Deployment Overview
This section covers deployment options for the Arculus FIDO2 Server. The server can be deployed in various environments, from local development to production cloud platforms.
All components shown in the Cloud Infrastructure box (Load Balancer, Customer Backend Services, PyFIDO Server) are deployed and managed by the customer within their infrastructure. Customer backend services are typically deployed in a servlet container (e.g., Tomcat) and handle application logic while proxying FIDO2 requests to the PyFIDO Server. The identity provider may be external or part of the customer's internal infrastructure.
The core FIDO2 authentication engine, the PyFIDO Server, runs in a container platform (e.g., AWS ECS Fargate, Azure Container Instances, Google Cloud Run) and handles all FIDO2 protocol operations including credential registration, authentication challenges, and attestation verification. Customer backend services are deployed in a servlet container (e.g., Tomcat) and handle application-specific logic while optionally proxying FIDO2 requests to the PyFIDO Server in server-side deployments. All services are deployed in a scalable, containerized environment that can be hosted in any cloud provider or on-premises infrastructure.
Deployment Options
The PyFIDO Server supports multiple deployment approaches:
Local Docker Deployment: For development and testing
Cloud Container Platform: For production deployments (AWS ECS Fargate example provided)
On-Premises: Docker or container orchestration platforms
Deployment Architecture
Cloud Container Platform Deployment (Example: AWS ECS Fargate)
Components (AWS example shown):
| Component | Purpose | Port(s) | AWS example |
|---|---|---|---|
| Load Balancer | SSL/TLS termination, traffic routing | 443, 5001, 8080 | Application Load Balancer (ALB) |
| PyFIDO Service | FIDO2 authentication engine | 5001 | ECS Fargate Task |
| Tomcat Service | Web/desktop application portal | 8080 | ECS Fargate Task |
| MongoDB | Credential and user storage | 27017 | MongoDB Atlas or DocumentDB |
| Secrets Manager | Encrypted credential storage | - | AWS Secrets Manager |
| Container Registry | Container image storage | - | Amazon ECR |
| Monitoring Service | Logging and metrics | - | CloudWatch |
Local Docker Deployment
For development and testing:
For production Docker deployment, see 3.2 Docker Configuration.
For local development setup, see 3.3 Local Development.
Configuration Options
Environment Variables
| Variable | Default | Description |
|---|---|---|
| PORT | 5001 | Server listening port |
| PROTOCOL | wsgi | Server protocol (wsgi, http, cert) |
| THREADS | 12 | Number of worker threads |
| MONGOURL | mongodb://... | MongoDB connection string |
| LOGLEVEL | 5 | Logging verbosity (1-5) |
| AUTH | off | Enable JWT authentication |
| SESSION | 60 | Session timeout in seconds |
| EXCLUDE | on | Enable credential exclusion |
| REPLACE | on | Allow credential replacement |
| METADATA | off | Enable MDS verification |
| AAGUID | off | Enable AAGUID whitelist |
| SERVERID | SERV-notset | Server identifier for logging |
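A pre-deployment check over the variables listed above, as an added example that is not part of the Arculus documentation or the PyFIDO code base. The `audit` function, the sample hostnames and the choice of which settings to flag are assumptions made for illustration; the variable names and on/off values come from the list above, and its values are treated as what applies when a variable is unset.

```python
"""Pre-deployment audit of PyFIDO Server environment settings (added example)."""
import os
from urllib.parse import parse_qs, urlsplit

# Values from the environment-variable table, assumed to apply when unset.
TABLE_VALUES = {"AUTH": "off", "METADATA": "off", "AAGUID": "off",
                "SERVERID": "SERV-notset", "MONGOURL": ""}
SWITCHES = (("AUTH", "JWT authentication"), ("METADATA", "MDS verification"),
            ("AAGUID", "AAGUID whitelist"))


def audit(env):
    """Return (variable, finding) pairs worth reviewing before production."""
    cfg = {**TABLE_VALUES, **{k: v for k, v in env.items() if k in TABLE_VALUES}}
    findings = []
    for var, feature in SWITCHES:
        if cfg[var].strip().lower() != "on":
            findings.append((var, f"{feature} is disabled"))
    if cfg["SERVERID"] == "SERV-notset":
        findings.append(("SERVERID", "log lines cannot be tied to an instance"))
    url = urlsplit(cfg["MONGOURL"])
    if not url.scheme.startswith("mongodb"):
        findings.append(("MONGOURL", "missing or not a MongoDB URI"))
        return findings
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(url.query).items()}
    tls = opts.get("tls", opts.get("ssl"))
    # mongodb+srv turns TLS on unless the URI disables it explicitly.
    if tls == "false" or (tls is None and url.scheme != "mongodb+srv"):
        findings.append(("MONGOURL", "TLS is not enabled for the database link"))
    if url.password:
        findings.append(("MONGOURL", "password in URI; keep it in the secrets store"))
    return findings


# Constructed sample environments (hostnames and credentials are placeholders).
HARDENED = {"AUTH": "on", "METADATA": "on", "AAGUID": "on",
            "SERVERID": "SERV-prod-1",
            "MONGOURL": "mongodb+srv://cluster.example.invalid/fido"}
PLAINTEXT_DB = {**HARDENED,
                "MONGOURL": "mongodb://app:pw@db.example.invalid:27017/fido"}

if __name__ == "__main__":
    for var, finding in audit(dict(os.environ)):
        print(f"[review] {var}: {finding}")
```

Run inside the container or against the rendered task definition's environment; an empty result means none of the flagged settings are at the values shown in the list.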
Command Line Arguments
Health Monitoring
Health Check Endpoint
The PyFIDO Server provides a health check endpoint:
Returns 200 OK when the server is healthy.
Docker Health Check
Built-in health check for Docker containers:
30-second interval
10-second timeout
10-second start period
3 retries before unhealthy
Monitoring Service Integration
Container logs and metrics collection with container insights for performance monitoring. Configurable log retention.
Example (AWS CloudWatch):
Container logs at /ecs/arculus-auth/ENVIRONMENT/pyfido
CloudWatch Container Insights for metrics
For platform-specific monitoring configuration, see the relevant deployment guide:
3.1 AWS ECS Configuration - CloudWatch integration
3.2 Docker Configuration - Production Docker deployment
3.3 Local Development - Local development setup
Security Considerations
For deployment-specific security configurations, see:
4. Security - Security overview
4.2 Deployment Security - Infrastructure and deployment security
3.1 AWS ECS Configuration - AWS-specific security settings
3.2 Docker Configuration - Container security best practices
Multi-Tenant Deployment
The PyFIDO Server supports multi-tenant deployments. For multi-tenant configuration in production environments, see the relevant deployment guide for your platform.