Implement SSO using OAuth2
Implement Single sign-on using OAuth2 for your GAS and Genero Web applications.
An identity provider using OAuth can provide an SSO service with either the core OAuth 2.0 or higher level OpenID Connect (OIDC) protocols. You will need to know which protocol the IdP uses in order to configure your application for delegation correctly. Refer to the IdP documentation for information about the protocol.
For information on how to detect the IdP protocol, see Identify the protocol in use by IdP.
Delegation in the GAS
The Genero OpenIDConnect service, based on the REST service, is a delegation service running on the GAS that acts as a proxy to the IdP; passing control to the IdP to perform authentication before granting access and starting the application or service. This service is delivered in the package under $FGLDIR/web_utilities/services/openid-connect/.
Create a circle of trust between the GAS and an IdP
- Create an account with the IdP.
- Register your application for SSO with the IdP.
- Get OAuth2 credentials (public and share secret ids) from the IdP.
- Provide the redirect URL of the GAS to the IdP. The redirect URL is
the
oauth2callback
URL of the OpenIDConnect service on the GAS where the IdP will redirect the user-agent to provide the OAuth2 ID token. For more information about the oauth2callback URL, see SSO oauth2callback redirect URL. - Use the ImportOAuth program to register the IdP's OAuth2 endpoints in the GAS.
- Set the OAuth request format in the OpenIDConnect service configuration file.
Once you have completed creating the circle of trust with the IdP, configure delegation in the
application configuration file specifying the IdP URL in the OAUTH
element. See
Add OAuth2 SSO to web application. For more examples, see How to integrate Facebook SSO in the GAS or How to integrate Instagram SSO in the GAS
Read all of the OpenID Connect/OAuth2 topics in this section for details on features provided by OpenID Connect/OAuth2 SSO support in the Genero Application Server; including attributes gathering or authorization control.