If you do not provide redirect URL for IDP login form it always redirects to the first service provider in cuba.idp.serviceProviderUrls property. See com.haulmont.idp.controllers.IdpController#authenticate.
So how to configure cuba.webPort in this case？ For example, tomcat run on http 8090, but the Nginx https port is 443. I am not sure what does cuba use this paramter for so dont know how to configure it.
And should cuba.connectionUrlList be configured to https? or http will be enough?
It is only internal port used for identification of the server. It is not used in any external links, so you need to set it to real port of the Tomcat instance. As for cuba.connectionUrlList you do not need HTTPs between web and core servers if they are deployed on the same server or if you use an isolated virtual network for your cluster.
We face one problem while try to set up https for the idp server.
The problem is about configure cuba.web.idp.baseUrl, when I set it to the http url, access to https is ok. but while I configure it to the https url, it seems happens endless loop while redirect to idp login form. Could you help check, please? Below are my configurations:
The only thing to know about cuba.web.idp.baseUrl is that it must be accessible using both for server-to-server communication with SP and using public network, as it is used in redirects. So, if you use internal IPs (it is usually bad practice any way) you have to map cuba.web.idp.baseUrl to the same server as public mapping.
Sorry, it takes so much time, I’ll not be able to reproduce your scenario. I’d strongly recommend that you set up the same configuration on test servers and debug your authentication flow thoroughly.
I never mentioned I user internal IPs. For several times, you misunderstood my points and reply on the misunderstanding:joy:. Maybe I should be sorry for my English, but nerver mind, let me try, will let you know the results. Thanks for your help and quick reply always.