3.12 Configuring your system for web proxies/load balancing

If there is a web proxy between the mobile device and the MyID server, you must ensure that the proxy does not modify the HTTP Host header when it forwards requests to the rest.provision and web.oauth2 web services. The MyID server must receive a Host header that contains the web domain of the proxy (the address the mobile device connects to), not the web domain of the MyID server itself.

If you are using Intune for mobile device management and you publish MyID through Azure Application Proxy, ensure that the Translate URLs in headers setting is not selected in the Azure Application Proxy settings. When that setting is selected, the proxy rewrites the Host header so that it no longer matches the web domain of the proxy.

3.12.1 Setting the AuthServerUrlExternal option

The rest.provision web service is used for the issuance of mobile identities using the Identity Agent Framework (for example, for MDMs), mobile identity documents, or soft certificates issued through the MyID Operator Client. This web service connects to the web.oauth2 web service using an origin that is resolvable on the server.

However, the mobile device must connect to the web.oauth2 web service using an origin that is resolvable on the mobile device; if you are using a web proxy, these two addresses are not the same.

Accordingly, if you are using a web proxy, you must set the AuthServerUrlExternal option in the rest.provision application settings file to a location that the mobile device can resolve; the rest.provision web service sends this location to the mobile device.

To set the AuthServerUrlExternal option:

  1. As an administrator, open the appsettings.Production.json file in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\rest.provision\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. In the MyID section, edit the Auth section.

    If this section does not exist, you must add it. You can copy the existing settings from the appsettings.json file.

    Add a new option called AuthServerUrlExternal to the MyID:Auth section.

    The format is:

    {
      "MyID": {
        "Auth": {
          "AnonymousAccess": false,
          "AuthServerUrl": "https://<internal>/web.oauth2",
          "AuthServerUrlExternal": "https://<external>/web.oauth2",
          "AllowUnsafeHttp": false
        }
      }
    }

    where:

    • <internal> – the internal address of the web server, resolvable by the rest.provision web service.

    • <external> – the external address, resolvable by the mobile device.

    For example, if your internal address is:

    https://myserver.intranet.local

    and the external address is:

    https://myserver.external.com

    You must include the following:

    {
      "MyID": {
        "Auth": {
          "AnonymousAccess": false,
          "AuthServerUrl": "https://myserver.intranet.local/web.oauth2",
          "AuthServerUrlExternal": "https://myserver.external.com/web.oauth2",
          "AllowUnsafeHttp": false
        }
      }
    }
  3. Save the appsettings.Production.json file.
  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.rest.provision.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.
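The procedure above, scripted as an added example; this is not Intercede's own tooling. It assumes the default installation path and the myid.rest.provision.pool application pool named on this page, and uses the placeholder hostnames myserver.intranet.local and myserver.external.com from the example above. The script seeds the MyID:Auth section from appsettings.json when the override file does not yet contain one, refuses non-HTTPS URLs because AllowUnsafeHttp remains false, verifies what was written before touching IIS, and then recycles the application pool with Restart-WebAppPool:

```powershell
# Added example (not Intercede's own code): set MyID:Auth:AuthServerUrlExternal in the
# rest.provision override file and recycle the app pool so the service re-reads it.
# Assumptions: default install path and app pool name as given on this page;
# the internal/external URLs below are placeholders and must be replaced.
param(
    [string]$InternalUrl = "https://myserver.intranet.local/web.oauth2",
    [string]$ExternalUrl = "https://myserver.external.com/web.oauth2",
    [string]$ServiceDir  = "C:\Program Files\Intercede\MyID\rest.provision",
    [string]$AppPool     = "myid.rest.provision.pool"
)

$ErrorActionPreference = 'Stop'
$basePath     = Join-Path $ServiceDir 'appsettings.json'
$overridePath = Join-Path $ServiceDir 'appsettings.Production.json'

# AllowUnsafeHttp stays false, so both URLs must be HTTPS.
foreach ($u in @($InternalUrl, $ExternalUrl)) {
    if (([Uri]$u).Scheme -ne 'https') { throw "Refusing non-HTTPS URL: $u" }
}
if (([Uri]$InternalUrl).Host -eq ([Uri]$ExternalUrl).Host) {
    Write-Warning "Internal and external hosts are identical; AuthServerUrlExternal only matters behind a proxy."
}

# Load the override file if it exists; otherwise start from an empty object
# (the page says to create the file in the same folder as appsettings.json).
if (Test-Path $overridePath) {
    $config = Get-Content $overridePath -Raw | ConvertFrom-Json
} else {
    $config = [pscustomobject]@{}
}

# Make sure MyID and MyID.Auth exist. If Auth is missing, seed it from appsettings.json
# when that file is readable, so existing settings such as AnonymousAccess are kept.
if (-not $config.PSObject.Properties['MyID']) {
    $config | Add-Member -NotePropertyName MyID -NotePropertyValue ([pscustomobject]@{})
}
if (-not $config.MyID.PSObject.Properties['Auth']) {
    $seed = [pscustomobject]@{ AnonymousAccess = $false; AllowUnsafeHttp = $false }
    if (Test-Path $basePath) {
        $base = Get-Content $basePath -Raw | ConvertFrom-Json
        if ($base.MyID -and $base.MyID.Auth) { $seed = $base.MyID.Auth }
    }
    $config.MyID | Add-Member -NotePropertyName Auth -NotePropertyValue $seed
}

# Set (or add) the internal and external authorization server URLs.
$auth = $config.MyID.Auth
$values = @{ AuthServerUrl = $InternalUrl; AuthServerUrlExternal = $ExternalUrl }
foreach ($pair in $values.GetEnumerator()) {
    if ($auth.PSObject.Properties[$pair.Key]) { $auth.($pair.Key) = $pair.Value }
    else { $auth | Add-Member -NotePropertyName $pair.Key -NotePropertyValue $pair.Value }
}

# Keep a backup, then write with enough depth that nested sections are not flattened.
if (Test-Path $overridePath) { Copy-Item $overridePath "$overridePath.bak" -Force }
$config | ConvertTo-Json -Depth 10 | Set-Content $overridePath -Encoding UTF8

# Re-read the file and confirm the value landed before touching IIS.
$check = (Get-Content $overridePath -Raw | ConvertFrom-Json).MyID.Auth
if ($check.AuthServerUrlExternal -ne $ExternalUrl) { throw "Write-back verification failed for $overridePath" }

# Recycle the app pool so rest.provision picks up the new configuration.
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPool
Write-Host "AuthServerUrlExternal is now $($check.AuthServerUrlExternal); recycled $AppPool"
```

Run it from an elevated PowerShell session on the MyID web server; Import-Module WebAdministration requires the IIS management tools. The backup copy lets you roll back if the mobile device still cannot reach web.oauth2 after the change.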

You must also carry out the following: