Single sign-on (SSO) overview

Single sign-on is user authentication that permits a user to log in once when accessing Genero applications and services delivered by a Genero Application Server (GAS).

Single sign-on is a common form of authentication that allows a user to enter one name and password to access one or more applications. To use SSO, a user must have a user account with the Identity Provider (IdP) providing access to your protected applications.

Using SSO provides several advantages:
  • It provides a better user experience. Users use their existing credentials to access many Genero web applications without having to re-enter their credentials each time.
  • It provides you with the services of an IdP to manage registering and authenticating users. This service can be provided by a third party IdP or Genero's own identity provider – the Genero Identity Provider (GIP).

SSO authenticates by delegation; therefore, two components must combine to provide SSO – a delegation service and an identity provider:

Delegation service

The delegation service redirects the start of an application configured for SSO to the IdP that authenticates the user. The GAS has a delegation service running that acts as a proxy to the IdP, passing control to the IdP to perform authentication before granting access and starting the application or service. The delegation service manages the scope – permissions for access to resources – granted in tokens provided by the IdP. The delegation service is provided as part of the FGLGWS package. For details, go to Genero delegation and GIP service.

For an illustration of how the SSO process works, go to the Single sign-on workflow page. For more details, read the How delegation works page in the Genero Application Server User Guide.

Identity Provider (IdP)

The IdP is the entity in charge of managing and authenticating users. It handles the user log in and grants access to web applications and services on behalf of an authenticated user, providing access tokens of various kinds but without providing the user's credentials to the application. For more information on using an IdP, go to Identity Provider (IdP)

Configure applications for delegation

You need to configure your Genero applications to use delegation. This configuration will vary slightly depending on whether you are using the GIP – which supports OpenID-Connect SSO – or using a third-party IdP that may support OpenID-Connect, OAuth2, or Security Assertion Markup Language (SAML).
  • For the Genero Idenity Provider, you register applications and services that require authentication with the GIP. When you deploy and secure applications and services in a Genero Archive using the Deployment App, the registration of applications with the GIP is managed for you, to include the creation of a CLIENT_ID and SERVICE_ID for the deployed Genero Archive and the addition of the GIP details to the generated application configuration files. For details, go to Deploying and securing applications and Web services for the GIP.
  • For the identity provider using OpenID Connect SSO, you must configure your Genero web application configuration file with details provided by the IdP. For details, go to Add OpenID Connect SSO to web application.
  • For the identity provider using OAuth2 SSO, you must configure your Genero web application configuration file with details provided by the IdP. For details, go to Add OAuth2 SSO to web application.
  • For the identity provider using SAML SSO, you must configure your Genero web application configuration file with details provided by the IdP. For details, go to Add SAML SSO to a Genero web application.