Implement SSO using OpenID Connect

Implement Single sign-on using OpenID Connect for your JGAS and Genero web applications.

An identity provider using OAuth can provide an SSO service with either the core OAuth 2.0 or higher level OpenID Connect (OIDC) protocols. You will need to know which protocol the IdP uses in order to configure your application for delegation correctly. Refer to the IdP documentation for information about the protocol.

For information on how to detect the IdP protocol, see Identify the protocol in use by IdP.

Delegation in the GAS

The Genero OpenIDConnect service, based on the REST service, is a delegation service running on the GAS that acts as a proxy to the IdP; passing control to the IdP to perform authentication before granting access and starting the application or service. This service is delivered in the package under $FGLDIR/web_utilities/services/openid-connect/.

Create a circle of trust between the GAS and an IdP

An SSO implementation using OpenID Connect must create a circle of trust between the JGAS and an IdP. SSO implementation may vary depending on the IdP, refer to the IdP documentation for more information. Typically, it consists of the following:
  • Create an account with the IdP.
  • Register your application for SSO with the IdP.
  • Get OAuth2 credentials (public and share secret ids) from the IdP.
  • Provide the redirect URL of the GAS to the IdP. The redirect URL is the oauth2callback URL of the OpenIDConnect service on the GAS where the IdP will redirect the user-agent to provide the OAuth2 ID token. For more information about the oauth2callback URL, see SSO oauth2callback redirect URL.

For SSO implementation using OpenID Connect, Genero's OpenIDConnect service automatically fetches the metadata from the IdP to include all the endpoint URLs.

Once you have completed creating the circle of trust with the IdP, you just need to configure delegation in the application configuration file (xcf), specifying the IdP URL in the IDP element. See Add OpenID Connect SSO to web application. For an example using Google, see Configure OpenID Connect identity on Google.

Tip:

Read all of the OpenID Connect/OAuth2 topics in this section for details on features provided by OpenID Connect/OAuth2 SSO support in the Genero Application Server; including attributes gathering or authorization control.