Once the Curity Identity Server has been installed, it is time to configure it for the first time. This tutorial sets up the basic configuration so that the following are running:
- An Authentication service
- A Token service for OAuth and OpenID Connect
We'll rely on the HSQL Database, a file-based database bundled with the installation. It cannot be used in production, but it is useful for getting up and running quickly.
Log in to the Admin UI at https://localhost:6749/admin (or the host where the server is deployed). Enter the username admin and the password you set during the installation.
When the system is unconfigured you'll see an option to use the basic setup wizard, which we will use in this tutorial.
- The sidebar changes depending on which section is visited.
- The System menu takes you to system-wide settings such as deployments, events and procedures.
- The Profile menu defines the server functions.
- The Changes menu is where configuration changes are viewed, applied or cancelled.
- The User menu manages admin users.
- The Facilities menu holds all helper services, such as data sources, certificates and email or SMS services.
To get started, click the Run Basic Setup button and walk through the first wizard. Everything the wizard configures can be changed afterwards; it simply puts the system in a good starting state.
First add your license by uploading an existing license file or importing it directly from the Curity Developer Portal. If you don't have a license yet, it can be added later via the System screen and the General page from the sidebar.
The second screen sets up the data source that stores tokens and sessions. It can connect to a number of backends, but to get started quickly, just click Next. This sets up an HSQL data source for tokens and sessions called default-datasource. It cannot be used in production and will not work with clusters.
Users can be stored in different data stores such as SQL, LDAP, SCIM, REST APIs etc. If you don't have any user stores yet, you can use the same test database as in the previous step and just click Next.
The hashing algorithm is used when storing user passwords. The default is fine for a new system.
If the system should be able to send emails for authentication or registration, configure an SMTP service here; otherwise just click Next. If you don't know yet, it can be added later via the Facilities menu.
If the system should be able to send SMS messages for authentication, configure an SMS service here; otherwise just click Next. If you don't know yet, it can be added later via the Facilities menu.
Curity Identity Server needs keys for SSL. Self-signed keys have already been generated. For a fast setup choose "Use Existing SSL Keys" and then select "default-admin-ssl-keys". Alternatively, upload existing keys or generate new keys with self-signed certificates for testing. To generate keys, click "Generate New", fill in the three fields, and then click Next.
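If you prefer to prepare the key material outside the UI and upload it as existing keys, the following script is an added example (not part of the Curity tutorial or product) that generates a test RSA key pair and self-signed certificate with openssl and then performs the checks worth doing before upload: the certificate's subject, its SHA-256 fingerprint (to compare against the browser warning when you open the Admin UI), and that the private key actually belongs to the certificate. The hostname and output directory are placeholders; openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the Curity documentation: build test-only SSL keys with
# openssl and verify them before uploading as "existing SSL keys".
# Assumes: openssl >= 1.1.1 on PATH. Hostname and directory are placeholders.
set -eu

# gen_test_ssl_keys <out_dir> <hostname>
# Writes key.pem (unencrypted private key) and cert.pem (self-signed, 365 days)
# into <out_dir>. Self-signed certificates are for testing only.
gen_test_ssl_keys() {
  out_dir="$1"
  host="$2"
  mkdir -p "$out_dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -keyout "$out_dir/key.pem" -out "$out_dir/cert.pem" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  # Private key must not be world-readable.
  chmod 600 "$out_dir/key.pem"
}

# cert_subject_cn <cert.pem>
# Prints the certificate's CN so it can be checked against the intended host.
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_fingerprint <cert.pem>
# Prints the SHA-256 fingerprint shown by browsers for a self-signed cert.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_matches_cert <key.pem> <cert.pem>
# Returns 0 only if the public key in the certificate matches the private key;
# uploading a mismatched pair is a common cause of a failing TLS listener.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Usage when run directly: ./make-test-keys.sh generate ./test-ssl idsvr.example.test
if [ "${1:-}" = "generate" ]; then
  gen_test_ssl_keys "$2" "$3"
  echo "CN:          $(cert_subject_cn "$2/cert.pem")"
  echo "Fingerprint: $(cert_fingerprint "$2/cert.pem")"
  key_matches_cert "$2/key.pem" "$2/cert.pem" && echo "Key matches certificate"
fi
```

Keep the generated key.pem out of version control, and note that the fingerprint printed here is what you should see in the browser's certificate warning when connecting to the Admin UI with these keys; a different fingerprint means the server is not presenting the certificate you uploaded.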
The Token Service profile is the heart of OAuth and OpenID Connect. The profile can be restricted as to which flows are allowed to run. By default, the wizard suggests enabling all flows. You can change this later from the "Token Service" General page.
Whenever changes are made in the UI, they are not deployed to the server until the admin commits them. They are kept in a transaction that is validated when committed. This ensures that every new configuration state is correct and that no invalid config reaches the runtime. The wizard now lets you commit these directly, or later by selecting Changes menu -> Commit. If you're happy with the new setup, simply click Commit directly in the wizard.
All changes are now applied.
The basic setup wizard has now created a system that contains the following:
- An Authentication Profile for user authentication
- A Token profile for OAuth and OpenID Connect
- A deployment (service-role): The runtime configuration needed by the runtime nodes
- One or two data sources: one for tokens and optionally a second one for users
- An Email provider (if selected)
- An SMS provider (if selected)
- SSL certificates and signing keys
The system is now ready for OAuth and OpenID Connect. However, before we start making OAuth calls we should set up user authentication. In the next tutorial, a username/password authenticator is configured using the data source defined in this tutorial.