Define the ID format

Follow these steps to define the ID format to receive from the IdP.

The SAML protocol allows federation of identities. This means that a single user can have different identities on different SAML IdPs. To federate the same user across several IdPs, the notion of an ID format was introduced.

The default ID format is transient, meaning that the returned ID is only valid for the current session and is meaningful only to the IdP the GAS is connected to. Other formats exist, such as email or persistent, but you must be sure that your IdP supports them, otherwise you will get an error. The IdP decides which formats it supports. See the SAML core specification for more details about the supported ID formats.

The ID format allows you to specify how the user is represented to a Service Provider. For Genero Application Server, it defines what piece of data is sent from the IdP to the Genero Application Server to represent the user.

To define the ID format you want to receive from your IdP:

Add an IDFORMAT tag with a valid SAML URN as a child of the SAML DELEGATE element in the application configuration (xcf) file. In this example, the IdP will return the email of the authenticated user to the Genero Application Server in the SAML_ID environment variable.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <IDFORMAT>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</IDFORMAT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
The Genero Application Server will use the specified IdP as its identity provider.
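Because an IDFORMAT the IdP does not support only fails at login time, it is worth checking the xcf against the IdP's metadata beforehand. The following script is an added example, not part of Genero Application Server or this documentation: it reads the IDFORMAT under the SAML DELEGATE (falling back to transient, the default described above), verifies that it is one of the NameID format URNs defined in the SAML core specification, and compares it with the NameIDFormat elements the IdP publishes in its metadata. The xcf fragment, the IdP metadata and the entityID are constructed sample inputs.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# NameID format identifiers defined in SAML Core 2.0, section 8.3.
_V11 = ("unspecified", "emailAddress", "X509SubjectName", "WindowsDomainQualifiedName")
_V20 = ("kerberos", "entity", "persistent", "transient")
KNOWN_FORMATS = {f"urn:oasis:names:tc:SAML:1.1:nameid-format:{n}" for n in _V11} | \
                {f"urn:oasis:names:tc:SAML:2.0:nameid-format:{n}" for n in _V20}

# Constructed xcf fragment, modelled on the example above (requests emailAddress).
XCF = """<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"><EXECUTION>
  <DELEGATE service="services/SAMLServiceProvider">
    <IDFORMAT>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</IDFORMAT>
  </DELEGATE>
</EXECUTION></APPLICATION>"""

# Constructed IdP metadata: this IdP advertises transient and persistent only.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test/saml"><md:IDPSSODescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

def requested_id_format(xcf_xml):
    """IDFORMAT under the SAML DELEGATE; transient when absent (the GAS default)."""
    node = ET.fromstring(xcf_xml).find(
        ".//DELEGATE[@service='services/SAMLServiceProvider']/IDFORMAT")
    text = (node.text or "").strip() if node is not None else ""
    return text or TRANSIENT

def idp_supported_formats(metadata_xml):
    """NameIDFormat values the IdP publishes in its metadata."""
    root = ET.fromstring(metadata_xml)
    return {n.text.strip() for n in root.iter(f"{{{MD_NS}}}NameIDFormat") if n.text}

def check_id_format(xcf_xml, metadata_xml):
    """Return (ok, reason): reject unknown URNs and formats the IdP does not list."""
    fmt = requested_id_format(xcf_xml)
    if fmt not in KNOWN_FORMATS:
        return False, f"{fmt} is not a SAML nameid-format URN"
    supported = idp_supported_formats(metadata_xml)
    if supported and fmt not in supported:  # an empty list proves nothing either way
        return False, f"IdP does not advertise {fmt}"
    return True, fmt

if __name__ == "__main__":
    print(check_id_format(XCF, IDP_METADATA))
```

With the sample inputs the check fails, because the xcf asks for emailAddress while the IdP only advertises transient and persistent; switching the IDFORMAT to one of those two makes it pass.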