Add OpenID Connect SSO to a Genero web application.
This task must be performed in the application configuration file (.xcf).
Before you begin, you need an account with an OpenID Connect identity provider (IdP), such as Google, that will provide the authentication service; without one you cannot configure applications for Single Sign-On.
Ensure the IdP uses the OpenID Connect protocol; see Identify the protocol in use by IdP.
- Add the DELEGATE element to the application configuration file (.xcf) of the Genero web application requiring SSO.
- Set the SSO parameters for the IdP, and set the service attribute to the Genero OpenIDConnect service: <DELEGATE service="OpenIDConnectServiceProvider">.
This example shows the application configuration for delegation. Within the DELEGATE element, some parameters are mandatory:
- IDP (mandatory): the URL of the IdP.
- SCOPE (optional): the OpenID Connect attributes you want to get from the user at the time of authentication (for example, email, phone, address).
- CLIENT_PUBLIC_ID (mandatory): the OAuth2 public ID provided by the IdP.
- CLIENT_SECRET_ID (mandatory): the OAuth2 shared secret ID provided by the IdP.
Important: Ensure the secret you configure here is what the IdP requires; some IdPs need the "client secret ID value", not the client secret ID.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="OpenIDConnectServiceProvider">
      <IDP>https://accounts.myOIDCIdp.com</IDP>
      <SCOPE>email</SCOPE>
      <CLIENT_PUBLIC_ID>XXXXXXXX.apps.myOIDCIdpusercontent.com</CLIENT_PUBLIC_ID>
      <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
With the above configuration and the default GAS configuration, the delegation points to the delegation REST Web service in $FGLDIR.
The JGAS handles the OpenID Connect protocol and starts the web application only once the user has been authenticated; otherwise an HTML error page is returned.
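Because the DELEGATE element is the only place where SSO is switched on, a misconfigured .xcf silently ships an application with no authentication, a plaintext IdP URL, or the placeholder secret from the documentation. The following checker is an added example written for this page, not part of Genero or the GAS; it validates the DELEGATE section described above (service attribute, the mandatory IDP, CLIENT_PUBLIC_ID and CLIENT_SECRET_ID elements, an https IdP URL, and an obvious placeholder secret). The two .xcf documents embedded in it are constructed samples, and the names GOOD_XCF, BAD_XCF and check_delegate_config are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Names taken from the DELEGATE configuration described on the page.
EXPECTED_SERVICE = "OpenIDConnectServiceProvider"
MANDATORY = ("IDP", "CLIENT_PUBLIC_ID", "CLIENT_SECRET_ID")


def check_delegate_config(xcf_text: str) -> list[str]:
    """Return the problems found in the DELEGATE section of an .xcf document.

    An empty list means the delegation configuration passed every check.
    This is an added example checker, not a Genero tool.
    """
    problems: list[str] = []
    try:
        # lstrip() so an indented sample with an <?xml ...?> declaration parses.
        root = ET.fromstring(xcf_text.lstrip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    delegates = root.findall(".//EXECUTION/DELEGATE")
    if not delegates:
        return ["no DELEGATE element under EXECUTION: SSO is not enabled"]
    if len(delegates) > 1:
        problems.append("more than one DELEGATE element; only one delegation is expected")
    delegate = delegates[0]

    # The service attribute selects the OpenID Connect service provider.
    service = delegate.get("service")
    if service != EXPECTED_SERVICE:
        problems.append(f"service attribute is {service!r}, expected {EXPECTED_SERVICE!r}")

    # Every mandatory element must be present and non-empty.
    for name in MANDATORY:
        node = delegate.find(name)
        if node is None or not (node.text or "").strip():
            problems.append(f"mandatory element {name} is missing or empty")

    # Tokens and the discovery document travel to the IdP URL, so insist on TLS.
    idp = delegate.findtext("IDP", "").strip()
    if idp and urlparse(idp).scheme != "https":
        problems.append(f"IDP {idp!r} does not use https")

    # Catch the XXXXXX-XXXXXX placeholder from the documentation left in place.
    secret = delegate.findtext("CLIENT_SECRET_ID", "").strip()
    if "XXXX" in secret:
        problems.append("CLIENT_SECRET_ID still holds a placeholder value")

    return problems


# Constructed sample: a complete, well-formed delegation (values are fictitious).
GOOD_XCF = """
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="OpenIDConnectServiceProvider">
      <IDP>https://accounts.example.com</IDP>
      <SCOPE>email</SCOPE>
      <CLIENT_PUBLIC_ID>12345678.apps.example.com</CLIENT_PUBLIC_ID>
      <CLIENT_SECRET_ID>fictitious-secret-from-idp</CLIENT_SECRET_ID>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
"""

# Constructed sample: wrong service name, plaintext IdP URL, placeholder secret.
BAD_XCF = """
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="WrongService">
      <IDP>http://accounts.example.com</IDP>
      <CLIENT_PUBLIC_ID>12345678.apps.example.com</CLIENT_PUBLIC_ID>
      <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_XCF), ("bad", BAD_XCF)):
        findings = check_delegate_config(doc)
        print(f"{label}: {'OK' if not findings else ''}")
        for problem in findings:
            print(f"  - {problem}")
```

Run it against a real .xcf by reading the file into a string and passing it to check_delegate_config; an empty result means the DELEGATE section is complete, points at an https IdP, and does not carry the documentation placeholder. The checker deliberately does not reject elements it does not know about, since the page states only which parameters are mandatory, not the full set the DELEGATE element accepts.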
- Deploy your application on the JGAS. For details of deploying applications with the JGAS, see Launch OpenID Connect/OAuth2 SSO app in JGAS.