Genero SAML configuration

Specify entries in the configuration file to configure the Genero SAML service provider.

The Genero SAML implementation provides a list of entries to configure the Genero SAML service provider. The file is located in $FGLDIR/web_utilities/services/saml/res/configuration.
Table 1. SAML-related configuration entries

saml.entityID: Defines the SAML entity name for the Genero Application Server (GAS), which is how the GAS is represented to other SAML partners. Mandatory. Default is urn:genero.

saml.allowUnsecure: Defines whether the GAS accepts unsecured authentication mechanisms. Default is false (recommended).

A SAML authentication mechanism is unsecured if communication between the Identity Provider (IdP) and the GAS is not performed either over HTTPS or with XML encryption.

To secure a SAML communication, use HTTPS (via ISAPI or FastCGI) or use XML-Encryption by setting the xml.saml_encryption entries as described in Assertion encryption.

saml.wantAssertionsSigned: Defines whether SAML assertions coming from Identity Providers (IdPs) must be signed. Be aware that there is no guarantee that setting this attribute will change how the IdP returns its response; the configuration of the IdP may not be affected.

Important: After changing the attribute, you must recreate the circle of trust so the IdP takes the attribute into account.

Default is true (recommended).

Setting this attribute to false does not stop the GAS from validating signed assertions.

It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered.
  • If not signed and entry is set to true, the GAS returns an access denied HTML page.

  • If signed and entry is set to false, the GAS validates the signature and an error is raised if the signature is invalid.

This entry also adds the wantAssertionsSigned attribute to the SAML metadata describing the SAML needs of the GAS.

saml.wantResponseSigned: Defines whether SAML responses coming from the Identity Providers (IdPs) must be signed. Be aware that there is no guarantee that setting this attribute will change how the IdP returns its response; the configuration of the IdP may not be affected.

Important: After changing the attribute, you must recreate the circle of trust so the IdP takes the attribute into account.

Default is false. It is recommended to have either (or both) saml.wantAssertionsSigned and saml.wantResponseSigned set to true, to ensure the request was not altered.
  • If not signed and entry is set to true, the GAS returns an access denied HTML page.

  • If signed and entry is set to false, the GAS validates the signature and an error is raised if the signature is invalid.

This entry does not add any attribute to the SAML metadata.

Assertion encryption

To support assertion encryption, you must add an X.509 certificate and its RSA private key to handle XML-Encryption using the Genero Web Services XML key mapping. There are two entries to set:
  • xml.saml_encryption.x509: path to the X.509 certificate
  • xml.saml_encryption.key: path to the RSA private key

You can use the same X.509 certificate and RSA private key for signature, encryption, and metadata signature.

Authentication signature

To sign the authentication request that the GAS sends to the Identity Provider (IdP), you must add an X.509 certificate and its RSA private key to handle XML-Signature using the Genero Web Services XML key mapping. There are two entries to set:
  • xml.saml_signature.x509: path to the X.509 certificate
  • xml.saml_signature.key: path to the RSA private key

You can use the same X.509 certificate and RSA private key for signature, encryption, and metadata signature.

Metadata signature

To sign the generated SAML metadata, add an X.509 certificate and its RSA private key to handle XML-Signature using the Genero Web Services XML key mapping. There are two entries to set:
  • xml.saml_metadata_signature.x509: path to the X.509 certificate
  • xml.saml_metadata_signature.key: path to the RSA private key

You can use the same X.509 certificate and RSA private key for signature, encryption, and metadata signature.

Certificate authority

As XML-Signature and XML-Encryption are in use to secure SAML communication, you must specify the list of trusted certificate authorities. This is done via the Genero Web Services key mapping mechanism by adding this entry, which contains the list of trusted X.509 certificates (coming from the Identity Provider).
  • xml.keystore.calist: paths to the CA certificates, in order of preference, separated by semicolons. For instance, the list might contain file names such as ca.crt and cert-signed-by-ca.crt. The certificate files should be located in the same directory as the SAML configuration file; otherwise, specify the relative or absolute path to them.
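The following audit script is an added example, not part of the Genero product or this page; it checks a configuration against the recommendations in Table 1 and the key-mapping sections above (allowUnsecure off, at least one of the two signature requirements on, each .x509/.key pair complete, a CA list present). It assumes the configuration file uses simple "entry = value" lines, which this page does not specify, and the sample content is constructed.

```python
# Constructed sample in the ASSUMED "entry = value" syntax of the Genero SAML
# configuration file (the real file's syntax is not shown on this page).
SAMPLE_CONFIG = """\
# Genero SAML service provider configuration (constructed, deliberately weak)
saml.entityID = urn:genero
saml.allowUnsecure = true
saml.wantAssertionsSigned = false
saml.wantResponseSigned = false
xml.saml_encryption.x509 = sp.crt
xml.saml_signature.x509 = sp.crt
xml.saml_signature.key = sp.key
xml.keystore.calist = ca.crt;cert-signed-by-ca.crt
"""

def parse_config(text):
    """Parse 'entry = value' lines into a dict, skipping blanks and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def is_true(entries, key, default):
    """Boolean view of an entry, falling back to the documented default."""
    return entries.get(key, default).lower() == "true"

def audit(entries):
    """Return findings where the configuration departs from the page's recommendations."""
    findings = []
    if is_true(entries, "saml.allowUnsecure", "false"):
        findings.append("saml.allowUnsecure is true: IdP traffic without HTTPS or XML-Encryption is accepted")
    # Defaults from Table 1: wantAssertionsSigned=true, wantResponseSigned=false
    if not (is_true(entries, "saml.wantAssertionsSigned", "true")
            or is_true(entries, "saml.wantResponseSigned", "false")):
        findings.append("neither saml.wantAssertionsSigned nor saml.wantResponseSigned is true: integrity of the IdP response is not enforced")
    for prefix in ("xml.saml_encryption", "xml.saml_signature", "xml.saml_metadata_signature"):
        present = {s for s in ("x509", "key") if f"{prefix}.{s}" in entries}
        if present and present != {"x509", "key"}:  # half of the cert/key pair is missing
            findings.append(f"{prefix}: both .x509 and .key must be set (found only .{present.pop()})")
    if not entries.get("xml.keystore.calist"):
        findings.append("xml.keystore.calist is missing: no trusted CA list for XML-Signature/XML-Encryption")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```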