Self-Hosting SSOReady
Self-Hosting SSOReady
How to manage SAML and SCIM entirely in your cloud or your customer's cloud
Self-Hosting SSOReady
SSOReady is a free, MIT-licensed way to add SAML and SCIM support to your app. A free hosted version of SSOReady is available online at app.ssoready.com. This article explains how to run SSOReady on your own machines, instead of using the public, free version of SSOReady at app.ssoready.com.
This article focuses on running SSOReady in your own cloud. You can also run SSOReady in your customer’s cloud, so that SSOReady becomes a component of your larger on-premises offering to your customers; the only difference is that you’ll need to follow these instructions for each customer.
SSOReady requires four essential components:
ssoready-app is the webapp for SSOReady. In the free hosted version, this lives at https://app.ssoready.com.ssoready-api is what ssoready-app and your code (either directly, or using the SSOReady SDKs) talks to. In the free hosted version, this lives at https://api.ssoready.com.ssoready-auth is proxy for SAML and SCIM interactions. In the free hosted version, this lives at https://auth.ssoready.com.ssoready-db is a PostgreSQL database that ssoready-api and ssoready-auth talk to. This is where SSOReady keeps state.An additional fifth component is optional:
ssoready-admin is the webapp that powers the self-serve setup UI. In the free hosted version, this lives at https://admin.ssoready.com.To that end, SSOReady maintains four Docker containers you can use to self-host:
ssoready/ssoready-app runs the webappssoready/ssoready-api runs the SSOReady APIssoready/ssoready-auth runs the public-facing SSOReady SAML and SCIM proxyssoready/ssoready-migrate runs SSOReady’s database migrations against a Postgres databasessoready/ssoready-admin runs the public-facing self-serve setup UIHere’s an example of how you can self-host SSOReady using docker compose. You can copy-paste this into
docker-compose.yml and run docker compose up to test it yourself right now.
(The example above requires localhost ports 5432, 8080, 8081, 8082, and 8083.)
Now, you’ll need to set up the database tables that SSOReady requires. Do so by running:
From here, you can visit localhost:8082, log in via Google, and then start using SSOReady as usual. To use the
SSOReady SDKs with your locally-running instance of SSOReady, see “Configuring SDKs to talk to self-hosted SSOReady
instances” below.
The example setup above is meant for use in localhost. There are a few things you need to do to make it work in
production:
id_token signing keyssoready-appThe sections below detail how you’ll do this.
In the example configuration above, ssoready-auth and ssoready-api both have a “SAML State Signing Key” set to all
zeroes. That’s a value that’s adequate for development, but in production you must use a random value. Generate this
random value by running:
ssoready-auth and ssoready-api must use the same value for this secret. It is safe to rotate this value at any time
by using a new random, 64-digit hex number.
id_token Signing KeyThis section is only required if you use SAML-over-OAuth.
SSOReady’s SAML-over-OAuth integration has ssoready-auth act as an OIDC-compliant server. Such servers need to issue
id_token values, which are RSA-signed JSON Web Tokens. ssoready-auth by default generates a new, random RSA keypair
to sign these id_token values. This default doesn’t work well if you’re running multiple ssoready-auth instances
behind a load balancer, or if ssoready-auth instances are frequently being recreated.
To configure an id_token signing key, generate a new base64-encoded RSA private key like so:
And then update ssoready-auth’s AUTH_OAUTH_ID_TOKEN_PRIVATE_KEY to be that value.
To log into ssoready-app, you need to configure at least one of the following login methods:
If you don’t configure any of these, then there’s no way to log into SSOReady. The simplest login method to add is Google, followed by email, followed by Microsoft.
To configure Google-based social logins into ssoready-app, you need to populate the following env vars:
APP_GOOGLE_OAUTH_CLIENT_ID in ssoready-appAPI_GOOGLE_OAUTH_CLIENT_ID in ssoready-apiTo do so, you need to create a Google OAuth client. Follow Google’s docs for creating an OAuth
client. You’ll want to configure the
same “Authorized Javascript origin” as the value you chose for APP_APP_URL. From there, the client ID (ending in
apps.googleusercontent.com) is the value you’ll want to put in the two env vars.
Configuring log in with email is optional. Most users only set up Google.
To configure email-based logins into ssoready-app, you need to populate the following env vars:
API_RESEND_API_KEY in ssoready-apiAPI_EMAIL_CHALLENGE_FROM in ssoready-apiAPI_EMAIL_VERIFICATION_ENDPOINT in ssoready-apiSSOReady uses Resend to send transactional emails. Resend’s free tier is more than enough here; you will not need to pay for Resend. To get an API key, you will:
From there, configure:
API_RESEND_API_KEY to be your Resend API key. It starts with re_....API_EMAIL_CHALLENGE_FROM to be noreply@DOMAIN, where DOMAIN is the domain you configured in step (2) above.API_EMAIL_VERIFICATION_ENDPOINT to be the same value you chose for APP_APP_URL in ssoready-app, but followed by /verify-email.Configuring log in with Microsoft is optional. Most users only set up Google.
To configure Microsoft-based logins into ssoready-app, you need to populate the following env vars:
API_MICROSOFT_OAUTH_CLIENT_ID in ssoready-apiAPI_MICROSOFT_OAUTH_CLIENT_SECRET in ssoready-apiAPI_MICROSOFT_OAUTH_REDIRECT_URI in ssoready-apiAPP_MICROSOFT_OAUTH_CLIENT_ID in ssoready-appAPP_MICROSOFT_OAUTH_REDIRECT_URI in ssoready-appSet API_MICROSOFT_OAUTH_REDIRECT_URI and APP_MICROSOFT_OAUTH_REDIRECT_URI to be the same value as APP_APP_URL in
ssoready-app, but followed by /internal/microsoft-callback.
To get the CLIENT_ID and CLIENT_SECRET vars, you need to create a Microsoft OAuth client. Follow Microsoft’s docs
for creating an OAuth app.
REDIRECT_URI env vars above.API_MICROSOFT_OAUTH_CLIENT_ID and APP_MICROSOFT_OAUTH_CLIENT_ID.API_MICROSOFT_OAUTH_CLIENT_SECRET.The SSOReady Management API lets you programmatically automate everything that would otherwise require a human to click around in the SSOReady web application. If you don’t need the Management API, skip this section.
To enable the Management API in a self-hosted instance of SSOReady, you must
first log into the SSOReady web application a first time. That will create a
app_organizations row in the SSOReady database, upon which you can enable the
Management API.
Once you have logged into SSOReady, you can next connect to your your SSOReady
database (using psql or any other tool you’re comfortable with), and run:
To determine the appropriate id to run in the SQL command above, you may run:
In the common case where nobody else has logged into the SSOReady web
application, there will only be one app_organizations row to choose from.
By default, the SSOReady SDKs expect to talk to https://api.ssoready.com. When you’re running SSOReady self-hosted,
you need to point it to your own instance of ssoready-api. Here’s how you do that, supposing your ssoready-api lives
at localhost:8081 like in the example above:
ssoready-dbSSOReady requires ssoready-db to be a Postgres database. The ssoready/ssoready-migrate docker image can take any
Postgres database, and set it up to have the database tables SSOReady requires. ssoready-migrate is idempotent; it is
safe to run it multiple times or at any time.
The -d (--database-url) parameter requires a postgres:// URI, of the form: