Follow these steps to set up OpenID Connect for your JGAS and Genero Web
applications.
In this quick start, you configure Genero Browser Client applications for OpenID Connect Single
sign-on (SSO), and add them to a gar file that is embedded in a
war file with the JGAS. Then you execute the applications with SSO in JGAS.
-
Copy OpenIDConnectServiceProvider.xcf from the
FGLDIR\web_utilities\services to your work
directory.
Note: In JGAS it is recommended that you only embed the
xcf file referencing the delegation REST Web service in the
$FGLDIR you will use. This allows you to redeploy the war
without having to recreate the circle of trust and reconfigure SSO each time.
-
Add a
DELEGATE
element to all Genero Web applications requiring SSO.
The first three parameters are mandatory:
- IDP: the provider of the IdP account (for example, https://accounts.google.com)
- CLIENT_PUBLIC_ID: the OAuth2 public ID provided by the IdP
- CLIENT_SECRET_ID: the OAuth2 shared secret ID provided by the IdP
- SCOPE: (optional) the OpenID Connect attributes you want to get from the user at time of
authentication (for example, email, phone, address).
<APPLICATION Parent="defaultgwc">
<EXECUTION>
<PATH>$(res.path.mypath)/myapplication</PATH>
<MODULE> myapp.42r</MODULE>
<DELEGATE service="OpenIDConnectServiceProvider">
<IDP>https://accounts.google.com</IDP>
<SCOPE>email</SCOPE>
<CLIENT_PUBLIC_ID>XXXXXXXX.apps.googleusercontent.com</CLIENT_PUBLIC_ID>
<CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
</DELEGATE>
</EXECUTION>
</APPLICATION>
-
Build the Genero Archive file (gar) using the fglgar
tool.
At the command line of your
work directory type the command that includes
your application files and the OpenID Connect service
xcf file as
shown:
fglgar gar --application myApp.xcf --service OpenIDConnectServiceProvider.xcf --output work.gar
The work.gar is created.
-
Run the fglgar war command to package the Genero Archive and JGAS in a war
archive.
fglgar war --input-gar work.gar --output work.war
The work.war file is created.
The war is ready to be deployed.
-
Run the fglgar run command to start the JGAS in standalone mode.
fglgar run --war work.war
Note: SSO requests require HTTPS, and as JGAS has limited HTTPS support
(for instance, there is no option to use your own SSL certificate as in the standard GAS), therefore
it is only recommended to deploy the war in the standalone JGAS for testing.
For development, deploy in any existing Java Enterprise Edition container such as Apache Tomcat®,
Jetty, or Glassfish where HTTPS is configured.
-
Execute a Genero Browser Client application with SSO.
-
Start your browser and enter the application URL. See Run an application in JGAS.
You are prompted to enter your OpenID Connect credentials.
-
Click the signin button.
Your browser is redirected to the Identity Provider (IdP).
-
Enter your credentials.
If your credentials are valid, your browser is redirected to the Genero Browser Client
application. The application can then get OpenID Connect user information through environment
variables such as OIDC_SUB.
Note: The fglrun
process is executed in the context of
the JGAS operating system user. For example, when using Apache, the program process will run in the
context of the Apache user.
The next time you start the same application - or any application delivered by the same JGAS -
you will not be prompted for your credentials. The application will start and be authenticated by
the same OpenID Connect user.
Tip: Read all of the OpenID Connect topics in this section for details on features
provided by OpenID Connect SSO support in the JGAS; including attributes gathering or authorization
control.