Configure the primary Genero Identity Provider
The Genero Identity Provider (GIP) must be configured and enabled on a Genero Application Server (GAS) before it can be used.
- Ensure that the users running the ConsoleApp and DeploymentApp have write access to the openid-connect directory. See Provide access to the openid-connect directory.
- If you use HTTPS, ensure that all certificates are installed in $FGLDIR/web_utilities/certs. For instance, during an SSO handshake, fglrun fetches the GIP metadata, which may be served over HTTPS, so every relevant certificate authority certificate must be installed there.
Apache discards the Authorization header unless it is a base64-encoded user/password combination. A rewrite rule can be used to copy it from the server variable so that HTTP Authorization is set for requests.
For an example configuration, see the Configure FastCGI for Apache 2.4 page in the Genero Application Server User Guide.
For more information on Apache, see the Apache documentation.
Ensure that your IIS has the appropriate rights to access the GIP home directory.
- Add the HTTP authorization header:
fastcgi_param HTTP_AUTHORIZATION $http_authorization;
- As the GIP requires a fully qualified name, the NGINX SERVER_NAME must be configured as follows:
fastcgi_param SERVER_NAME $host;
- Open the $FGLDIR\web_utilities\services\gip\bin\starterapp\StarterApp.xcf file.
- Configure the ALLOW_FROM element with the IP address of the only machine that will be allowed to run the StarterApp. For example:
<ALLOW_FROM>192.168.0.100</ALLOW_FROM>
- Set ALLOW_FROM back to the default (NOBODY) to prevent users who normally should not have access from running the StarterApp:
<ALLOW_FROM>NOBODY</ALLOW_FROM>
For more information on using ALLOW_FROM, refer to the Genero Application Server User Guide.
The res.path.idp resource in the GAS configuration file: if the GIP is started behind an Apache or IIS server, the user's home directory is not set. In a production environment (behind Apache, nginx, or IIS), we recommend you set res.path.idp to a directory that is accessible when the GAS (and therefore the fglrun command) is started from the web server.
These steps enable the local GIP on a GAS. You follow this procedure only once. To enable an external GIP - where a GAS connects to a GIP already enabled on another GAS - see Configure an external Genero Identity Provider.
Any URL used with the GIP must contain a valid hostname; it cannot contain "localhost", because the GIP uses cookies and cookies do not work well with "localhost". Use the name of the machine as the hostname. Using the IP address is not recommended; if an IP address is used at installation, it must be used in all the GIP endpoints thereafter.
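The following audit script is an added example, not part of the Genero documentation, that checks three of the points above after configuration: that StarterApp.xcf has ALLOW_FROM back at NOBODY, that a GIP URL does not use "localhost" or a bare IP address, and that an NGINX FastCGI fragment carries both fastcgi_param lines. The file names and sample contents it creates under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Post-configuration audit for the GIP settings described above.
# Added example; the sample files below are constructed, not real Genero files.

# 1. StarterApp.xcf: ALLOW_FROM must be back to NOBODY once the StarterApp
#    has been run, otherwise that machine keeps the right to run it.
check_allow_from() {
    # $1 = path to StarterApp.xcf; succeeds only if ALLOW_FROM is NOBODY
    grep -q '<ALLOW_FROM>NOBODY</ALLOW_FROM>' "$1"
}

# 2. GIP URLs: "localhost" breaks cookies, and an IP address is not
#    recommended, so both are flagged (exit status 1).
check_gip_url() {
    rest=${1#*://}                 # drop the scheme
    case "$rest" in
        \[*) return 1 ;;           # bracketed IPv6 literal: an IP address
    esac
    host=${rest%%[:/]*}            # drop port and path
    case "$host" in
        ''|localhost|127.*) return 1 ;;
    esac
    printf '%s' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$' && return 1
    return 0
}

# 3. NGINX: both fastcgi_param lines the GIP needs must be present.
check_nginx_conf() {
    grep -Eq 'fastcgi_param[[:space:]]+HTTP_AUTHORIZATION[[:space:]]+\$http_authorization;' "$1" &&
    grep -Eq 'fastcgi_param[[:space:]]+SERVER_NAME[[:space:]]+\$host;' "$1"
}

# Constructed sample inputs (hypothetical file names) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '<ALLOW_FROM>NOBODY</ALLOW_FROM>\n' > "$SAMPLE_DIR/StarterApp.xcf"
printf '<ALLOW_FROM>192.168.0.100</ALLOW_FROM>\n' > "$SAMPLE_DIR/StarterApp-open.xcf"
printf 'fastcgi_param HTTP_AUTHORIZATION $http_authorization;\nfastcgi_param SERVER_NAME $host;\n' \
    > "$SAMPLE_DIR/gip.conf"

for f in StarterApp.xcf StarterApp-open.xcf; do
    if check_allow_from "$SAMPLE_DIR/$f"; then
        echo "$f: ALLOW_FROM is NOBODY"
    else
        echo "$f: ALLOW_FROM still grants a machine access to the StarterApp"
    fi
done
```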