Configure for an external GIP
Complete this procedure to configure the Genero Application Server (GAS) to use an external Genero Identity Provider (GIP) installed on another GAS.
- Ensure that users using the ConsoleApp and DeploymentApp have write access to the openid-connect directory. See Provide access to the openid-connect directory.
- If in HTTPS, ensure that all certificates are installed in $FGLDIR/web_utilities/certs. For instance, during an SSO handshake, fglrun will fetch the GIP metadata that may be in HTTPS, thus all appropriate certificate authority must be set.
Apache discards the Authorization header if it is not a base64-encoded user/password combination. A rewrite rule can be used to rewrite it from the server variable to set HTTP Authorization for requests.
For an example configuration, see Configure FastCGI for Apache 2.4.
For more information on Apache, see the Apache documentation.
Ensure that your IIS has the appropriate rights to access the GIP home directory.
- Add the HTTP authorization header:
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
- As GIP requires a fully qualified name, the NGINX
SERVER_NAME
must be configured as follows:fastcgi_param SERVER_NAME $host;
res.path.idp
resource in the GAS configuration file. If the GIP is started behind an Apache or IIS server, the user's home directory is not set. In a
production environment (behind Apache, nginx, or IIS), we recommend you set
res.path.idp
to a directory that is accessible when the GAS (and therefore the
fglrun command) is started from the web server.
This procedure is for a multi-GAS environment architecture, where the initial GIP configuration has already occurred on a different Genero Application Server. You follow this procedure one time only.