Identity Provider (IdP)
An IdP provides a secure identity information service for authenticating users accessing your applications and Web services. Using an IdP is recommended when implementing a single sign-on (SSO) solution.
Identity providers rely on specifications such as OpenID-Connect, OAuth, and Security Assertion Markup Language (SAML), to grant access to Web applications on behalf of an authenticated user, using access tokens of various kinds, but without providing the user's credentials to the application.
- Setting up an account with a trusted IdP provider, such as Google. See Configure OpenID Connect identity on Google. As a third party registered on the authorization IdP server, you are issued with tokens (public and shared secret ids).
- Adding delegation to your application configuration files requiring authentication, using the tokens provided. This allows you to provide access to the protected resources hosted by your Web application. See Add OpenID Connect SSO to Web application, Add SAML SSO to a Genero Web application.
- OpenID Connect (OIDC) identity provider.
- SAML identity provider.
Since the authentication process is relayed to an IdP provider, user access to your application or Web service is redirected to the IdP. Depending on the type of IdP provider, an HTTP accept/reject response is returned in either a signed XML assertion document (SAML) or a signed JSON document (OpenID Connect) via the Genero delegate service.
If access is allowed, the delegate service then extracts from the returned document some user
data before starting the application on the GAS. Once an application has been started after user
authentication by the IdP, environment variables are provided defining the user role and access. The
environment can be retrieved in your Genero application via fgl_getenv()
instructions. See Retrieve the OpenID Connect user identifier and Retrieve identity attributes with SAML.