<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:Calibri;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:Calibri;
        color:windowtext;}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:Calibri;
        color:windowtext;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:Calibri;
        color:windowtext;}
span.msoIns
        {mso-style-type:export-only;
        mso-style-name:"";
        text-decoration:underline;
        color:teal;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Indeed, the RemoteIpValve configuration in Tomcat, along with the update to the server-config.xml issuer, seems to be working as expected, both for logging in to the server itself and for performing the OAuth protocol.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The only restriction I found is that the application name within Tomcat has to match the path in the API Manager. Not ideal but workable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Luiz<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Luiz Omori &lt;luiz.omori@duke.edu&gt;<br>
<b>Date: </b>Friday, June 23, 2017 at 5:59 PM<br>
<b>To: </b>"mitreid-connect@mit.edu" &lt;mitreid-connect@mit.edu&gt;<br>
<b>Subject: </b>Re: [mitreid-connect] MitreID Connect Server behind an API Manager<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Times New Roman'"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">Oh, perhaps it’s better to address this at Tomcat level using the RemoteIpValve...</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">&lt;mitreid-connect-bounces@mit.edu&gt; on behalf of Luiz Omori &lt;luiz.omori@duke.edu&gt;<br>
<b>Date: </b>Friday, June 23, 2017 at 4:15 PM<br>
<b>To: </b>"mitreid-connect@mit.edu" &lt;mitreid-connect@mit.edu&gt;<br>
<b>Subject: </b>[mitreid-connect] MitreID Connect Server behind an API Manager</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Times New Roman'"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">We are investigating the possibility of putting a MitreID instance behind an API Manager. The latter, for the purpose of this discussion, would be just a reverse proxy.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We had some success by changing the issuer in server-config.xml, and the login-page/authentication-failure configurations in user-context.xml:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">&lt;security:form-login login-page="https://hmp-catsbuild01.dhe.duke.edu:8643/patient-openid-connect/login" authentication-failure-url="https://hmp-catsbuild01.dhe.duke.edu:8643/patient-openid-connect/login?error=failure"
authentication-success-handler-ref="authenticationTimeStamper" /&gt;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Is that OK? Also, we found an issue and are stuck. The login page is loaded correctly from the API Manager; however, the approval page is loaded straight from the server where MitreID is running. Interestingly,
if the user is already authenticated in the browser, the server redirects straight to the approval page and correctly uses the API Manager address. Does anybody know where the code is that, after a successful authentication, sends the client to the
approval page? I’m curious about the logic used to figure out the approval page address.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Luiz</span><o:p></o:p></p>
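<p class="MsoNormal"><span style="font-size:11.0pt">The RemoteIpValve that resolved this thread decides, per request, whether the X-Forwarded-* headers set by the API Manager may replace the connection's own client address, scheme and host; that decision is what makes the login, approval and issuer URLs come out with the API Manager's address instead of the Tomcat host. The Python below models that decision as an added illustration for this thread. It is not code from Tomcat, Spring Security or MitreID Connect; the trusted proxy ranges, host names and sample requests are constructed, and the function names are the author's own.</span></p>

```python
"""Model of the trust decision a reverse-proxy-aware servlet container makes
before an application builds externally visible URLs (login page, issuer,
redirect targets).

Added illustration for the mailing-list thread above; not code from Tomcat,
Spring Security or MitreID Connect.  Network ranges, host names and the
sample requests are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: only peers in these ranges may set X-Forwarded-* headers.
# This plays the role of RemoteIpValve's internalProxies / trustedProxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]

# A forwarded host is accepted only in host[:port] form, because it becomes
# the base of redirect URLs and must not smuggle paths or other characters.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


@dataclass
class Request:
    remote_addr: str            # TCP peer as the container saw it
    scheme: str                 # scheme of the connection to the container
    host: str                   # Host header received by the container
    headers: dict = field(default_factory=dict)


def _trusted(addr_text, nets):
    """True/False for a parseable address, None for a malformed one."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    return any(addr in n for n in nets)


def resolve_origin(req, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address, scheme and host the application should
    believe.  Forwarded headers are honoured only when the immediate peer is
    a trusted proxy; otherwise the connection-level values stand, so a client
    that reaches the container directly cannot rewrite them."""
    origin = {"client_ip": req.remote_addr, "scheme": req.scheme,
              "host": req.host, "forwarded": False}
    if not _trusted(req.remote_addr, trusted_proxies):
        return origin

    # X-Forwarded-For lists the client first, then each proxy that appended
    # itself.  Walk right to left, skipping trusted proxies; the first other
    # hop is the real client.
    chain = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")
             if h.strip()]
    for hop in reversed(chain):
        verdict = _trusted(hop, trusted_proxies)
        if verdict is None:
            break                       # malformed hop: stop, keep what we have
        origin["client_ip"] = hop
        if not verdict:
            break                       # first untrusted hop is the client

    proto = req.headers.get("X-Forwarded-Proto", req.scheme).strip().lower()
    if proto in ("http", "https"):
        origin["scheme"] = proto

    fwd_host = req.headers.get("X-Forwarded-Host", "").strip()
    if fwd_host and _HOST_RE.match(fwd_host):
        origin["host"] = fwd_host

    origin["forwarded"] = True
    return origin


def external_url(req, path, trusted_proxies=TRUSTED_PROXIES):
    """Absolute URL for `path` as the browser behind the proxy should see it."""
    o = resolve_origin(req, trusted_proxies)
    return f"{o['scheme']}://{o['host']}{path}"


# Constructed sample traffic.
VIA_PROXY = Request(
    remote_addr="10.0.0.7", scheme="http", host="mitreid.internal:8080",
    headers={"X-Forwarded-For": "203.0.113.9, 10.0.0.3",
             "X-Forwarded-Proto": "https",
             "X-Forwarded-Host": "api-manager.example:8643"})

DIRECT_SPOOF = Request(
    remote_addr="198.51.100.4", scheme="http", host="mitreid.internal:8080",
    headers={"X-Forwarded-For": "10.0.0.1",
             "X-Forwarded-Proto": "https",
             "X-Forwarded-Host": "attacker-controlled.example"})

if __name__ == "__main__":
    for name, req in (("via proxy", VIA_PROXY), ("direct, spoofed", DIRECT_SPOOF)):
        print(name, resolve_origin(req),
              external_url(req, "/patient-openid-connect/login"))
```

<p class="MsoNormal"><span style="font-size:11.0pt">The pieces map onto RemoteIpValve's attributes: the allowlist is internalProxies/trustedProxies, and the three headers are remoteIpHeader, protocolHeader and hostHeader. The check worth running on any such deployment is the second sample request: a peer outside the proxy's address range must not be able to change the scheme or host that the authorization server then bakes into its issuer, login and approval URLs.</span></p>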
</div>
</body>
</html>