Quickstart: Set up SAML in the Genero Application Server

Follow these steps to quickly set up SAML for your Genero Application Server and Genero Web Client applications.

Preparation

Before using SAML with the Genero Application Server, you must perform the following steps:
  1. If your GAS is located behind a proxy, configure the proxy in the SAML fglprofile, located in $FGLDIR/web_utilities/services/saml/res. Uncomment and set values for the entries proxy.http.location and proxy.https.location.
  2. SAML requires digital signatures. Create an X509 certificate and its private key (see the Genero Business Development Language User Guide for details), then modify the SAML configuration file located in $FGLDIR/web_utilities/services/saml/res:
    • Uncomment and set values for the entries xml.saml_signature.x509 and xml.saml_signature.key
    • If your Genero Web Client applications must be accessible over HTTP, you must also use that key and certificate for XML-Encryption to be fully secured. Uncomment the entries xml.saml_encryption.x509 and xml.saml_encryption.key and set them to the same values.
  3. Create a circle of trust between the Genero Application Server and a SAML provider.
    • Go to $FGLDIR/web_utilities/services/saml.
    • Set the SAML environment using the scripts envsaml.bat or envsaml.sh.
    • Launch the ImportIdP application with the SAML Provider URL.
      • Example: fglrun ImportIdp http://host:port/openam_954/saml2/jsp/exportmetadata.jsp
      • See SAML provider documentation about how to retrieve the Metadata.
    • If needed, retrieve the SAML provider certificate and add it as a trusted certificate in the SAML configuration file.
      • Uncomment and set values for the entry xml.keystore.calist (see the Genero Business Development Language User Guide for more details).
      • See SAML provider documentation about how to retrieve its X509 certificate.
  4. Create a circle of trust between the SAML provider and the Genero Application Server.
    • Start the dispatcher (if needed).
    • Log into your SAML provider and create a circle of trust based on the Genero Application Server SAML metadata available at this URL: http[s]://host:port/[gas/]ws/r/services/SAMLServiceProvider/Metadata
      • See SAML provider documentation for information on creating the circle of trust.
      • The Genero Application Server's default SAML entity identifier is "urn:genero". If needed, you can change the identifier by modifying the "saml.entityID" entry in FGLPROFILE.
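As an added example (not part of the Genero documentation), a Python check to run on the Service Provider metadata document from step 4 before registering it with the identity provider: it verifies that the entityID matches saml.entityID, that a signing key is published (step 2), and that an encryption key is also published when an endpoint is served over plain HTTP. The metadata document embedded below is constructed for the example, and its endpoint path is a placeholder.

```python
# Added example, not Genero's own code: sanity-check SP metadata fetched from
# http[s]://host:port/[gas/]ws/r/services/SAMLServiceProvider/Metadata
# before handing it to the identity provider.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# CONSTRUCTED sample metadata; the ACS Location is a placeholder, not a real GAS path.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:genero">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CERT-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://gas.example.test/ACS-PATH-PLACEHOLDER"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_entity_id="urn:genero"):
    """Return a list of findings; an empty list means the metadata looks consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("entityID") != expected_entity_id:
        findings.append(f"entityID is {root.get('entityID')!r}, expected {expected_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor: this is not Service Provider metadata"]
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}
    if "signing" not in uses:
        findings.append("no signing KeyDescriptor: xml.saml_signature.x509/key not configured?")
    acs_urls = [a.get("Location", "") for a in sp.findall("md:AssertionConsumerService", NS)]
    if not acs_urls:
        findings.append("no AssertionConsumerService endpoint")
    # Preparation step 2: endpoints reachable over plain HTTP also need XML-Encryption keys.
    if any(u.startswith("http://") for u in acs_urls) and "encryption" not in uses:
        findings.append("ACS served over plain HTTP but no encryption KeyDescriptor "
                        "(set xml.saml_encryption.x509/key)")
    return findings


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_METADATA) or ["metadata looks consistent"]:
        print(line)
```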

Add SAML SSO to a Genero Web Client application

Follow these steps to add SAML SSO to a Genero Web Client application:
  1. Add the DELEGATE tag to all Genero Web Client applications requiring SSO.

    <DELEGATE service="services/SAMLServiceProvider" />

    Example:
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.path.mypath)/myapplication</PATH>
        <MODULE>myapp.42r</MODULE>
        <DELEGATE service="services/SAMLServiceProvider" />
      </EXECUTION>
    </APPLICATION>

Execute a Genero Web Client application with SSO

To run your Genero Web Client application:

  1. Start your browser and enter the application URL.

    You are redirected to the SAML provider and prompted to enter your credentials.

  2. Enter your credentials and click the sign-in button.

    If your credentials are valid, your browser is redirected to the Genero Web Client application. The application starts and runs as the entered SAML user.

    The next time you start the same application (or any application delivered by the same Genero Application Server), you will not be prompted for your credentials. The application starts, authenticated as the same SAML user.