Quick start: Set up OpenID Connect in JGAS

Follow these steps to set up OpenID Connect for your JGAS and Genero Web applications.

Before you begin, you must Configure JGAS for OpenID Connect SSO.

In this quick start, you configure Genero Browser Client applications for OpenID Connect Single sign-on (SSO), and add them to a gar file that is embedded in a war file with the JGAS. Then you execute the applications with SSO in JGAS.

  1. Copy OpenIDConnectServiceProvider.xcf from the FGLDIR\web_utilities\services to your work directory.
    Note: In JGAS it is recommended that you only embed the xcf file referencing the delegation REST Web service in the $FGLDIR you will use. This allows you to redeploy the war without having to recreate the circle of trust and reconfigure SSO each time.
  2. Add a DELEGATE element to all Genero Web applications requiring SSO.

    The first three parameters are mandatory:

    • IDP: the provider of the IdP account (for example, https://accounts.google.com)
    • CLIENT_PUBLIC_ID: the OAuth2 public ID provided by the IdP
    • CLIENT_SECRET_ID: the OAuth2 shared secret ID provided by the IdP
    • SCOPE: (optional) the OpenID Connect attributes you want to get from the user at time of authentication (for example, email, phone, address).
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.path.mypath)/myapplication</PATH>
        <MODULE> myapp.42r</MODULE>
        <DELEGATE service="OpenIDConnectServiceProvider">
          <IDP>https://accounts.google.com</IDP>        
          <SCOPE>email</SCOPE>        
          <CLIENT_PUBLIC_ID>XXXXXXXX.apps.googleusercontent.com</CLIENT_PUBLIC_ID>
          <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>        
        </DELEGATE>
      </EXECUTION>
    </APPLICATION>
  3. Build the Genero Archive file (gar) using the fglgar tool.
    At the command line of your work directory type the command that includes your application files and the OpenID Connect service xcf file as shown:
    fglgar gar --application myApp.xcf --service OpenIDConnectServiceProvider.xcf --output work.gar
    The work.gar is created.
  4. Run the fglgar war command to package the Genero Archive and JGAS in a war archive. 
    fglgar war --input-gar work.gar --output work.war

    The work.war file is created.

    The war is ready to be deployed.

  5. Run the fglgar run command to start the JGAS in standalone mode. 
    fglgar run --war work.war
    Note: SSO requests require HTTPS, and as JGAS has limited HTTPS support (for instance, there is no option to use your own SSL certificate as in the standard GAS), therefore it is only recommended to deploy the war in the standalone JGAS for testing. For development, deploy in any existing Java Enterprise Edition container such as Apache Tomcat®, Jetty, or Glassfish where HTTPS is configured.
  6. Execute a Genero Browser Client application with SSO.
    1. Start your browser and enter the application URL. See Run an application in JGAS.
      You are prompted to enter your OpenID Connect credentials.
    2. Click the signin button.
      Your browser is redirected to the Identity Provider (IdP).
    3. Enter your credentials.
      If your credentials are valid, your browser is redirected to the Genero Browser Client application. The application can then get OpenID Connect user information through environment variables such as OIDC_SUB.
      Note: The fglrun process is executed in the context of the JGAS operating system user. For example, when using Apache, the program process will run in the context of the Apache user.

The next time you start the same application - or any application delivered by the same JGAS - you will not be prompted for your credentials. The application will start and be authenticated by the same OpenID Connect user.

Tip: Read all of the OpenID Connect topics in this section for details on features provided by OpenID Connect SSO support in the JGAS; including attributes gathering or authorization control.