Implement SSO using OpenID Connect

Implement Single sign-on using OpenID Connect for your Genero Application Server and Genero web applications.

An identity provider using OAuth can provide an SSO service with either the core OAuth 2.0 or higher level OpenID Connect (OIDC) protocols. You will need to know which protocol the IdP uses in order to configure your application for delegation correctly. Refer to the IdP documentation for information about the protocol.

For information on how to detect the IdP protocol, see Identify the protocol in use by IdP.

Delegation in the GAS

The Genero OpenIDConnect service, based on the REST service, is a delegation service running on the GAS that acts as a proxy to the IdP: it passes control to the IdP to perform authentication before granting access and starting the application or service. This service is delivered in the package under $FGLDIR/web_utilities/services/openid-connect/. For details, go to Genero delegation and GIP service.

Create a circle of trust between the GAS and an IdP

An SSO implementation using OpenID Connect must create a circle of trust between the GAS/JGAS and an IdP. The implementation may vary depending on the IdP; refer to the IdP documentation for more information. Typically, it consists of the following steps:
  • Create an account with the IdP.
  • Register your application for SSO with the IdP.
  • Get OAuth2 credentials (public and shared secret IDs) from the IdP.
  • Provide the redirect URL of the GAS to the IdP. The redirect URL is the oauth2callback URL of the OpenIDConnect service on the GAS where the IdP will redirect the user-agent to provide the OAuth2 ID token. For more information about the oauth2callback URL, go to GAS SSO oauth2callback redirect URL.

For SSO implementation using OpenID Connect, Genero's OpenIDConnect service automatically fetches the metadata from the IdP to include all the endpoint URLs.

There is also an option to import the metadata manually, without starting the GAS and the OpenIDConnect service, which involves using the importOAuth command's --discover option. This option may be useful in some specific cases when you need to fetch the metadata to discover the endpoints to import and then to manipulate the endpoints in the oidc database before setting up your GAS environment. For an example of fetching metadata for Google, go to Import IdP metadata as OpenID Connect. For details about the importOAuth tool, go to importOAuth.

Once you have completed creating the circle of trust with the IdP, you just need to configure delegation in the application configuration file (xcf), specifying the IdP URL in the IDP element. For an example, go to Add OpenID Connect SSO to web application. For an example of configuring an application for the Google IdP, go to Configure OpenID Connect identity on Google.
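The metadata discovery step described above, shown as an added example that is not Genero's own code: it derives the discovery URL from the IdP URL you would put in the IDP element, then validates a discovery document before its endpoints are trusted (issuer must match the configured IdP, required endpoints present, all endpoints over https). The discovery document is a constructed sample, not fetched from a real IdP.

```python
"""Validate an OpenID Connect discovery document against the configured IdP URL."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document for a hypothetical IdP (not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Fields every OIDC discovery document must carry before the endpoints are usable.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def discovery_url(configured_idp: str) -> str:
    """Well-known discovery location derived from the IdP URL (OIDC Discovery 1.0)."""
    return configured_idp.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc_json: str, configured_idp: str) -> dict:
    """Parse a discovery document and return its endpoints; raise ValueError if untrusted."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required fields: {missing}")
    # The issuer must be the IdP we configured; otherwise a stray or spoofed
    # metadata document could redirect the whole login flow elsewhere.
    if doc["issuer"].rstrip("/") != configured_idp.rstrip("/"):
        raise ValueError(f"issuer {doc['issuer']!r} does not match configured IdP {configured_idp!r}")
    # The GAS delegation uses the authorization code flow, so the IdP must offer it.
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not advertise the authorization code response type")
    endpoints = {}
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue  # userinfo_endpoint is optional
        if urlparse(url).scheme != "https":
            raise ValueError(f"{key} must use https: {url}")
        endpoints[key] = url
    return endpoints


def is_trusted(doc_json: str, configured_idp: str) -> bool:
    """Boolean wrapper around check_discovery for quick configuration checks."""
    try:
        check_discovery(doc_json, configured_idp)
        return True
    except ValueError:
        return False
```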

Tip:

Read all of the OpenID Connect/OAuth2 topics in this section for details on the features provided by OpenID Connect/OAuth2 SSO support in the Genero Application Server, including attribute gathering and authorization control.