Enabling REST when using SSO with IDM

November 08, 2024 10:57 Updated

Enabling REST connections for ADOxx with Single-Sign On (SSO) using IDM Authentication.

Important: This guide provides a possible approach to setting up IIS/IDM, based on best practice. However, please note that we cannot take any legal responsibility for the implementation and the possible consequences resulting from it. It is mandatory to involve an IT specialist on your side to verify and maintain the connection.

This scenario involves an authentication server such as Microsoft Internet Information Services (IIS) that is used to handle SSO between the client (typically the web browser) and ADOxx. The ISAPI redirector module is used to connect IIS to the Apache Tomcat web server running the ADOxx web client. See ISAPI redirector for Microsoft (IIS) HowTo (apache.org).

For how to enable the REST interface in your BOC product, please follow the ADONIS (up to Version 15), ADOIT and ADOGRC administration manual, or the ADONIS 16 manual.

Specific additional configuration steps are required to enable REST in the scenario described above.

Option 1: Direct connection to Apache Tomcat web server

REST requests are sent directly to the Apache Tomcat web server hosting the ADOxx web application, bypassing the Microsoft Internet Information Services (IIS) web server used for Single Sign On (SSO).

In this scenario, the Apache Tomcat web server needs to be directly accessible over the network by the users sending the REST requests.

An HTTP/HTTPS Connector needs to be configured in the Apache Tomcat web server's configuration. For details, please see your BOC product's manual on Tomcat's server.xml configuration.

Please note: If you are hosted by us, please open a support request. A short downtime will be necessary.

Option 2: Configure IIS to pass through REST requests

In this scenario, all requests targeting the URL for ADOxx's REST endpoint (/rest/*) need to be redirected to the Apache Tomcat's HTTP/HTTPS Connector.
The following modules and configuration are used on the Microsoft Internet Information Services (IIS) web server:

- Application Request Routing module, with activated proxy. Disable "Include TCP port from client IP".
- URL Rewrite module, with an inbound rule on the default site, which forwards <ADOxx Base URL>/rest/ to the Apache Tomcat's HTTP/HTTPS Connector. For example:
    Pattern: ADONIS16_0/rest/
    Rewrite URL: http://hostname:portnumber{PATH_INFO}
- Enable "anonymous authentication" on IIS's default site. This is required because IIS is not able to handle the authentication methods used by ADOxx's REST interface.

For SSO with IDP, the "ISAPI Redirector" module is used to connect the IIS web server to the Tomcat's "AJP Connector".

An exception rule for URLs targeting ADOxx's REST endpoint (<ADOxx web application's name>*/rest/*) needs to be set in the "ISAPI Redirector" configuration, so that no REST requests are forwarded to that "AJP Connector". For example, in uriworkermap.properties (see uriworkermap documentation (apache.org)):

    !/ADONIS16_0*/rest/* = <workername>

Documentation on configuration of The AJP Connector (apache.org)
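To check an exception rule before deploying it, the following added example (not part of the original article, nor BOC's or Apache's code) evaluates a uriworkermap file against request paths using a simplified model: the longest matching include pattern wins, then exclusion rules for that worker or for `*` are applied. The worker name `adoxx_worker`, the include rule, the request paths and case-sensitive matching are assumptions.

```python
import re

# Constructed sample, modelled on the article's example. "adoxx_worker" stands
# in for the <workername> placeholder; the include rule is an assumed mapping.
SAMPLE_MAP = """\
# forward the web client to Tomcat's AJP Connector
/ADONIS16_0|/* = adoxx_worker
# exception rule: keep REST requests away from the AJP Connector
!/ADONIS16_0*/rest/* = adoxx_worker
"""

def parse_rules(text):
    """Return (include, exclude) lists of (uri_pattern, worker) tuples."""
    include, exclude = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        uri, worker = (part.strip() for part in line.split("=", 1))
        target = exclude if uri.startswith("!") else include
        uri = uri.lstrip("!")
        if "|" in uri:  # "/ctx|/*" is shorthand for "/ctx" plus "/ctx/*"
            base, suffix = uri.split("|", 1)
            target += [(base, worker), (base + suffix, worker)]
        else:
            target.append((uri, worker))
    return include, exclude

def matches(pattern, path):
    """Wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, path) is not None

def ajp_worker_for(path, rules):
    """Worker that would receive `path` over AJP, or None if not forwarded."""
    include, exclude = rules
    hits = [(p, w) for p, w in include if matches(p, path)]
    if not hits:
        return None
    _, worker = max(hits, key=lambda hit: len(hit[0]))  # longest pattern wins
    for pattern, excluded_worker in exclude:
        if excluded_worker in (worker, "*") and matches(pattern, path):
            return None
    return worker

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_MAP)
    for path in ("/ADONIS16_0/", "/ADONIS16_0/rest/some/resource", "/ADONIS16_0/restart"):
        print(f"{path!r:35} -> {ajp_worker_for(path, rules)}")
```

A result of `None` for a REST path means the request stays with IIS, where the URL Rewrite rule can pass it to the HTTP/HTTPS Connector; any path that still resolves to the worker would go through the SSO-protected AJP route.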