Single sign-on (SSO) / SAML SSO and the Genero Application Server |
Follow these steps to define the ID format to receive from the IdP.
The SAML protocol allows federation of identities. This means that a single user can have different identities on different SAML IdPs. To federate a same user across several IdPs, the notion of ID format was introduced.
The default ID format is transient, meaning that the returned ID is only valid for the current session and has only a meaning for the IdP the GAS is connected to. Other formats exist such as email or persistent, but you must be sure that your IdP supports them otherwise you will get an error. The IdP decides which format they support. See SAML core specification for more details about the supported ID format.
The ID format allows you to specify how the user is represented to a Service Provider. For Genero Application Server, it defines what piece of data is sent from the IdP to the Genero Application Server to represent the user.
To define the ID format you want to receive from your IdP:
<?xml version="1.0"?> <APPLICATION Parent="defaultgwc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd"> <EXECUTION> <PATH>$(res.path.qa)/applications/myapp</PATH> <MODULE>App.42r</MODULE> <DELEGATE service="services/SAMLServiceProvider"> <IDFORMAT>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</IDFORMAT> </DELEGATE> </EXECUTION> </APPLICATION>