Sitecore 9.3 CM with reverse proxy and Identity Server

It has been a long time since my last post, but upgrading a Sitecore infrastructure from 9.0.1 to 9.3 brought new challenges. As you probably know, Identity Server (introduced in Sitecore 9.1, so new to anyone coming from 9.0.x) is the primary authenticator for CM environments by default.

In this particular infrastructure blue-green deployments are enabled for CM as well, so a reverse proxy routes requests to either the blue or the green IIS site. Below is a simple diagram of how the infrastructure looks.

To make this work I had to configure the reverse proxy, Sitecore and Identity Server somewhat differently from the defaults. The underlying problem is that the proxy forwards each request to an internal host name (cm.green or cm.blue), so unless every component is told about the public host, Sitecore builds its post-login redirects and the OpenID Connect redirect_uri it sends to Identity Server from the internal one.

1. Reverse proxy configuration

The reverse proxy is just an IIS site (Application Request Routing installed, proxy mode enabled at server level) with the following web.config; here the inbound rule routes everything to cm.green as the active site, and switching to blue means changing that one target. The outbound rules are important: the proxy passes the internal host name to the backend, so Sitecore builds its redirects from cm.green or cm.blue, and the rules rewrite the Location header of any 3xx response back to the public host name. Without them Sitecore redirects you to cm.green or cm.blue after login. The IsRedirection precondition limits the rewrite to 3xx responses, both outbound rules are kept so a blue/green switch does not require touching them, and the dots in the host names are escaped so the patterns cannot match look-alike hosts.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound: forward every request to the active slot (change the host to switch to cm.blue). -->
        <rule name="ReverseProxyInboundRule" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="https://cm.green/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound: rewrite redirects that name an internal host back to the public host. -->
        <rule name="ReverseProxyOutboundRule1" preCondition="IsRedirection">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://cm\.green/(.*)" />
          <action type="Rewrite" value="http{R:1}://public.cm.com/{R:2}" />
        </rule>
        <rule name="ReverseProxyOutboundRule2" preCondition="IsRedirection">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://cm\.blue/(.*)" />
          <action type="Rewrite" value="http{R:1}://public.cm.com/{R:2}" />
        </rule>
        <preConditions>
          <!-- Only touch 3xx responses; other responses keep their Location header untouched. -->
          <preCondition name="IsRedirection">
            <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
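Before deploying the proxy it is worth checking the outbound rules offline. The script below is an added example and not code from the post: it re-implements just enough of IIS URL Rewrite outbound-rule semantics (the precondition on RESPONSE_STATUS, a case-insensitive regex on RESPONSE_Location, {R:n} back-references) to run the rules from a constructed copy of the web.config against sample upstream responses. The host names are the assumed ones from the post, and the function names (load_outbound_rules, apply_outbound_rules, rewrite_location) are mine.

```python
"""Offline check of the proxy's outbound rules (added example, not code from the post).

Re-implements just enough of IIS URL Rewrite outbound-rule semantics (the precondition on
RESPONSE_STATUS, a case-insensitive regex on RESPONSE_Location, {R:n} back-references) to
confirm before deployment that a Location header pointing at cm.green or cm.blue is
rewritten to public.cm.com and that nothing else is touched. WEB_CONFIG is a constructed
copy of the proxy's outbound rules; all host names are the assumed ones from the post.
"""
import re
import xml.etree.ElementTree as ET

WEB_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="ReverseProxyOutboundRule1" preCondition="IsRedirection">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://cm\.green/(.*)" />
          <action type="Rewrite" value="http{R:1}://public.cm.com/{R:2}" />
        </rule>
        <rule name="ReverseProxyOutboundRule2" preCondition="IsRedirection">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://cm\.blue/(.*)" />
          <action type="Rewrite" value="http{R:1}://public.cm.com/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="IsRedirection">
            <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def load_outbound_rules(config_xml):
    """Parse <outboundRules>: returns (rules in file order, {precondition name: [(input, pattern)]})."""
    root = ET.fromstring(config_xml)
    outbound = next(root.iter("outboundRules"))
    preconditions = {
        pc.get("name"): [(add.get("input"), add.get("pattern")) for add in pc.findall("add")]
        for pc in outbound.iter("preCondition")
    }
    rules = []
    for rule in outbound.findall("rule"):
        match, action = rule.find("match"), rule.find("action")
        rules.append({
            "name": rule.get("name"),
            "precondition": rule.get("preCondition"),
            "variable": match.get("serverVariable"),
            # URL Rewrite patterns are case-insensitive unless ignoreCase="false" is set.
            "pattern": re.compile(match.get("pattern"), re.IGNORECASE),
            # {R:n} back-references become Python's \g<n> group references.
            "value": re.sub(r"\{R:(\d+)\}", r"\\g<\1>", action.get("value")),
        })
    return rules, preconditions


def precondition_holds(name, preconditions, variables):
    """IIS default logicalGrouping is MatchAll: every <add> must match its server variable."""
    if name is None:
        return True
    for input_name, pattern in preconditions[name]:
        value = variables.get(input_name.strip("{}"), "")
        if not re.search(pattern, value, re.IGNORECASE):
            return False
    return True


def apply_outbound_rules(rules, preconditions, variables):
    """Run the rules in order against a copy of the response's server variables."""
    out = dict(variables)
    for rule in rules:
        if not precondition_holds(rule["precondition"], preconditions, out):
            continue
        current = out.get(rule["variable"])
        if current is None:
            continue
        new_value, n = rule["pattern"].subn(rule["value"], current, count=1)
        if n:
            out[rule["variable"]] = new_value
    return out


def rewrite_location(status, location, config_xml=WEB_CONFIG):
    """The Location header the browser would see for a given upstream status and Location."""
    rules, preconditions = load_outbound_rules(config_xml)
    variables = {"RESPONSE_STATUS": str(status), "RESPONSE_Location": location}
    return apply_outbound_rules(rules, preconditions, variables)["RESPONSE_Location"]


if __name__ == "__main__":
    # Constructed upstream responses: post-login redirect, blue slot, non-redirect, look-alike host.
    for status, location in [
        (302, "https://cm.green/sitecore/shell/"),
        (302, "http://cm.blue/sitecore/login?rc=1"),
        (201, "https://cm.green/sitecore/api/item"),
        (302, "https://cmxgreen/sitecore/"),
    ]:
        print(status, location, "->", rewrite_location(status, location))
```

The two cases worth watching are the ones the rules deliberately leave alone: a non-3xx response that happens to carry a Location header is not rewritten because the IsRedirection precondition fails, and a host that only resembles cm.green (or has it as a prefix of a longer name) is not rewritten because the dot is escaped and the pattern requires the slash right after the host.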

2. Sitecore configuration patch

Sitecore builds the URL it sends the user back to after login, and the redirect_uri it passes to Identity Server, from the host of the incoming request, which behind the proxy is cm.green or cm.blue. The CallbackAuthority setting overrides that authority so both the post-login redirect and the Identity Server callback use the public host. Two things to check: the identityServerAuthority variable is the address the editor's browser is sent to for login, so it must be reachable from the browser and not only from the CM server, and CallbackAuthority must match the public scheme and host exactly, because Identity Server compares redirect URIs literally. The config patch:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/" >
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <!-- The Identity Server URL the browser is redirected to for login. -->
    <sc.variable name="identityServerAuthority" value="https://identity.server" />
    <settings>
      <!-- Fill the FederatedAuthentication.IdentityServer.CallbackAuthority setting if you need another host to receive callbacks from IdentityServer. It is useful for reverse proxy configuration. -->
      <setting name="FederatedAuthentication.IdentityServer.CallbackAuthority" value="https://public.cm.com" />
    </settings>
  </sitecore>
</configuration>

3. Identity Server configuration

The last step is to make Identity Server trust the public.cm.com origin. Sitecore Identity derives the client's allowed redirect and post-logout redirect URIs from the AllowedCorsOrigins list, so a callback on a host that is not listed is rejected at the authorization endpoint. PasswordRecoveryUrl is the link Identity Server's login page shows for password recovery; point it at the public host too, otherwise editors are sent to the internal one. Keep the list to the public origin: any origin listed here is a destination Identity Server will send authorization responses to, so the internal cm.green and cm.blue hosts do not belong in it.

<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      ...
      <AccountOptions>
        <!-- Shown on the Identity Server login page; must use the public host. -->
        <PasswordRecoveryUrl>https://public.cm.com/sitecore/login?rc=1</PasswordRecoveryUrl>
      </AccountOptions>
      <Clients>
        <DefaultClient>
          <!-- Origins trusted as redirect targets; the public host only. -->
          <AllowedCorsOrigins>
            <AllowedCorsOriginsGroup1>https://public.cm.com</AllowedCorsOriginsGroup1>
          </AllowedCorsOrigins>
        </DefaultClient>
        ...
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>
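Once all three pieces are in place, the observable result is a redirect chain that never exposes an internal host and whose hop to Identity Server carries a redirect_uri on the public authority. The script below is an added example, not code from the post or from Sitecore: check_hop() judges one response offline and follow_login() walks a live chain through the proxy without letting urllib follow redirects on its own. The host names are the assumed ones from the post, the start URL /sitecore/ is assumed to trigger the login redirect, and the function names are mine.

```python
"""Post-deployment check of the login redirect chain (added example, not code from the post).

After the three configuration steps, an unauthenticated request to CM through the proxy
should redirect, hop by hop, without ever exposing cm.green or cm.blue, and the hop that
sends the browser to Identity Server must carry a redirect_uri on the public authority
(the CallbackAuthority value). check_hop() judges one response offline; follow_login()
walks a live chain. Host names and the start URL are the assumed ones from the post.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlsplit

PUBLIC_AUTHORITY = "https://public.cm.com"      # FederatedAuthentication.IdentityServer.CallbackAuthority
IDENTITY_AUTHORITY = "https://identity.server"  # sc.variable identityServerAuthority
INTERNAL_HOSTS = {"cm.green", "cm.blue"}        # proxy targets that must never reach the browser


def authority(url):
    """scheme://host[:port] of an absolute URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_hop(status, location):
    """Problems found in one redirect hop; an empty list means the hop is as expected."""
    problems = []
    if not (300 <= status < 400) or not location:
        return problems  # not a redirect: nothing to judge here
    parts = urlsplit(location)
    if not parts.netloc:
        return problems  # relative Location: the browser resolves it against the public host
    if (parts.hostname or "").lower() in INTERNAL_HOSTS:
        problems.append(f"internal host leaked in Location: {location}")
    if authority(location) == IDENTITY_AUTHORITY.lower():
        redirect_uris = parse_qs(parts.query).get("redirect_uri", [])
        if not redirect_uris:
            problems.append("redirect to Identity Server carries no redirect_uri")
        for uri in redirect_uris:
            if authority(uri) != PUBLIC_AUTHORITY.lower():
                problems.append(f"redirect_uri authority is {authority(uri)}, expected {PUBLIC_AUTHORITY}")
    return problems


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled 3xx surfaces as HTTPError with the Location header intact


def follow_login(start_url=PUBLIC_AUTHORITY + "/sitecore/", max_hops=5):
    """Walk the redirect chain from a live proxy (needs network) and collect problems."""
    opener = urllib.request.build_opener(NoRedirect)
    url, findings = start_url, []
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=10)
            status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            status, location = err.code, err.headers.get("Location")
        findings += check_hop(status, location)
        if not location or not (300 <= status < 400):
            break
        url = urljoin(url, location)
    return findings


if __name__ == "__main__":
    for line in follow_login() or ["login redirect chain looks correct"]:
        print(line)
```

A finding of the first kind (internal host in a Location header) points at the proxy's outbound rules; a finding of the second kind (redirect_uri on the wrong authority) points at the CallbackAuthority setting, and if the redirect_uri is right but Identity Server still refuses the login, the AllowedCorsOrigins list is the remaining place to look.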

Thanks to Sitecore Support for pointing me down the right path to make this work! I hope it helps you, and future me 🔮
