XAP

Single Sign-On for Service Grid

Single Sign-On (SSO) is a concept that allows a user to log in once with a single set of credentials and access multiple applications without re-authenticating.

OpenID Connect (OIDC) is an authentication protocol built on top of the OAuth 2.0 authorization framework that enables SSO. It's the technical standard that makes "Sign in with Google" or "Sign in with Facebook" possible.

Since version 17.1.5, SSO is also available in the service grid installation.

To use SSO you must first define the IDP (identity provider) and use its groups field to specify roles.

See SpaceDeck - SSO IDP Setup for IDP setup example.

Setting up a cluster with SSO in Service Grid

  1. Edit gs-home/config/security/openid-security.properties:

    com.gs.security.security-manager.class=com.gigaspaces.security.openid.OpenIdSecurityManager

    # OpenID Provider Configuration

    com.gs.openid.clientId=
    com.gs.openid.clientSecret=
    com.gs.openid.issueURL=
    com.gs.openid.redirectUris=http://<xap-manager-host>:9000/oauth2/authorization-code/callback
    # claim that carries the roles (default: groups)
    com.gs.openid.authorityClaim=groups
    com.gs.openid.id=1
    com.gs.openid.spacedeckUrl=https://<xap-manager-host>:8888/api/auth/login
    # provider type (OKTA as an example)
    com.gs.openid.providerType=OKTA
    spring-security-config-location=../config/security/security-config-openid.xml
    spring.config.additional-location=file:../config/security/security-openid.yaml

  2. Edit gs-home/bin/setenv-overrides.sh to point to the openid security properties and turn on security:

    export GS_OPTIONS_EXT="-Dcom.gs.security.enabled=true -Dcom.gs.security.properties-file=$HOME/config/security/openid-security.properties -Dcom.gs.manager.rest.ssl.enabled=false"

  3. When the service grid is started with the above settings, a new security service is started on the manager machine, listening on port 9000 by default.

    You can see the available REST API for this service at:

    http://<xap-manager-host>:9000/swagger-ui/index.html

  4. To use the XAP Manager API in the secured environment, a token from the security service is required.

    To obtain a token, call http://<xap-manager-ip>:9000/oauth2/authorize

    If the user is already logged in, the token is returned directly; otherwise, the user is redirected to the IDP login first. (Use https://www.jwt.io/ to inspect tokens while debugging.)

    The token is then passed with XAP Manager REST API calls to access the APIs.

  5. Service accounts are used for long-running services: internal services such as pipelines, and they can also be created for external processing units (PUs) or long-running space clients.

    See more at: https://docs.gigaspaces.com/latest/security/security-service-account-privilege-mgmt.html
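The steps above leave two things a practitioner usually wants to check before trusting the setup: that the properties file is complete (and that the redirect URI does not send the authorization code over plain HTTP), and what roles the security service will actually derive from the claim named in com.gs.openid.authorityClaim. The following Python script is an added example, not GigaSpaces code. It parses a constructed openid-security.properties, reports weak or missing settings, mints a constructed HS256-signed JWT standing in for the IDP's token (real providers normally use RS256 with keys published via JWKS, which is an assumption not covered here), verifies its signature and core claims, and resolves the roles from the configured claim. The Bearer header helper assumes the standard OAuth 2.0 header format, which the page does not state explicitly.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample of gs-home/config/security/openid-security.properties
# (hostnames and IDs are placeholders, not a real deployment).
SAMPLE_PROPERTIES = """\
com.gs.security.security-manager.class=com.gigaspaces.security.openid.OpenIdSecurityManager
# OpenID Provider Configuration
com.gs.openid.clientId=example-client-id
com.gs.openid.clientSecret=example-client-secret
com.gs.openid.issueURL=https://idp.example.test
com.gs.openid.redirectUris=http://xap-manager.example.test:9000/oauth2/authorization-code/callback
com.gs.openid.authorityClaim=groups
com.gs.openid.id=1
com.gs.openid.providerType=OKTA
"""

# Constructed HMAC key standing in for the IDP's signing key (assumption for the demo).
DEMO_HMAC_KEY = b"constructed-demo-key-not-for-production"


def parse_properties(text):
    """Parse Java .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return findings for settings that would break SSO or expose the auth code."""
    findings = []
    for key in ("com.gs.openid.clientId", "com.gs.openid.clientSecret", "com.gs.openid.issueURL"):
        if not props.get(key):
            findings.append(f"{key} is empty; copy it from the IDP application settings")
    for uri in props.get("com.gs.openid.redirectUris", "").split(","):
        if uri and not uri.startswith("https://"):
            findings.append(f"redirect URI {uri} is not https; the authorization code travels in clear text")
    return findings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims, key=DEMO_HMAC_KEY):
    """Mint a constructed HS256 JWT so the example runs offline without an IDP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, key, issuer, audience, now=None):
    """Check signature, alg, iss, aud and exp; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if (time.time() if now is None else now) >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def roles_from_token(token, props, key=DEMO_HMAC_KEY, now=None):
    """Resolve the roles the security service would read from the configured authority claim."""
    payload = verify_token(token, key, props["com.gs.openid.issueURL"], props["com.gs.openid.clientId"], now)
    groups = payload.get(props.get("com.gs.openid.authorityClaim", "groups"), [])
    return list(groups) if isinstance(groups, list) else [groups]


def bearer_header(token):
    """Authorization header for XAP Manager REST calls (standard Bearer usage assumed)."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_properties(props):
        print("config:", finding)
    token = make_demo_token({"iss": props["com.gs.openid.issueURL"], "aud": props["com.gs.openid.clientId"],
                             "sub": "alice", "groups": ["Manager", "SpaceReader"], "exp": int(time.time()) + 600})
    print("roles:", roles_from_token(token, props))
    print("header:", bearer_header(token))
```

Run it against a token copied from the security service after swapping the HS256 check for your IDP's RS256 key to see exactly which roles the groups claim will grant before the grid is exposed to users; the findings list is where a plain-http redirect URI or a still-empty clientSecret shows up.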