Configure the GIP across multiple Genero Application Servers

A distributed GAS environment is typical of a cloud-based solution, or of a deployment where applications and services run on different servers. The GIP can provide a federated infrastructure when used in a distributed GAS environment.

Figure 1 shows an example of the GIP in a distributed GAS environment. In this distributed environment, applications running on GAS-2 access REST services on GAS-3 and GAS-4. The core services of the GIP install on GAS-1. The delegate services of the GIP install on GAS-2, GAS-3, and GAS-4. These services redirect all requests to the primary GIP core services on GAS-1.
Figure: Distributed GAS/GIP

The image shows an example of the GIP used in a distributed GAS environment. The primary GIP is installed on GAS-1. There are also REST services on GAS-3 and GAS-4 that are accessed by some Genero applications on GAS-2.
The diagram represents the process of starting an application by performing SSO with the GAS hosting the GIP. The workflow is illustrated at a high level showing the servers involved. The communication paths are explained:
  1. The user requests the start of an application (previously deployed and secured using the Genero Deployment App).
  2. The SSO delegate service on the GAS where the application is deployed redirects the user agent to the primary GIP.
  3. The primary GIP queries the user directly for user login and password.
  4. If the login succeeds, the primary GIP creates an ID token and an access token in its database and forwards them to the SSO delegate service callback URL (previously registered). On the callback, the delegate service requests the ID token directly from the primary GIP and checks the validity of its signature using the GIP's public key.
  5. If the ID token is valid, the delegate service starts the application on behalf of the authenticated user and redirects the user agent to the initial URL for the application (/ua/r/app1).
Note:

If the application needs to access resources in REST services on another GAS, the access token received from the GIP in step 4 is forwarded in HTTP requests to authenticate the access.

Configuration

In this type of configuration, the GIP is hosted on one GAS. Applications on other GAS servers that require authentication are directed to the GAS hosting the GIP. The installation is a two-step process:
  1. Install the primary GIP on the host. This involves using the StarterApp to install the core components.
  2. Install external GIPs on other GAS servers. This involves using the StarterApp to install the delegate service component only, and to set the address of the GIP host (from the previous step). See Configure an external Genero Identity Provider.

Deployment services

You use the Deployment services to deploy, secure, and manage applications and web services, and deploy and manage Genero Browser Client (GBC) customizations. On your distributed GAS installation, you can configure one GAS server to provide the deployment service to the other GAS servers.

The Deployment App is installed on a single GAS and interacts with the deployment services (if installed) on each GAS that requires application or GBC deployment services.

You can specify a configuration of the deployment services with the StarterApp when installing the GIP:
  1. On the GAS designated to host deployment:
    1. Select the option to install the Deployment App.
    2. Select the option to install the Deployment service.
      Note:

      The Deployment service option is selected by default.

  2. On other GAS servers:
    1. Select the option to install the Deployment service only.
When you run the Deployment App to deploy to a GAS on another server, you select the Deploy > Switch GAS option and enter its base URL endpoint in the form:
 https://host:port/gas