You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.
This page describes what needs to be configured so that Keycloak can be used in combination with HTTPS.
It is assumed that:
- Blueriq version 15.4 or later is used (earlier versions do not support HTTPS with Keycloak)
- HTTPS for the Studio is already configured and working in IIS
- The Studio is configured to use the OIDC authentication mode
- All internal requests between IIS and Keycloak will be plain HTTP
IIS Configuration
The main goal of this section is to add HTTP headers to the requests that are forwarded to Keycloak. These headers are:
- X-Forwarded-For
- X-Forwarded-Host
- X-Forwarded-Proto
Keycloak requires these headers to function correctly behind an HTTPS proxy.
Server
Server > Application Request Routing Cache > Server Proxy Settings:
- Check "Enable Proxy"
- Check "Reverse rewrite host in response headers"
- Set "Preserve client IP in the following header:" to X-Forwarded-For
- Check "Include TCP port from client IP"
Blueriq site
URL Rewrite > View Server Variables
- Add HTTP_X_Forwarded_Host
- Add HTTP_X_Forwarded_Proto
URL Rewrite > ReverseProxy_Keycloak > Server variables
- Add HTTP_X_Forwarded_Host = {HTTP_HOST}
- Add HTTP_X_Forwarded_Proto = https (TODO)
Identity folder > URL Rewrite > Identity_Keycloak > Server variables
- Add HTTP_X_Forwarded_Host = {HTTP_HOST}
- Add HTTP_X_Forwarded_Proto = https (TODO)
Keycloak Configuration
In this section we configure Keycloak so that it is aware that it is being hosted behind an HTTPS domain, for example so that any URLs it returns in responses contain the correct protocol, hostname and port. After this configuration, Keycloak will only be available via the configured hostname and port, and not via the internal port.
First, from the Services control panel, stop the Blueriq Keycloak Service.
Update configuration
Edit [INSTALL_FOLDER]\tools\Keycloak\conf\keycloak.conf:
Remove property
- hostname
Add properties
- hostname=[HOSTNAME]
- hostname-port=[PORT]
- hostname-admin=[HOSTNAME]
In the [INSTALL_FOLDER]\tools\Keycloak\bin folder:
- From the command line run kc build
Update service
In the [INSTALL_FOLDER]\tools\Keycloak\bin folder:
Update kc-service.xml
- Replace <arguments>start-dev</arguments> with <arguments>start</arguments>
From the Services control panel, start the Blueriq Keycloak Service.
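A check for the outcome described above, as an added example that is not part of the Blueriq documentation: it reads the OIDC discovery document that Keycloak serves and reports every advertised URL whose scheme, host or port differs from the external HTTPS address. The function name, host name, realm and sample document are constructed placeholders, and the discovery path through the IIS proxy is an assumption.

```powershell
# Added example (not Blueriq tooling). Host, realm and sample document are constructed.
function Test-KeycloakAdvertisedUrls {
    param(
        [Parameter(Mandatory)] [psobject] $Discovery,    # parsed openid-configuration
        [Parameter(Mandatory)] [string]   $ExpectedHost, # the [HOSTNAME] from keycloak.conf
        [int] $ExpectedPort = 443                        # the [PORT] from keycloak.conf
    )
    $problems = @()
    foreach ($prop in $Discovery.PSObject.Properties) {
        # Check only top-level string values that are absolute URLs.
        if (($prop.Value -isnot [string]) -or ($prop.Value -notmatch '^[a-z][a-z0-9+.-]*://')) { continue }
        $uri = [Uri]$prop.Value
        if ($uri.Scheme -ne 'https') {
            $problems += "$($prop.Name): scheme is '$($uri.Scheme)'; check X-Forwarded-Proto"
        }
        if ($uri.Host -ne $ExpectedHost) {
            $problems += "$($prop.Name): host is '$($uri.Host)'; check hostname and X-Forwarded-Host"
        }
        if ($uri.Port -ne $ExpectedPort) {
            $problems += "$($prop.Name): port is $($uri.Port); check hostname-port"
        }
    }
    return $problems
}

# Constructed sample: the issuer still shows an internal plain-HTTP address.
$sampleJson = @'
{
  "issuer": "http://localhost:8080/realms/example",
  "authorization_endpoint": "https://studio.example.test/realms/example/protocol/openid-connect/auth",
  "token_endpoint": "https://studio.example.test/realms/example/protocol/openid-connect/token",
  "grant_types_supported": ["authorization_code"]
}
'@
$doc = $sampleJson | ConvertFrom-Json
# Live use (path is an assumption; substitute your own realm and proxy path):
# $doc = Invoke-RestMethod 'https://[HOSTNAME]:[PORT]/realms/<realm>/.well-known/openid-configuration'

$issues = @(Test-KeycloakAdvertisedUrls -Discovery $doc -ExpectedHost 'studio.example.test')
if ($issues.Count -eq 0) { 'All advertised URLs use the external HTTPS address.' } else { $issues }
```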