2.4 Configuring the server settings

This section contains information on configuring the server settings in the appsettings.Production.json file.

2.4.1 FIDO configuration file options

The server settings are derived from the value you provided for the MyID Server URL in the MyID installation program, and are initially stored in the appsettings.json file. If you need to change these settings, you can edit the appsettings.Production.json file to override the settings in the appsettings.json file.

Note: If you subsequently install or upgrade MyID again and provide a different value for the MyID Server URL in the MyID installation program, and you have set the Origin, Origins, or ServerDomain options in the appsettings.Production.json file, the value you enter in the installation program is ignored for those options: the installation program never updates the appsettings.Production.json file, and that file always takes precedence over the appsettings.json file.

For example: web.oauth2 is running on https://myid.customer.com

In this case, set Origin to https://myid.customer.com and ServerDomain to myid.customer.com – this allows tokens to be registered on the myid.customer.com domain so that they can authenticate only on myid.customer.com.

Alternatively: you intend to register FIDO tokens in web.oauth2 on https://customer.com and for those tokens to authenticate to that instance of MyID, but that instance of MyID is also reachable through a sub-domain, https://subdomain.customer.com.

In this case, on web.oauth2 set the Origins to:

["https://customer.com","https://subdomain.customer.com"]

This allows authentication on either of those origins. Then set ServerDomain to:

customer.com

That is, the registrable domain suffix, which means that the FIDO token can be used to authenticate on the customer.com domain or any sub-domain of customer.com, provided that the origin in use is also listed in the Origin or Origins option.

2.4.2 Single origin

To configure the server settings for a single origin:

  1. As an administrator, open the appsettings.Production.json file in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. Edit the file to include the following:

    {
        "Fido":{
            "Config":{
                "Origin":"https://<server>:<port>",
                "ServerDomain":"<server>"
            }
        }
    }

    where:

    • <server> – the name of the server to which users will authenticate.

    • <port> – optionally, the port to which users will authenticate, if you are using a non-standard HTTPS port.

    You must add the Origin and ServerDomain to any existing entries in the Fido:Config section. Your appsettings.Production.json file may already contain commented-out entries for these values; remove the double-slash // to uncomment the entries.

    Important: The Origin and ServerDomain options are case sensitive, and must be consistent with the casing of the DNS Name in the web server's TLS certificate.

    For example:

    {
      "Fido":{
        "Config":{
          "Origin": "https://myserver.example.com:30443",
          "ServerDomain": "myserver.example.com"
        }
      }
    }
  3. Save the appsettings.Production.json file.
  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

2.4.3 Multiple origins

MyID has support for multiple origins, where multiple sub-domains of a registrable domain can be used for authentication.

To configure the server settings for multiple origins:

  1. As an administrator, open the appsettings.Production.json file in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. Edit the file to include the following:

    {
      "Fido":{
        "Config":{
          "Origins":["https://<server>:<port>", "https://<subdomain1>:<port>", "https://<subdomain2>:<port>" ... ],
          "ServerDomain":"<server>"
        }
      }
    }

    where:

    • <server> – the registrable domain (for example, customer.com) of which the listed origins are sub-domains; this is the value used for ServerDomain.

    • <subdomainx> – each sub-domain of <server> that is allowed to authenticate. Each entry in Origins must be a full origin: the https scheme, the host name, and the port if it is non-standard.

    • <port> – optionally, the port to which users will authenticate, if you are using a non-standard HTTPS port.

    Important: The Origins and ServerDomain options are case sensitive, and must be consistent with the casing of the DNS Name in the web server's TLS certificate.

  3. Save the appsettings.Production.json file.
  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

Note: If Origins is specified then it overrides any value in Origin.
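The following PowerShell script is an added example, not a tool shipped with MyID or taken from the product documentation. It carries out the procedures in 2.4.2 and 2.4.3 in one go and enforces the rules from 2.4.1 before it writes anything: each origin must be https with no path, its host must be ServerDomain or a sub-domain of it, and comparisons are case sensitive. The default install path, the app pool name, the WebAdministration module and the script name are assumptions; the sample values (customer.com and its sub-domain) are the ones from 2.4.1.

```powershell
# Added example, not part of the MyID product or its documentation: writes the Fido:Config
# override into appsettings.Production.json (creating the file if needed and keeping any
# other entries), validates the values against the rules in 2.4.1, and recycles the app pool.
# Assumptions: default install path, the IIS WebAdministration module, and that an existing
# file is plain JSON (Windows PowerShell 5.1 rejects // comment lines; remove them first).
#Requires -RunAsAdministrator
param(
    [string]   $Path         = 'C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json',
    [string]   $ServerDomain = 'customer.com',   # registrable domain suffix shared by all origins
    [string[]] $Origins      = @('https://customer.com', 'https://subdomain.customer.com'),
    [string]   $AppPool      = 'myid.web.oauth2.pool'
)
$ErrorActionPreference = 'Stop'

# ServerDomain must be a bare DNS name with at least one label below the TLD. This is a
# simplified guard (it does not consult the public suffix list), not the product's own check.
if ($ServerDomain -cnotmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "ServerDomain '$ServerDomain' must be a bare DNS name such as customer.com"
}

# Each origin must be https, host only (optional port, no path or trailing slash), and its host
# must be ServerDomain or a sub-domain of it. Comparisons are ordinal because the options are
# case sensitive; System.Uri lower-cases Host, so the host is taken from the raw string instead.
foreach ($origin in $Origins) {
    if ($origin -cmatch '^https://([A-Za-z0-9.-]+)(:\d{1,5})?$') { $hostName = $Matches[1] }
    else { throw "Origin '$origin' must look like https://host or https://host:port" }
    $isDomain    = $hostName -ceq $ServerDomain
    $isSubDomain = $hostName.EndsWith(".$ServerDomain", [System.StringComparison]::Ordinal)
    if (-not ($isDomain -or $isSubDomain)) {
        throw "Origin '$origin' is not $ServerDomain or a sub-domain of it (check casing too)"
    }
}

# Load the override file, or start an empty document if it does not exist yet.
$raw    = if (Test-Path -LiteralPath $Path) { Get-Content -LiteralPath $Path -Raw } else { $null }
$config = if ([string]::IsNullOrWhiteSpace($raw)) { [pscustomobject]@{} } else { $raw | ConvertFrom-Json }

# Walk (or create) Fido -> Config without disturbing sibling settings already in the file.
function Get-OrAddNode([object]$Parent, [string]$Name) {
    if ($null -eq $Parent.PSObject.Properties[$Name]) {
        $Parent | Add-Member -NotePropertyName $Name -NotePropertyValue ([pscustomobject]@{})
    }
    return $Parent.$Name
}
$fidoConfig = Get-OrAddNode (Get-OrAddNode $config 'Fido') 'Config'

# One origin goes in Origin; several go in Origins. Origins overrides Origin, so whichever
# key is not being set is removed to avoid leaving a stale, misleading value behind.
$fidoConfig | Add-Member -NotePropertyName 'ServerDomain' -NotePropertyValue $ServerDomain -Force
if ($Origins.Count -eq 1) {
    $fidoConfig | Add-Member -NotePropertyName 'Origin' -NotePropertyValue $Origins[0] -Force
    if ($null -ne $fidoConfig.PSObject.Properties['Origins']) { $fidoConfig.PSObject.Properties.Remove('Origins') }
} else {
    $fidoConfig | Add-Member -NotePropertyName 'Origins' -NotePropertyValue $Origins -Force
    if ($null -ne $fidoConfig.PSObject.Properties['Origin']) { $fidoConfig.PSObject.Properties.Remove('Origin') }
}

# -Depth is needed: the default depth of 2 would flatten Fido:Config into a string.
$config | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $Path -Encoding UTF8
Write-Host "Updated $Path"

# Recycle so web.oauth2 picks up the new settings (the same as Recycle in IIS Manager).
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPool
```

Saved as, say, Set-MyIdFidoOrigins.ps1 (a hypothetical name), the single-origin case from 2.4.2 becomes `.\Set-MyIdFidoOrigins.ps1 -ServerDomain myserver.example.com -Origins https://myserver.example.com:30443`; passing two or more values to -Origins produces the Origins array from 2.4.3 instead. The script cannot check the one rule that needs the certificate: the casing of ServerDomain and the origins must still match the DNS Name in the web server's TLS certificate, so verify that by hand before recycling.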