FoxIDs

Deployment

Deploy FoxIDs in your Azure tenant.

Deploy to Azure

The Azure deployment includes:

  • Two App Services, one for FoxIDs and one for FoxIDs Control (Client and API). Both App Services are hosted in the same App Service plan, and each App Service has both a production and a test slot.
  • FoxIDs is deployed to the two App Services' test slots from the master branch with Kudu. When the branch is updated, a deployment update is automatically initiated with webhooks. Deployment updates are automatically promoted from the test slots to the production slots. In a production environment it is recommended to change the production promotion to be manually initiated.
  • Key vault. Secrets are placed in Key vault.
  • Cosmos DB.
  • Redis cache.
  • Application Insights.

Send emails with Sendgrid

FoxIDs relies on Sendgrid to send emails to users for account verification and password reset.
You can optionally configure a Sendgrid from email address and Sendgrid API key in the Azure deployment configuration. You can create Sendgrid either in Azure or directly on Sendgrid; an Azure-managed Sendgrid includes more free emails.

Remember to set up domain authentication in Sendgrid for the from email.

A Sendgrid from email address and API key can later be configured per track.

First login and admin users

After successful deployment, open FoxIDs Control Client on https://foxidscontrolxxxxxxxxxx.azurewebsites.net (the app service starting with foxidscontrol...), which brings you to the master tenant.

The default admin user is: [email protected] with password: FirstAccess! (you are required to change the password on first login)

FoxIDs Control Client - Master tenant

Create your own admin users with a valid email address and grant the users the admin role 'foxids:tenant.admin'.

FoxIDs Control Client - Master tenant admin user

Troubleshooting deployment errors

Key Vault soft deleted

If you have deleted a previous deployment, the Key Vault is only soft deleted and still exists with the same name for some months. In this case you can get a 'ConflictError' with the error message 'Exist soft deleted vault with the same name.'.

The solution is to delete (purge) the old Key Vault, which will release the name.

Seed

Upload risk passwords

You can upload risk passwords in the FoxIDs Control Client master tenant on the Risk Passwords tab.

FoxIDs Control Client - Upload risk passwords

Download the SHA-1 pwned passwords ordered by prevalence from haveibeenpwned.com/passwords.

Be aware that it takes some time to upload all risk passwords. This step can be omitted and postponed to later.
The risk passwords are uploaded in bulk, which has a higher consumption. Please make sure to adjust the Cosmos DB provisioned throughput (e.g. to 20000 RU/s) temporarily.
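
Because the upload is slow and consumes throughput, it is worth checking the downloaded file before starting. The following is an added example, not FoxIDs code: it assumes the `HASH:COUNT` line format of the Pwned Passwords download, and the function names and sample entries are constructed for illustration.

```python
import hashlib
import re

# One entry of the SHA-1 list: 40 hex characters, a colon, a prevalence count.
SHA1_LINE = re.compile(r"^([0-9A-Fa-f]{40}):(\d+)$")

def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form used in the downloaded list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def check_risk_password_file(lines):
    """Stream HASH:COUNT lines; return (valid_entries, problems)."""
    valid, problems, previous = 0, [], None
    for number, raw in enumerate(lines, start=1):
        match = SHA1_LINE.match(raw.strip())
        if not match:
            # For example a 32-character NTLM hash from the wrong download.
            problems.append((number, "not a SHA-1 HASH:COUNT line"))
            continue
        count = int(match.group(2))
        if previous is not None and count > previous:
            problems.append((number, "not ordered by prevalence"))
        previous = count
        valid += 1
    return valid, problems

def is_risk_password(password, lines):
    """True if the password's SHA-1 digest appears in the list."""
    digest = sha1_hex(password)
    return any(line.split(":", 1)[0].strip().upper() == digest for line in lines)

# Constructed sample, not real Pwned Passwords data; the counts are made up.
SAMPLE = [
    f"{sha1_hex('123456')}:900",
    f"{sha1_hex('password')}:500",
    "AB" * 16 + ":400",           # 32 hex characters: wrong hash type
    f"{sha1_hex('qwerty')}:700",  # higher count than the line above it
]

if __name__ == "__main__":
    valid, problems = check_risk_password_file(SAMPLE)
    print(f"{valid} valid entries")
    for number, reason in problems:
        print(f"line {number}: {reason}")
    print("password is a risk password:", is_risk_password("password", SAMPLE))
```

For the real download, pass an open text file handle instead of `SAMPLE`; both functions read line by line, so the file is never loaded into memory as a whole.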

Add sample configuration to a track

It is possible to run the sample applications after they are configured in a FoxIDs track. The sample configuration can be added with the sample seed tool.

Custom domains

The FoxIDs and FoxIDs Control domains can be customized.

Important: change the primary domain before adding tenants.

The FoxIDs default domain is https://foxidsxxxx.azurewebsites.net, which can be changed to a custom domain such as https://foxidsxxxx.com or https://foxids.xxxx.com
The FoxIDs Control default domain is https://foxidscontrolxxxx.azurewebsites.net, which can be changed to a custom domain such as https://control.foxidsxxxx.com or https://foxidscontrol.xxxx.com

Custom domains are configured in the Azure portal on the FoxIDs App Service and the FoxIDs Control App Service production slot, under the Custom domains tab, by clicking the Add custom domain link. The FoxIDs site supports one primary domain and multiple secondary domains, whereas FoxIDs Control only supports one primary domain.

Additional primary custom domain configuration:

  1. First log in to the FoxIDs Control Client using the default/old primary domain. Select the Parties menu, and under Down Parties click OpenID Connect - foxids_control_client and then click Show advanced settings.
  • Add the FoxIDs Control site's new primary custom domain to the Allow CORS origins list without a trailing slash.
  • Add the FoxIDs Control Client site's new primary custom domain login and logout redirect URIs to the Redirect URIs list, including the trailing /master/authentication/login_callback and /master/authentication/logout_callback.

If you have added tenants before changing the primary domain, the OpenID Connect - foxids_control_client configuration has to be done in each tenant.

  2. Then configure the FoxIDs and FoxIDs Control sites' new primary custom domains in the FoxIDs Control App Service under the Configuration tab and the Application settings sub tab:
  • The setting Settings:FoxIDsEndpoint is changed to the FoxIDs site's primary custom domain.
  • The setting Settings:FoxIDsControlEndpoint is changed to the FoxIDs Control site's primary custom domain.