Configure Traefik between Self-Service and Identity Manager
This article is valid for Smart ID 21.04 and later.
This article describes how to configure Traefik when connecting Smart ID Self-Service to Smart ID Identity Manager using its public URL (default configuration in the Self-Service compose file).
Note on <SMARTIDHOME>: in this article, <SMARTIDHOME> refers to /home/nexus, but this can differ depending on the setup.
Setting IDM_URL to Identity Manager's public URL works fine for normal usage (logging in to Self-Service with username and password, or running processes), but you will face issues once you configure SAML.
When you send a request using the public URL, the request first reaches Traefik and is then forwarded to Identity Manager. In doing so, Traefik rewrites the Host and X-Forwarded-Host headers with the IDM_URL. Since SAML relies on the host to determine where the request originates, the SAML response ends up redirecting to Identity Manager instead of Self-Service.
To prevent this, you have to configure Traefik to trust the VM from which the request originates.
Make sure that the public IP of the VM where Self-Service is deployed is static.
Go to <SMARTIDHOME>/docker/compose/traefik/docker-compose.yml
If you have multiple Traefik instances, you only need to make this change in the instance that handles Identity Manager (for example, if Self-Service is deployed on a different VM, outside the network of your Identity Manager VM).
In the compose file, go to the command section and add the following entry (see the Traefik documentation for more information):
traefik/docker-compose.yml
"--entryPoints.websecure.forwardedHeaders.trustedIPs=w.x.y.z"
Where w.x.y.z is the static public IP of your VM.
Restart Traefik.
For development purposes
If you are deploying in a development environment, instead of adding a trusted IP (or list of IPs), you can simply set the insecure property:
"--entryPoints.websecure.forwardedHeaders.insecure"
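As an added example (not the compose file shipped with Smart ID or written by Nexus), the excerpt below shows where the trustedIPs entry from the procedure above sits in a Traefik compose file, with the development-only insecure alternative commented out beside it. The service name, image tag, entrypoint address, port mapping and the IP 203.0.113.10 are assumed placeholders; replace the IP with the static public IP of your Self-Service VM.

```yaml
# Added example, not the Smart ID compose file. Service name, image tag,
# ports and the IP 203.0.113.10 (a documentation address) are assumed.
services:
  traefik:
    image: traefik:v2.9   # assumed tag; use the version shipped with your Smart ID release
    command:
      - "--entryPoints.websecure.address=:443"
      # Production: trust X-Forwarded-* headers only when they arrive from the
      # static public IP of the VM running Self-Service. Several IPs or CIDR
      # ranges can be given comma-separated, e.g. 203.0.113.10/32,198.51.100.0/24.
      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=203.0.113.10"
      # Development only: trust forwarded headers from every client.
      # Use this instead of (never together with) the trustedIPs line above.
      # - "--entryPoints.websecure.forwardedHeaders.insecure"
    ports:
      - "443:443"
```

With trustedIPs set, Traefik keeps the Host and X-Forwarded-Host headers as sent by Self-Service only for requests coming from the listed addresses and keeps overwriting them for everyone else, which is why the Self-Service IP must be static. The insecure flag makes Traefik accept those headers from any source, so any client can spoof the forwarded host; that is acceptable on an isolated development box but not on an instance reachable from the internet.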