Connecting to an External Identity Provider for Web Login
Connecting with external identity providers using OpenID Connect (OIDC) or SAML 2.0 is referred to as web login.
When web login is activated, users who log into GENESIS are instead redirected to the identity provider's login page. Once they have successfully logged in there, the identity provider passes a token to GENESIS security that carries a claim identifying the user who logged in. GENESIS matches that claim to a user in the security configuration, and that user is logged into GENESIS security.
The example below uses the identity provider Okta to log into GENESIS as a user named John Doe.
This example requires the following prerequisites:
- Basic knowledge of GENESIS security and Workbench
- GENESIS security in testing mode with a user named John Doe
- A public origin that is correctly configured
To configure web login for Okta:
- Set up Okta, add a user named John Doe, and get your issuer URI, client ID and client secret.
- In Workbench, go to Security > Global Settings > Web Login tab, make these changes, then click Apply.

  Setting Name                  Value
  Enabled                       checked
  Signing credentials type      Auto-generated temporary key
  Authentication Type           OpenID Connect
  Issuer URL                    the issuer URI from your identity provider
  Client ID                     the client ID from your identity provider
  Client Secret                 the client secret from your identity provider
  Use PKCE                      checked
  OIDC scope to request         profile
  Use this OIDC claim           name
  Find existing users by        Display name
- Wait a moment for the changes to propagate, then test your connection by visiting the hyperlink next to Show list of claims. If this list populates, you have a good connection.
- Go to the General Settings section, check In-house applications use web login, then click Apply.
- Go to Tools > Login/Logout. The GENESIS login dialog appears briefly, then the Okta login page appears.
- Log into Okta as John Doe. Workbench displays John Doe as the logged-in user.
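The following is an added example, not GENESIS or Okta code, that shows the two mechanics the settings above rely on: the PKCE verifier/challenge pair that "Use PKCE" turns on, and the mapping of the ID token's `name` claim onto a user's display name ("Use this OIDC claim" / "Find existing users by"). The issuer, client ID, redirect URI, authorize endpoint path and the user directory are constructed placeholders; a real client reads the authorization endpoint from the issuer's discovery document and verifies the ID token signature against the issuer's JWKS before trusting any claim, which this example leaves out.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholders: not values from the page or from any real tenant.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://genesis.example.internal/signin-oidc"

# Constructed stand-in for the users in the GENESIS security configuration.
USERS = [
    {"username": "jdoe", "display_name": "John Doe"},
    {"username": "asmith", "display_name": "Alice Smith"},
]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))          # 43 chars, high entropy
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: recompute the challenge from the presented verifier."""
    expected = _b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected, challenge)


def build_authorization_url(state: str, code_challenge: str, scope: str = "openid profile"):
    """Authorization request with PKCE. The '/v1/authorize' path is an assumption;
    production code takes it from {ISSUER}/.well-known/openid-configuration."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                     # 'openid' is mandatory; 'profile' yields the 'name' claim
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/v1/authorize?" + urlencode(params)


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned token for the example only (a real verifier rejects alg 'none')."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment. Signature verification is deliberately out of scope here."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_claims(claims: dict) -> bool:
    """Minimal checks a relying party must make before mapping a claim to a local user."""
    return claims.get("iss") == ISSUER and claims.get("aud") == CLIENT_ID


def find_user_by_claim(claims: dict, claim_name: str = "name", user_field: str = "display_name"):
    """Mirror 'Use this OIDC claim: name' + 'Find existing users by: Display name'.
    Exactly one match is required; none or several means the login is refused."""
    if not validate_claims(claims):
        return None
    value = claims.get(claim_name)
    if value is None:
        return None
    matches = [u for u in USERS if u[user_field] == value]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(state=secrets.token_urlsafe(16), code_challenge=challenge))
    token = make_sample_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "okta-uid-1", "name": "John Doe"})
    print(find_user_by_claim(id_token_claims(token)))
```

The ambiguous-match refusal matters in practice: display names are not unique by construction, so two GENESIS users sharing a display name would make the mapping undecidable, and a silent "first match wins" would let the wrong account be selected. Matching on a stable claim such as `sub` or `email` avoids that class of collision.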