Set the authentication context

At the GAS level, you can specify how the Identity Provider must authenticate a user who wants to access a Genero Web application via a browser.

As a prerequisite, see the SAML core specification for the list of supported URNs. There are several methods -- password protected, X509 certificate, PGP -- but not all work for Web-based Single sign-on (SSO).

For most Web Single sign-on, the default authentication method is password protected.

SAML provides a mechanism that allows a service provider (Genero Application Server) to define how a user must be authenticated by the Identity Provider (IdP). The GAS supports an optional element (AUTHCONTEXT) that allows you to specify which authentication method to use.

SAML uses a Uniform Resource Name (URN) namespace to specify the protocol and the authentication context. Examples are shown for the Password and X509 authentication context classes:
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
If the AUTHCONTEXT element is not defined, the default mechanism set in the IdP is used.
Important:

Do not specify this tag unless you require a specific authentication method.

Add an AUTHCONTEXT element as a child of the SAML DELEGATE element in the application configuration (xcf) file. Enter a valid authentication method in the text of the AUTHCONTEXT element.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/4.01/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>

When AUTHCONTEXT is set, the GAS requests that authentication context from the IdP. If the IdP does not support the specified method, or if it authenticates the user with another mechanism, the GAS returns an access denied page.
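The following is an added example, not GAS code: it reads the AUTHCONTEXT from an xcf fragment like the one above and applies the rule just described to the AuthnContextClassRef an IdP returns in its assertion (exact URN match required when AUTHCONTEXT is set, anything accepted when it is absent). The xcf and the assertion are constructed inline; the function names are this example's own.

```python
"""Compare the AUTHCONTEXT configured in a GAS xcf file with the
AuthnContextClassRef carried in a SAML assertion (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed xcf, same shape as the configuration shown on this page.
XCF = f"""<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/SAMLServiceProvider">
      <AUTHCONTEXT>{X509}</AUTHCONTEXT>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>"""

def assertion_with(class_ref):
    """Constructed minimal assertion; only the AuthnStatement is needed here."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

def required_authcontext(xcf_text):
    """AUTHCONTEXT text under the SAML DELEGATE element, or None if absent."""
    node = ET.fromstring(xcf_text).find("./EXECUTION/DELEGATE/AUTHCONTEXT")
    return node.text.strip() if node is not None and node.text else None

def asserted_authcontext(assertion_text):
    """AuthnContextClassRef the IdP placed in the assertion, or None."""
    node = ET.fromstring(assertion_text).find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    return node.text.strip() if node is not None and node.text else None

def access_allowed(xcf_text, assertion_text):
    """No AUTHCONTEXT: accept whatever the IdP used (its default mechanism).
    AUTHCONTEXT set: the IdP's class must match exactly, otherwise deny."""
    required = required_authcontext(xcf_text)
    if required is None:
        return True
    return asserted_authcontext(assertion_text) == required
```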