Set the authentication context

At the GAS/JGAS level, you can specify how the Identity Provider must authenticate a user that wants to access a Genero web application via a browser.

As a prerequisite, see the SAML core specification for the list of supported URNs. There are several methods -- password protected, X509 certificate, PGP -- but not all work for web-based Single sign-on (SSO).

For most web Single sign-on, the default authentication method is password protected.

SAML provides a mechanism that allows a service provider (Genero Application Server/JGAS) to define how a user must be authenticated by the Identity Provider (IdP). The GAS/JGAS supports an optional element (AUTHCONTEXT) that allows you to specify which authentication method to use.

SAML uses a Uniform Resource Name (URN) namespace to specify the protocol and the authentication context. Examples are shown for the Password and X509 formats:
    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    urn:oasis:names:tc:SAML:2.0:ac:classes:X509

If the AUTHCONTEXT element is not defined, the default mechanism set in the IdP is used.

Important: Do not specify this tag unless you require a specific authentication method.

The application configuration is slightly different for GAS and JGAS; follow the step that applies to your server.

  1. In the GAS application configuration file, add an AUTHCONTEXT element as a child of the SAML DELEGATE element in the application configuration (xcf) file. Enter a valid authentication method in the text of the AUTHCONTEXT element.
    <?xml version="1.0"?>
    <APPLICATION Parent="defaultgwc"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://4js.com/ns/gas/5.00/cfextws.xsd">
      <EXECUTION>
        <PATH>$(res.path.qa)/applications/myapp</PATH>
        <MODULE>App.42r</MODULE>
        <DELEGATE service="services/SAMLServiceProvider">
          <!-- ... other DELEGATE settings ... -->
          <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
        </DELEGATE>
      </EXECUTION>
    </APPLICATION>
  2. In the JGAS application configuration file, add an AUTHCONTEXT element as a child of the SAML DELEGATE element in the application configuration (xcf) file. Enter a valid authentication method in the text of the AUTHCONTEXT element.
    <?xml version="1.0"?>
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.path.qa)/applications/myapp</PATH>
        <MODULE>App.42r</MODULE>
        <DELEGATE service="SAMLServiceProvider">
          <!-- ... other DELEGATE settings ... -->
          <AUTHCONTEXT>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AUTHCONTEXT>
        </DELEGATE>
      </EXECUTION>
    </APPLICATION>

Once the element is set, the GAS/JGAS requests that authentication context from the IdP. If the IdP does not support the specified method, or authenticates the user with a different mechanism, the GAS/JGAS returns an access denied page.
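The following added example (not Genero or GAS code) shows the two SAML pieces behind this behaviour: the RequestedAuthnContext fragment that an AUTHCONTEXT value produces in the AuthnRequest, and the check of the AuthnContextClassRef returned in the IdP's assertion that decides between access granted and access denied. It assumes the GAS requests an exact match, and uses a constructed, unsigned sample response.

```python
# Added example, not part of the GAS/JGAS product. Assumption: the server maps
# AUTHCONTEXT to a RequestedAuthnContext with Comparison="exact".
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def requested_authn_context(class_ref: str) -> str:
    """RequestedAuthnContext fragment the SP places in its AuthnRequest."""
    return (
        '<samlp:RequestedAuthnContext xmlns:samlp="%s" xmlns:saml="%s" '
        'Comparison="exact"><saml:AuthnContextClassRef>%s'
        "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>"
    ) % (NS["samlp"], NS["saml"], class_ref)


def assertion_authn_context(response_xml: str) -> Optional[str]:
    """AuthnContextClassRef from the AuthnStatement of a SAML Response, or None."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def authn_context_satisfied(response_xml: str, required: str) -> bool:
    """True only if the IdP authenticated with exactly the required class."""
    return assertion_authn_context(response_xml) == required


# Constructed sample: the IdP used Password although X509 was requested.
# A real SP verifies the XML signature before trusting any of this content.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(requested_authn_context(X509))
    print("X509 satisfied:", authn_context_satisfied(SAMPLE_RESPONSE, X509))  # False: access denied
    print("Password satisfied:", authn_context_satisfied(SAMPLE_RESPONSE, PASSWORD))  # True
```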