Add OpenID Connect SSO to Web application

Add OpenID Connect SSO to a Genero Web application.

This task must be performed in the .xcf application configuration file.

Add <DELEGATE service="services/OpenIDConnectServiceProvider"> to the application configuration (.xcf) file.

Add the DELEGATE tag to all Genero Browser Client applications requiring Single sign-on (SSO), plus the 3 mandatory parameters :

  • IDP : the IdP account (for example, https://accounts.google.com)
  • CLIENT_PUBLIC_ID : the OAuth2 public id from the IdP
  • CLIENT_SECRET_ID : the OAuth2 shared secret id from the IdP
  • SCOPE : (optional) the OpenID Connect attributes you want to get at authentication (for example, email, phone, address)
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/3.20/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
      <DELEGATE service="services/OpenIDConnectServiceProvider" >
          <IDP>https://accounts.google.com</IDP>        
          <SCOPE>email</SCOPE>        
          <CLIENT_PUBLIC_ID>XXXXXXXX.apps.googleusercontent.com</CLIENT_PUBLIC_ID>
          <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>        
      </DELEGATE>
  </EXECUTION>
</APPLICATION>

With the above configuration and default GAS configuration, the delegation points to the delegation REST Web service in the $FGLDIR.

For more information about the DELEGATE configuration element, see How to implement delegation.

The Genero Application Server will handle the OpenID Connect protocol and start the Web application only when the user has been authenticated, otherwise an HTML error page is returned.