Genero SAML configuration

Specify FGLPROFILE entries to configure the Genero SAML service provider.

The Genero SAML implementation provides a list of FGLPROFILE entries to configure the Genero SAML service provider. The configuration file is located in $FGLDIR/web_utilities/services/saml/res.
Table 1. SAML-related FGLPROFILE entries

saml.entityID
    Defines the SAML entity name for the Genero Application Server, which is how the Genero Application Server is represented to other SAML partners. Mandatory. Default: urn:genero.

saml.allowUnsecure
    Defines whether the GAS accepts unsecured authentication mechanisms. Default: false (recommended).

    A SAML authentication mechanism is unsecured if communication between the Identity Provider (IdP) and the Genero Application Server is performed neither over HTTPS nor with XML encryption.

    To secure a SAML communication, use HTTPS (via ISAPI or FastCGI) or use XML-Encryption by setting the xml.saml_encryption entries as described in Assertion encryption.

saml.wantAssertionsSigned
    Defines whether SAML assertions coming from Identity Providers (IdPs) must be signed. Default: true (recommended). It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered.

    If this entry is set to true and the assertion is not signed, the Genero Application Server returns an access denied HTML page.

    This entry also adds the wantAssertionsSigned attribute to the SAML metadata describing the SAML needs of the Genero Application Server.

saml.wantResponseSigned
    Defines whether SAML responses coming from the Identity Providers (IdPs) must be signed. Default: false. It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered. You must also take into account the configuration of the Identity Provider (IdP).

    If this entry is set to true and the response is not signed, the Genero Application Server returns an access denied HTML page.

Assertion encryption

To support assertion encryption, you must add an X509 certificate and its RSA private key to handle XML-Encryption using the Genero Web Services xml key mapping. There are two entries to be set:
  • xml.saml_encryption.x509: path to the X509 certificate
  • xml.saml_encryption.key: path to the RSA private key

You can use the same X509 certificate and RSA private key for signature, encryption and metadata signature.

Authentication signature

To sign the authenticate request the Genero Application Server sends to the Identity Provider (IdP), you must add an X509 certificate and its RSA private key to handle XML-Signature using the Genero Web Services xml key mapping. There are two entries to be set:
  • xml.saml_signature.x509: path to the X509 certificate
  • xml.saml_signature.key: path to the RSA private key

You can use the same X509 certificate and RSA private key for signature, encryption and metadata signature.

Metadata signature

To sign the generated SAML metadata, you must add an X509 certificate and its RSA private key to handle XML-Signature using the Genero Web Services xml key mapping. There are two entries to be set:
  • xml.saml_metadata_signature.x509: path to the X509 certificate
  • xml.saml_metadata_signature.key: path to the RSA private key

You can use the same X509 certificate and RSA private key for signature, encryption and metadata signature.

Certificate authority

As XML-Signature and XML-Encryption are in use to secure SAML communication, you must specify the list of trusted certificate authorities. This is done via the Genero Web Services key mapping mechanism, by adding the following entry, which lists the trusted X509 certificates (coming from the Identity Provider (IdP)):
  • xml.keystore.calist: colon-separated list of paths to the X509 certificates of the certificate authorities the Genero SAML service provider trusts.
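The entries in Table 1 and the four key-mapping sections above describe a small number of settings whose combination decides whether the service provider accepts unsigned or unencrypted IdP traffic. The script below is an added example, not code from the Genero product or its documentation: it parses an FGLPROFILE fragment and reports the deviations from this page's recommendations (allowUnsecure left true, neither wantAssertionsSigned nor wantResponseSigned true, a certificate entry without its private-key entry, a missing calist). It assumes the FGLPROFILE line syntax `name = "value"` with `#` comments, and the two sample fragments, their entity ID and their file paths are constructed for the example.

```python
"""Lint an FGLPROFILE fragment for the Genero SAML settings described on this page."""
import os
import re

# Assumed FGLPROFILE syntax: one `name = "value"` assignment per line, '#' starts a comment.
_ASSIGNMENT = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_fglprofile(text):
    """Return {entry: value} for every assignment line; blank and comment lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if match:
            entries[match.group(1)] = match.group(2).strip()
    return entries


def _is_true(value):
    return value.strip().lower() in ("true", "1", "yes")


# Each key-mapping purpose needs both its certificate and its private key entry.
KEY_PAIRS = {
    "assertion encryption": ("xml.saml_encryption.x509", "xml.saml_encryption.key"),
    "authentication signature": ("xml.saml_signature.x509", "xml.saml_signature.key"),
    "metadata signature": ("xml.saml_metadata_signature.x509", "xml.saml_metadata_signature.key"),
}


def check_saml_config(entries, check_files=False):
    """Return a list of findings; an empty list means the fragment follows the recommendations."""
    findings = []
    if "saml.entityID" not in entries:
        findings.append("saml.entityID is mandatory (default urn:genero)")
    # Defaults below are the ones stated in Table 1 when the entry is absent.
    if _is_true(entries.get("saml.allowUnsecure", "false")):
        findings.append("saml.allowUnsecure is true: unsecured IdP communication is accepted")
    assertions_signed = _is_true(entries.get("saml.wantAssertionsSigned", "true"))
    responses_signed = _is_true(entries.get("saml.wantResponseSigned", "false"))
    if not (assertions_signed or responses_signed):
        findings.append("neither saml.wantAssertionsSigned nor saml.wantResponseSigned is true")
    for purpose, (cert_entry, key_entry) in KEY_PAIRS.items():
        if (cert_entry in entries) != (key_entry in entries):
            findings.append(f"{purpose}: {cert_entry} and {key_entry} must both be set")
    calist = entries.get("xml.keystore.calist", "")
    if not calist:
        findings.append("xml.keystore.calist is missing: no trusted certificate authorities")
    elif check_files:
        # The entry is a colon-separated list of certificate paths; verify each exists on disk.
        for path in calist.split(":"):
            if not os.path.isfile(path):
                findings.append(f"xml.keystore.calist certificate not found: {path}")
    return findings


# Constructed sample fragments (entity ID and paths are placeholders, not product defaults).
WEAK_PROFILE = """
saml.entityID = "urn:example:gas"
saml.allowUnsecure = true
saml.wantAssertionsSigned = false
saml.wantResponseSigned = false
xml.saml_encryption.x509 = "/etc/genero/saml/sp.crt"   # private key entry missing
"""

HARDENED_PROFILE = """
saml.entityID = "urn:example:gas"
saml.allowUnsecure = false
saml.wantAssertionsSigned = true
saml.wantResponseSigned = true
# One certificate/key pair reused for encryption, signature and metadata signature.
xml.saml_encryption.x509 = "/etc/genero/saml/sp.crt"
xml.saml_encryption.key = "/etc/genero/saml/sp.key"
xml.saml_signature.x509 = "/etc/genero/saml/sp.crt"
xml.saml_signature.key = "/etc/genero/saml/sp.key"
xml.saml_metadata_signature.x509 = "/etc/genero/saml/sp.crt"
xml.saml_metadata_signature.key = "/etc/genero/saml/sp.key"
xml.keystore.calist = "/etc/genero/saml/idp-ca.crt:/etc/genero/saml/idp-intermediate.crt"
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_saml_config(parse_fglprofile(profile)) or "OK")
```

Run with check_files=True on a real installation to also confirm that every path in xml.keystore.calist exists; the sample paths above are placeholders, so the stand-alone run leaves that check off.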