Identity Provider (IdP)

An IdP provides a secure identity information service for authenticating users accessing your applications and Web services. Using an IdP is recommended when implementing a single sign-on (SSO) solution.

Identity providers rely on specifications such as OpenID-Connect, OAuth, and Security Assertion Markup Language (SAML) to grant access to Web applications on behalf of an authenticated user, using access tokens of various kinds, but without providing the user's credentials to the application.

Genero comes with a ready-to-use Genero IdP, or you can use a third party IdP.

Providing authentication using the Genero IdP

Providing authentication using the Genero IdP is covered in these topics:

Providing authentication using a third-party IdP

To provide authentication for SSO using a third-party IdP:
  1. Set up an account with a trusted IdP provider (such as Google; see Configure OpenID Connect identity on Google).

    Once registered as a third party on the IdP's authorization server, you are issued tokens (a public id and a shared secret id).

  2. Use the tokens provided to add delegation to the configuration files of the applications that require authentication.

    This allows you to provide access to the protected resources hosted by your Web application. See Add OpenID Connect SSO to Web application and Add SAML SSO to a Genero Web application.

Genero supports the delegation of authentication services to SAML and OpenID Connect identity providers. A Genero delegate service for each is delivered in $FGLDIR/web_utilities/services; these services manage all delegated requests for applications or services run on the GAS.

How it works

Since the authentication process is relayed to an IdP provider, user access to your application or Web service is redirected to the IdP. Depending on the type of IdP provider, an HTTP accept/reject response is returned in either a signed XML assertion document (SAML) or a signed JSON document (OpenID Connect) via the Genero delegate service.

If access is allowed, the delegate service extracts some user data from the returned document before starting the application on the GAS. Once the application has been started after user authentication by the IdP, environment variables are provided that define the user's role and access. Your Genero application can read this environment with fgl_getenv() calls. See Retrieve the OpenID Connect user identifier and Retrieve identity attributes with SAML.
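The accept/reject and claim-extraction step described above, reduced to a Python sketch (an added example, not the Genero delegate service's own code): the IdP returns a signed JSON document, the verifier checks the signature against the shared secret plus issuer, audience and expiry, and only then are user claims mapped to environment-style variables. The client id, secret, issuer URL and variable names are constructed assumptions, and HS256 with a shared secret stands in for whatever signing scheme the real IdP uses.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration; a real IdP registration issues its own.
CLIENT_ID = "example-client-id"          # the "public id" from registration
CLIENT_SECRET = b"example-shared-secret"  # the "shared secret id" from registration
ISSUER = "https://idp.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed ID token, i.e. the signed JSON document an IdP returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, now: float, secret: bytes = CLIENT_SECRET) -> dict:
    """The delegate's accept/reject decision. Raises ValueError on reject."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: never let the sender's header choose how it is verified.
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def user_environment(claims: dict) -> dict:
    """Map accepted claims to the environment handed to the application.
    Variable names are placeholders, not the names Genero actually sets."""
    return {"IDP_USER": claims["sub"], "IDP_EMAIL": claims.get("email", "")}
```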