Single sign-on (SSO) overview
Single sign‑on (SSO) is a common form of authentication that lets a user authenticate once to access one or more protected applications.
To use SSO, a user must have an account with the Identity Provider (IdP) that grants access to your applications. SSO has the following advantages:
- It provides a better user experience. Users authenticate with their existing IdP credentials and can then access many Genero web applications without re-entering those credentials.
- It allows you to rely on the IdP to manage user registration and authentication. This service can be provided by a third‑party IdP or by Genero’s own Identity Provider – Genero Identity Provider (GIP).
SSO authenticates by delegation; therefore, two components must combine to provide SSO – a delegation service and an identity provider.
If you are configuring SSO, you should have a basic understanding of web authentication and authorization standards such as SAML, OAuth 2.0 and OpenID Connect. SAML is maintained by OASIS, OAuth 2.0 by the Internet Engineering Task Force (IETF) and OpenID Connect by the OpenID Foundation; these bodies publish the standards used by modern SSO implementations.
Delegation service
The delegation service redirects the start of an application configured for SSO to the IdP that authenticates the user. The Genero Application Server (GAS) includes a delegation service that acts as a proxy for the IdP, passing control to the IdP to perform authentication before granting access and starting the application or service. The delegation service manages the scope (the permissions for access to resources) granted in the tokens provided by the IdP. The delegation service is part of the FGLGWS package. For details, go to The services directory.
Identity Provider (IdP)
The IdP is the entity in charge of managing and authenticating users. It handles the user login and grants access to web applications and services on behalf of an authenticated user, providing access tokens of various kinds without revealing the user's credentials to the application. For more information on using an IdP, whether the Genero IdP or a third‑party provider, go to Identity Provider (IdP). This topic also highlights the key steps for providing authentication with a third‑party IdP, such as setting up an account with a trusted IdP provider and using the tokens they issue.
How it works
When a user accesses your application or web service, they are redirected to the IdP for authentication. Depending on the IdP type, the IdP returns an accept or reject response either as a signed XML assertion (SAML) or a signed JSON document (OpenID Connect) to the Genero delegate service (SAMLServiceProvider or OpenIDConnectServiceProvider).
If access is allowed, the delegate service extracts user information from the returned document and starts the application on the GAS. After the application starts, environment variables are provided to define the user’s roles and access rights. Your Genero application can retrieve these values using fgl_getenv().
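The accept/reject decision described above, as an added example that is not part of Genero's delegate service or of this page. It models the OpenID Connect case: the IdP returns a signed JSON document (a JWS), and the delegate accepts it only after checking the signature, the pinned algorithm, the issuer, the audience, the expiry and the nonce it generated when it redirected the user, then maps the verified claims to the environment the application reads. To run offline it signs with HMAC-SHA256 and a constructed shared key; a real IdP signs with an asymmetric key (RS256 or ES256) whose public part the delegate fetches from the IdP's JWKS endpoint. The issuer, audience, nonce and the SSO_USER_* variable names are assumptions made for this example, not Genero's actual configuration values or variable names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the fake IdP and the delegate in this example.
# Real IdPs use an asymmetric signing key published through their JWKS endpoint.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Values the delegate is configured with (assumed for this example).
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "genero-app-client-id"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_sign_response(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the IdP: emit a compact JWS (HS256) carrying the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def delegate_verify_response(token: str, expected_nonce: str,
                             key: bytes = DEMO_KEY, now=None) -> dict:
    """Stand-in for the delegate service: return the verified claims, or raise
    ValueError with the reject reason if any check fails."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("reject: malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to choose "none" or
    # switch to another key family.
    if header.get("alg") != "HS256":
        raise ValueError("reject: unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    # Check the signature before trusting anything in the payload.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("reject: bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("reject: wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("reject: wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("reject: token expired")
    # The nonce binds this response to the redirect the delegate issued.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("reject: nonce mismatch (possible replay)")
    return claims


def claims_to_environment(claims: dict) -> dict:
    """Map verified claims to the environment the application would read with
    fgl_getenv(). Variable names are assumed for this example."""
    return {
        "SSO_USER_ID": claims["sub"],
        "SSO_USER_EMAIL": claims.get("email", ""),
        "SSO_USER_ROLES": ",".join(claims.get("roles", [])),
    }


def delegate_decision(token: str, expected_nonce: str, now=None) -> tuple:
    """Return ("accept", environment) or ("reject", reason)."""
    try:
        claims = delegate_verify_response(token, expected_nonce, now=now)
    except ValueError as exc:
        return ("reject", str(exc))
    return ("accept", claims_to_environment(claims))


def demo() -> dict:
    """End-to-end run with constructed values: IdP signs, delegate accepts."""
    nonce = "n-0S6_WzA2Mj"  # constructed; generated by the delegate at redirect time
    now = 1_700_000_000
    token = idp_sign_response({
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
        "email": "alice@example.test", "roles": ["sales", "manager"],
        "iat": now, "exp": now + 300, "nonce": nonce,
    })
    return delegate_decision(token, nonce, now=now)[1]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature is verified before any claim is read, and the algorithm is pinned from configuration rather than taken from the token header, so a forged or re-signed document is rejected before its contents can influence the decision.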
For a detailed step-by-step illustration, see the OpenID Connect SSO workflow topic. For background information on delegation, read How delegation works in the Genero Application Server User Guide. To configure your application for SSO, go to the Configure applications for SSO delegation topic.