SSO 6.00 upgrade guide
These topics describe product changes you must be aware of when upgrading to version 6.00.
This is an incremental upgrade guide that covers only topics related to the Single sign-on version specified in the page title. Check prior upgrade guides if you migrate from an earlier version, and complete the migration tasks for all versions between your existing version and the target version in order. Make sure to also read about the new features for this version.
Corresponding new features page: SSO 6.00 new features.
Previous upgrade guide: SSO 5.01 upgrade guide.
Upgrade to GIP 6.00
When migrating from an earlier version, you must upgrade the GIP database. For details, go to Migrate your Genero Identity Provider database.
- If you attempt to access GIP apps before upgrading your GIP database, you will receive the error: Invalid configuration parameter
- The IdentityProviderService.log will contain:
ERROR : 3128 - [Server] "Database" Bad database version : you must run StarterApp to upgrade
Prometheus metrics for GIP (via GAS)
Genero Identity Provider (GIP) services now support Prometheus metrics collection. When GAS is configured to enable metrics, GIP metrics are processed through GAS. These metrics let you monitor GIP usage and reliability — for example, authentication request counts, authentication error counts, and active session counts. For configuration details and information on the specific metrics collected, refer to the Monitoring the GAS with Prometheus section in the Genero Application Server User Guide.
Prometheus metrics for delegation services (via GAS)
GAS now processes Prometheus metrics from the Genero delegation services included with FGLGWS (OpenID Connect, OAuth2, and SAML). When GAS is configured to enable metrics collection, delegation metrics are forwarded and can be monitored using standard Prometheus tools. For configuration details and information on the specific metrics collected, refer to the Monitoring the GAS with Prometheus section in the Genero Application Server User Guide.
Using an external Identity Provider — GIP upgrade
A new external IdP delegation feature is available in GIP 6.00. To enable it:
- Upgrade GIP to v6.00 and run the StarterApp (required). For details, go to Migrate your Genero Identity Provider database.
- Configure the external IdP in the GIP Console App and allow the external IdP to redirect responses to the GIP.
Authentication is delegated to the external IdP while GIP retains authorization (roles and scopes). For more information, go to Delegate SSO to an external Identity Provider.
Create account request — GIP
A new account-request feature is available in Genero Identity Provider (GIP) v6.00. To enable it:
- Upgrade GIP to v6.00 and run the StarterApp (required). For details, go to Migrate your Genero Identity Provider database.
- Configure these fglprofile entries:
oidc.account.creation.allow and oidc.account.creation.end_url.
When enabled, the GIP sign-in page shows a button allowing users (or users via external IdPs) to submit account requests (username, email, other required fields). Requests require administrator approval.
For configuration and approval details, refer to Configure the account request feature and Manage user account requests; for instructions on how to request an account, refer to Request account.
SAML config update — use true/false (no quotes)
Three SAML keys now require unquoted booleans (true/false)
instead of strings: saml.allowUnsecure, saml.wantAssertionsSigned,
saml.wantResponseSigned.
The strings "true" and "false" are now treated as
FALSE (unlike prior FGL behavior where "true" was
TRUE). This prevents accidentally enabling insecure behavior (especially
saml.allowUnsecure).
If you changed these keys in your Genero SAML configuration file, update
them to use unquoted booleans (for example, saml.allowUnsecure: true) and verify
after deployment.
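A pre-upgrade check for the three keys above, as an added example (not part of the original guide and not Four Js code). It assumes one `key: value` or `key = value` entry per line; the function name, the line syntax beyond the guide's `saml.allowUnsecure: true` example, and the sample input are assumptions.

```python
import re

# Keys the upgrade guide lists as requiring unquoted booleans in 6.00.
SAML_BOOL_KEYS = ("saml.allowUnsecure", "saml.wantAssertionsSigned",
                  "saml.wantResponseSigned")

# Assumption: one "key: value" or "key = value" entry per line; the key may be
# quoted and a trailing comma is tolerated. Adjust to your file's real syntax.
_ENTRY = re.compile(
    r'^\s*["\']?(?P<key>' + "|".join(map(re.escape, SAML_BOOL_KEYS)) +
    r')["\']?\s*[:=]\s*(?P<val>.*?)\s*,?\s*$')

# Constructed sample configuration, for illustration only.
SAMPLE = '''saml.allowUnsecure: "false"
saml.wantAssertionsSigned: "true"
saml.wantResponseSigned: true
'''

def check_saml_booleans(text):
    """Return one finding per entry that is not an unquoted true/false."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _ENTRY.match(line)
        if not m or m.group("val") in ("true", "false"):
            continue  # other key, or already in the form 6.00 expects
        key, raw = m.group("key"), m.group("val")
        quoted = len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]
        inner = raw[1:-1] if quoted else None
        if inner in ("true", "false"):
            # Per the guide, 6.00 treats the strings "true"/"false" as FALSE,
            # so an entry written as "true" silently changes meaning.
            intended = inner == "true"
            findings.append({"line": lineno, "key": key, "intended": intended,
                             "effective": False, "changed": intended,
                             "fix": line.replace(raw, inner, 1).strip()})
        else:
            # Neither a boolean nor a quoted boolean: needs manual review.
            findings.append({"line": lineno, "key": key, "intended": None,
                             "effective": None, "changed": None, "fix": None})
    return findings

if __name__ == "__main__":
    for f in check_saml_booleans(SAMPLE):
        print(f)
```

Entries reported with `changed` set to True are the ones whose behavior differs after the upgrade; in the sample, the quoted `saml.wantAssertionsSigned` value now evaluates to FALSE.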
Hide GIP local login when external IdPs are configured
A new configuration key, oidc.form.hide_gip_login (default: false), has been
added to the GIP fglprofile. If set to true and one or more external IdPs are configured, the GIP
login page hides the local username/password fields and shows only external provider options. If
omitted or left false, local login fields remain visible.
This setting does not affect ConsoleApp — ConsoleApp will always display local login fields. For more information on fglprofile settings, go to GIP fglprofile.
Changes in earlier versions
Make sure to check the upgrade notes of earlier versions so that you do not miss changes introduced in maintenance releases. For more details, see SSO 5.01 upgrade guide.