Authorization and SAML SSO
Authorize whether an user already authenticated by SAML Single sign-on (SSO) can access a Genero application.
The GAS/JGAS must be configured for SAML SSO. The application configuration is slightly different for GAS and JGAS, choose the appropriate step.
With the Genero SAML implementation, you can add an external program to determine whether an already authenticated user can access a Genero web application.
This external program can be written in Genero or in another programming language.
access-program saml-userid app-xcf-path [
attribute value [...] ]
- The first argument is the SAML identifier. It depends on the ID format specified in the GAS/JGAS configuration and by the IdP.
- The second argument is the application path.
- Next arguments are optional and define SAML attributes/value pairs.
fglrun AccessProgram
"AZEd3R4" \
"qa-test/application" \
"fullname" "genero test" \
"email" "genero@4js.com" \
"country" "France"
The application AccessProgram.4gl in $FGLDIR/web_utilities/services/saml provides an example of an authorization application written in Genero.
The external program is specified in the application configuration element by adding a
AUTHORIZATION
element in the DELEGATE
element.
If the AUTHORIZATION
element is not defined, any user registered in the SAML IdP
can access the Genero web application. It is recommended that you add an authorization program to
filter the access to your application.
The external program must be deployed beside the SAMLServer.42r program, because it will be executed by that service program. This is by default under $FGLDIR/web_utilities/services/saml/bin.
The authorization program will be called before access to the web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the last case, the end user will be warned with an error page in the web browser, generated by the SAML service.