Quick start: Set up SAML in the GAS

Follow these steps to quickly set up SAML for your Genero Application Server and Genero Web applications.

In this quick start, you add SAML Single sign-on (SSO) to a Genero Web application, then execute the application with SSO.

  1. Configure the GAS for SAML SSO:
    1. If your GAS is located behind a proxy, configure the proxy in the SAML FGLPROFILE file, located in $FGLDIR/web_utilities/services/saml/res. Uncomment and set values for the entries proxy.http.location and proxy.https.location.
    2. SAML requires digital signatures. Create a X509 Certificate and its private key (see the Genero Business Development Language User Guide for details), then modify the SAML configuration file located in $FGLDIR/web_utilities/services/saml/res:
      • Uncomment and set values for the entries xml.saml_signature.x509 and xml.saml_signature.key.
      • If your Genero Web applications must be accessible by HTTP, to be fully secured you must use that key and certificate for XML-Encryption. Uncomment and set the same value for the entries xml.saml_encryption.x509 and xml.saml_encryption.key.
    3. Create a circle of trust between the Genero Application Server and a SAML provider.
      • Go to $FGLDIR/web_utilities/services/saml.
      • Set the SAML environment using the scripts envsaml.bat or envsaml.sh.
      • Launch the ImportIdP application with the SAML Provider URL.
        • Example: fglrun ImportIdp http://host:port/openam_954/saml2/jsp/exportmetadata.jsp
        • See SAML provider documentation about how to retrieve the Metadata.
      • If needed, retrieve the SAML provider Certificate and add it as trusted certificate in the SAML configuration file.
        • Uncomment and set values for the entry xml.keystore.calist; see the Genero Business Development Language User Guide for more details.
        • See SAML provider documentation about how to retrieve its X509 certificate.
    4. Create a circle of trust between the SAML provider and the Genero Application Server.
      • Start the dispatcher (if needed).
      • Log into your SAML provider and create a circle of trust based on the Genero Application Server SAML metadata available at this URL: http[s]://host:port/[gas/]ws/r/services/SAMLServiceProvider/Metadata
        • See SAML provider documentation for information on creating the circle of trust.
        • Genero Application Server default SAML identity name is "urn:genero". If needed, you can change the identifier by modifying the saml.entityID entry in the fglprofile file.
  2. Add SAML SSO to a Genero Web application:
    1. Add the DELEGATE tag to all Genero Web applications requiring SSO.

      <DELEGATE service="services/SAMLServiceProvider" />

      For example:
      <APPLICATION Parent="defaultgwc">
        <EXECUTION>
          <PATH>$(res.path.mypath)/myapplication</PATH>
          <MODULE>myapp.42r</MODULE>
          <DELEGATE service="services/SAMLServiceProvider" />
        </EXECUTION>
      </APPLICATION> 
  3. Execute a Genero Web application with SSO:
    1. Start your browser and enter the application URL.
      You are redirected to the SAML provider and prompted to enter your credentials.
    2. Enter your credentials and click the signin button.
      If your credentials are valid, your browser is redirected to the Web application. The application starts and runs as the entered SAML user.

The next time you start the same application - or any application delivered by the same Genero Application Server - you will not be prompted for your credentials. The application will start (and be authenticated for) the same SAML user.