I published my last post a long time ago, but I faced new challenges while upgrading a Sitecore infrastructure from 9.0.1 to 9.3. As you all probably know, Identity Server is used as the primary authenticator for CM environments by default.
In this particular infrastructure we have blue-green deployments enabled for CM as well, so we use a reverse proxy to route the requests to the blue or green IIS site. Below is a simple diagram of what our infrastructure looks like.

To make this work I had to configure the reverse proxy, Sitecore and Identity Server a bit differently from the default configuration.
1. Reverse proxy configuration
The reverse proxy is just an IIS site with the following web.config, shown here with cm.green as the active route. The outbound rule is important because it overwrites the Location variable in the response header; if this rule is not there, Sitecore will redirect you to cm.green or cm.blue after the login.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every request to the currently active CM site -->
        <rule name="ReverseProxyInboundRule" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="https://cm.green/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite internal hosts in redirect Location headers to the public host.
             Dots are escaped so that only the literal host names match. -->
        <rule name="ReverseProxyOutboundRule1" preCondition="IsRedirection">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://cm\.green/(.*)" />
          <action type="Rewrite" value="http{R:1}://public.cm.com/{R:2}" />
        </rule>
        <rule name="ReverseProxyOutboundRule2" preCondition="IsRedirection">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://cm\.blue/(.*)" />
          <action type="Rewrite" value="http{R:1}://public.cm.com/{R:2}" />
        </rule>
        <preConditions>
          <!-- Only touch 3xx responses -->
          <preCondition name="IsRedirection">
            <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
2. Sitecore configuration patch
To redirect the user after login to the correct domain, you need to have the following Sitecore config patch:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <sc.variable name="identityServerAuthority" value="https://identity.server" />
    <settings>
      <!-- Fill the FederatedAuthentication.IdentityServer.CallbackAuthority setting if you need another host to receive callbacks from IdentityServer. It is useful for reverse proxy configuration. -->
      <setting name="FederatedAuthentication.IdentityServer.CallbackAuthority" value="https://public.cm.com" />
    </settings>
  </sitecore>
</configuration>
3. Identity Server configuration
The last step is to configure Identity Server to approve requests from the public.cm.com domain:
<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      ...
      <AccountOptions>
        <PasswordRecoveryUrl>https://public.cm.com/sitecore/login?rc=1</PasswordRecoveryUrl>
      </AccountOptions>
      <Clients>
        <DefaultClient>
          <AllowedCorsOrigins>
            <AllowedCorsOriginsGroup1>https://public.cm.com</AllowedCorsOriginsGroup1>
          </AllowedCorsOrigins>
        </DefaultClient>
        ...
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>
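To sanity-check steps 1 and 2 together, the Python below emulates the two outbound rules on redirect Location headers and reports any internal host name that would still reach the browser. It is an added example, not part of the original configuration or of Sitecore's tooling; the sample responses, including the Identity Server path and the redirect_uri value, are constructed for illustration.

```python
import re
from urllib.parse import unquote

INTERNAL_HOSTS = ("cm.green", "cm.blue")

# Patterns and rewrite values of the two outbound rules (host dots escaped).
OUTBOUND_RULES = [
    (r"^http(s)?://cm\.green/(.*)", "http{R:1}://public.cm.com/{R:2}"),
    (r"^http(s)?://cm\.blue/(.*)", "http{R:1}://public.cm.com/{R:2}"),
]

def rewrite_location(status, location):
    """Emulate the outbound rules, gated by the IsRedirection precondition."""
    if not re.search(r"3\d\d", str(status)):
        return location
    for pattern, value in OUTBOUND_RULES:
        # IIS URL Rewrite matches case-insensitively by default.
        match = re.search(pattern, location, re.IGNORECASE)
        if match:
            for i in range(1, match.re.groups + 1):
                value = value.replace("{R:%d}" % i, match.group(i) or "")
            location = value
    return location

def leaked_hosts(location):
    """Internal host names still present, even percent-encoded in a parameter."""
    decoded = unquote(location).lower()
    return [h for h in INTERNAL_HOSTS
            if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w.-])", decoded)]

def audit(responses):
    """Return (rewritten Location, leaked hosts) for each (status, Location)."""
    out = []
    for status, location in responses:
        rewritten = rewrite_location(status, location)
        out.append((rewritten, leaked_hosts(rewritten)))
    return out

# Constructed sample responses, as the backend site would emit them.
SAMPLES = [
    (302, "https://cm.green/sitecore/shell"),
    (302, "http://cm.blue/sitecore/login?rc=1"),
    (302, "https://identity.server/connect/authorize"
          "?redirect_uri=https%3A%2F%2Fcm.green%2Fidentity%2Fsignin"),
]

if __name__ == "__main__":
    for rewritten, leaks in audit(SAMPLES):
        print("LEAK" if leaks else "ok  ", rewritten, leaks)
```

The third sample is left untouched because the rule pattern is anchored to the start of the Location value. The host that receives the Identity Server callback is what the CallbackAuthority setting from step 2 controls.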
Thank you to Sitecore Support for pointing me to the right path to make this work! I hope it helps you and future me 🔮