core Server Change Password
   
   

7. On the Core Server web interface, go to Administration > Settings, then scroll down to the Authentication Settings.

   

   Core Server Administration Settings
   
   

8. Change the Authentication Type value to Authentication via Reverse Proxy, then click Save.

   

   Core Server Change Authentication Type
   
   

   Wait for the page to redirect to the login page while the Caddy server restarts.

   

   Core Server Change Authentication Manager