Authorization and SAML SSO
Authorize whether an user already authenticated by SAML Single sign-on (SSO) can access a Genero application.
The GAS must be configured for SAML SSO. See Configure GAS to support SAML SSO.
With the Genero SAML implementation, you can add an external program to determine whether an already authenticated user can access a Genero Web application.
This external program can be written in Genero or in another programming language.
access-program saml-userid app-xcf-path [ attribute value [...] ]
- The first argument is the SAML identifier. It depends on the ID format specified in the Genero Application Server configuration and by the IdP.
- The second argument is the application path.
- Next arguments are optional and define SAML attributes/value pairs.
fglrun AccessProgram
"AZEd3R4" \
"qa-test/application" \
"fullname" "genero test" \
"email" "genero@4js.com" \
"country" "France"
The application AccessProgram.4gl in $FGLDIR/web_utilities/services/saml provides an example of an authorization application written in Genero.
The external program is specified in the application configuration element by adding a
AUTHORIZATION
element in the DELEGATE
element.
If the AUTHORIZATION
element is not defined, any user registered in the
SAML IdP can access the Genero Web application. It is recommended that you add an
authorization program to filter the access to your application.
The authorization program will be called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the last case, the end user will be warned with an error page in the web browser, generated by the SAML service.