Follow these steps to establish a circle of trust between the service provider (the
Genero Application Server) and the SAML identity provider (the entity in charge of managing and
authenticating the users).
Before you can use SAML SSO with the Genero Application Server, a circle of trust must
be established between the service providers (the Genero Application Servers) and one or more
SAML identity providers. The trust is established through a SAML metadata exchange: each party
imports the metadata of the other party. A party's metadata describes how to communicate with
it (its entity ID, endpoints and bindings) and carries the X509 certificate used to verify the
signatures it produces, so the metadata itself must be obtained from a trustworthy source.
Note: An X509 certificate authority file can also be exchanged in order to validate SAML
signatures. See Certificate authority.
-
If the Genero Application Server is located behind a proxy, configure the proxy in the
SAML FGLPROFILE.
Uncomment and set correct values for the entries proxy.http.location
and proxy.https.location.
-
Create an X509 Certificate and its private key.
SAML requires digital signatures. See the Genero Business Development Language
User Guide for information on creating the certificate and its private
key.
-
Modify the SAML configuration file and enter the X509 certificate and private key
information.
The SAML configuration file is located in
$FGLDIR/web_utilities/services/saml/res.
Remove the comment and set correct values for the entries
xml.saml_signature.x509 and xml.saml_signature.key.
The private key file should be readable only by the account that runs the Genero
Application Server: anyone who can read it can sign SAML messages as your service provider.
If your Genero Web application must be reachable over plain HTTP, the SAML response and the
assertion it carries travel between the browser and the Genero Application Server without
transport encryption, so you must also use that key and certificate for XML-Encryption to be
fully secure. Uncomment and set the same values for the entries xml.saml_encryption.x509 and
xml.saml_encryption.key.
-
Create a circle of trust between the Genero Application Server and a SAML provider.
Import the IdP metadata file into the Genero Application Server SAML service
provider.
-
Go to $FGLDIR/web_utilities/services/saml.
-
Set SAML environment via envsaml.bat or
envsaml.sh.
-
Launch the ImportIdP application with the SAML identity provider metadata URL (or a local
copy of its metadata file). Refer to the IdP documentation for information on generating the
metadata file (or the URL) from the SAML identity provider.
$ fglrun ImportIdP http://host:port/openam_954/saml2/jsp/exportmetadata.jsp
Metadata retrieved over plain HTTP, as in this example, is not authenticated in transit;
prefer an HTTPS URL and, in any case, compare the certificate contained in the imported
metadata with the one the IdP administrator gives you before trusting it (next step).
-
Retrieve the SAML provider Certificate and add it as a trusted certificate in the
SAML configuration file (if needed).
Uncomment and set the correct values for the entry
xml.keystore.calist. Refer to the Genero Business Development
Language User Guide for more information.
Refer to the SAML Identity Provider (IdP) documentation for information about
retrieving its X509 certificate.
-
Create a circle of trust between the SAML provider and the Genero Application
Server.
-
Start the dispatcher if it is not already running: the Genero Application Server must be
up to serve its own SAML metadata.
-
Log in to your SAML provider and create a circle of trust based on the Genero
Application Server SAML metadata.
Generate the metadata from this URL:
http[s]://host:port/[gas/]ws/r/services/SAMLServiceProvider/Metadata
Refer to the SAML Identity Provider (IdP) documentation for information about
importing the Genero Application Server SAML metadata.
The Genero Application Server is ready to support SAML SSO.