GAM: Impersonate Authentication

When the GAM Repository allows end users to authenticate with different identity providers (for example using a web service and Twitter), by default they are mapped to different GAM Users.

Due to security concerns, users may authenticate using different mechanisms depending, for example, on whether they are accessing from an intranet. However, the login information has to be mapped to the same GAM logical User.

In this paper, we will explain what to do when a single GAM User is required regardless of whether users enter the system using one authentication type or the other.

Let's consider the following scenarios:

Scenario I: Impersonate External Authentication to Local Authentication

Consider a scenario where we need to have all the users defined as local GAM users in the GAM database, regardless of whether the login is local or external.

In other words, users should be able to authenticate using an external mechanism, such as a certificate, as well as one local to GAM (depending on the physical location of the user). In both cases, the login should map to the same GAM User.

A user who has logged into the application using an external mechanism shouldn't be defined as a different user in the GAM database. Instead, this user should impersonate the local user who has the same username (or email) in GeneXus Access Manager, if it exists. If a user logs in using external authentication, and it does not exist in GAM, it will be registered in GAM as a local user.

The article Impersonate external authentication to local authentication, explains in more detail the scenario where any GAM External Authentication Type impersonates to local authentication.

Scenario II: Impersonate External Authentication to any other type of external authentication

Any user who logs in using GAM External Authentication Type (GAM External Web Services Authentication Type, or GAM Custom Authentication Type) can be impersonated to a google userFacebook user, or Twitter user.

Suppose that the Custom Authentication Type defined in the Repository impersonates to Twitter. This means that end users use their Twitter login to authenticate to Custom external authentication, and after a successful login they are mapped to Twitter users in GAM.

Therefore, the possible combinations are that GAM External WS authentication type and GAM Custom Authentication type impersonate any authentication type available in the Repository.


This feature is available as from GeneXus X Evolution 2 Upgrade 5.

See also

GAM API: How to reference GAM users
GAM External Authentication Type