Delegate SSO to an external Identity Provider

Genero Identity Provider (GIP) can delegate user authentication to an external Identity Provider (IdP) while continuing to manage user authorizations (roles, scopes and group membership) itself.

With delegated authentication, users sign in with the credentials of an external OIDC provider (such as Azure AD or Okta), so they keep the identity and credentials they already use. Authentication (verifying who the user is) is handled by the external IdP; GIP retains control over authorization (what the user is allowed to do). An account at the external IdP alone does not grant access to a GIP-protected application: the user must also have a GIP account that a GIP administrator has validated and assigned roles and scopes to, as described in the setup steps below.

This feature is available from GIP version 6.00.

Important: If not already done, update GIP to version 6.00 by running the StarterApp. The feature does not take effect until the StarterApp has been run. See Migrate your Genero Identity Provider database.

Setup steps (high level):
  1. In the Console App, log in as administrator and open the ID providers menu (it is only visible to administrators). In ID providers > New, create and configure the external Identity Provider entry: Issuer URL, client ID, client secret, and endpoints. Treat the client secret as a credential; it is what authenticates GIP to the external IdP's token endpoint. For details, go to Configure external IdP authentication.
  2. Register the GIP delegation service callback/redirect URL with the external IdP. OIDC providers compare the redirect URL against the registered value by exact string match (scheme, host, port and path), so copy it verbatim. For details, go to Register GIP callback URL with external IdP.
  3. Verify that the external IdP appears on the GIP sign-in page and test a login.
  4. Onboard each user who will authenticate through the external IdP:
    1. User account: The user must have an account with the external IdP.
    2. Create account: The user requests a GIP account with the Create Account function of the GIP sign-in page, as documented in Request account.
    3. GIP validation: A GIP administrator must validate each user and assign the required roles and scopes, as documented in Manage users. Until this is done, the user can authenticate at the external IdP but holds no authorizations in GIP.
    4. Verify login and access: After validation, the user signs in with their external IdP credentials on the GIP sign-in page and confirms they can access the application.
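Steps 1 and 2 are where delegated login most often fails in practice: an Issuer URL that differs from the provider's own by a trailing slash, an endpoint typed over plain HTTP, or a callback URL that is almost but not exactly what was registered. The script below is an added example, not GIP code or part of its documentation: it runs the checks an engineer would want to do against the provider's OIDC discovery document before filling in the ID providers > New form. The discovery document, the provider hostname and the GIP callback path are all constructed for illustration (take the real callback URL from the GIP documentation).

```python
"""Pre-flight checks for an external OIDC IdP before it is entered in GIP.

Added example, not part of GIP. The discovery document and all hostnames
below are constructed for illustration; the GIP callback path is hypothetical.
"""
import json
from urllib.parse import urlsplit

# Constructed discovery document, in the shape a provider serves at
# <issuer>/.well-known/openid-configuration. Hostname and paths are made up.
DISCOVERY_JSON = """
{
  "issuer": "https://idp.example.com/oauth2/default",
  "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/default/v1/userinfo",
  "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email"]
}
"""

# Constructed document with the defects the checks are meant to catch:
# a plain-HTTP token endpoint, no JWKS URI, and only HMAC-signed ID tokens.
WEAK_DISCOVERY_JSON = """
{
  "issuer": "https://idp.example.com/oauth2/default",
  "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
  "token_endpoint": "http://idp.example.com/oauth2/default/v1/token",
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["HS256"]
}
"""

# Endpoints a relying party needs for the authorization code flow.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(configured_issuer, discovery_json):
    """Return a list of problems; an empty list means the entry is consistent.

    The Issuer URL typed into the GIP form must equal the document's "issuer"
    byte for byte: OIDC Discovery requires the match, and a relying party
    compares the same value against the "iss" claim of every ID token, so a
    stray trailing slash breaks login. The endpoints GIP will call must be
    present and HTTPS, and the provider must advertise the authorization code
    flow and RS256-signed ID tokens.
    """
    doc = json.loads(discovery_json)
    problems = []
    if doc.get("issuer") != configured_issuer:
        problems.append(
            f"issuer mismatch: form={configured_issuer!r} document={doc.get('issuer')!r}"
        )
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            problems.append(f"missing {name}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{name} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not advertise RS256 ID token signatures")
    return problems


def redirect_uri_registered(gip_callback_url, registered):
    """Exact string comparison, as OIDC providers apply to redirect_uri.

    Scheme, host, port, path and trailing slash must all match. A near miss
    (http vs https, a missing port, an extra slash) is accepted without
    complaint at registration time and rejected by the provider only when a
    user tries to log in.
    """
    return gip_callback_url in registered


if __name__ == "__main__":
    issuer = "https://idp.example.com/oauth2/default"
    print("good document:", check_discovery(issuer, DISCOVERY_JSON) or "no problems")
    print("issuer with slash:", check_discovery(issuer + "/", DISCOVERY_JSON))
    print("weak document:", check_discovery(issuer, WEAK_DISCOVERY_JSON))

    # Hypothetical GIP callback URL; take the real value from the GIP docs.
    callback = "https://gip.example.com/gip/callback"
    print("registered exactly:", redirect_uri_registered(callback, [callback]))
    print("registered with slash:", redirect_uri_registered(callback, [callback + "/"]))
```

To use it against a real provider, fetch `<Issuer URL>/.well-known/openid-configuration` over HTTPS, pass the body as `discovery_json`, and copy the Issuer URL and endpoints into the GIP form only once `check_discovery` returns no problems. The redirect check is deliberately a plain string comparison rather than a URL-normalising one, because that is how providers evaluate `redirect_uri`: a normalised match that the provider does not also accept gives false confidence.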