Secure all endpoints

All LDAP and HTTP endpoints that make up the CUE User Manager & IAM system should be protected with TLS. It's worth creating a good strategy for how to create and maintain such certificates for all environments, including development, test and staging. This way you can ensure that all environments are as production-like as possible. Turning off CUE User Manager in non-production systems is not advisable, since problems with login, single sign-on and authorization would then first surface in production.

As a starting point, the following endpoints should be secured with TLS:

  • The OIDC discovery document and all URIs it lists: https://iam.mycompany.com/.well-known/openid-configuration

  • The SCIM endpoint and all its URIs: https://iam.mycompany.com/scim/v2/

  • CUE User Manager itself: https://um.mycompany.com

  • The LDAP server holding the master source of users and groups. In many cases, this will mean Active Directory.

  • The IAM system will have its own storage of users, and the communication between the OIDC and SCIM services and that storage should also go over TLS.

    For instance, Gluu's internal storage for users and application configuration is an LDAP server. This server has its own TLS certificate so that the SCIM component (called oxTrust or identity) and the OIDC component (called oxAuth) can communicate with that storage backend securely.
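A small audit of the endpoints listed above, as an added example that is not part of the CUE or Gluu documentation: it flags any URI in the OIDC discovery document that is not served over https, and performs a verifying TLS handshake against a host and port (HTTPS or LDAPS). The discovery document is a constructed sample with made-up paths, and the hostnames are the page's own placeholders.

```python
"""Added example, not CUE/Gluu code: audit TLS on the endpoints above."""
import json
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample of an OIDC discovery document; the userinfo URI is
# deliberately plain http so the audit has something to flag.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://iam.mycompany.com",
    "authorization_endpoint": "https://iam.mycompany.com/authorize",
    "token_endpoint": "https://iam.mycompany.com/token",
    "userinfo_endpoint": "http://iam.mycompany.com/userinfo",
    "jwks_uri": "https://iam.mycompany.com/jwks",
    "scopes_supported": ["openid", "profile"],
})


def insecure_uris(discovery_json):
    """Return (claim, uri) for each URI in the document not served over
    https. URL-valued claims are the issuer plus keys ending in _endpoint
    or _uri, so only those are inspected."""
    doc = json.loads(discovery_json)
    return [(k, v) for k, v in doc.items()
            if (k == "issuer" or k.endswith(("_endpoint", "_uri")))
            and isinstance(v, str) and urlparse(v).scheme != "https"]


def tls_handshake(host, port, timeout=5.0):
    """Connect with the default context, which verifies the chain and the
    hostname. Returns (True, peer CN) or (False, reason). Suits HTTPS (443)
    and LDAPS (636); LDAP StartTLS on 389 needs an LDAP client instead."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return True, subject.get("commonName", "")
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for claim, uri in insecure_uris(SAMPLE_DISCOVERY):
        print("non-https claim in discovery document:", claim, uri)
    # Placeholder hosts from the page; substitute your own before running.
    for host, port in [("iam.mycompany.com", 443), ("um.mycompany.com", 443)]:
        ok, detail = tls_handshake(host, port)
        print(f"{host}:{port}", "OK" if ok else "FAIL", detail)
```

Fetch the live discovery document with any HTTPS client and pass its body to `insecure_uris`; a self-signed or expired certificate shows up as a `FAIL` from `tls_handshake`, which is the same verification a browser or SSO client would apply.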