Configuring OpenID Connect

Set up Azure, ADFS, Okta, Oracle, Google, and more for GO-Global OIDC authentication with this step-by-step identity provider configuration guide.

Published on:
May 5, 2026
Last updated on:
May 5, 2026

Introduction

Configuring secure and reliable authentication is essential for any GO-Global deployment. This technical guide walks administrators through the complete process of setting up OpenID Connect (OIDC) across major identity providers—including Azure Entra ID, ADFS, Oracle Identity Cloud, Okta, ManageEngine Identity Manager Plus, KeyCloak, and Google Workspace. With clear, step-by-step instructions, it ensures your GO-Global Host is correctly integrated with modern identity platforms for seamless user access and improved security.

Azure

The following steps are required to create an Azure application registration for use with Microsoft Entra ID (formerly Azure AD) to authenticate users connecting to GO-Global Host(s). This setup uses OAuth2 for Microsoft Identity version 2.0.

Step 1: Register a New Application

  1. Navigate to: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
  2. Register the new application:
  • Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant)
  • Under Redirect URL, select Web as Type. For Value, enter a redirect URL for your domain. For example, https://example.com/callback.html

Step 2: Configure Branding and Properties

Under Branding and properties, verify that the publisher domain is set to the correct domain. For example, example.com

Step 3: Create a Client Secret

  1. Go to Certificates and secrets.
  2. Click New client secret and configure the options.
  3. Copy the secret value and save it securely.

Step 4: Configure Token Settings

  1. Navigate to Token Configuration.
  2. Click Add optional claim.
  3. Configure:
    • Token type: ID
    • Claim: Select upn
  4. Click Add.
  5. Enable the option Turn on the Microsoft Graph profile permission.
  6. Click Add to save.

Note:

When setting up an app registration with Azure Active Directory B2C, there is no Token Configuration blade in the Azure Portal user interface. Instead, add optionalClaims via the manifest JSON.

For example:

"optionalClaims": {
    "accessToken": [],
    "idToken": [
        {
            "additionalProperties": [],
            "essential": false,
            "name": "upn",
            "source": null
        }
    ],
    "saml2Token": []
},

Step 5: Adjust API Permissions

GO-Global uses profile permission instead of User.Read. Remove unnecessary permissions:

  1. Go to API Permissions.
  2. Locate User.Read and click Remove Permission.
  3. Confirm by clicking Yes, Remove.


Verify that the Microsoft Graph profile delegated permission is listed. (It should be added automatically.)

Step 6: Configure Authentication

  1. In the Admin Console, go to Host Options | Authentication.
  2. Configure the following:
  • Unselect all other authentication options.
  • Select OpenID Connect authentication.
  • Select one:
    • Automatically sign users in to a local Windows account, or
    • Automatically sign users in to their domain accounts.
  • Client ID: Copy the Application (client) ID from the Azure App Registration overview page.
  • Client Secret: Paste the secret value copied earlier.
  • Authorize URL: Retrieve the Directory (TENANTID) ID from the Azure App Registration overview page. Replace TENANTID in: https://login.microsoftonline.com/TENANTID/oauth2/v2.0/authorize/?response_type=code&scope=openid%20email%20profile
  • Token URL: Retrieve the Directory (TENANTID) ID from the Azure App Registration overview page. Replace TENANTID in: https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token
  • Redirect URL: Use the same URL entered during app registration (e.g., https://example.com/callback.html)


  3. Click OK to save.

Note:

In the Azure App Registration, under the Authentication menu, ensure that Implicit grant and hybrid flows settings are not enabled.
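
A pre-flight check for the three URLs entered in Step 6, written as an added example (it is not GO-Global or Microsoft code). The function name, the rule set, and the sample tenant GUID are assumptions derived from the steps above: HTTPS endpoints, the TENANTID placeholder replaced in both URLs, authorization code flow only, and a redirect URL identical to the registered one.

```python
from urllib.parse import urlsplit, parse_qs

def check_azure_oidc_settings(authorize_url, token_url, redirect_url, registered_redirect):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    auth, token = urlsplit(authorize_url), urlsplit(token_url)

    tenants = []
    for name, parts in (("Authorize", auth), ("Token", token)):
        if parts.scheme != "https":
            problems.append(f"{name} URL must use https")
        tenant = parts.path.strip("/").split("/")[0]  # first path segment
        if tenant == "TENANTID":
            problems.append(f"{name} URL still contains the TENANTID placeholder")
        tenants.append(tenant)
    if tenants[0] != tenants[1]:
        problems.append("Authorize and Token URLs name different tenants")

    query = parse_qs(auth.query)
    # Authorization code flow only; other values request implicit or hybrid flow.
    if query.get("response_type") != ["code"]:
        problems.append("response_type must be exactly 'code'")
    scopes = " ".join(query.get("scope", [])).split()
    if "openid" not in scopes:
        problems.append("scope must include 'openid'")

    # Step 6 says to reuse the registered redirect URL, so compare exact strings.
    if redirect_url != registered_redirect:
        problems.append("Redirect URL differs from the app registration")
    if not urlsplit(redirect_url).path.endswith("/callback.html"):
        problems.append("Redirect URL should end with /callback.html")
    return problems

# Constructed sample values; the tenant GUID is a placeholder, not a real tenant.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
GOOD = {
    "authorize_url": BASE + "/authorize/?response_type=code&scope=openid%20email%20profile",
    "token_url": BASE + "/token",
    "redirect_url": "https://example.com/callback.html",
    "registered_redirect": "https://example.com/callback.html",
}

if __name__ == "__main__":
    for line in check_azure_oidc_settings(**GOOD) or ["no problems found"]:
        print(line)
```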

ADFS

The following steps and settings are required for creating an Enterprise application in ADFS to use with a GO-Global Host.

1.    On the ADFS Windows Server, open the ADFS management tool.
2.    From the navigation tree on the left, right-click on Application Groups and select Add Application Group to open the Wizard.
3.    Select Server application in the Standalone applications area of the Wizard and click Next.
4.    Provide a name for the application, copy and save the Client Identifier (Client ID).
5.    Enter the GO-Global callback URL in the Redirect URI field and click Next.
6.    Select Generate a shared secret and copy that to use in Shared Secret.
7.    Click Next.
8.    Click Next and save this new application group.

To configure the authorize and token Endpoint links, replace "server1.domain.com" in https://server1.domain.com/adfs/oauth2/authorize and https://server1.domain.com/adfs/oauth2/token with the FQDN of the ADFS server.

Authorize URL example:
https://[ADFS SERVER FQDN]/adfs/oauth2/authorize

Token URL example:
https://[ADFS SERVER FQDN]/adfs/oauth2/token 

Note:
On the Authentication tab of the Admin Console’s Host Options dialog, you must select either Automatically sign users in to a local Windows account or Automatically sign users in to their domain accounts. If one of these OpenID Connect authentication options is not selected, the logon will not complete.  

Oracle

The following steps and settings are required for creating an application in Oracle Identity Cloud for use with a GO-Global Host.

1.    Log in to Oracle Identity Cloud Service.
2.    Go to Applications, click Add, and choose Confidential Application.
3.    Enter a Name for the application.
4.    For the Linking callback URL, use the URL to the GO-Global callback.html. (For example: http://GO-GlobalHost.MyDomain.com:491/callback.html)
5.    Click Next to configure the Client.
6.    For Allowed Grant Types, select Authorization Code.
7.    If you need to use non-HTTPS URLs, select the option Allow non-HTTPS URLs.
8.    For the Redirect URL use the GO-Global Host callback.html.
(For example: http://GO-GlobalHost.MyDomain.com:491/callback.html)
9.    Set Bypass Consent to Enabled.

All other options can use the defaults set by Oracle.  

After creating the application, click the application to view the details. The Client ID and Client Secret can be found at Configuration tab | General Information. These will need to be copied to the OpenID Connect Settings on the GO-Global Host.

Authorize URL example:
https://tenant-base-url/oauth2/v1/authorize?scope=openid%20email&response_type=code

Token URL example:
https://tenant-base-url/oauth2/v1/token?

Note:
On the Authentication tab of the Admin Console’s Host Options dialog, you must select either Automatically sign users in to a local Windows account or Automatically sign users in to their domain accounts. If one of these OpenID Connect authentication options is not selected, the logon will not complete.  

Okta Identity Cloud

The following steps and settings are required for creating an application in Okta Identity Cloud for use with a GO-Global Host. Any settings not mentioned can be left at their default value.

For more information about Okta, visit:
https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm

1.    From the Okta Identity Cloud dashboard, go to Applications.
2.    Click the button Create App Integration.
3.    For Sign-in method, select OIDC - OpenID Connect.
4.    Select Web Application, which will appear after selecting OIDC in step 3.
5.    For Application type, select Web Application.
6.    Click Next.
7.    Enter a name in the Name field.
8.    Select Client acting on behalf of itself and check the box for Client Credentials.
9.    Select Client acting on behalf of a user and check the box for Authorization Code. Do not select Implicit (hybrid).
10.    For Sign-in redirect URIs, use your host FQDN, for example: http://MyHost.MyDomain.com:491/callback.html
11.    Assignments: Use this to configure which users will have access. This can also be skipped and configured later, after the app is created.
12.    In Assignments, choose to Limit access to selected groups or Skip group assignment for now and create the app without assigning a group.
13.    Click Save to create this new app integration.
14.    Select the new Web App to bring up the edit pages.
15.    From the General tab, copy and save the Client ID and the Client Secret. These will need to be copied to the OpenID Connect Settings on the GO-Global Host.

GO-Global Host Settings
In the OIDC settings of the GO-Global Admin Console, use the following Okta Authorize and Token URLs, replacing YOUR-OKTA-Domain with your Okta Custom Domain.
https://YOUR-OKTA-Domain.okta.com/oauth2/default/v1/authorize
https://YOUR-OKTA-Domain.okta.com/oauth2/default/v1/token

Authorize URL example:
https://dev-111222.okta.com/oauth2/default/v1/authorize

Token URL example:
https://dev-111222.okta.com/oauth2/default/v1/token

Note:

On the Authentication tab of the Admin Console’s Host Options dialog, you must select either Automatically sign users in to a local Windows account or Automatically sign users in to their domain accounts. If one of these OpenID Connect authentication options is not selected, the logon will not complete.  

For more information about Okta, visit: https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-main.htm.

ManageEngine - Identity Manager Plus

The following steps are required for creating an application in Identity Manager Plus for use with a GO-Global Host.

1.    From the IdentityManager admin page, go to the Application tab.
2.    Click Add Application.
3.    Enter an Application Name and Domain Name.
4.    Select the OAuth/OpenID Connect tab.
5.    Enable the option for Enable OAuth/OpenID Connect.
6.    Set Supported SSO Flow to SP Initiated.
7.    Use the GO-Global Host callback.html URL for the Login Redirect URL(s).
8.    For Response Type, ensure only Authorization Code is selected.
9.    Enable Allow Refresh Token.
10.    Set Access Token Validity to 3600 Seconds.
11.    Set Key Algorithm to HS256.
12.    For Client Authentication Mode, select Client Secret Basic, Client Secret Post.
13.    Click Add Application.

The Client ID, the Client Secret, and the token and authorize URLs can be found in Identity Manager Plus | Applications. Click the Details link in the IdP Details column.

Authorize URL example:
https://identitymanager.manageengine.com/sso/oauth/[manageengine_ID]/authorize

Token URL example:
https://identitymanager.manageengine.com/sso/oauth/[manageengine_ID]/token

KeyCloak

GO-Global supports KeyCloak with the standard Authorize URL.

Administrators can specify the field in the ID token that contains the username. By default, GO-Global tries to obtain the username from the email field provided by KeyCloak, but it can be configured to obtain the username from other fields via the OpenIDConnectUserNameField property in the HostProperties.xml file.

To set the OpenIDConnectUserNameField property:


1.    Stop the Application Publishing Service.
2.    Open %PROGRAMDATA%\GraphOn\GO-Global\HostProperties.xml in a text editor.
3.    Find the OpenIDConnectUserNameField property and change the value to the name of the claim in the user's OIDC ID token which contains the UPN that GO-Global should use to authenticate the user on Windows.
4.    Save the HostProperties.xml file.
5.    Restart the Application Publishing Service.
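
To choose the value for OpenIDConnectUserNameField, or to confirm that the upn optional claim from the Azure token configuration is actually issued, decode the payload of a test user's ID token and check the claim. The following is an added example, not GraphOn code; the token is constructed, the user@domain test for a UPN is an assumption, and the signature is not verified, so it is suitable for inspection only.

```python
import base64
import json

def decode_id_token_payload(id_token):
    """Decode a JWT's claims WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_username_claim(id_token, field):
    """Return (ok, message) for the claim OpenIDConnectUserNameField would name."""
    claims = decode_id_token_payload(id_token)
    value = claims.get(field)
    if value is None:
        upn_like = sorted(k for k, v in claims.items()
                          if isinstance(v, str) and v.count("@") == 1)
        return False, f"claim '{field}' is missing; UPN-like claims: {upn_like}"
    # Assumption: a usable UPN has the form user@domain.
    if not isinstance(value, str) or value.count("@") != 1 or not all(value.split("@")):
        return False, f"claim '{field}' = {value!r} is not in user@domain form"
    return True, f"claim '{field}' = {value}"

def b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed token for a fictional KeyCloak realm; the signature is a dummy.
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "RS256", "typ": "JWT"}),
    b64url({"iss": "https://keycloak.example.com/realms/demo", "sub": "1234",
            "preferred_username": "jdoe", "email": "jdoe@example.com"}),
    "ZHVtbXk",
])

if __name__ == "__main__":
    for field in ("email", "preferred_username", "upn"):
        print(check_username_claim(SAMPLE_TOKEN, field))
```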

Google Workspace/Cloud Identity

Before getting started, ensure that you have either Premium Google Workspace with a custom domain or Cloud Identity Premium with a custom domain. Verify that your organization exists in Google Admin Console. For new accounts, it may take some time for the organization to be created automatically for your custom domain. Create new users if necessary. GraphOn recommends enforcing 2-Step Verification for all users.


Google Cloud Console Guide
A. Create a new project (e.g., GG-OIDC-Project) and navigate to the newly created project.

B. Set up an OAuth consent screen
1.    Go to APIs & Services. Select OAuth consent screen from the left navigation bar. Alternatively, from the new Google Auth Platform page, select Branding on the left.
2.    Select User Type: Internal.
3.    Set App Name (e.g., GG-Auth-Consent).
4.    In the Application home page box, type the URL of the GO-Global Host or load balancer. (For example, https://myapp.example.com)
5.    In the Authorized domain box, type the top-level domain (TLD) of the GO-Global Host. (For example, example.com)
6.    Click Save and Continue.
7.    Skip adding scopes unless required by your organization's policy.
8.    Click Save and Continue.

C.  Create an OAuth client ID
1.    Go to APIs & Services | Credentials | Create credentials | OAuth client ID. Alternatively, from the new Google Auth Platform page, select Clients on the left.
2.    For Application type, select Web application.
3.    Name the OAuth client. (e.g., GG-Auth-Client)
4.    Add an Authorized redirect URI, using your GO-Global web server URL or load balancer URL with the suffix /callback.html (For example, https://myapp.example.com:491/callback.html). Omit :491 if the load balancer front end is listening on port 443.
5.    Create the client.
6.    Securely store the generated Client ID and Client Secret.

GO-Global Host Configuration

Configure the following settings in your GO-Global Host(s):
1.    Navigate to Tools | Host Options | Authentication.
2.    Un-check all check boxes.
3.    Enable OpenID Connect authentication.
4.    Select either Automatically sign users in to local Windows accounts or Automatically sign users in to their domain accounts.
5.    Type the Client ID string from your OpenID Connect server configuration in the Client ID box.
6.    Type the Client Secret string from your OpenID Connect server configuration in the Client Secret box.
7.    Type the authorize URL used to authenticate users with your OpenID Connect server in the Authorize URL box. For example,
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&scope=openid+email
8.    Type the token URL used to authenticate users with your OpenID Connect server in the Token URL box. For example, https://oauth2.googleapis.com/token
9.    In the Redirect URL box, type the URL of your GO-Global web server, third party web server or load balancer, with the suffix /callback.html. (For example, https://myapp.example.com:491/callback.html). Omit :491 if your load balancer front end is listening on port 443.
10.    Click OK.
