IIS website configuration
SSL/HTTPS setup instructions
At this point Salto IDM will be installed and accessible via the port configured during the installation.
- By default, the installer uses port 81 and HTTP.
- The port and protocol can be changed using the steps below; depending on your requirements and infrastructure, additional steps might be necessary.
- It is highly recommended to configure an HTTPS binding and remove the default HTTP.
To change your website bindings to use HTTPS, first open Internet Information Services (IIS) Manager.
In the left menu, click on the computer name, and then in the IIS section click on Server Certificates.
Use the Actions menu on the right to add the website certificate you want to use with Salto IDM.
- You can import your website certificate here if you have the necessary .pfx file.
- Make sure that the imported certificate is issued by a trusted authority and that the name matches the host name you will use.
- Using this method will allow you to have a secure website and avoid browser errors.
- You will have to manually update your certificate when it expires.
- Or you can create a self-signed certificate using PowerShell.
- Using the Create Self-Signed Certificate option from IIS can generate errors when using modern browsers (for example, ERR_SSL_KEY_USAGE_INCOMPATIBLE), so open PowerShell as Administrator and run New-SelfSignedCertificate -Subject subdomain.domain.com.
- Using this step will help you configure HTTPS, but you will receive browser errors, and your website will be marked as non-secure.
- This method is only recommended for testing or demo environments, not for production.
- Optionally you can create a certificate using Let's Encrypt.
- This is the recommended method as it uses a fully trusted certificate that automatically renews.
- The only requirement is that the Salto IDM website must be accessible from the internet, so this is not possible with fully on-premises installations.
- You should create an HTTPS binding with a DNS record pointing to your server public IP (explained below).
- If you want to use this method, first configure HTTPS using a self-signed certificate, and then follow this Installation Manual to install the Let's Encrypt certificate.
Once the certificate is installed on the server, use the left menu to expand the submenu under the computer name, expand Sites, and select the website you created for Salto IDM.
In the Actions menu on the right, click on Bindings… and the following window will open.
Click on Add… to create a new HTTPS binding using the following parameters:
- Use HTTPS for Type.
- IP address and Port can be left unchanged.
- Add the host name you want to use to browse to Salto IDM (for example, saltoidm.yourcompany.com).
- The checkboxes can be left unchanged.
- Select the previously imported or created SSL certificate from the dropdown.
Click OK.
It is recommended that you remove the default HTTP binding by selecting it and clicking Remove.
Click Close. Salto IDM should now be accessible using the host name, protocol, and port you configured (for example, https://saltoidm.com).
- When using HTTP and port 80, or HTTPS and port 443, you do not have to add the port to the browser URL.
- When using non-default ports you need to write the port in the URL.
http://saltoidm.com:80 is the same as http://saltoidm.com.
https://saltoidm.com:443 is the same as https://saltoidm.com.
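The same binding change done from PowerShell with the WebAdministration module, as an added example that is not part of the Salto IDM manual: it creates the self-signed certificate for a test environment (production should import the CA-issued .pfx instead), adds the HTTPS binding to the site and removes the default HTTP binding. The site name SaltoIDM, the host name and the ports are assumptions.

```powershell
# Added example (not from the Salto IDM manual). Run in an elevated PowerShell.
Import-Module WebAdministration

$siteName  = 'SaltoIDM'                    # assumed IIS site name
$hostName  = 'saltoidm.yourcompany.com'    # assumed host name
$httpPort  = 81                            # installer default (HTTP)
$httpsPort = 443

# Test/demo only: self-signed certificate in the Local Machine 'My' store,
# the store IIS Manager's Server Certificates view reads from.
# For production, import the CA-issued file instead, for example:
#   Import-PfxCertificate -FilePath .\site.pfx -CertStoreLocation Cert:\LocalMachine\My
$cert = New-SelfSignedCertificate -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "Salto IDM ($hostName)"

# Add the HTTPS binding with the host name (SslFlags 1 = SNI) and attach the certificate.
New-WebBinding -Name $siteName -Protocol https -Port $httpsPort `
    -HostHeader $hostName -SslFlags 1
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Remove the default HTTP binding so the site answers only over HTTPS.
Remove-WebBinding -Name $siteName -Protocol http -Port $httpPort

# Verify: only the HTTPS binding remains and the certificate is bound to it.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation, sslFlags
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
```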
Optional: Configure host name for internet or intranet access
When you want to use the previously created host name via the internet or inside a local network (for example, for production environments), you must add a DNS record to your domain that points to your server IP so that the website can be reached and the SSL certificate can be validated.
Using your domain name provider (contact your IT department if needed), add a new A-Record to your domain, pointing to the public or private IP of the web server that hosts Salto IDM.
- If you configured a subdomain when setting up the host name in IIS, make sure to specify this as well when creating the DNS record.
- Publicly accessible DNS records might take some time to propagate (up to 48 hours depending on your provider).
Make sure that there are firewall rules configured to access your web server either from the public internet or inside your corporate network.
- This can be both at hardware level (for example, a physical firewall to the network where the server is hosted) and at software level (for example, using Windows Firewall to allow web traffic on that port).
After the DNS records propagate, you should be able to browse Salto IDM using the provided domain name from any PC.
- When configured to be accessible over the internet, Salto IDM can be browsed from any device with internet access.
- Access can be restricted to certain IPs or IP ranges only (see Salto IDM -- Product Configuration guide for further reference).
- This is the best scenario for use cases where users need to interact with the system from their own devices or from any location (for example, visitors who must fill in their details from home, or employees who are not always on a corporate network).
- When the DNS records exist only inside a corporate network, Salto IDM can only be reached if the device is connected to the intranet (for example, via VPN or corporate Wi-Fi).
- This scenario is most suitable for use cases where it is not necessary to expose the application to the public, or where certain features are not required (for example, when employees with intranet access are the only ones who need access to Salto IDM, or when visitors use the kiosk to register instead of their own devices).
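A way to open the software-level firewall and check the DNS record, port and TLS handshake from PowerShell once the A record has propagated, as an added example that is not part of the Salto IDM manual; the host name, port and rule name are assumptions, and the hardware firewall still has to be configured separately.

```powershell
# Added example (not from the Salto IDM manual). Run in an elevated PowerShell.
$hostName  = 'saltoidm.yourcompany.com'    # assumed host name (A record target)
$httpsPort = 443                           # assumed HTTPS binding port
$ruleName  = 'Salto IDM HTTPS'             # assumed firewall rule name

# Software-level rule: allow inbound TCP on the HTTPS port (idempotent).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $httpsPort -Action Allow
}

# 1. Does the host name resolve, and to which address?
Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop |
    Select-Object Name, IPAddress

# 2. Is the port reachable from this machine?
$tcp = Test-NetConnection -ComputerName $hostName -Port $httpsPort
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP port $httpsPort on $hostName is not reachable (check both firewalls)."
}

# 3. Does the TLS handshake and certificate validation succeed without a browser?
#    A self-signed certificate fails here, which is the same error a browser shows.
try {
    $resp = Invoke-WebRequest -Uri "https://${hostName}:$httpsPort" -Method Head -UseBasicParsing
    "HTTPS OK, status $($resp.StatusCode)"
} catch {
    Write-Warning "HTTPS request failed: $($_.Exception.Message)"
}
```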
Optional: Configure host name for local access
When you want to use the previously created host name on your own PC or server (for example, for testing or demo environments), add a record to the hosts file on that computer, which will allow you to use that host name on your browser to access Salto IDM.
Open Notepad as Administrator.
Open a file (Ctrl + O).
Browse to the folder C:\Windows\System32\drivers\etc.
Select All Files (bottom right).
Open the file hosts to edit it.
Add an entry at the bottom of the file with the name of your website (for example, 127.0.0.1 yourcompany.saltoidm.com).
Close Notepad and save the file when asked.
After the hosts file is saved, you should be able to browse Salto IDM using the provided domain name from this PC.
- When using this setup, no other devices will be able to reach the host name you configured.
- This is mainly used for demo or testing purposes when no other users need to browse Salto IDM.