Configure management of client remote IP address

Configure how the OpenID Connect service determines the client's remote IP address for authentication requests.

In a single sign-on (SSO) handshake, the OpenID Connect service redirects the client to the Identity Provider (IdP) for authentication. Afterwards the IdP redirects the client back to the OpenID Connect service. For security reasons, you can have the OpenID Connect service verify that all requests for the same SSO workflow come from the same client IP address.

How the OpenID Connect service obtains the client's remote IP address depends on the oidc.client.check entry in the OpenID Connect configuration file. The correct setting depends on how clients reach the service: directly, or through reverse proxies or a cloud load balancer.

  1. Open the configuration file $FGLDIR/web_utilities/services/openid-connect/res/configuration.
  2. Locate the entry oidc.client.check.
  3. Do one of the following:
    • Set oidc.client.check = "Remote-Addr".
      The SSO authentication service uses the REMOTE_ADDR variable set by the Web server (the address of the TCP peer that connected to it) to verify whether different requests come from the same client. This is the default option.
      Note:

      In a cloud or reverse proxy environment, this option may not be valid: REMOTE_ADDR then holds the address of the proxy rather than of the client, and requests of the same SSO workflow may be routed through several different proxies, so the check fails for legitimate clients.

    • Set oidc.client.check = "X-Forwarded-For".

      The SSO authentication service uses the X-Forwarded-For header, added by the reverse proxy and passed on by the Web server, to verify whether different requests come from the same client, based on the IP address carried in that header. Select this option if your network uses reverse proxies or if your configuration supports a cloud solution. Because any client can send an X-Forwarded-For header of its own, use this option only when every request reaches the service through a reverse proxy that sets or appends to the header; a request that reaches the service directly carries whatever value the client chose.

    • Remove or comment out oidc.client.check if you do not want the SSO authentication service to check the client remote IP address.
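The following Python model is an added example, not code from the Genero OpenID Connect service. It shows what each oidc.client.check setting implies when the two legs of one SSO workflow (the redirect to the IdP and the IdP's callback) are compared: the default "Remote-Addr" mode rejects a legitimate client behind a proxy pool, "X-Forwarded-For" mode accepts it, and disabling the entry accepts everything. The addresses, requests and the trusted-proxy list are constructed; the right-to-left walk over the header that skips known proxies is this example's way of reading the header safely, and the page does not state which entry the service itself uses.

```python
"""Model of the oidc.client.check modes: Remote-Addr vs X-Forwarded-For.

Added example, not code from the Genero OpenID Connect service. It derives a
client address from each leg of an SSO workflow the way each configuration
mode implies, then compares them. Requests, addresses and the trusted-proxy
list are constructed data.
"""

REMOTE_ADDR = "Remote-Addr"          # oidc.client.check = "Remote-Addr"
X_FORWARDED_FOR = "X-Forwarded-For"  # oidc.client.check = "X-Forwarded-For"
DISABLED = None                      # entry removed or commented out


def client_ip(request, mode, trusted_proxies=()):
    """Return the address the service should attribute the request to.

    request: {"remote_addr": peer that connected to the web server,
              "headers": {lower-cased header name: value}}
    mode:    REMOTE_ADDR, X_FORWARDED_FOR or DISABLED.
    trusted_proxies: addresses of the reverse proxies allowed to set
                     X-Forwarded-For (an assumption of this example; the
                     page does not describe how the service validates it).
    """
    if mode is DISABLED:
        return None
    if mode == REMOTE_ADDR:
        # REMOTE_ADDR is the TCP peer as seen by the web server.
        return request["remote_addr"]
    if mode == X_FORWARDED_FOR:
        peer = request["remote_addr"]
        if peer not in trusted_proxies:
            # A client that reaches the service directly can write any
            # X-Forwarded-For value it likes, so the header only means
            # something when a known proxy delivered the request.
            raise ValueError(f"peer {peer} is not a trusted proxy")
        raw = request["headers"].get("x-forwarded-for", "")
        chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
        # Each proxy appends the address it saw, so the chain grows to the
        # right. Walking from the right, skip our own proxies; the first
        # foreign address is the client. Anything further left was supplied
        # by the client itself and must not be trusted.
        for hop in reversed(chain):
            if hop not in trusted_proxies:
                return hop
        raise ValueError("X-Forwarded-For carries no client address")
    raise ValueError(f"unknown oidc.client.check value {mode!r}")


def same_client(first_leg, second_leg, mode, trusted_proxies=()):
    """True when both legs of one SSO workflow resolve to the same client."""
    if mode is DISABLED:
        return True
    return (client_ip(first_leg, mode, trusted_proxies)
            == client_ip(second_leg, mode, trusted_proxies))


# Constructed sample requests. 198.51.100.7 is the user's browser,
# 10.0.0.1 / 10.0.0.2 are two reverse proxies in one pool.
DIRECT_LEG1 = {"remote_addr": "198.51.100.7", "headers": {}}
DIRECT_LEG2 = {"remote_addr": "198.51.100.7", "headers": {}}

PROXIED_LEG1 = {"remote_addr": "10.0.0.1",
                "headers": {"x-forwarded-for": "198.51.100.7"}}
PROXIED_LEG2 = {"remote_addr": "10.0.0.2",   # a different proxy this time
                "headers": {"x-forwarded-for": "198.51.100.7"}}

# An attacker at 203.0.113.9 tries to hijack the callback by presenting the
# victim's address in a forged header; the proxy appends the real peer.
FORGED_LEG2 = {"remote_addr": "10.0.0.1",
               "headers": {"x-forwarded-for": "198.51.100.7, 203.0.113.9"}}

PROXIES = {"10.0.0.1", "10.0.0.2"}


def demo():
    """Outcome of each mode for each deployment, keyed by scenario."""
    return {
        "direct/Remote-Addr": same_client(DIRECT_LEG1, DIRECT_LEG2, REMOTE_ADDR),
        # Behind a proxy pool the two legs show different peers, so the
        # default mode rejects a legitimate workflow.
        "proxied/Remote-Addr": same_client(PROXIED_LEG1, PROXIED_LEG2, REMOTE_ADDR),
        "proxied/X-Forwarded-For": same_client(PROXIED_LEG1, PROXIED_LEG2,
                                              X_FORWARDED_FOR, PROXIES),
        "forged/X-Forwarded-For": same_client(PROXIED_LEG1, FORGED_LEG2,
                                             X_FORWARDED_FOR, PROXIES),
        "proxied/disabled": same_client(PROXIED_LEG1, PROXIED_LEG2, DISABLED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26} {'same client' if ok else 'MISMATCH'}")
```

Running the block prints one line per scenario. The "forged" case is the reason for reading the header from the right: the attacker's own entry is the left-most one, and taking it at face value would let the callback be accepted from a different host than the one that started the workflow.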