RP & IDP Orchestrators
A Relying Party (RP) Orchestrator is a like-for-like replacement of web server modules. It includes module-style configuration and an integration with the Orchestrator’s OIDC auth provider. It solves the problem of customers needing to make sure that unauthenticated side-channel traffic cannot reach a web server hosted application or having to change networking to accommodate Maverics as a proxy. This communication uses the OIDC protocol with custom claims for defining App Gateway policies.
This scenario requires a fabric of connected orchestrators:
- Know the environment: host and port of the web server, host and port of the app, host and port of the IdP Orchestrator pool
- Know where TLS is being used, which folder the certificates are located in, and whether or not the Maverics user can access that folder
- Ensure the Maverics IdP configuration is valid
- Ensure the proposed Maverics RP configuration is valid based on the IdP configuration
The following options must be set:
- authEndpoint: /auth
- clientID: rp-orchestrator-1
The consumers section contains settings for:
- a simple proxy configuration
- a Relying Party (RP) OIDC client
upstream: (Required) The URL of the app that is being protected and proxied to. This can be an IP address or hostname together with the port the application listens on.
basePath: (Optional. Default is "/") A path on the application. When combined with host, this creates the listen address.
host: (Optional) A hostname or fully qualified domain name the RP Orchestrator is listening for. Use this to differentiate between multiple provider configurations that behave differently depending on the hostname in the HTTP request (i.e. if the Orchestrator receives requests on different virtual hostnames).
preserveHost: (Optional. Default is false) A boolean field used to determine if the Host header should be preserved on outbound requests. By default, the Orchestrator will set the Host header to match the upstream's host. This field is often used when the Orchestrator is forwarding traffic to another reverse proxy such as Apache.
authEndpoint: the registered auth endpoint exposed by the IdP Orchestrator.
clientID: the client identifier (OIDC client ID) for this RP Orchestrator instance, matching a clientID in the IdP Orchestrator's Fabric configuration.
clientSecret: a secret shared between the IdP Orchestrator and RP Orchestrator (OIDC client secret), matching a clientSecret in the Fabric configuration.
providerIssuer: the OIDC Provider issuer identifier. This should match the issuer in the Fabric configuration (if set).
redirectURL: the URL that the browser is redirected to in order to pass the authentication JWT back to the RP Orchestrator. This field is required and must be a full URL (e.g.
unauthorizedPage: the URL a user is redirected to when a policy evaluation denies access to the app.
appgatewayMappings: a list of location paths on the protected applications with their corresponding
ignoredPaths: a list of paths to ignore on the protected applications. The orchestrator will pass the connection through to the target web server without applying any policy or headers. Supports regular expressions (e.g.
```yaml
consumers:
  # Proxy Config
  - basePath: /                      # Optional. Defaults to "/"
    upstream: http://127.0.0.1:8080  # Required
    host: app.sonarsystems.com       # Optional
    preserveHost: false              # Optional
    # OIDC Config
    appgatewayMappings:              # location paths on the protected app
      - location: /
      - location: /resources
```
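The pre-flight checks above (RP config must be valid against the IdP config, matching clientID and clientSecret, matching issuer, full redirectURL, upstream with a port) can be scripted. The following is an added example, not Maverics' own code; the config dicts are constructed samples, and the Fabric key layout (clients, issuer) is an assumption.

```python
"""Cross-check an RP Orchestrator consumer entry against the IdP Fabric config.
Added example; the Fabric layout ('issuer', 'clients') is an assumption."""
from urllib.parse import urlparse

# Constructed IdP-side Fabric configuration (key layout is an assumption).
IDP_FABRIC = {
    "issuer": "https://idp.example.test",
    "clients": [
        {"clientID": "rp-orchestrator-1", "clientSecret": "s3cr3t-placeholder"},
    ],
}

# Constructed RP-side consumer entry using the keys documented above.
RP_CONSUMER = {
    "upstream": "http://127.0.0.1:8080",
    "basePath": "/",
    "host": "app.sonarsystems.com",
    "preserveHost": False,
    "authEndpoint": "/auth",
    "clientID": "rp-orchestrator-1",
    "clientSecret": "s3cr3t-placeholder",
    "providerIssuer": "https://idp.example.test",
    "redirectURL": "https://app.sonarsystems.com/oidc/callback",
}

def _is_full_url(value, require_port=False):
    """True for an absolute URL with scheme and host (and a port if required)."""
    u = urlparse(value)
    return bool(u.scheme and u.netloc) and (not require_port or u.port is not None)

def check_rp_config(rp, fabric):
    """Return a list of problems; an empty list means the RP entry is consistent."""
    problems = []
    # upstream is required and must name the host and the port the app listens on
    if not _is_full_url(rp.get("upstream", ""), require_port=True):
        problems.append("upstream must be a URL with host and port")
    # redirectURL is required and must be a full URL, not a bare path
    if not rp.get("redirectURL") or not _is_full_url(rp["redirectURL"]):
        problems.append("redirectURL is required and must be a full URL")
    # clientID / clientSecret must match a client registered in the Fabric config
    client = next((c for c in fabric.get("clients", [])
                   if c.get("clientID") == rp.get("clientID")), None)
    if client is None:
        problems.append("clientID %r not registered in Fabric config" % rp.get("clientID"))
    elif client.get("clientSecret") != rp.get("clientSecret"):
        problems.append("clientSecret does not match the Fabric client entry")
    # providerIssuer must match the Fabric issuer when one is set
    issuer = fabric.get("issuer")
    if issuer and rp.get("providerIssuer") != issuer:
        problems.append("providerIssuer does not match the Fabric issuer")
    return problems
```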