Configure an external Genero Identity Provider
Complete this procedure to configure an external Genero Identity Provider (GIP) that uses a primary GIP installed on a separate Genero Application Server (GAS).
- Ensure that users using the ConsoleApp and DeploymentApp have write access to the openid-connect directory. See Provide access to the openid-connect directory.
- If in HTTPS, ensure that all certificates are installed in $FGLDIR/web_utilities/certs. For instance, during an SSO handshake, fglrun will fetch the GIP metadata that may be in HTTPS, thus all appropriate certificate authority must be set.
Apache discards the Authorization header if it is not a base64-encoded user/password combination. A rewrite rule can be used to rewrite it from the server variable to set HTTP Authorization for requests.
For an example configuration, see Configure FastCGI for Apache 2.4 page in Genero Application Server User Guide
For more information on Apache, see the Apache documentation.
Ensure that your IIS has the appropriate rights to access the GIP home directory.
- Add the HTTP authorization header:
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
- As GIP requires a fully qualified name, the NGINX
SERVER_NAME
must be configured as follows:fastcgi_param SERVER_NAME $host;
res.path.idp
resource in the GAS configuration file. If the GIP is started behind an Apache or IIS server, the user's home directory is not set. In a
production environment (behind Apache, nginx, or IIS), we recommend you set
res.path.idp
to a directory that is accessible when the GAS (and therefore the
fglrun command) is started from the web server.
This procedure is for a multi-GAS environment architecture, where configuration of the primary GIP has been completed on a different GAS. You follow this procedure one time only.
Any URL used with the GIP must contain a valid hostname; it cannot contain "localhost". The GIP uses cookies; cookies do not work well with "localhost". It is recommended to use the name of the machine for the hostname. Using the IP address is not recommended; if used at installation, it must be used in all its endpoints thereafter.