Single sign-on (SSO) / SAML SSO and the Genero Application Server
Specify FGLPROFILE entries to configure the Genero SAML service provider.

FGLPROFILE entry | Description
---|---
saml.entityID | Defines the SAML entity name for the Genero Application Server, which is how the Genero Application Server is represented to other SAML partners. Mandatory. Default: urn:genero.
saml.allowUnsecure | Defines whether the GAS accepts unsecured authentication mechanisms. Default: false (recommended). A SAML authentication mechanism is unsecured if communication between the Identity Provider (IdP) and the Genero Application Server is performed neither over HTTPS nor with XML encryption. To secure a SAML communication, use HTTPS (via ISAPI or FastCGI) or use XML-Encryption by setting the xml.saml_encryption entries as described in Assertion encryption.
saml.wantAssertionsSigned | Defines whether SAML assertions coming from Identity Providers (IdPs) must be signed. Default: true (recommended). It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered. If this entry is set to true and the assertion is not signed, the Genero Application Server returns an access denied HTML page. This entry also adds the wantAssertionsSigned attribute to the SAML metadata describing the SAML needs of the Genero Application Server.
saml.wantResponseSigned | Defines whether SAML requests coming from the Identity Providers (IdPs) must be signed. Default: false. It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered. You must also take into account the configuration of the Identity Provider (IdP). If this entry is set to true and the request is not signed, the Genero Application Server returns an access denied HTML page.
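The recommendations in the table above, applied as an automated check, as an added example that is not part of the Genero documentation or product: it parses a constructed FGLPROFILE fragment (assuming the usual one-entry-per-line `name = value` syntax with `#` comments) and flags the weak settings the table warns about, using the defaults the table states.

```python
import re

# Constructed sample FGLPROFILE fragment (not from the docs), deliberately
# carrying the weak settings the table warns about.
SAMPLE_PROFILE = """\
# SAML service provider settings (constructed example)
saml.entityID = "urn:example:gas"
saml.allowUnsecure = true
saml.wantAssertionsSigned = false
saml.wantResponseSigned = false
"""

_ENTRY = re.compile(r'^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')

def parse_fglprofile(text):
    """Return {entry: value}; assumes 'name = value' lines, '#' comment lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(2).strip('"')
    return entries

def _is_true(entries, key, default):
    """Boolean view of an entry, falling back to the documented default."""
    return entries.get(key, default).strip().lower() == "true"

def audit_saml(entries):
    """Apply the table's recommendations; returns a list of findings (empty = OK)."""
    findings = []
    if "saml.entityID" not in entries:
        findings.append("saml.entityID not set: falls back to urn:genero; set an explicit entity ID")
    if _is_true(entries, "saml.allowUnsecure", "false"):
        findings.append("saml.allowUnsecure=true: IdP traffic without HTTPS or XML encryption is accepted")
    assertions = _is_true(entries, "saml.wantAssertionsSigned", "true")
    responses = _is_true(entries, "saml.wantResponseSigned", "false")
    if not (assertions or responses):
        findings.append("neither saml.wantAssertionsSigned nor saml.wantResponseSigned is true: "
                        "an altered response would not be rejected")
    return findings

if __name__ == "__main__":
    for finding in audit_saml(parse_fglprofile(SAMPLE_PROFILE)):
        print("WARN:", finding)
```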
You can use the same X509 certificate and RSA private key for signature, encryption and metadata signature.