Authorize whether a user already authenticated by OpenID SSO can access a Genero application.
With the Genero OpenID implementation, you can add an external program to determine whether an already authenticated user can access a Genero Web application. This external program can be written in Genero or in another programming language.
The authorization program expects two mandatory arguments, followed by the list of OpenID attributes received from the OpenID provider:

access-program openid-userid app-xcf-path [ attribute value [...] ]
- The first argument is the OpenID identifier.
- The second argument is the application path.
- The remaining arguments are optional and are OpenID attribute/value pairs.
Example with a Genero authorization program:
fglrun AccessProgram
"genero-user.pip.verisignlabs.com" \
"qa-test/application" \
"fullname" "genero test" \
"email" "genero@4js.com" \
"country" "France"
The application AccessProgram.4gl in $FGLDIR/web_utilities/services/openid provides an example of an authorization application written in Genero.
The external program is specified in the application configuration element by adding an AUTHORIZATION element in the DELEGATE element.
If the AUTHORIZATION element is not defined, any user authenticated by an OpenID provider can access the Genero Web application. It is recommended that you add an authorization program to filter the access to your applications.
Note: The external program must be deployed beside the OpenIDServer.42r program, because it will be executed by that service program. By default this is under $FGLDIR/web_utilities/services/openid/bin.
The authorization program is called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), access is granted for the user. Any exit code other than zero indicates that access for the user is denied. In the latter case, the end user is shown an error page in the web browser, generated by the OpenID service.
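The following is an added example of an authorization program written in "another programming language" (Python) rather than Genero; it is not AccessProgram.4gl or any other code shipped with Genero. It implements both the argument convention described above (OpenID identifier, application path, then attribute/value pairs) and the exit-code contract (0 grants, anything else denies). The allow list, the required attribute values and the exit codes 1 and 2 are constructed assumptions for the example; a real deployment would load its policy from configuration. The program denies by default, refuses a malformed attribute list instead of guessing, and writes the reason for each decision to standard error so the service's logs show why a user was rejected.

```python
#!/usr/bin/env python3
"""Example OpenID authorization program for a Genero Web application.

Invoked by the OpenID service as:
    access-program openid-userid app-xcf-path [attribute value ...]
Exit status 0 grants access; any other status denies it.
"""
import sys

# Constructed sample policy (assumption: a real deployment would load this
# from a configuration file or a directory service). Keys are application
# paths, values are the OpenID identifiers allowed to run them.
ALLOWED = {
    "qa-test/application": {"genero-user.pip.verisignlabs.com"},
}

# Attribute values a user must also present (constructed sample).
REQUIRED_ATTRIBUTES = {
    "qa-test/application": {"country": "France"},
}

EXIT_GRANT = 0      # the only value the OpenID service treats as "access granted"
EXIT_DENY = 1       # assumed non-zero code for a policy denial
EXIT_BAD_ARGS = 2   # assumed non-zero code for a malformed invocation


def parse_args(argv):
    """Split argv into (openid_userid, app_path, attributes dict).

    Raises ValueError when a mandatory argument is missing or the attribute
    list is not made of complete name/value pairs.
    """
    if len(argv) < 2:
        raise ValueError("expected: openid-userid app-xcf-path [attribute value ...]")
    userid, app_path = argv[0], argv[1]
    rest = argv[2:]
    if len(rest) % 2 != 0:
        raise ValueError("attribute list must be name/value pairs")
    attributes = {}
    for name, value in zip(rest[0::2], rest[1::2]):
        # A repeated attribute name is ambiguous: refuse rather than pick one.
        if name in attributes:
            raise ValueError("duplicate attribute: " + name)
        attributes[name] = value
    return userid, app_path, attributes


def decide(argv):
    """Return the exit code the program should finish with.

    Deny by default: only an identifier explicitly listed for the requested
    application, whose attributes match the required ones, is granted.
    """
    try:
        userid, app_path, attributes = parse_args(argv)
    except ValueError as exc:
        print("authorization: bad arguments:", exc, file=sys.stderr)
        return EXIT_BAD_ARGS
    if userid not in ALLOWED.get(app_path, set()):
        print(f"authorization: {userid} not allowed for {app_path}", file=sys.stderr)
        return EXIT_DENY
    for name, expected in REQUIRED_ATTRIBUTES.get(app_path, {}).items():
        # A missing attribute counts as a mismatch, so it is denied too.
        if attributes.get(name) != expected:
            print(f"authorization: {userid} attribute {name!r} mismatch", file=sys.stderr)
            return EXIT_DENY
    print(f"authorization: {userid} granted access to {app_path}", file=sys.stderr)
    return EXIT_GRANT


if __name__ == "__main__":
    # The OpenID service passes the arguments on the command line; the exit
    # status is the only thing it examines.
    sys.exit(decide(sys.argv[1:]))
```

Deployed beside OpenIDServer.42r as described in the note above, this script would be referenced from the AUTHORIZATION element in place of the Genero program, and the invocation shown earlier in this page would grant access, while the same user presenting "country" "Germany", or a user not in the allow list, would be sent the service's error page.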