Configure how the OpenIDConnect service handles the client's remote IP address at
authentication request.
In a single sign-on (SSO) handshake, the Genero OpenIDConnect service redirects the client to the
Identity Provider (IdP) for authentication. Afterwards the IdP redirects the client back to the
OpenIDConnect service. For security reasons, you can have the OpenIDConnect service verify that all
requests for the same SSO workflow come from the same client IP address.
How the OpenID Connect service gets the client's remote IP address will depend on the setting of
the oidc.client.check
entry in the OpenID Connect configuration file. The correct
configuration setting will depend on your network.
-
Open the configuration file
$FGLDIR/web_utilities/services/openid-connect/res/configuration.
-
Locate the entry
oidc.client.check
.
-
Do one of the following:
- Set
oidc.client.check = "Remote-Addr"
.The SSO authentication service uses
the
REMOTE_ADDR
variable set by the web server to verify if different requests come
from the same client. This is the default option.
Note:
In a cloud or reverse proxy environment, this option may not be valid, as requests may be rooted
from several different proxies.
- Set
oidc.client.check = "X-Forwarded-For"
.The SSO authentication service
uses the X-Forwarded-For
headers sent by the web server to verify if different
requests are from the same client, based on the IP address defined in the
X-Forwarded-For
header. Select this option if your network uses reverse proxies or
if your configuration supports a cloud solution.
- Remove or comment out
oidc.client.check
if you do not want the SSO
authentication service to check the client remote IP address.