Genero SAML configuration

Specify entries in the FGLPROFILE file to configure the Genero SAML service provider.

The Genero SAML implementation provides a list of FGLPROFILE file entries to configure the Genero SAML service provider. The configuration file is located in $FGLDIR/web_utilities/services/saml/res.
Table 1. SAML-related FGLPROFILE entries

saml.entityID
Defines the SAML entity name for the Genero Application Server, which is how the GAS is represented to other SAML partners. Mandatory. Default is urn:genero.

saml.allowUnsecure
Defines whether the GAS accepts unsecured authentication mechanisms. Default is false (recommended).

A SAML authentication mechanism is unsecured if communication between the Identity Provider (IdP) and the GAS is not performed either over HTTPS or with XML encryption.

To secure a SAML communication, use HTTPS (via ISAPI or FastCGI) or use XML-Encryption by setting the xml.saml_encryption entries as described in Assertion encryption.

saml.wantAssertionsSigned
Defines whether SAML assertions coming from Identity Providers (IdPs) must be signed. Default is true (recommended). It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered.

If not signed and entry is set to true, the GAS returns an access denied HTML page.

This entry also adds the wantAssertionsSigned attribute to the SAML metadata describing the SAML needs of the GAS.

saml.wantResponseSigned
Defines whether SAML requests coming from the Identity Providers (IdPs) must be signed. Default is false. It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered. You must also take into account the configuration of the Identity Provider (IdP).

If not signed and entry is set to true, the GAS returns an access denied HTML page.

Assertion encryption

To support assertion encryption, you must add an X509 certificate and its RSA private key to handle XML-Encryption using the Genero Web Services XML key mapping. There are two entries to be set:
  • xml.saml_encryption.x509: path to the X509 certificate
  • xml.saml_encryption.key: path to the RSA private key

You can use the same X509 certificate and RSA private key for signature, encryption, and metadata signature.

Authentication signature

To sign the authenticate request the GAS sends to the Identity Provider (IdP), you must add an X509 certificate and its RSA private key to handle XML-Signature using the Genero Web Services XML key mapping. There are two entries to be set:
  • xml.saml_signature.x509: path to the X509 certificate
  • xml.saml_signature.key: path to the RSA private key

You can use the same X509 certificate and RSA private key for signature, encryption, and metadata signature.

Metadata signature

To sign the generated SAML metadata, add an X509 certificate and its RSA private key in charge of XML-Signature using the Genero Web Services XML key mapping. There are two entries to be set:
  • xml.saml_metadata_signature.x509: path to the X509 certificate
  • xml.saml_metadata_signature.key: path to the RSA private key

You can use the same X509 certificate and RSA private key for signature, encryption, and metadata signature.

Certificate authority

As XML-Signature and XML-Encryption are in use to secure SAML communication, you must specify the list of trusted certificate authorities. This is done via the Genero Web Services key mapping mechanism, where the following entry must be added, containing the list of trusted X509 certificates (those of the Identity Provider (IdP)):
  • xml.keystore.calist: colon-separated list of paths to the certificate authority certificates the Genero SAML service provider trusts.
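The following is an added example, not code or configuration from the Genero product or its documentation. It embeds two constructed FGLPROFILE fragments, one with the hardened settings this page recommends and one with the weak settings it warns against, and a small linter that parses them and reports the security-relevant gaps: saml.allowUnsecure enabled, neither saml.wantAssertionsSigned nor saml.wantResponseSigned set, an xml.saml_* certificate configured without its private key (or vice versa), and an empty xml.keystore.calist. The certificate paths and the entity ID are made-up values; the `name = value` syntax with double-quoted strings and unquoted booleans follows FGLPROFILE conventions, and the parser also accepts unquoted or single-quoted values.

```python
"""Lint the SAML-related FGLPROFILE entries described on this page.

Added example, not part of the Genero product or its documentation. The
FGLPROFILE fragments below are constructed; the certificate paths and the
entity ID are placeholders.
"""
import re

# Constructed fragment: the hardened configuration this page recommends.
SECURE_PROFILE = """
# Genero SAML service provider (constructed example values)
saml.entityID = "urn:example:genero-sp"
saml.allowUnsecure = false
saml.wantAssertionsSigned = true
saml.wantResponseSigned = true

# XML-Encryption key pair (assertion encryption)
xml.saml_encryption.x509 = "/etc/genero/saml/sp-cert.pem"
xml.saml_encryption.key  = "/etc/genero/saml/sp-key.pem"

# XML-Signature key pair (authentication request signature)
xml.saml_signature.x509 = "/etc/genero/saml/sp-cert.pem"
xml.saml_signature.key  = "/etc/genero/saml/sp-key.pem"

# Metadata signature key pair (same pair reused, as the page allows)
xml.saml_metadata_signature.x509 = "/etc/genero/saml/sp-cert.pem"
xml.saml_metadata_signature.key  = "/etc/genero/saml/sp-key.pem"

# Trusted IdP certificate authorities, colon-separated
xml.keystore.calist = "/etc/genero/saml/idp-ca.pem:/etc/genero/saml/idp-ca-backup.pem"
"""

# Constructed fragment: a weak configuration (unsecured transport allowed,
# nothing required to be signed, half-configured key pair, no CA list).
WEAK_PROFILE = """
saml.entityID = "urn:example:genero-sp"
saml.allowUnsecure = true
saml.wantAssertionsSigned = false
saml.wantResponseSigned = false
xml.saml_encryption.x509 = "/etc/genero/saml/sp-cert.pem"
"""

_LINE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')

def parse_fglprofile(text):
    """Return {entry: value}; strips '#' comments and surrounding quotes."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not a name = value line; ignored
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        entries[key] = value
    return entries

def _is_true(entries, key, default):
    """Boolean lookup that applies the page's documented default when absent."""
    return entries.get(key, default).strip().lower() == 'true'

# The three certificate/key pairs described under Assertion encryption,
# Authentication signature and Metadata signature.
KEY_PAIRS = ('xml.saml_encryption', 'xml.saml_signature', 'xml.saml_metadata_signature')

def lint_saml_profile(text):
    """Return a list of findings; an empty list means the recommendations are met."""
    e = parse_fglprofile(text)
    findings = []
    if 'saml.entityID' not in e:
        findings.append('saml.entityID is mandatory and missing (GAS default is urn:genero)')
    if _is_true(e, 'saml.allowUnsecure', 'false'):
        findings.append('saml.allowUnsecure=true: GAS accepts IdP traffic without HTTPS or XML-Encryption')
    assertions = _is_true(e, 'saml.wantAssertionsSigned', 'true')
    responses = _is_true(e, 'saml.wantResponseSigned', 'false')
    if not (assertions or responses):
        findings.append('neither saml.wantAssertionsSigned nor saml.wantResponseSigned is true: alteration cannot be detected')
    for prefix in KEY_PAIRS:
        has_cert = f'{prefix}.x509' in e
        has_key = f'{prefix}.key' in e
        if has_cert != has_key:
            findings.append(f'{prefix}: certificate and private key must be configured together')
    calist = e.get('xml.keystore.calist', '')
    if not [p for p in calist.split(':') if p]:
        findings.append('xml.keystore.calist is empty: no trusted IdP certificate authority')
    return findings

if __name__ == '__main__':
    for name, profile in (('secure', SECURE_PROFILE), ('weak', WEAK_PROFILE)):
        result = lint_saml_profile(profile)
        print(f'{name}: ' + ('OK' if not result else f'{len(result)} finding(s)'))
        for f in result:
            print('  -', f)
```

Run it against a real FGLPROFILE by passing the file contents to lint_saml_profile. The defaults applied when an entry is absent are the ones stated in Table 1 (allowUnsecure false, wantAssertionsSigned true, wantResponseSigned false), so a profile that omits all of the saml.want* entries still passes the signing check because assertions are required to be signed by default.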