Connecting to an External Identity Provider for Web Login
Web login means connecting to GENESIS with an external identity provider using OpenID Connect (OIDC) or SAML 2.0.
The example below uses the identity provider Okta to log into GENESIS as a user named John Doe. Setting up web login for this example requires the following prerequisites:
- GENESIS Security in testing mode.
- A user named John Doe defined in GENESIS Security.
- A correctly configured public origin.
To configure web login for Okta:
- Set up Okta, add a user named John Doe, and get your issuer URI, client ID, and client secret.
- Open Workbench and in Project Explorer, expand your project > Security and double-click Global Settings to open the configuration dialog.
- On the Web Login tab, complete the following settings, and then click Apply.
  - In General Settings, select the Enabled checkbox.
  - In the next section, in Signing credentials type, select Auto-generated temporary key.
  - In the Authentication section, in Type, select OpenID Connect.
  - In the OIDC-specific settings that appear, enter the following:

    | Setting Name | Value |
    | --- | --- |
    | Issuer URL | The issuer URI from your identity provider, obtained in step 1. |
    | Client ID | The client ID from your identity provider, obtained in step 1. |
    | Client Secret | The client secret from your identity provider, obtained in step 1. |
    | Use PKCE | Selected |
    | OIDC scope to request | profile |
    | Use this OIDC claim | name |
    | Find existing users by | Display name |
- Wait a moment for the changes to propagate, and then test your connection by clicking the hyperlink next to Show list of claims. If this list populates, you have a good connection.
- In the General Settings section, select In-house applications use web login, and then click Apply.
- On the Tools ribbon, select Login/Logout. The GENESIS security login dialog appears briefly, and then you are redirected to the Okta login page.
- Log in to Okta as John Doe and verify that Workbench displays John Doe as the logged-in user.