Authorization and OpenID Connect SSO
Authorize whether a user already authenticated by OpenID Connect SSO can access a Genero application.
The Genero Application Server must be configured for OpenID Connect Single sign-on (SSO). See Configure GAS for OpenID Connect SSO.
With the Genero OpenID Connect implementation, you can add an external program to determine whether an already authenticated user can access a Genero Web application. For example, you may need to restricted access to certain applications or to certain specific email addresses; otherwise any user authenticated by an OpenID Connect provider can access your Genero Web application. It is therefore recommended that you add an authorization program to filter access to your applications.
access-program oidc-userid app-xcf-path [ attribute value [...] ]
- The first argument is the OpenID Connect identifier (typically an opaque value returned by the IdP)
- The second argument is the application path.
- Next arguments are optional and define OpenID attributes/value pairs.
fglrun AccessProgram
"101516043183449889392" \
"qa-test/application" \
"fullname" "genero test" \
"email" "genero@4js.com" \
"country" "France"
The external authorization program is specified in the application configuration element by
adding an AUTHORIZATION
element in the DELEGATE
element.
The authorization program will be called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the latter case, the end user will be warned with an error page in the web browser, generated by the OpenID Connect service.