Operating scenarios
This page describes the different operating scenarios that are possible with the Identity Service in combination with con terra Technologies products and which settings must be configured for them.
Identical hostname
In this scenario the Identity Service and the con terra Technologies product (for example map.apps) run on the same host under different paths.
Examples:
- Identity Service: https://www.example.com/identity
- map.apps: https://www.example.com/mapapps
This scenario does not require any special configuration changes in either the Identity Service or the con terra Technologies product.
Different hostnames under one domain
You can connect the Identity Service with con terra Technologies products that are reachable under a different hostname but under the same domain.
Example:
- Identity Service is reachable at https://identity.example.com.
- map.apps is reachable at https://mapapps.example.com.
Follow the instructions in Cookie configuration and Client configuration when you use different hostnames.
Cookie configuration
To connect a con terra Technologies product, for example map.apps, with an Identity Service that is reachable under a different hostname but under the same domain, you must configure the cookie settings in the Identity Service so that the browser also sends the authentication cookie to the product. Check the following configuration settings:
- If you have not configured a cookie domain in the Identity Service so far, the browser only sends the cookie to the host through which the Identity Service was reached, for example identity.example.com. Configure the shared cookie domain in the Identity Service in this case, for example example.com. Check the value of security.session.cookieDomain in the Identity Service and adjust it if needed:
  application.properties
  security.session.cookieDomain=example.com
- If you explicitly configure the cookie name in the Identity Service and it does not have the default value ctIDENTITY, you must specify it in the product accordingly. Check the value of security.session.cookieName in the Identity Service and set the configuration property security.session.cookieName in the product to the same value.
Client configuration
This step is only necessary if the product that you want to connect with the Identity Service acts as a client. It ensures that the client can obtain tokens from the Identity Service and forward them to trusted services.
To configure a product as a client, set the following settings in the application.properties of the Identity Service:
security.login.redirect.trusted.hosts=mapapps.example.com
cors.allowed.origins=https://mapapps.example.com
Replace mapapps.example.com with the hostname of the product that acts as the client.
If you configure a con terra Technologies product as a client, additionally set the following configuration setting in the product:
cors.request.trustedServers=https://identity.example.com
Replace identity.example.com with the actual hostname of the Identity Service.
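The following consistency check for the cookie and client settings described above is an added example, not code from con terra or its products. The function names are hypothetical, and it assumes that multi-value properties are comma-separated and that the product's cookie name also defaults to ctIDENTITY.

```python
from urllib.parse import urlsplit

DEFAULT_COOKIE_NAME = "ctIDENTITY"  # default value named on this page

def parse_properties(text):
    """Parse the key=value lines of an application.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def _values(props, key):
    # Assumption: several values are given as a comma-separated list.
    return {v.strip().rstrip("/") for v in props.get(key, "").split(",") if v.strip()}

def _origin(url):
    return "{0.scheme}://{0.netloc}".format(urlsplit(url))

def check_scenario(identity_url, product_url, identity_props, product_props, is_client=True):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    id_host, prod_host = urlsplit(identity_url).hostname, urlsplit(product_url).hostname
    if id_host == prod_host:
        return findings  # identical hostname: no special configuration required
    domain = identity_props.get("security.session.cookieDomain", "").lstrip(".").lower()
    if not domain:
        findings.append(f"cookieDomain not set: cookie is only sent to {id_host}")
    else:
        for host in (id_host, prod_host):
            if host != domain and not host.endswith("." + domain):
                findings.append(f"cookieDomain {domain} does not cover {host}")
    id_name = identity_props.get("security.session.cookieName", DEFAULT_COOKIE_NAME)
    prod_name = product_props.get("security.session.cookieName", DEFAULT_COOKIE_NAME)
    if id_name != prod_name:
        findings.append(f"cookieName mismatch: {id_name} vs {prod_name}")
    if is_client:  # client settings only apply when the product acts as a client
        if prod_host not in _values(identity_props, "security.login.redirect.trusted.hosts"):
            findings.append("product host missing from security.login.redirect.trusted.hosts")
        if _origin(product_url) not in _values(identity_props, "cors.allowed.origins"):
            findings.append("product origin missing from cors.allowed.origins")
        if _origin(identity_url) not in _values(product_props, "cors.request.trustedServers"):
            findings.append("Identity Service origin missing from cors.request.trustedServers")
    return findings

# Constructed sample: the page's example hosts with none of the settings applied yet.
print(check_scenario("https://identity.example.com", "https://mapapps.example.com", {}, {}))
```

A cookie scoped to example.com is sent by the browser to every host under that domain, so choose the narrowest shared domain that covers both hostnames.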