Follow these steps to quickly set up SAML for your Genero Application Server and Genero
Web applications.
In this quick start, you add SAML Single sign-on (SSO) to a Genero Web application, then execute
the application with SSO.
- Configure the GAS for SAML SSO:
  - If your GAS is located behind a proxy, configure the proxy in the SAML FGLPROFILE file, located
    in $FGLDIR/web_utilities/services/saml/res. Uncomment and set values for the entries
    proxy.http.location and proxy.https.location.
  - SAML requires digital signatures. Create an X.509 certificate and its private key (see the
    Genero Business Development Language User Guide for details), then modify the SAML
    configuration file located in $FGLDIR/web_utilities/services/saml/res:
    - Uncomment and set values for the entries xml.saml_signature.x509 and
      xml.saml_signature.key.
    - If your Genero Web applications must be reachable over plain HTTP, the SAML assertion is
      not protected by TLS on that leg, so to be fully secured you must also use that key and
      certificate for XML-Encryption. Uncomment the entries xml.saml_encryption.x509 and
      xml.saml_encryption.key and set them to the same values as the signature entries.
      XML-Encryption protects the assertion contents only; prefer HTTPS end to end so that the
      authenticated browser session that follows is protected as well.
- Create a circle of trust between the Genero Application Server and a SAML provider:
  - Go to $FGLDIR/web_utilities/services/saml.
  - Set the SAML environment using the script envsaml.bat (Windows) or envsaml.sh (Unix-like
    systems).
  - Launch the ImportIdP application with the SAML provider metadata URL. Example:
      fglrun ImportIdp http://host:port/openam_954/saml2/jsp/exportmetadata.jsp
    See the SAML provider documentation for how to retrieve its metadata. The example URL is
    plain HTTP; if the provider publishes its metadata over HTTPS, use that URL instead.
  - If needed, retrieve the SAML provider certificate and add it as a trusted certificate in the
    SAML configuration file: uncomment and set a value for the entry xml.keystore.calist (see the
    Genero Business Development Language User Guide for details). See the SAML provider
    documentation for how to retrieve its X.509 certificate. Before adding it, compare its
    fingerprint with the one shown in the provider's administration console: whoever holds the
    private key of a trusted certificate can sign assertions the GAS will accept.
- Create a circle of trust between the SAML provider and the Genero Application Server:
  - Start the dispatcher (if needed).
  - Log into your SAML provider and create a circle of trust based on the Genero Application
    Server SAML metadata available at this URL:
      http[s]://host:port/[gas/]ws/r/services/SAMLServiceProvider/Metadata
    See the SAML provider documentation for information on creating the circle of trust.
  - The Genero Application Server default SAML identity name (entityID) is "urn:genero". If
    needed, change the identifier by modifying the saml.entityID entry in the fglprofile file.
    The provider identifies a service provider by its entityID, and the value is compared exactly
    (including case), so two GAS instances registered with the same provider cannot both keep
    the default.
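The two circle-of-trust steps above both end with a manual check: the IdP certificate you are about to trust in xml.keystore.calist should carry the fingerprint the provider's console shows, and the metadata the GAS publishes should carry the entityID you configured. The following Python script is an added example (not Genero code and not part of the GAS) that performs both checks offline on a SAML 2.0 EntityDescriptor: it reports the role (IdP or SP) and entityID, extracts only the signing certificates (skipping use="encryption" keys), prints their SHA-256 fingerprints, and converts them to the PEM form a trusted-certificate list expects. The two metadata documents embedded in it are constructed samples; the hostnames idp.example.test and gas.example.test, the endpoint paths, and the X509Certificate payloads are placeholders, not real certificates or real Genero endpoints.

```python
"""Offline inspection of SAML 2.0 metadata (added example, not Genero code).

Extracts entityID, role and signing certificates from an EntityDescriptor so
an administrator can check an IdP certificate's fingerprint before trusting
it and verify the entityID published by an SP (urn:genero by default here).
"""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_metadata(xml_text: str) -> dict:
    """Return entityID, role and signing certificates of an EntityDescriptor.

    Keys flagged use="encryption" are skipped: only signing keys belong in a
    trusted list. A KeyDescriptor with no use attribute counts for signing as
    well, per the SAML metadata specification. For metadata from an untrusted
    source, parse with defusedxml instead of xml.etree.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    if root.find("md:IDPSSODescriptor", NS) is not None:
        role = "IdP"
    elif root.find("md:SPSSODescriptor", NS) is not None:
        role = "SP"
    else:
        raise ValueError("metadata declares neither an IdP nor an SP role")

    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()), validate=True)
            certs.append({
                "sha256": fingerprint(der),
                "pem": ssl.DER_cert_to_PEM_cert(der),  # PEM block for a CA list
            })
    if not certs:
        raise ValueError("no signing certificate found in metadata")
    return {"entity_id": root.get("entityID"), "role": role, "signing_certs": certs}


def entity_id_matches(meta: dict, expected: str) -> bool:
    """True only when the published entityID equals the configured one exactly."""
    return meta["entity_id"] == expected


# Constructed samples: the certificate payloads are placeholder bytes, not real
# X.509 certificates, and the hosts/paths are made up for this example.
FAKE_IDP_DER = b"constructed placeholder, not a real certificate (IdP)"
FAKE_SP_DER = b"constructed placeholder, not a real certificate (SP)"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(FAKE_IDP_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b"encryption-only key")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="urn:genero">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(FAKE_SP_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gas.example.test/placeholder-acs-path" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    idp = parse_metadata(IDP_METADATA)
    print(idp["role"], idp["entity_id"])
    for cert in idp["signing_certs"]:
        print("  signing certificate SHA-256:", cert["sha256"])
        print(cert["pem"])  # add to the trusted list once the fingerprint is confirmed
    sp = parse_metadata(SP_METADATA)
    print(sp["role"], sp["entity_id"], "matches urn:genero:", entity_id_matches(sp, "urn:genero"))
```

To use it against a real provider, download the metadata document from the provider's metadata URL and pass its text to parse_metadata; the script deliberately does no network access itself. The comparison in entity_id_matches is case-sensitive on purpose, since SAML providers compare entityIDs as opaque strings.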
- Add SAML SSO to a Genero Web application:
  - Add the DELEGATE tag to every Genero Web application that requires SSO:
      <DELEGATE service="services/SAMLServiceProvider" />
    For example:
      <APPLICATION Parent="defaultgwc">
        <EXECUTION>
          <PATH>$(res.path.mypath)/myapplication</PATH>
          <MODULE>myapp.42r</MODULE>
          <DELEGATE service="services/SAMLServiceProvider" />
        </EXECUTION>
      </APPLICATION>
- Execute a Genero Web application with SSO:
  - Start your browser and enter the application URL. You are redirected to the SAML provider and
    prompted for your credentials.
  - Enter your credentials and click the sign-in button. If your credentials are valid, your
    browser is redirected to the Web application, which starts and runs as the authenticated
    SAML user.
    The next time you start the same application, or any application delivered by the same
    Genero Application Server, you are not prompted for your credentials as long as the SSO
    session is still valid: the application starts, and is authenticated, as the same SAML user.