Import IdP metadata as OAuth2

To import IdP metadata for OAuth2, you must execute the ImportOAuth command with the --import option to register the metadata.

About this task:
This is a one-time operation that registers the IdP's OAuth2 endpoints in the GAS. Once the endpoints are registered in the database, you can continue to configure your applications to use the IdP. For details about the ImportOAuth tool, go to ImportOAuth.
Important:

If the IdP is using the OpenID Connect protocol, there is no need to use the ImportOAuth program as OpenID Connect has the metadata feature that allows Genero's OpenID Connect service to automatically fetch the metadata, including all the endpoint URLs, from the IdP. For more information on SSO implementation with OpenID Connect and OAuth2, see OpenID Connect/OAuth2 SSO.

Steps

  1. Open a command prompt.
  2. Type the command to change to the Genero BDL installation directory:
    • On Linux®/UNIX®/macOS™:

      cd $FGLDIR/web_utilities/services/openid-connect

    • On Windows®:

      cd %FGLDIR%\web_utilities\services\openid-connect
  3. Execute the script to set the environment.
    • On Linux/UNIX/macOS (using the sh shell script):

      ./envoidc.sh

    • On Windows:

      envoidc.bat
  4. Run the ImportOAuth command to import the endpoints.
    This example provides the command for Instagram. (Line breaks have been added to improve readability.)
    fglrun ImportOAuth --import 
                --authz https://api.instagram.com/oauth/authorize 
                --token https://api.instagram.com/oauth/access_token 
                --logout https://instagram.com/accounts/logout 
                --profile https://api.instagram.com/v1/users/self?
                https://www.instagram.com
    The parameters are as follows. The first two, --authz and --token, are mandatory, and the final argument (the URL of the IdP) is required:
    1. --authz URL: mandatory authorization endpoint URL.
    2. --token URL: mandatory token endpoint URL.
    3. --logout URL: optional logout endpoint URL.
    4. --profile URL: optional user profile endpoint URL.
      Important:

      The profile URL requires an access_token to get user profile information. In some cases, the access_token must be provided via the query string (for example, Instagram requires it). Therefore, you must add a trailing question mark (?) when importing so that the OpenID Connect service knows how to generate that request.

    5. URL of the IdP (the final argument, https://www.instagram.com in the example above): mandatory.
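The trailing question mark convention above decides where the access_token travels on the profile request, and the mandatory/optional rules decide whether an import should be attempted at all. The following Python snippet is an added illustration of both rules and is not part of the Genero documentation or of the ImportOAuth tool: the REGISTERED dictionary is a constructed stand-in for the endpoints the Instagram command registers, the https-only check is this example's own choice, and sending the token as a Bearer header whenever the URL does not end in "?" is an assumption made here, not a description of how the Genero service builds the request.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample: the endpoints the ImportOAuth command above registers
# (assumption: modelled as plain strings, keyed by the option name).
REGISTERED = {
    "authz": "https://api.instagram.com/oauth/authorize",
    "token": "https://api.instagram.com/oauth/access_token",
    "logout": "https://instagram.com/accounts/logout",
    "profile": "https://api.instagram.com/v1/users/self?",
}


def validate_endpoints(endpoints):
    """Return the problems found in a set of endpoints before they are imported.

    --authz and --token are mandatory (as the text states); requiring every
    endpoint to be an absolute https URL is this example's own check, so that
    authorization codes and access tokens are never sent over plaintext HTTP.
    """
    problems = []
    for name in ("authz", "token"):
        if not endpoints.get(name):
            problems.append(f"--{name} is mandatory")
    for name, url in endpoints.items():
        if not url:
            continue  # optional endpoint left empty
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"--{name} must be an absolute https URL: {url!r}")
    return problems


def build_profile_request(profile_url, access_token):
    """Decide how the access_token is attached to the profile request.

    A registered profile URL ending in '?' means the IdP expects the token in
    the query string (the Instagram case described in the text). Otherwise
    this example sends it as a Bearer token in the Authorization header, which
    keeps the secret out of URLs, proxy logs and browser history (assumption
    for this example, not a statement about the Genero service).
    Returns the final URL and the headers to send.
    """
    if profile_url.endswith("?"):
        url = profile_url + urlencode({"access_token": access_token})
        headers = {}
    else:
        url = profile_url
        headers = {"Authorization": f"Bearer {access_token}"}
    return url, headers


if __name__ == "__main__":
    print("problems:", validate_endpoints(REGISTERED))
    print(build_profile_request(REGISTERED["profile"], "EXAMPLE_TOKEN"))
    print(build_profile_request("https://idp.example/userinfo", "EXAMPLE_TOKEN"))
```

Running the block prints an empty problem list for the constructed endpoints, the Instagram-style URL with access_token appended to the query string, and a header-based request for a profile URL without the trailing question mark.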
What to do next:
If you need to add an extra parameter for authentication, such as a domain, you can configure the custom parameter with --parameter. For example, the following command adds the "domain=mydomain.com" string as an additional parameter in the request sent to the Instagram identity provider.
fglrun ImportOAuth --parameter domain=mydomain.com https://www.instagram.com
For details, go to ImportOAuth.