Follow these steps to quickly set up SAML for your Genero
Application Server and Genero Web Client applications.
Preparation
Before using SAML with the Genero Application Server, you must perform the following steps:
- If your GAS is located behind a proxy, configure the proxy in the SAML fglprofile, located in $FGLDIR/web_utilities/services/saml/res: uncomment and set values for the entries proxy.http.location and proxy.https.location.
- SAML requires digital signatures. Create an X509 certificate and its private key (see the Genero Business Development Language User Guide for details), then modify the SAML configuration file located in $FGLDIR/web_utilities/services/saml/res:
  - Uncomment and set values for the entries xml.saml_signature.x509 and xml.saml_signature.key.
  - If your Genero Web Client applications must be accessible over HTTP, you must also use that key and certificate for XML-Encryption to be fully secured: uncomment the entries xml.saml_encryption.x509 and xml.saml_encryption.key and set them to the same values as the signature entries.
- Create a circle of trust between the Genero Application Server and a SAML provider:
  - Go to $FGLDIR/web_utilities/services/saml.
  - Set the SAML environment using the script envsaml.bat or envsaml.sh.
  - Launch the ImportIdP application with the SAML provider URL. Example: fglrun ImportIdp http://host:port/openam_954/saml2/jsp/exportmetadata.jsp
  - See the SAML provider documentation for how to retrieve the metadata.
- If needed, retrieve the SAML provider certificate and add it as a trusted certificate in the SAML configuration file:
  - Uncomment and set a value for the entry xml.keystore.calist (see the Genero Business Development Language User Guide for more details).
  - See the SAML provider documentation for how to retrieve its X509 certificate.
- Create a circle of trust between the SAML provider and the Genero Application Server:
  - Start the dispatcher (if needed).
  - Log into your SAML provider and create a circle of trust based on the Genero Application Server SAML metadata available at this URL: http[s]://host:port/[gas/]ws/r/services/SAMLServiceProvider/Metadata
  - See the SAML provider documentation for information on creating the circle of trust.
  - The Genero Application Server default SAML identity name is "urn:genero". If needed, you can change the identifier by modifying the "saml.entityID" entry in FGLPROFILE.
Add SAML SSO to a Genero Web Client application
Do the following steps to add SAML SSO to a Genero Web Client application:
- Add the DELEGATE tag to all Genero Web Client applications requiring SSO:
  <DELEGATE service="services/SAMLServiceProvider" />
Example:
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.mypath)/myapplication</PATH>
    <MODULE>myapp.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider" />
  </EXECUTION>
</APPLICATION>
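As an added check that is not part of the Genero documentation, the following Python script verifies a GAS application entry and an fglprofile excerpt against the preparation steps above and the DELEGATE step: the DELEGATE tag is present, the signature entries are set, and, when the application is reachable over plain HTTP, the encryption entries are set to the same values as the signing pair. The sample application entry and profile are constructed, the certificate paths are placeholders, and the fglprofile 'name = "value"' syntax with '#' comments is assumed.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample GAS application entry, shaped like the page's own example.
APP_XML = """<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>$(res.path.mypath)/myapplication</PATH>
    <MODULE>myapp.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider" />
  </EXECUTION>
</APPLICATION>"""
# Constructed fglprofile excerpt: entry names are the guide's, paths are placeholders,
# and the 'name = "value"' syntax with '#' comments is assumed.
PROFILE = """
xml.saml_signature.x509 = "/etc/genero/sp.crt"
xml.saml_signature.key = "/etc/genero/sp.key"
#xml.saml_encryption.x509 = "/etc/genero/sp.crt"
#xml.saml_encryption.key = "/etc/genero/sp.key"
"""
SIGNATURE = ("xml.saml_signature.x509", "xml.saml_signature.key")
ENCRYPTION = ("xml.saml_encryption.x509", "xml.saml_encryption.key")

def parse_profile(text):
    """Map active (uncommented) entries to their values."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.]+)\s*=\s*"([^"]*)"', line)  # '#...' lines do not match
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def has_saml_delegate(app_xml):
    """True if an EXECUTION block delegates to the SAML service provider."""
    root = ET.fromstring(app_xml)
    return any(d.get("service") == "services/SAMLServiceProvider"
               for d in root.findall(".//EXECUTION/DELEGATE"))

def check_saml_setup(app_xml, profile_text, served_over_http):
    """Return the deviations from the guide; an empty list means the setup is complete."""
    problems = []
    if not has_saml_delegate(app_xml):
        problems.append('EXECUTION lacks <DELEGATE service="services/SAMLServiceProvider" />')
    entries = parse_profile(profile_text)
    problems += [f"{n} is not set (signatures are mandatory)" for n in SIGNATURE if not entries.get(n)]
    if served_over_http:  # the guide requires XML-Encryption when the app is reachable over HTTP
        problems += [f"{n} is not set (required for HTTP access)" for n in ENCRYPTION if not entries.get(n)]
        for enc, sig in zip(ENCRYPTION, SIGNATURE):  # encryption must reuse the signing pair
            if entries.get(enc) and entries[enc] != entries.get(sig):
                problems.append(f"{enc} must use the same value as {sig}")
    return problems
```

Run it against your real application entry and the fglprofile under $FGLDIR/web_utilities/services/saml/res, passing served_over_http=True when the application is not HTTPS-only.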
Execute a Genero Web Client application with SSO
To run your Genero Web Client application:
- Start your browser and enter the application URL. You are redirected to the SAML provider and prompted to enter your credentials.
- Enter your credentials and click the sign-in button. If your credentials are valid, your browser is redirected to the Genero Web Client application. The application starts and runs as the SAML user you entered.
The next time you start the same application - or any application delivered by the same Genero Application Server - you will not be prompted for your credentials. The application will start, authenticated as the same SAML user.