You can specify at the Genero Application Server level how the Identity Provider must authenticate a user who wants to access a Genero Web application via a browser. See the SAML core specification for the list of supported URNs. There are several methods (password protected, X509 certificate, PGP), but not all of them work for Web-based Single Sign On.

Note: For most Web Single Sign On, the default authentication method is password protected.

SAML provides a mechanism that allows a service provider (the Genero Application Server) to define how a user must be authenticated by the Identity Provider (IdP). The Genero Application Server supports an optional tag (AUTHCONTEXT) that allows you to specify which authentication method to use. If the tag is not set, the default mechanism configured in the IdP is used.

Important: Do not specify this tag unless you require a specific authentication method.

Add an AUTHCONTEXT tag as a child of the SAML DELEGATE element in the application configuration (xcf) file. Enter a valid authentication method in the AUTHCONTEXT tag.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
The authentication method is now defined. If the IdP does not support the specified method, or if it authenticates the user with another mechanism, the Genero Application Server returns an access denied page.
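The following is an added example, not Genero Application Server code: it reads the AUTHCONTEXT value from an xcf fragment and applies the access rule described above to a constructed IdP assertion, so you can check offline which AuthnContextClassRef a given configuration will accept. It assumes the SP requires an exact match on the class URN; the xcf path and the assertion fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"   # SAML 2.0 authn-context class URNs
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed xcf fragment with the same shape as the page's example (path is a sample).
SAMPLE_XCF = """<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc">
  <EXECUTION>
    <PATH>/opt/apps/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>"""

def sample_assertion(class_ref):
    """Constructed minimal IdP assertion carrying the given AuthnContextClassRef."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion>')

def requested_authcontext(xcf_text):
    """AUTHCONTEXT value under DELEGATE, or None when the tag is absent (IdP default applies)."""
    node = ET.fromstring(xcf_text).find("./EXECUTION/DELEGATE/AUTHCONTEXT")
    if node is None or not (node.text or "").strip():
        return None
    value = node.text.strip()
    if not value.startswith(AC_PREFIX):
        raise ValueError(f"not a SAML 2.0 AuthnContext class URN: {value}")
    return value

def asserted_authcontext(assertion_xml):
    """AuthnContextClassRef the IdP reports in its assertion, or None if missing."""
    ref = ET.fromstring(assertion_xml).find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None

def access_decision(xcf_text, assertion_xml):
    """'allow' if no AUTHCONTEXT is configured or the IdP used exactly that class, else 'deny'.
    Assumption: an exact match is required, mirroring the access-denied rule on the page."""
    wanted = requested_authcontext(xcf_text)
    if wanted is None:
        return "allow"
    return "allow" if asserted_authcontext(assertion_xml) == wanted else "deny"

if __name__ == "__main__":
    for cls in ("X509", "PasswordProtectedTransport"):
        print(cls, "->", access_decision(SAMPLE_XCF, sample_assertion(AC_PREFIX + cls)))
```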