Authorization and SAML SSO

Authorize whether an user already authenticated by SAML Single sign-on (SSO) can access a Genero application.

The GAS/JGAS must be configured for SAML SSO. The application configuration is slightly different for GAS and JGAS, choose the appropriate step.

With the Genero SAML implementation, you can add an external program to determine whether an already authenticated user can access a Genero web application.

This external program can be written in Genero or in another programming language.

The authorization program expects two mandatory arguments and the list of SAML attributes received from the Identity Provider (IdP):
access-program saml-userid app-xcf-path [ attribute value [...] ]
  • The first argument is the SAML identifier. It depends on the ID format specified in the GAS/JGAS configuration and by the IdP.
  • The second argument is the application path.
  • Next arguments are optional and define SAML attributes/value pairs.
Example with a Genero authorization program:
fglrun AccessProgram
       "AZEd3R4" \
       "qa-test/application" \
       "fullname" "genero test" \
       "email" "genero@4js.com" \
       "country" "France"

The application AccessProgram.4gl in $FGLDIR/web_utilities/services/saml provides an example of an authorization application written in Genero.

The external program is specified in the application configuration element by adding a AUTHORIZATION element in the DELEGATE element.

If the AUTHORIZATION element is not defined, any user registered in the SAML IdP can access the Genero web application. It is recommended that you add an authorization program to filter the access to your application.

The external program must be deployed beside the SAMLServer.42r program, because it will be executed by that service program. This is by default under $FGLDIR/web_utilities/services/saml/bin.

  1. In the GAS application configuration file, add an AUTHORIZATION element as a child of the SAML DELEGATE element in the application configuration (xcf) file. Within the AUTHORIZATION tag, specify the external authorization program.
    <?xml version="1.0"?>
    <APPLICATION Parent="defaultgwc"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://4js.com/ns/gas/5.00/cfextws.xsd">
      <EXECUTION>
        <PATH>$(res.path.qa)/applications/myapp</PATH>
        <MODULE>App.42r</MODULE>
        <DELEGATE service="services/SAMLServiceProvider">
           # ...
          <AUTHORIZATION>fglrun AccessProgram</AUTHORIZATION>
        </DELEGATE>
      </EXECUTION>
    </APPLICATION>
  2. In the JGAS application configuration file, add an AUTHORIZATION element as a child of the SAML DELEGATE element in the application configuration (xcf) file. Within the AUTHORIZATION tag, specify the external authorization program.
    <?xml version="1.0"?>
    <APPLICATION Parent="defaultgwc">
      <EXECUTION>
        <PATH>$(res.path.qa)/applications/myapp</PATH>
        <MODULE>App.42r</MODULE>
        <DELEGATE service="SAMLServiceProvider">
           # ...
          <AUTHORIZATION>fglrun AccessProgram</AUTHORIZATION>
        </DELEGATE>
      </EXECUTION>
    </APPLICATION>

The authorization program will be called before access to the web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the last case, the end user will be warned with an error page in the web browser, generated by the SAML service.