Question

When using LFDS for authentication, is setting up an STS on the DMZ actually necessary?

asked on October 9, 2017

I'm reading this page.

It says "This allows administrators to install an instance of the Security Token Service in the DMZ while allowing the Directory Server to remain within the internal network."

That's actually our setup, but I'm wondering: what is the difference between having an STS set up on the DMZ and having that talk to LFDS on the internal network, vs. having the LF modules talk to the STS on the LFDS machine?

For example, let's say that LFDSSTS is installed on https://internalServer/LFDSSTS and Forms is installed on https://dmz/Forms.

Can't we just point FormsConfig to https://internalServer/LFDSSTS, as opposed to pointing it to https://localhost/LFDSSTS and having that talk to LFDS?

0 0

Answer

APPROVED ANSWER
replied on October 9, 2017

The LFDSSTS URI is what Forms uses for the redirect to the STS authentication page, and presumably external users are not able to resolve https://internalServer/LFDSSTS. If they could resolve it, that would imply a hole in the internal firewall allowing traffic from the public internet to the internalServer, as opposed to the far more limited dmzServer to internalServer rule (excluding reverse proxies, etc.).

The envisioned flow is as follows:

  1. User navigates to https://dmzServer/Forms
  2. Forms redirects user to https://dmzServer/LFDSSTS
  3. User enters auth credentials
  4. The DMZ LFDSSTS service passes the credentials to the internal LFDS instance through a limited firewall hole between dmzServer and internalServer, and receives an auth response back.
  5. If successful, STS generates an SSO token and redirects the user back to https://dmzServer/Forms, which checks for the token and logs them in.

5 0
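The flow in the answer hinges on which network hop each step originates from: steps 2 and 3 are browser redirects, so the STS URI in FormsConfig must be resolvable and reachable from the user's zone, while step 4 is a server-to-server call from the STS host. The following simulation is an added example, not code from the post or from Laserfiche. The zone model, the firewall rules, the hypothetical LFDS URL `https://internalServer/LFDS` and the token value are all constructed assumptions; only the dmzServer/internalServer hostnames and the Forms/LFDSSTS paths come from the thread. It walks both configurations the question compares and shows why pointing Forms at the internal STS only works for users who already sit inside the firewall.

```python
"""Walk the Forms -> STS -> LFDS login redirect across network zones.

Constructed model: hosts, zones and firewall rules are assumptions made for
this example; only dmzServer/internalServer and the URL paths come from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Which host sits in which zone (assumption for the example).
HOST_ZONE = {"dmzServer": "dmz", "internalServer": "internal"}

# Permitted (source zone -> destination host) flows. The only hole from the
# DMZ into the internal network is the single dmzServer -> internalServer rule.
ALLOWED_FLOWS = {
    ("internet", "dmzServer"),
    ("dmz", "dmzServer"),
    ("dmz", "internalServer"),
    ("internal", "dmzServer"),
    ("internal", "internalServer"),
}


def host_of(url: str) -> str:
    """'https://dmzServer/Forms' -> 'dmzServer'."""
    return url.split("//", 1)[1].split("/", 1)[0]


def reachable(src_zone: str, url: str) -> bool:
    """True if the firewall model lets src_zone open a connection to url's host."""
    return (src_zone, host_of(url)) in ALLOWED_FLOWS


@dataclass
class LoginTrace:
    steps: List[str] = field(default_factory=list)
    token: Optional[str] = None
    error: Optional[str] = None


def sso_login(client_zone: str, forms_url: str, sts_url: str, lfds_url: str) -> LoginTrace:
    """Simulate the five-step flow; every hop is checked from the zone it originates in."""
    t = LoginTrace()
    # 1. Browser loads Forms.
    if not reachable(client_zone, forms_url):
        t.error = f"{client_zone} cannot reach {host_of(forms_url)} (Forms)"
        return t
    t.steps.append(f"{client_zone}: GET {forms_url}")
    # 2. Forms answers with a redirect to the STS URI from its configuration.
    t.steps.append(f"Forms: 302 -> {sts_url}")
    # 3. The *browser* follows that redirect, so the STS host must be reachable
    #    from the client's zone, not from the Forms server's zone.
    if not reachable(client_zone, sts_url):
        t.error = f"{client_zone} cannot reach {host_of(sts_url)} (STS)"
        return t
    t.steps.append(f"{client_zone}: POST credentials to {sts_url}")
    # 4. STS validates against LFDS; this hop originates on the STS host.
    sts_zone = HOST_ZONE[host_of(sts_url)]
    if not reachable(sts_zone, lfds_url):
        t.error = f"{sts_zone} STS cannot reach {host_of(lfds_url)} (LFDS)"
        return t
    t.steps.append(f"STS ({sts_zone}): authenticate via {lfds_url}")
    # 5. On success the STS issues a token and sends the browser back to Forms.
    t.token = "sso-token-constructed"  # placeholder, not a real token format
    t.steps.append(f"STS: 302 -> {forms_url} (with token)")
    return t


FORMS = "https://dmzServer/Forms"
LFDS = "https://internalServer/LFDS"          # hypothetical LFDS endpoint
STS_DMZ = "https://dmzServer/LFDSSTS"
STS_INTERNAL = "https://internalServer/LFDSSTS"


def scenarios() -> Dict[str, LoginTrace]:
    """The two configurations from the question, for an external and an internal user."""
    return {
        "external user, STS in DMZ": sso_login("internet", FORMS, STS_DMZ, LFDS),
        "external user, STS internal": sso_login("internet", FORMS, STS_INTERNAL, LFDS),
        "internal user, STS internal": sso_login("internal", FORMS, STS_INTERNAL, LFDS),
    }


if __name__ == "__main__":
    for name, trace in scenarios().items():
        print(f"== {name}")
        for step in trace.steps:
            print("  ", step)
        print("  result:", trace.token or f"FAILED: {trace.error}")
```

Running it shows the external user completing the login only when the STS is on dmzServer; with the STS on internalServer the trace stops at step 3, because the redirect asks the browser, not the Forms server, to connect to the internal host. Making that configuration work for external users would require exactly the internet-to-internalServer rule the answer warns against, which is the trade-off the DMZ STS avoids.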
replied on October 9, 2017

Thanks. That is very helpful.

0 0
replied on October 9, 2017

Welcome!

0 0
replied on June 11, 2019

What about the Web Client and Mobile App, if both are installed in the DMZ area?

0 0
replied on June 11, 2019

Hi Shiraj,

The Laserfiche web client and App both follow the same login flow with LFDS/STS as Forms. The guidance I provided above holds true for any Laserfiche web app that uses SSO logins through LFDS.

1 0
