Set the authentication context
At the GAS level, you can specify how the Identity Provider must authenticate a user that wants to access a Genero Web application via a browser.
As a prerequisite, see the SAML core specification for the list of supported URNs. There are several methods -- password protected, X509 certificate, PGP -- but not all work for Web-based Single sign-on (SSO).
Note: For most Web Single sign-on, the default authentication method is password protected.
SAML provides a mechanism that allows a service provider (Genero Application Server) to define how a user must be authenticated by the Identity Provider (IdP). The GAS supports an optional element (AUTHCONTEXT) that allows you to specify which authentication method to use. If the AUTHCONTEXT element is not defined, the default mechanism set in the IdP is used.
Important: Do not specify this tag unless you require a specific authentication method.
Add an AUTHCONTEXT element as a child of the SAML DELEGATE element in the application configuration (xcf) file. Enter a valid authentication method in the text of the AUTHCONTEXT element.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/3.10/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>
When the element is set, the specified authentication context is required. If the IdP does not support the specified method, or if it uses another mechanism, the GAS returns an access denied page.
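As an added example (this is not code from the GAS documentation or from 4Js), the following Python script reads the AUTHCONTEXT value from an xcf file, checks it against a subset of the class URNs defined in the SAML 2.0 authentication context specification, and then compares the configured class with the AuthnContextClassRef an IdP asserted, reproducing the allow/deny outcome described above. The xcf and assertion inputs are constructed inline; sample_xcf, sample_assertion, check_xcf and access_decision are names chosen for this example, not GAS functions.

```python
# Added example (not part of the GAS documentation or 4Js code): validate the
# AUTHCONTEXT value in an xcf file and compare it with the authentication
# context class an IdP actually asserted.
import xml.etree.ElementTree as ET

SAML_AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Subset of the authentication context classes defined in the SAML 2.0
# authentication context specification; the full list is in that document.
KNOWN_CLASSES = {SAML_AC_PREFIX + name for name in (
    "Password", "PasswordProtectedTransport", "X509", "PGP", "Kerberos",
    "Smartcard", "SmartcardPKI", "SoftwarePKI", "TLSClient",
    "TimeSyncToken", "PreviousSession", "unspecified",
)}


def sample_xcf(authcontext=None):
    """Constructed xcf in the shape shown above; AUTHCONTEXT is omitted when None."""
    ctx = "" if authcontext is None else "<AUTHCONTEXT>" + authcontext + "</AUTHCONTEXT>"
    return (
        '<?xml version="1.0"?>\n'
        '<APPLICATION Parent="defaultgwc">\n'
        "  <EXECUTION>\n"
        "    <PATH>$(res.path.qa)/applications/myapp</PATH>\n"
        "    <MODULE>App.42r</MODULE>\n"
        '    <DELEGATE service="services/SAMLServiceProvider">' + ctx + "</DELEGATE>\n"
        "  </EXECUTION>\n"
        "</APPLICATION>\n"
    )


def sample_assertion(class_ref):
    """Constructed, unsigned assertion fragment carrying one AuthnContextClassRef."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" ID="_constructed" Version="2.0">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


def requested_authcontext(xcf_text):
    """Return the AUTHCONTEXT text under EXECUTION/DELEGATE, or None when the
    element is absent or empty (the IdP's default mechanism then applies)."""
    root = ET.fromstring(xcf_text)
    node = root.find("EXECUTION/DELEGATE/AUTHCONTEXT")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def check_xcf(xcf_text):
    """(ok, message): reject an AUTHCONTEXT that is not a known class URN, so a
    typo is caught at deploy time instead of showing up as an access denied page."""
    ctx = requested_authcontext(xcf_text)
    if ctx is None:
        return True, "no AUTHCONTEXT: IdP default mechanism applies"
    if ctx not in KNOWN_CLASSES:
        return False, "unknown authentication context class: " + ctx
    return True, ctx


def asserted_authcontext(assertion_text):
    """AuthnContextClassRef from an assertion whose signature was already verified."""
    root = ET.fromstring(assertion_text)
    ref = root.find(f".//{{{SAML_ASSERTION_NS}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None


def access_decision(xcf_text, assertion_text):
    """Mirror the documented GAS behaviour: with AUTHCONTEXT set, any other
    asserted class (or none at all) means access denied."""
    requested = requested_authcontext(xcf_text)
    if requested is None:
        return "allow"
    return "allow" if asserted_authcontext(assertion_text) == requested else "deny"


if __name__ == "__main__":
    xcf = sample_xcf(SAML_AC_PREFIX + "X509")
    print(check_xcf(xcf))
    print(access_decision(xcf, sample_assertion(SAML_AC_PREFIX + "PasswordProtectedTransport")))
```

Two points the script makes concrete: the context comparison only has meaning after the assertion's signature has been validated, since an unverified AuthnContextClassRef proves nothing; and because a mistyped URN is indistinguishable from an unsupported method at runtime (both end in the access denied page), a deploy-time check of the xcf value against the known class list saves a confusing investigation later.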