Launch OpenID Connect/OAuth2 SSO app in JGAS

Deploy applications secured for OpenID Connect/OAuth2 Single sign-on (SSO) in the JGAS.

In this task you build a Genero Archive (gar) containing your OpenID Connect/OAuth2 Single sign-on (SSO) applications, embed the gar together with JGAS in a war file, and then run the applications in JGAS.
Important:

SSO requests require HTTPS, and JGAS has only limited HTTPS support (for instance, there is no option to use your own SSL certificate as there is in the standard GAS). Deploying the war in the standalone JGAS is therefore recommended only for testing. For anything beyond local testing, deploy the war in an existing Java Enterprise Edition container such as Apache Tomcat®, Jetty, or Glassfish in which HTTPS is configured.

You must have configured OpenID Connect/OAuth2 Single sign-on (SSO) for the applications you wish to deploy. For details of implementing applications with SSO, see OpenID Connect/OAuth2 SSO.

  1. Create a directory where you build the Genero Archive (gar) for deployment of your applications.
    For the purposes of our example, the directory is called work.
  2. Copy the xcf file of the delegation REST web service, OpenIDConnectServiceProvider.xcf, from $FGLDIR/web_utilities/services (FGLDIR\web_utilities\services on Windows) to the work directory.
    Important:

    In JGAS, embed only the xcf file; it references the delegation REST web service installed in $FGLDIR, and the service itself stays there rather than being packaged in the gar. The war then carries no SSO configuration of its own, so you can redeploy it without recreating the circle of trust or reconfiguring SSO each time.

  3. Build the Genero Archive file (gar).
    From the work directory, run fglgar gar, passing your application xcf files and the OpenID Connect service xcf file, as shown:
    fglgar gar --application myApp.xcf --service OpenIDConnectServiceProvider.xcf --output work.gar
    The work.gar is created.
  4. Package the Genero Archive and JGAS in a war archive.
    Run the fglgar war command:
    fglgar war --input-gar work.gar --output work.war

    The work.war file is created.

  5. Start the JGAS in standalone mode.
    Run the fglgar run command:
    fglgar run --war work.war
  6. Test your application.
    1. Start your browser and enter the application URL.
      By default JGAS listens on port 8080, and the base name of the war file (work in this example) is the context path under which the war is deployed.

      Open the browser at the following URL:

      http://localhost:8080/work

      The JGAS user interface home page opens showing the applications and services deployed in the war file.
    2. Select your application to open.

      Your browser is redirected to the Identity Provider (IdP).

    3. Enter your credentials in the IdP's log-in form.

      If your credentials are valid, the IdP redirects your browser back to the application. JGAS handles the OAuth2 exchange and starts the web application only once the user has been authenticated; otherwise it returns an HTML error page.

      Once the user is authenticated, the application can read information about them from environment variables such as OIDC_SUB, which carries the subject identifier asserted by the IdP.

      The fglrun process runs as the operating system user that owns the JGAS process; with Apache, for example, the program runs as the Apache user. The authenticated OpenID Connect user is known to the program only through environment variables such as OIDC_SUB and is not mapped to an operating system account, so the program's file and database privileges are those of the JGAS account, not of the person who logged in.

The next time you start the same application, or any other application served by the same JGAS, you are not prompted for your credentials again: the application starts and runs as the same authenticated OpenID Connect/OAuth2 user.
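As an added example (not part of the Four Js documentation), the numbered build steps above collected into a POSIX shell script with the pre-flight checks a deployer wants before packaging an SSO-enabled application: the service xcf is copied from $FGLDIR as the Important note recommends, every xcf is verified before fglgar runs, and the standalone launch is kept separate so it is only used for local testing. It assumes FGLDIR is set and fglgar is on PATH; the function names, the FGLGAR override variable and the work/myApp.xcf names are illustrative.

```shell
#!/bin/sh
# Added example, not from the Four Js documentation: the gar/war build steps
# as a script with pre-flight checks.
# Assumptions (not stated on the page): FGLDIR is set in the environment,
# fglgar is on PATH (override with FGLGAR=/path/to/fglgar), and the work
# directory already holds the application xcf files.

FGLGAR="${FGLGAR:-fglgar}"
SERVICE_XCF="OpenIDConnectServiceProvider.xcf"

# copy_service_xcf WORKDIR
# Copies only the xcf that references the delegation service in $FGLDIR;
# the service program itself stays in $FGLDIR so the war carries no SSO
# configuration and can be redeployed without rebuilding the circle of trust.
copy_service_xcf() {
    workdir=$1
    src="${FGLDIR:?FGLDIR is not set}/web_utilities/services/$SERVICE_XCF"
    [ -f "$src" ] || { echo "service xcf not found: $src" >&2; return 1; }
    cp "$src" "$workdir/$SERVICE_XCF"
}

# check_inputs WORKDIR APP_XCF...
# Fails if the work directory, the service xcf or any application xcf is
# missing, so fglgar is never run with an incomplete archive definition.
check_inputs() {
    workdir=$1; shift
    [ -d "$workdir" ] || { echo "no such directory: $workdir" >&2; return 1; }
    [ -f "$workdir/$SERVICE_XCF" ] || {
        echo "missing $SERVICE_XCF in $workdir (copy it from \$FGLDIR/web_utilities/services)" >&2
        return 1
    }
    [ $# -gt 0 ] || { echo "no application xcf given" >&2; return 1; }
    for app in "$@"; do
        [ -f "$workdir/$app" ] || { echo "missing application xcf: $app" >&2; return 1; }
    done
}

# gar_args APP_XCF...
# Prints the fglgar gar options for the given application xcf files: one
# --application per file plus the single --service for the SSO delegate.
gar_args() {
    for app in "$@"; do
        printf '%s %s ' --application "$app"
    done
    printf '%s %s' --service "$SERVICE_XCF"
}

# build_sso_war WORKDIR NAME APP_XCF...
# Runs the gar and war steps from the work directory and prints the path of
# the resulting NAME.war; returns non-zero if any step fails.
build_sso_war() {
    workdir=$1; name=$2; shift 2
    check_inputs "$workdir" "$@" || return 1
    (
        cd "$workdir" || exit 1
        # word splitting of gar_args is intended; xcf names must not contain spaces
        "$FGLGAR" gar $(gar_args "$@") --output "$name.gar" || exit 1
        "$FGLGAR" war --input-gar "$name.gar" --output "$name.war"
    ) || return 1
    [ -f "$workdir/$name.war" ] || { echo "$name.war was not produced" >&2; return 1; }
    echo "$workdir/$name.war"
}

# run_standalone WORKDIR NAME
# Starts the standalone JGAS on http://localhost:8080/NAME. This is plain
# HTTP, so use it only to test the SSO flow locally (see the Important note
# on HTTPS above); real deployments go into a container with HTTPS configured.
run_standalone() {
    workdir=$1; name=$2
    [ -f "$workdir/$name.war" ] || { echo "build the war first" >&2; return 1; }
    "$FGLGAR" run --war "$workdir/$name.war"
}

# Typical use, matching the numbered steps above:
#   copy_service_xcf work && build_sso_war work work myApp.xcf && run_standalone work work
```

The checks are deliberately ordered so that a missing service xcf is reported before fglgar is invoked: a gar built without it packages the application without its SSO delegate, and the mistake only shows up when the browser is never redirected to the IdP.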