Setting up the Genero Identity Provider
The Genero Identity Provider (GIP) must be configured and enabled before it can be used. This procedure configures and enables the GIP on a Genero Application Server (GAS).
- Ensure that users using the ConsoleApp and DeploymentApp have write access to the openid-connect directory. See Provide access to the openid-connect directory.
- If in HTTPS, ensure that all certificates are installed in $FGLDIR/web_utilities/certs. For instance, during an SSO handshake, fglrun will fetch the GIP metadata that may be in HTTPS, thus all appropriate certificate authority must be set.
Apache discards the Authorization header if it is not a base64-encoded user/password combination. A rewrite rule can be used to rewrite it from the server variable to set HTTP Authorization for requests.
For an example configuration, see Configure FastCGI for Apache 2.4.
For more information on Apache, see the Apache documentation.
Ensure that your IIS has the appropriate rights to access the GIP home directory.
- Add the HTTP authorization header:
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
- As GIP requires a fully qualified name, the nginx
SERVER_NAME
must be configured as follows:fastcgi_param SERVER_NAME $host;
res.path.idp
resource in the GAS configuration file. res.path.idp
to a
directory that is accessible when the GAS (and therefore the fglrun command) is
started from the Web server.These steps enable the local GIP on a GAS. You follow this procedure one time only. To enable an external GIP - where a GAS connects to the GIP already enabled on another GAS - see Configure for an external GIP.