Impersonate external authentication to local authentication

Official Content

Purpose

Have all the users defined as local GAM users in the GAM database, regardless of whether the login is local or external. See GAM Impersonation for an explanation about the purpose of this feature.

Impersonate configuration in GAM

When defining Custom Authentication, or External Web Services Authentication, the impersonate property can be set to indicate another Authentication Type that it's going to be impersonated.

Impersonate is a property of the GAMAuthenticationTypeCustom and the GAMAuthenticationTypeWebService external objects (which are part of the GAM API).

Example

1. Define External Authentication Type using impersonate property.

In this example we define a Custom Authentication type that impersonates local authentication type.

&AuthenticationTypeCustom.Name    = "Custom" //&AuthenticationTypeCustom is GAMAuthenticationTypeCustom data type.
&AuthenticationTypeCustom.FunctionId  =  GAMAuthenticationFunctions.AuthenticationAndRoles
&AuthenticationTypeCustom.IsEnable   = TRUE
&AuthenticationTypeCustom.Description  = "Custom"
&AuthenticationTypeCustom.Custom.Version   = GAMAutExtWebServiceVersions.GAM20
&AuthenticationTypeCustom.Custom.FileName   = 'agamwslogin_v20test.dll'
&AuthenticationTypeCustom.Custom.Package   = 'GeneXus.Programs'
&AuthenticationTypeCustom.Custom.ClassName   = 'agamwslogin_v20test'
&AuthenticationTypeCustom.Impersonate = "local" <<<-----
&AuthenticationTypeCustom.Save()

if &AuthenticationTypeCustom.Success()
        commit 
        msg("Custom Authentication added ok", status)
else
       &Errors = GAMRepository.GetLastErrors()
For &Error in &Errors
       Msg(Format(!"%1 (GAM%2)", &Error.Message, &Error.Code), status)
EndFor
endif
CustomImpersonate
Figure 1.

Note: When you assign a string value for the impersonate property, it is checked that it corresponds to the name of any Authentication type defined in the Repository.

2. Login using the external authentication defined.

The login code using external authentication type with and without impersonate have no difference.

In SD applications, it should be as follows:

Event 'ExternalLogin'
    SDActions.LoginExternal("Custom",&User,&Password)
EndEvent

In Web applications:

&AdditionalParameter.AuthenticationTypeName = &LogOnTo
//&LogOnTo is a combo box where the user selects the authentication type he wants to use.
// This is the Authentication Type name. Using the example shown in figure 1 it would be "Custom".

&LoginOK = GAMRepository.Login(&UserName, &UserPassword, &AdditionalParameter, &Errors )
//&Errors is collection of GAMError

In this case, suppose that a user whose username is "test6" is already defined as a local user in GAM.

 

localusergam
Figure 2.

 

Using impersonate, after the end user logs in using Custom authentication type, no other user is defined in the GAM database, but it is recognized to be the local user already defined, whose username is "test6".

Notes

1. The external service associated to the External Authentication Type can return information of the user. This information is updated for the local user.
That is, if the external service returns any data related to the user (as First Name, Last Name, Roles, etc), it is assigned to the local user. The same happens with dynamic attributes. For more information see External Authentication: version 2.0.

2. An ExternalId is assigned to the local user, which is obtained from the output data of the external service. See ExternalId property of GAMUser object for details.

3. The local user's Password is not reset, so that the user can log in as a local user as well as using external authentication.

If the user logs in using external authentication first, the local user is created with an empty password and the Repositoryadministrator has to reset his password.

4. Even if the user who has logged in using this mechanism is registered as local, you can get information about the authentication type he used to log in by reading the session details.

The following example uses the Methods for handling sessions in GAM.
The AuthenticatedLogin property of GAMSessionLog object returns the  user's login data, referencing the Authentication type that was actually used

&UserGUID = &GAMUser.GUID //Get the UserGUID. &GAMUser is GAMUser data type.
&GAMSessionLogFilter.UserGUID = &UserGUID //&GAMSessionLogFilter is GAMSessionLogFilter data type.

for &GAMSessionLog in GAMRepository.GetSessionLogsOrderBy(&GAMSessionLogFilter,GAMSessionLogListOrder.Date_Desc,&Errors) 
//&GAMSessionLog is GAMSessionLog data type. &Erros is collection of GAMError.
     &AuthenticatedLogin = &GAMSessionLog.AuthenticatedLogin
endfor

In the example above, where user "test6" has been defined as local, the previous code returns "testimpersonate\custom\test6". The first part, "testimpersonate" is the user namespace in this example; the second, "custom", is the actual Authentication Type used and the third, test6 is the username.

Availability

This feature is available as from GeneXus X Evolution 2 Upgrade 5.

See Also

GAM - Users
GAM API: How to reference GAM users
GAM - External Authentication Type