IBM Verify

  • 1.  WebSEAL as OIDC RP

    Posted Mon March 23, 2020 04:21 AM
    Hello,
    I want to configure WebSEAL as an OIDC RP, but I found this restriction in webseald.conf:

    [oidc]
    # Enable authentication using the OIDC RP mechanism
    # One of <https, none>
    oidc-auth = none

    which makes it impossible for us to use this functionality, because we terminate SSL on the load balancer in front of WebSEAL and talk HTTP to the WebSEALs.

    Is this restriction really necessary?

    Regards
    Andreas

    ------------------------------
    Andreas Rühl
    ------------------------------


  • 2.  RE: WebSEAL as OIDC RP

    Posted Mon March 23, 2020 05:14 AM
    Hello Andreas,

    If your WebSEAL is behind a load-balancer that is terminating TLS, you should have these configuration parameters in WebSEAL so that it knows this is the case:

    [server]
    web-http-port = 443
    web-http-protocol = https

    This tells WebSEAL that traffic received on its HTTP port should be considered HTTPS traffic (and that any links generated should use port 443). This allows authentication mechanisms set for https to work and also does other things (like setting the Secure flag in cookies).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
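
A check for the settings discussed in this thread, as an added example (not IBM's or either poster's code): it parses a stanza-style file and reports when `oidc-auth`, `web-http-protocol` or `web-http-port` do not match the TLS-offload setup described above. The parser, the function names, the `external_port` parameter, the constructed sample file, and the handling of missing or repeated keys are assumptions.

```python
import re

# Constructed sample (not a real webseald.conf): only the keys named in this thread.
SAMPLE_CONF = """\
[server]
web-http-port = 443
web-http-protocol = https

[oidc]
# One of <https, none>
oidc-auth = https
"""

def parse_stanzas(text):
    """Parse '[stanza]' headers and 'key = value' lines; '#' lines are comments."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1).strip()
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()  # assumption: last value wins
    return conf

def check_tls_offload(text, external_port="443"):
    """Return findings for running the OIDC RP behind a TLS-terminating load balancer."""
    conf = parse_stanzas(text)
    server = conf.get("server", {})
    findings = []
    # Assumption: a missing oidc-auth key is treated like 'none'.
    if conf.get("oidc", {}).get("oidc-auth", "none").lower() != "https":
        findings.append("[oidc] oidc-auth is not 'https'")
    if server.get("web-http-protocol", "").lower() != "https":
        findings.append("[server] web-http-protocol is not 'https': HTTP-port traffic "
                        "is not treated as HTTPS")
    if server.get("web-http-port") != external_port:
        findings.append(f"[server] web-http-port is not {external_port}: generated "
                        "links will not use the load balancer's port")
    return findings

if __name__ == "__main__":
    for finding in check_tls_offload(SAMPLE_CONF) or ["OK: settings match the thread"]:
        print(finding)
```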