Authorization and SAML SSO

Authorize whether an user already authenticated by SAML SSO can access a Genero application.

An external program to serve as the authorization application. This external program can be written in Genero, however it does not have to be written in Genero.

The authorization program expects two mandatory arguments and the list of SAML attributes received from the Identity Provider (IdP).

The first argument is the SAML identifier. It depends on the ID format specified in the Genero Application Server configuration and by the IdP.
The second argument is the application path.

Examples of parameters passed to a Genero authorization program:

fglrun AccessProgram AZEd3R4 "qa-test/application" "fullname" "genero test" "email" "genero@abc.com" "country" "France"

The application AccessProgram.4gl in $FGLDIR/web_utilities/services/saml/src provides an example of an authorization application written in Genero.

With a SAML SSO implementation, you can specify an external program to determine whether an already authenticated user can access a Genero Web application.

If the AUTHORIZATION tag is not defined, any user authenticated by an SAML provider can access the Genero Web application. If the application should not be authorized for all users registered in the SAML IdP, you should add an authorization program and that you implement rules to filter access.

Add an AUTHORIZATION element as a child of the SAML DELEGATE element in the application configuration (xcf) file.

Within the AUTHORIZATION tag, specify the external authorization program.

<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <ATTRIBUTES>email,fullname,country</ATTRIBUTES>
      <AUTHORIZATION>fglrun AccessProgram</AUTHORIZATION>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>

The authorization program will be called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied.