Virtual Machine (VM) Deployment
This deployment option is ideal for teams running Identity Broker on a single server or traditional infrastructure without container orchestration.
It provides a simple, production-ready setup using a standalone Java process with optional HTTPS via Nginx.
System Requirements
- OS: Linux (Ubuntu 22.04 LTS, RHEL 8+, Amazon Linux 2023) or Windows Server 2019+
- Java: OpenJDK 21 or higher
- Memory: Minimum 512MB RAM (1GB+ recommended)
- Storage: 2GB minimum (application + logs + database)
- Network:
  - Port 8080 (HTTP)
  - Port 443 (HTTPS via reverse proxy)
Installation Steps
1. Install Java 21
sudo apt update
sudo apt install openjdk-21-jre-headless -y
java -version
2. Create Application Directories
sudo mkdir -p /opt/idp-broker
sudo mkdir -p /opt/idp-broker/data
sudo mkdir -p /opt/idp-broker/logs
3. Download Identity Broker
cd /opt/idp-broker
sudo wget https://github.com/adroitts/identix/releases/download/v1.0.7-beta/idp-broker-1.0.7-beta.war
4. Create Dedicated Application User (Recommended)
sudo useradd -r -s /bin/false idpbroker
sudo chown -R idpbroker:idpbroker /opt/idp-broker
5. Create Environment Configuration
sudo tee /opt/idp-broker/application.env > /dev/null <<EOF
# Broker Configuration
BROKER_ISSUER=https://idp.yourdomain.com
BROKER_ISSUER_DYNAMIC=false
# Database Path
DB_PATH=/opt/idp-broker/data/idp-broker.db
# Logs Directory
APP_LOGS_DIRECTORY=/opt/idp-broker/logs
# Secret Encryption
# Generate using: openssl rand -base64 32
# NOTE: also keys the trial anchor — keep it stable and identical across all instances.
SECRET_ENCRYPTION_KEY=YOUR_BASE64_ENCRYPTION_KEY_HERE
# Licensing — vendor public key (PEM) to verify .lic files. Empty ⇒ 30-day trial, then FREE tier.
# Must be the Licenser's keys/public.pem. Optional online activation: LICENSE_SERVER_ENABLED=true
# with LICENSE_SERVER_BASE_URL=https://your-licenser-host
LICENSE_PUBLIC_KEY=
# Secure cookies — REQUIRED in production (HTTPS). Also required for cross-site SAML POST-binding:
# the IdP-correlation cookie is only sent SameSite=None;Secure when this is true, else SP-initiated
# SAML login fails to correlate the session. The broker warns at startup if a SAML IdP is configured
# while this is off.
SERVER_SERVLET_SESSION_COOKIE_SECURE=true
# Optional: Redis for session clustering
REDIS_ENABLED=false
# SPRING_DATA_REDIS_HOST=localhost
# SPRING_DATA_REDIS_PORT=6379
# SPRING_DATA_REDIS_PASSWORD=
# Optional: Azure Key Vault
# SECRET_MANAGER_TYPE=azure
# AZURE_KEYVAULT_URI=https://your-vault.vault.azure.net/
# AZURE_TENANT_ID=your-tenant-id
# Optional: AWS Secrets Manager
# SECRET_MANAGER_TYPE=aws
# AWS_REGION=us-east-1
# AWS_SECRETS_PREFIX=idp-broker/
# Optional: HashiCorp Vault
# SECRET_MANAGER_TYPE=vault
# VAULT_ADDR=http://localhost:8200
# VAULT_TOKEN=your-vault-token
EOF
6. Create systemd Service
sudo tee /etc/systemd/system/idp-broker.service > /dev/null <<EOF
[Unit]
Description=Identity Broker Service
After=network.target
[Service]
Type=simple
User=idpbroker
WorkingDirectory=/opt/idp-broker
EnvironmentFile=/opt/idp-broker/application.env
ExecStart=/usr/bin/java -Xms512m -Xmx1024m -jar /opt/idp-broker/idp-broker-1.0.7-beta.war
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
EOF
7. Enable and Start Service
sudo systemctl daemon-reload
sudo systemctl enable idp-broker
sudo systemctl start idp-broker
8. Verify Status and Logs
sudo systemctl status idp-broker
sudo journalctl -u idp-broker -f
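Before enabling the service in step 7, it is worth checking the application.env written in step 5. The script below is an added example, not part of Identity Broker or its documentation: it verifies that the file is not world-readable (sudo tee leaves it root-owned and 0644, which exposes SECRET_ENCRYPTION_KEY to every local account), that the key is a real 32-byte value rather than the placeholder, that BROKER_ISSUER is an https URL and that the secure session cookie is on. The functions check_env and write_sample_env are this example's own; the sample file written at the end is constructed, and GNU coreutils (stat -c, base64 -d) is assumed as on the Linux targets listed above.

```shell
#!/bin/bash
# Pre-flight validator for /opt/idp-broker/application.env (added example, not part of
# Identity Broker). Assumes GNU coreutils (stat -c, base64 -d) on a Linux host.
check_env() {
  local env_file="$1" fails=0 mode key issuer
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  # Last uncommented assignment wins; commented-out "# KEY=" lines are ignored.
  get() { grep -E "^$1=" "$env_file" | tail -n 1 | cut -d= -f2-; }

  # 1. 'sudo tee' leaves the file root-owned and 0644, so the encryption key is world-readable.
  mode=$(stat -c '%a' "$env_file")
  case "$mode" in 600|400) ;; *) fail "$env_file is mode $mode; run chmod 600 and chown idpbroker";; esac

  # 2. SECRET_ENCRYPTION_KEY must be set, not the placeholder, and decode to the 32 bytes
  #    that 'openssl rand -base64 32' produces.
  key=$(get SECRET_ENCRYPTION_KEY)
  if [ -z "$key" ] || [ "$key" = "YOUR_BASE64_ENCRYPTION_KEY_HERE" ]; then
    fail "SECRET_ENCRYPTION_KEY is empty or still the placeholder"
  elif [ "$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" != "32" ]; then
    fail "SECRET_ENCRYPTION_KEY does not base64-decode to 32 bytes"
  fi

  # 3. The issuer is the public URL behind the Nginx TLS terminator, so it must be https.
  issuer=$(get BROKER_ISSUER)
  case "$issuer" in https://*) ;; *) fail "BROKER_ISSUER '$issuer' is not an https:// URL";; esac

  # 4. Required in production and for SP-initiated SAML (SameSite=None;Secure correlation cookie).
  [ "$(get SERVER_SERVLET_SESSION_COOKIE_SECURE)" = "true" ] \
    || fail "SERVER_SERVLET_SESSION_COOKIE_SECURE must be true"

  # 5. Redis session clustering needs a host once it is enabled.
  if [ "$(get REDIS_ENABLED)" = "true" ] && [ -z "$(get SPRING_DATA_REDIS_HOST)" ]; then
    fail "REDIS_ENABLED=true but SPRING_DATA_REDIS_HOST is unset"
  fi
  return "$fails"   # 0 = all checks passed; otherwise the number of failures
}

# Writes a constructed sample env file: path, issuer, key, cookie-secure flag, redis flag.
write_sample_env() {
  printf 'BROKER_ISSUER=%s\nSECRET_ENCRYPTION_KEY=%s\nSERVER_SERVLET_SESSION_COOKIE_SECURE=%s\nREDIS_ENABLED=%s\n' \
    "$2" "$3" "$4" "$5" > "$1"
}

# Demo: a correctly hardened sample passes (the key is constructed, not a real secret).
sample=$(mktemp)
write_sample_env "$sample" https://idp.yourdomain.com "$(printf '%032d' 0 | base64)" true false
chmod 600 "$sample"
check_env "$sample" && echo "all checks passed for $sample"
rm -f "$sample"
```

Run it as `check_env /opt/idp-broker/application.env` after sourcing the script; a non-zero exit code is the number of failed checks.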
Nginx Reverse Proxy (HTTPS)
# Install Nginx
sudo apt install nginx certbot python3-certbot-nginx -y
# Create Nginx configuration
sudo tee /etc/nginx/sites-available/idp-broker > /dev/null <<EOF
server {
    listen 80;
    server_name idp.yourdomain.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-Host \$host;
        proxy_set_header X-Forwarded-Port \$server_port;
    }

    client_max_body_size 10M;
}
EOF
# Enable site
sudo ln -s /etc/nginx/sites-available/idp-broker /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
# Obtain SSL certificate
sudo certbot --nginx -d idp.yourdomain.com