By: Andy Davison user 21 Jun 2017 at 7:53 a.m. CDT

5 Responses
I'm in the process of configuring a Gluu server to provide authentication to a web application via SAML. Installing the server is straightforward (though I do experience the 503 error when the VM is rebooted, as described in another ticket and which has been assigned a bug on GitHub), but I would like some clarification on the best way to achieve my aims of user self-registration, as this is likely to affect which components I ultimately install.

Being a SAML authenticated web application, Shibboleth is a given. As this will be the production environment (testing will be done on a temporary VM), it's assumed that oxAuth RP should not be installed. Does this sound correct?

For self-registration, am I better off using the API provided by oxd and hosting the self-reg site on another server, or using the 'User Registration' custom script and modifying what is presented at <site>/identity/register? I'm leaning towards oxd, as I think this may provide greater control in a simpler manner for registering and enforcing certain criteria for doing so, and for changing passwords and modifying account details. I'm also assuming that because of oxTrust's use of ports 80 and 443, hosting on the same server as the main Gluu server IDP is not possible.

If I am to choose the oxd method, I'm a little unclear as to the purpose of oxd-to-http; would this be used if gluu-oxd-server is installed on a different server to the self-reg web pages? Is that even possible? I feel I may be missing something very obvious here. Any advice and pointers to example self-registration content (particularly using PHP) would be very much appreciated.

By Aliaksandr Samuseu staff 21 Jun 2017 at 8:40 a.m. CDT

Hi, Andy.

> Being a SAML authenticated web application, Shibboleth is a given. As this will be the production environment (testing will be done on a temporary VM) it's assumed that oxAuth RP should not be installed. Does this sound correct?

Sounds correct to me so far.

> For self-registration, am I better off using the API provided by oxd and hosting the self-reg site on another server, or using the 'User Registration' custom script and modifying what is presented at <site>/identity/register? I'm leaning towards oxd, as I think this may provide greater control in a simpler manner for registering and enforcing certain criteria for doing so, and changing passwords and modifying account details.

Unless you are fond of the default registration capabilities Gluu offers out-of-the-box (they are quite basic), the recommended approach at the moment is to create your own app which will handle registration and then push new users to Gluu either via SCIM or by directly writing to Gluu's (or your corporate) LDAP server.

> If I am to choose the oxd method, I'm a little unclear as to the purpose of oxd-to-http; would this be used if gluu-oxd-server is installed on a different server to the self-reg web pages? Is that even possible?

That's correct; this allows one oxd server to be available to several apps running on different hosts. A default setup expects that the app runs on the same host as the oxd server.
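An added example (not code from Gluu or from anyone in this thread): a small Python self-registration backend that enforces sign-up criteria first and then pushes the new account to the Gluu Server as a SCIM 2.0 User, the push-via-SCIM route recommended in the reply above. The endpoint path `/identity/restv1/scim/v2/Users` and the already-obtained bearer token are assumptions, not details given in the thread.

```python
# Added example, not Gluu's code: validate a sign-up form, build a SCIM 2.0
# User (RFC 7643) and POST it to the Gluu Server. Assumed, not from the
# thread: the path /identity/restv1/scim/v2/Users and a bearer token for it.
import json
import re
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
USERNAME_RE = re.compile(r"^[a-z0-9._-]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_registration(form):
    """Return policy violations (empty list = accepted); done before the IdP sees anything."""
    problems = []
    if not USERNAME_RE.match(form.get("username", "")):
        problems.append("username must be 3-32 chars of [a-z0-9._-]")
    if not EMAIL_RE.match(form.get("email", "")):
        problems.append("email address is not well formed")
    pw = form.get("password", "")
    if len(pw) < 12 or pw == pw.lower() or not any(c.isdigit() for c in pw):
        problems.append("password needs >=12 chars, mixed case and a digit")
    return problems


def build_scim_user(form):
    """Map a validated form to a SCIM 2.0 core User resource."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": form["username"],
        "name": {"givenName": form["given_name"], "familyName": form["family_name"]},
        "displayName": f'{form["given_name"]} {form["family_name"]}',
        "emails": [{"value": form["email"], "primary": True}],
        "password": form["password"],
        "active": True,
    }


def register_user(gluu_host, token, form):
    """Validate, then POST the resource to the (assumed) SCIM Users endpoint."""
    problems = validate_registration(form)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"https://{gluu_host}/identity/restv1/scim/v2/Users",
        data=json.dumps(build_scim_user(form)).encode(), method="POST",
        headers={"Content-Type": "application/scim+json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:  # 201 Created on success
        return json.load(resp)
```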

By Andy Davison user 22 Jun 2017 at 3 a.m. CDT

Hi Aliaksandr,

Thank you for the reply. Glad that I'm thinking along the right lines!

> ...the recommended approach at the moment is to create your own app which will handle registration and then will push new users to Gluu either via SCIM or by directly writing to Gluu's (or your corporate) LDAP server.

Thanks, yes, I should have been clearer that we would be using the built-in GluuLDAP server. In which case, I'll take a look at those methods first, then continue investigating oxd if necessary. It would be nice to host the registration web pages on the same server as the Gluu server; is it possible to change the ports on which the oxTrust web UI runs? At the moment it precludes running anything outside of the chroot on ports 80 or 443.

I just went searching for more information on talking to Gluu's OpenLDAP server directly and found this:

> [https://www.gluu.org/resources/documents/standards/ldap/](https://www.gluu.org/resources/documents/standards/ldap/)
> _"LDAP should not be used as an application integration protocol though. Applications should stick to SAML or OpenID Connect for interacting with the Gluu Server."_

So is it okay to modify the LDAP contents directly?

> ...[oxd-to-http] allows for one oxd server to be available for several apps running on different hosts. A default setup expects that app runs on the same host as oxd server.

If it's the case that I shouldn't directly modify GluuLDAP contents (or can't host the registration site on the same server) then I think oxd may be my best option. Just so I'm clear, if I were to do it the oxd way, I could have _gluu-server-3.0.1, gluu-oxd-server_ and the _oxd-to-http_ components all installed on the same hardware, then use the oxd-to-http variation of the [oxd-php-library](https://github.com/GluuFederation/oxd-php-library) from a different server to perform user registration and account modification without needing anything more on that second server than PHP and Composer? That would be very handy indeed.

By Mohib Zico staff 26 Jun 2017 at 2:03 a.m. CDT

> is it possible to change the ports on which the oxTrust web UI runs? At the moment it precludes running anything outside of the chroot on ports 80 or 443.

Possible but not recommended. You need to put configurations in LDAP and web server settings.

> So is it okay to modify the LDAP contents directly?

Pardon me, but the question is not clear. What type of contents are you planning to modify?

> if I were to do it the oxd way, I could have gluu-server-3.0.1, gluu-oxd-server and the oxd-to-http components all installed on the same hardware

No, Gluu-Server-3.0.1 will be in one server. 'Gluu-oxd-server' and other components will be configured in your app server.

By Andy Davison user 27 Jun 2017 at 6:45 p.m. CDT

Thanks, Mohib, that makes things a lot clearer! Looks to me that oxd is the way to go for this. Cheers!

By Andy Davison user 27 Jun 2017 at 6:46 p.m. CDT

Closing.