Configure how the OpenID Connect service handles the client's remote IP address at
authentication request.
In a single sign-on (SSO) handshake, the OpenID Connect service redirects the client to the
Identity Provider (IdP) for authentication. Afterwards the IdP redirects the client back to the
OpenID Connect service. For security reasons, you can have the OpenID Connect service verify that
all requests for the same SSO workflow come from the same client IP address.
How the OpenID Connect service gets the client's remote IP address depends on the setting of the oidc.client.check entry in the OpenID Connect configuration file. The correct configuration setting will depend on your network.
1. Open the configuration file $FGLDIR/web_utilities/services/openid-connect/res/configuration.
2. Locate the entry oidc.client.check.
3. Do one of the following:
   - Set oidc.client.check = "Remote-Addr". The SSO authentication service uses the REMOTE_ADDR variable set by the Web server to verify if different requests come from the same client. This is the default option.
     Note: In a cloud or reverse proxy environment, this option may not be valid, as requests may be routed through several different proxies, so the same client can appear with a different REMOTE_ADDR on each request.
   - Set oidc.client.check = "X-Forwarded-For". The SSO authentication service uses the X-Forwarded-For header sent by the Web server to verify if different requests are from the same client, based on the IP address defined in the X-Forwarded-For header. Select this option if your network uses reverse proxies or if your configuration supports a cloud solution.
   - Remove or comment out oidc.client.check if you do not want the SSO authentication service to check the client remote IP address.
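The following is an added illustration, not code from the Genero OpenID Connect service, of how the three oidc.client.check settings change which address the two legs of one SSO workflow (the initial request and the IdP callback) are bound to. It assumes that with "X-Forwarded-For" the left-most address in the header is taken as the original client, and that the two requests are matched by a workflow identifier the service already keeps.

```python
# Added example (not Genero's own code): bind both legs of one OpenID Connect
# workflow to a client IP, depending on the oidc.client.check setting.
# Assumption (mine, not from the page): with "X-Forwarded-For" the left-most
# address of the header is treated as the original client.

def client_ip(request, check_mode):
    """Return the IP the workflow is bound to, or None when the check is
    disabled (oidc.client.check removed or commented out)."""
    if check_mode is None:
        return None
    if check_mode == "Remote-Addr":
        # REMOTE_ADDR as set by the Web server: the peer TCP address, which
        # behind reverse proxies is the proxy, not the client.
        return request["REMOTE_ADDR"]
    if check_mode == "X-Forwarded-For":
        xff = request.get("HTTP_X_FORWARDED_FOR", "")
        # "client, proxy1, proxy2": the left-most entry is the original client.
        first = xff.split(",")[0].strip()
        return first or request["REMOTE_ADDR"]
    raise ValueError("unknown oidc.client.check value: %r" % check_mode)


def same_client(first_request, callback_request, check_mode):
    """True if the callback from the IdP may be accepted for the workflow
    started by first_request under the configured check."""
    start = client_ip(first_request, check_mode)
    back = client_ip(callback_request, check_mode)
    return start is None or start == back


# Constructed sample requests: the same browser (203.0.113.10) reaches the
# service through two different reverse proxies (10.0.0.1 and 10.0.0.2).
START = {"REMOTE_ADDR": "10.0.0.1",
         "HTTP_X_FORWARDED_FOR": "203.0.113.10, 10.0.0.1"}
CALLBACK = {"REMOTE_ADDR": "10.0.0.2",
            "HTTP_X_FORWARDED_FOR": "203.0.113.10, 10.0.0.2"}
# A callback carrying a different original client address.
OTHER = {"REMOTE_ADDR": "10.0.0.1",
         "HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.1"}

if __name__ == "__main__":
    # Behind proxies "Remote-Addr" rejects the legitimate callback ...
    print(same_client(START, CALLBACK, "Remote-Addr"))      # False
    # ... while "X-Forwarded-For" binds to the real client address.
    print(same_client(START, CALLBACK, "X-Forwarded-For"))  # True
    print(same_client(START, OTHER, "X-Forwarded-For"))     # False
```

Run it to see why the default "Remote-Addr" setting breaks the SSO round trip when requests are routed through several proxies, and why the header-based check only helps when the proxies in front of the service set X-Forwarded-For reliably.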