Follow these steps to setup Genero SAML service.
Before you can use SAML Single sign-on (SSO) with the GAS, a circle of trust must be established between the service
providers (the GAS) and one
or more SAML identity providers (an entity in charge of managing and authenticating the users). This
is established via SAML metadata exchange, where each party imports the metadata from the other
party. Each party's metadata defines how to communicate with it.
An X.509 certificate authority file can also be exchanged in order to validate SAML signatures.
-
If the GAS is located
behind a proxy, configure the proxy in the SAML FGLPROFILE.
Uncomment and set correct values for the entries proxy.http.location
and
proxy.https.location
.
-
Create an X.509 Certificate and its private key.
SAML requires digital signatures. See the Create the client certificate page in
Genero Business Development Language User Guide for
information on creating the certificate and its private key.
-
Modify the SAML configuration file and enter the X.509 certificate and private key
information.
The SAML configuration file is located in
$FGLDIR/web_utilities/services/saml/res.
Set values for the entries xml.saml_signature.x509
and
xml.saml_signature.key
.
If your Genero Web application must be accessible in HTTP, you must also use that key and
certificate for XML-Encryption to be fully secure. Uncomment and set the same values for the entries
xml.saml_encryption.x509
and xml.saml_encryption.key
.
-
Create a circle of trust between the GAS and a SAML provider. Import the IdP metadata file into the GAS SAML service provider.
In this step you are configuring the GAS to trust the IdP you are going to access via
SAML.
-
Set the SAML environment.
On UNIX™ (using sh as shell
script):
cd $FGLDIR/web_utilities/services/saml
. ./envsaml.sh
On Windows®:
cd "%FGLDIR%\web_utilities\services\saml"
envsaml.bat
-
Register the SAML IdP with
Genero SAML by launching the ImportIdP application with the SAML IdP URL.
Refer to the IdP documentation for information on
generating the metadata file (or the URL) from the SAML identity provider.
Example:On UNIX:
cd $FGLDIR/web_utilities/services/saml/bin
fglrun ImportIdp --import http[
s]
://host:port/openam_954/saml2/jsp/exportmetadata.jsp
On
Windows:
cd "%FGLDIR%\web_utilities\services\saml\bin"
fglrun ImportIdp --import http[
s]
://host:port/openam_954/saml2/jsp/exportmetadata.jsp
-
Retrieve the SAML provider Certificate and add it
as a trusted certificate in the SAML configuration file (if needed).
Uncomment and set the correct values for the entry
xml.keystore.calist
; see Certificate authority for
more details.
Refer to the SAML Identity Provider (IdP) documentation for
information about retrieving its X.509 certificate.
-
Create a circle of trust between the SAML provider and the GAS.
In this step you are integrating the IdP with the GAS so
that trust is established.
-
Start the dispatcher (if needed).
-
Log in to your SAML provider and create a circle of trust based on
the GAS SAML metadata.
Generate the metadata from this URL:
http[
s]
://host:port/gas/ws/r/services/SAMLServiceProvider/Metadata
An XML descriptor page should open. If the page fails to open, make sure you
have the certificates (.crt and .pem) in
$FGLDIR/web_utilities/services/saml/res/crt as specified in the
$FGLDIR/web_utilities/services/saml/res/configuration file.
The GAS is ready to support SAML SSO.