At the Genero Application Server level, you can specify how the Identity Provider must
authenticate a user that wants to access a Genero Web application via a browser.
As a prerequisite, see the SAML core specification for the list of supported URNs. There are
several methods -- password protected, X509 certificate, PGP -- but not all work for Web-based
Single sign-on (SSO).
Note: For most Web Single sign-on, the default authentication method is
password protected.
SAML provides a mechanism that allows a service provider (here, the Genero Application Server)
to define how a user must be authenticated by the Identity Provider (IdP). The Genero Application
Server supports an optional element (AUTHCONTEXT) that allows you to specify which
authentication method to use.
If the AUTHCONTEXT element is not defined, the default mechanism set in the IdP is used.
Important: Do not specify this tag unless you require a specific authentication method.
Add an AUTHCONTEXT element as a child of the SAML DELEGATE
element in the application configuration (xcf) file. Enter a valid
authentication method in the text of the AUTHCONTEXT element.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
When set, the requested authentication context method is sent to the IdP with the
authentication request. If the IdP does not support the specified method, or authenticates the
user with a different one, the Genero Application Server returns an access denied page.
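The mechanism described above, as an added illustration in Python (not Genero Application Server code): read the AUTHCONTEXT URN from a constructed xcf fragment, build the RequestedAuthnContext an SP would place in its AuthnRequest, and apply the exact-match check on the IdP's AuthnContextClassRef that corresponds to the access-denied behaviour. The xcf and SAML fragments are constructed and unsigned; signature and condition checks are out of scope here.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed xcf fragments (same shape as the page's example, schema attributes omitted).
XCF_X509 = """<APPLICATION Parent="defaultgwc"><EXECUTION>
  <DELEGATE service="services/SAMLServiceProvider">
    <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
  </DELEGATE></EXECUTION></APPLICATION>"""
XCF_DEFAULT = """<APPLICATION Parent="defaultgwc"><EXECUTION>
  <DELEGATE service="services/SAMLServiceProvider"/></EXECUTION></APPLICATION>"""


def idp_response(class_ref):
    """Constructed, minimal (unsigned) SAML Response carrying one AuthnContextClassRef."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"><saml:Assertion>'
            f'<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion></samlp:Response>')


def requested_authcontext(xcf_text):
    """Return the AUTHCONTEXT URN from the xcf, or None when the element is absent."""
    el = ET.fromstring(xcf_text).find("./EXECUTION/DELEGATE/AUTHCONTEXT")
    return el.text.strip() if el is not None and el.text else None


def requested_authn_context_xml(urn):
    """The <samlp:RequestedAuthnContext> an SP adds to its AuthnRequest for that URN."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = urn
    return ET.tostring(rac, encoding="unicode")


def access_decision(xcf_text, response_xml):
    """'granted' if the IdP used the configured method (or none was configured), else 'denied'."""
    wanted = requested_authcontext(xcf_text)
    if wanted is None:
        return "granted"  # no AUTHCONTEXT: whatever default the IdP used is accepted
    refs = [r.text.strip()
            for r in ET.fromstring(response_xml).iter(f"{{{SAML}}}AuthnContextClassRef")
            if r.text]
    # Exactly one class reference, and it must equal the requested one.
    return "granted" if refs == [wanted] else "denied"
```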