Set the authentication context
At the JGAS level, you can specify how the Identity Provider must authenticate a user that wants to access a Genero Web application via a browser.
As a prerequisite, see the SAML core specification for the list of supported URNs. There are several methods -- password protected, X509 certificate, PGP -- but not all work for Web-based Single sign-on (SSO).
For most Web Single sign-on, the default authentication method is password protected.
SAML provides a mechanism that allows a service provider (JGAS) to define how a user
must be authenticated by the Identity Provider (IdP). The JGAS supports an optional element
(AUTHCONTEXT
) that allows you to specify which authentication method to use.
X509
and
Password
formats:urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
AUTHCONTEXT
element is not defined, the default mechanism set in
the IdP is used. Do not specify this tag unless you require a specific authentication method.
AUTHCONTEXT
element as a child of the SAML DELEGATE
element in the application configuration (xcf) file. Enter a valid
authentication method in the text of the AUTHCONTEXT
element.
<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
>
<EXECUTION>
<PATH>$(res.path.qa)/applications/myapp</PATH>
<MODULE>App.42r</MODULE>
<DELEGATE service="SAMLServiceProvider">
<AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
</DELEGATE>
</EXECUTION>
</APPLICATION>
When set, the authentication context method is defined. If the IdP does not support the specified method, or if it uses another mechanism, the JGAS will return an access denied page.