Import IdP metadata as OpenID Connect

To import IdP metadata for OpenID Connect, run the ImportOAuth command with the --import and --discover options; the discovered endpoints are registered in the oidc database.

About this task:
Important:

If the IdP uses the OpenID Connect protocol, there is no need to use the ImportOAuth program: OpenID Connect has a metadata (discovery) feature that lets Genero's OpenID Connect service fetch the metadata, including all the endpoint URLs, from the IdP automatically. For more information on SSO implementation with OpenID Connect and OAuth2, see OpenID Connect/OAuth2 SSO.

The instructions in this task are typically not needed. They are useful if you want to fetch the metadata to discover the endpoints, import them, and then adjust the endpoints in the oidc database before setting up your GAS environment. For details about the ImportOAuth tool, go to ImportOAuth.

Steps

  1. Open a command prompt.
  2. Type the command to change to the Genero BDL installation directory:
    • On Linux®/UNIX®/macOS™:

      cd $FGLDIR/web_utilities/services/openid-connect

      On Windows®:

      cd %FGLDIR%\web_utilities\services\openid-connect
  3. Execute the script to set the environment.
    • On Linux/UNIX/macOS (from an sh-compatible shell):

      ./envoidc.sh

      On Windows:

      envoidc.bat
  4. Run the ImportOAuth command to import the endpoints.
    This example provides the command for Google.
    fglrun ImportOAuth --import --discover https://accounts.google.com

    The --import and --discover options and the IdP URL are all mandatory. Give the IdP's issuer URL over HTTPS: the metadata is fetched from the issuer's /.well-known/openid-configuration document, and every endpoint users are later redirected to is taken from that document, so it must be retrieved from the genuine IdP over a verified TLS connection.

    If successful, ...Done is output to standard out. If the IdP does not publish OpenID Connect discovery metadata (for example, an OAuth2-only IdP), a message like this is written to the output:
    Importing idp_url as OpenID
    Could not fetch metadata: ERROR(404) : Not Found
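The following Python script is an added example, not Genero code and not part of ImportOAuth. It shows what a discovery-based import like the one above relies on: the provider metadata is read from issuer + /.well-known/openid-configuration (OpenID Connect Discovery 1.0), the document's own issuer value must match the issuer that was asked for, and the endpoints must be HTTPS before they are worth registering. The issuer https://idp.example.test, the discovery document and the fake_fetch transport are constructed for the example so it runs offline; the function names are the example's own.

```python
"""OpenID Connect discovery check (added example, not Genero's ImportOAuth).

The discovery document and the fake HTTP transport below are constructed
for the example; https://idp.example.test is a placeholder issuer.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Endpoints an import needs before the IdP can be used for logins.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Build the discovery URL per OpenID Connect Discovery 1.0.

    Refuses non-HTTPS issuers: metadata fetched over plain HTTP could be
    swapped on the wire, sending logins to an attacker's endpoints.
    A trailing slash on the issuer path is dropped before appending.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https:// URL: %r" % issuer)
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(issuer, document):
    """Parse a discovery document and return the endpoints worth importing.

    Raises ValueError when a required field is missing, when the document
    names a different issuer than the one requested, or when an endpoint
    is not served over HTTPS.
    """
    meta = json.loads(document)
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError("metadata lacks required fields: %s" % ", ".join(missing))
    # The spec requires the issuer in the document to be identical to the
    # issuer used for discovery; only a trailing slash is normalised here.
    if meta["issuer"].rstrip("/") != issuer.rstrip("/"):
        raise ValueError("issuer mismatch: asked %s, document says %s"
                         % (issuer, meta["issuer"]))
    endpoints = {k: meta[k] for k in REQUIRED if k != "issuer"}
    for name, url in endpoints.items():
        if urlsplit(url).scheme != "https":
            raise ValueError("%s is not https: %s" % (name, url))
    return endpoints


def import_idp(issuer, fetch):
    """Run the discovery flow with an injected fetch(url) -> (status, body).

    A non-200 answer is reported the way a missing discovery document shows
    up in practice (the IdP does not speak OpenID Connect, or the URL is wrong).
    """
    url = discovery_url(issuer)
    status, body = fetch(url)
    if status != 200:
        raise RuntimeError("Could not fetch metadata: ERROR(%d)" % status)
    return validate_metadata(issuer, body)


# Constructed discovery document for the placeholder issuer.
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/keys",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
})


def fake_fetch(url):
    """Offline stand-in for the HTTP client: only the example issuer answers."""
    if url == "https://idp.example.test" + WELL_KNOWN:
        return 200, SAMPLE_DOC
    return 404, "Not Found"


if __name__ == "__main__":
    print(import_idp("https://idp.example.test", fake_fetch))
    try:
        import_idp("https://oauth-only.example.test", fake_fetch)
    except RuntimeError as err:
        print(err)
```

Swapping fake_fetch for a real HTTPS client with certificate verification enabled turns this into a pre-import check: run it against the issuer URL first, and only hand the URL to ImportOAuth --import --discover once the issuer and endpoint checks pass.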
What to do next:
If you need to get a list of the IdPs registered in the database, run ImportOAuth with the --list option:
fglrun ImportOAuth --list
For details about a specific IdP in the list, run ImportOAuth with the --show option and the IdP URL. This example shows the command for Google, as registered in the database:
fglrun ImportOAuth --show https://accounts.google.com