Follow these steps to set up OpenID Connect for your JGAS and Genero Web
applications.
Before you begin, you must have an account with an OpenID Connect provider (such as Google) that will provide authentication services for you. Without such an account you cannot configure JGAS for OpenID Connect Single Sign-On.
In this quick start, you configure Genero Browser Client applications for OpenID Connect single sign-on (SSO), add them to a gar file, and embed that gar file in a war file together with the JGAS. Then you execute the applications with SSO in JGAS.
-
Copy OpenIDConnectServiceProvider.xcf from FGLDIR\web_utilities\services to your work directory.
Note:
In JGAS it is recommended that you embed only the xcf file referencing the delegation REST Web service in the $FGLDIR you will use. This allows you to redeploy the war without having to recreate the circle of trust and reconfigure SSO each time.
-
Add a DELEGATE element to all Genero Web applications requiring SSO.
The first three parameters are mandatory:
- IDP: the provider of the IdP account (for example, https://accounts.google.com)
- CLIENT_PUBLIC_ID: the OAuth2 public ID provided by the IdP
- CLIENT_SECRET_ID: the OAuth2 shared secret ID provided by the IdP
- SCOPE: (optional) the OpenID Connect attributes you want to obtain from the user at authentication time (for example, email, phone, address).
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.mypath)/myapplication</PATH>
    <MODULE>myapp.42r</MODULE>
    <DELEGATE service="OpenIDConnectServiceProvider">
      <IDP>https://accounts.google.com</IDP>
      <SCOPE>email</SCOPE>
      <CLIENT_PUBLIC_ID>XXXXXXXX.apps.googleusercontent.com</CLIENT_PUBLIC_ID>
      <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
-
Build the Genero Archive file (gar) using the fglgar tool.
At the command line of your work directory, type the command that includes your application files and the OpenID Connect service xcf file, as shown:
fglgar gar --application myApp.xcf --service OpenIDConnectServiceProvider.xcf --output work.gar
The work.gar file is created.
-
Run the fglgar war command to package the Genero Archive and JGAS in a war archive.
fglgar war --input-gar work.gar --output work.war
The work.war file is created and is ready to be deployed.
-
Run the fglgar run command to start the JGAS in standalone mode.
fglgar run --war work.war
Note:
SSO requests require HTTPS. Because JGAS has limited HTTPS support (for instance, there is no option to use your own SSL certificate as there is in the standard GAS), it is recommended to deploy the war in the standalone JGAS for testing only. For development, deploy in any existing Java Enterprise Edition container where HTTPS is configured, such as Apache Tomcat®, Jetty, or Glassfish.
-
Execute a Genero Browser Client application with SSO.
-
Start your browser and enter the application URL. See Run an application in JGAS.
You are prompted to enter your OpenID Connect credentials.
-
Click the sign-in button.
Your browser is redirected to the Identity Provider (IdP).
-
Enter your credentials.
If your credentials are valid, your browser is redirected to the Genero Browser Client application. The application can then get OpenID Connect user information through environment variables such as OIDC_SUB.
Note:
The fglrun process is executed in the context of the JGAS operating system user. For example, when using Apache, the program process runs in the context of the Apache user.
The next time you start the same application, or any application delivered by the same JGAS, you are not prompted for your credentials. The application starts and is authenticated as the same OpenID Connect user.
Tip:
Read all of the OpenID Connect topics in this section for details on the features provided by OpenID Connect SSO support in the JGAS, including attribute gathering and authorization control.
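Before running fglgar gar (step 3) it is worth checking each application xcf for the DELEGATE configuration described in step 2. The following added Python script is not part of the Genero documentation or tooling; it parses an xcf, verifies that the three mandatory parameters are present, and additionally flags a non-HTTPS IDP URL, a service attribute other than OpenIDConnectServiceProvider, and client IDs that still carry the XXXX placeholders shown above (those extra checks are my own). The sample xcf is constructed inline with two such problems so that the findings are visible.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the DELEGATE element from step 2, deliberately left with a
# plain-http IDP and the documentation placeholders so the checker reports them.
SAMPLE_XCF = """<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.mypath)/myapplication</PATH>
    <MODULE>myapp.42r</MODULE>
    <DELEGATE service="OpenIDConnectServiceProvider">
      <IDP>http://accounts.google.com</IDP>
      <SCOPE>email</SCOPE>
      <CLIENT_PUBLIC_ID>XXXXXXXX.apps.googleusercontent.com</CLIENT_PUBLIC_ID>
      <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>"""

MANDATORY = ("IDP", "CLIENT_PUBLIC_ID", "CLIENT_SECRET_ID")
EXPECTED_SERVICE = "OpenIDConnectServiceProvider"  # name of the xcf copied in step 1


def check_delegate(xcf_text):
    """Return a list of findings for the DELEGATE element of one application xcf.
    An empty list means the element is present and passes every check."""
    findings = []
    root = ET.fromstring(xcf_text)
    delegate = root.find("./EXECUTION/DELEGATE")
    if delegate is None:
        return ["no DELEGATE element under EXECUTION: SSO will not be enforced"]
    if delegate.get("service") != EXPECTED_SERVICE:
        findings.append(f"DELEGATE service attribute should be {EXPECTED_SERVICE}")
    values = {child.tag: (child.text or "").strip() for child in delegate}
    for tag in MANDATORY:
        if not values.get(tag):
            findings.append(f"{tag} is mandatory but missing or empty")
    idp = values.get("IDP")
    if idp and urlparse(idp).scheme != "https":
        findings.append("IDP must be an https:// URL (SSO requests require HTTPS)")
    for tag in ("CLIENT_PUBLIC_ID", "CLIENT_SECRET_ID"):
        if "XXXX" in values.get(tag, ""):
            findings.append(f"{tag} still contains the documentation placeholder")
    return findings


if __name__ == "__main__":
    for finding in check_delegate(SAMPLE_XCF):
        print("FINDING:", finding)
```

Run it over every xcf named in the --application arguments; a clean configuration yields no output.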