Follow these steps to set up the Genero SAML service.
Before you can use SAML Single sign-on (SSO) with the JGAS, a circle of trust must be established between the service providers (the JGAS) and one or more SAML identity providers (an entity in charge of managing and authenticating the users). This is established via SAML metadata exchange, where each party imports the metadata from the other party. Each party's metadata defines how to communicate with it.
Note: An X509 certificate authority file can also be exchanged in order to validate SAML signatures. See Certificate authority.
- If the JGAS is located behind a proxy, configure the proxy in the SAML FGLPROFILE. Uncomment and set correct values for the entries proxy.http.location and proxy.https.location.
- Create an X509 certificate and its private key. SAML requires digital signatures. See the Genero Business Development Language User Guide for information on creating the certificate and its private key.
- Modify the SAML configuration file and enter the X509 certificate and private key information. The SAML configuration file is located in $FGLDIR/web_utilities/services/saml/res. Uncomment and set correct values for the entries xml.saml_signature.x509 and xml.saml_signature.key.
  If your Genero Web application must be accessible over HTTP, you must also use that key and certificate for XML-Encryption to be fully secure. Uncomment and set the same values for the entries xml.saml_encryption.x509 and xml.saml_encryption.key.
- Create a circle of trust between the JGAS and a SAML provider. Import the IdP metadata file into the JGAS SAML service provider.
  - Go to $FGLDIR/web_utilities/services/saml.
  - Set the SAML environment via envsaml.bat or envsaml.sh.
  - Launch the ImportIdP application using the SAML provider URL. Refer to the IdP documentation for information on generating the metadata file (or the URL) from the SAML identity provider.
      $ fglrun ImportIdP http://host:port/openam_954/saml2/jsp/exportmetadata.jsp
  - Retrieve the SAML provider certificate and add it as a trusted certificate in the SAML configuration file (if needed). Uncomment and set the correct value for the entry xml.keystore.calist. Refer to the Genero Business Development Language User Guide for more information. Refer to the SAML Identity Provider (IdP) documentation for information about retrieving its X509 certificate.
- Create a circle of trust between the SAML provider and the JGAS.
  - Start the dispatcher (if needed).
  - Log in to your SAML provider and create a circle of trust based on the JGAS SAML metadata. Generate the metadata from this URL: http[s]://host:port/jgas/ws/r/SAMLServiceProvider/Metadata. Refer to the SAML Identity Provider (IdP) documentation for information about importing the Genero Application Server SAML metadata.
The JGAS is ready to support SAML SSO.