Add OpenID Connect SSO to web application

Add OpenID Connect SSO to a Genero web application.

This task must be performed in the application configuration file (.xcf).

Before you begin, you must have an account with an OpenID Connect identity provider (such as Google) that will provide authentication services for you before you can configure applications for Single Sign On.

Ensure the IdP uses the OpenID Connect protocol, see Identify the protocol in use by IdP.

  1. Add the DELEGATE element to the application configuration file (.xcf) of the Genero web application requiring SSO.
  2. Set the SSO parameters for the IdP, and set the service attribute to the Genero OpenIDConnect service: <DELEGATE service="services/OpenIDConnectServiceProvider">.

    This example shows the application configuration for delegation. Within the DELEGATE element, some parameters are mandatory:

    • IDP (mandatory). Set the IDP element with the URL of the IdP.
    • SCOPE: (optional) the OpenID Connect attributes you want to get from the user at time of authentication (for example, email, phone, address).
    • CLIENT_PUBLIC_ID: (mandatory) the OAuth2 public ID provided by the IdP
    • CLIENT_SECRET_ID: (mandatory) the OAuth2 shared secret ID provided by the IdP.
      Important:

      Ensure the secret you configure here is what the IdP requires; some IdPs need the "client secret ID value", not the client secret ID.

    <?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/4.01/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
      <DELEGATE service="services/OpenIDConnectServiceProvider" >
          <IDP>https://accounts.myOIDCIdp.com</IDP>
          <SCOPE>email</SCOPE>        
          <CLIENT_PUBLIC_ID>XXXXXXXX.apps.myOIDCIdpusercontent.com</CLIENT_PUBLIC_ID>
          <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>        
      </DELEGATE>
  </EXECUTION>
</APPLICATION>

    With the above configuration and the default GAS configuration, the delegation points to the delegation REST Web service in the $FGLDIR.

The GAS will handle the OpenID Connect protocol and start the web application only when the user has been authenticated, otherwise an HTML error page is returned.

Test your application

Start your browser and enter the application URL. Your browser is redirected to the Identity Provider (IdP), where you must enter your credentials. If your credentials are valid, your browser is redirected back to the application; otherwise an HTML error page is returned.

Once authenticated, the application can then get user information through environment variables such as OIDC_SUB.

The fglrun process is executed in the context of the GAS operating system user. For example, when using Apache, the program process will run in the context of the Apache user.