Applications that use GeneXus Access Manager can be Identity Providers. In a scenario with an Identity Provider and one or more client applications, the applications will use GAM Remote Authentication Type to authenticate using the Identity Provider (from now on, the server).
Each client application may be connected to a different GAM database and have Integrated Security enabled. Otherwise, depending on your solution, you can use the same GAM database for all. See SAC 43517 for more details on this topic.
When the client authenticates, its behavior is the same as when an application authenticates to Facebook or Twitter, because a session is generated in the Identity Provider and used by the application while it continues to be valid.
That's why this functionality is very useful for implementing Single Sign On in applications.
The necessary configuration for this authentication type to work is as follows:
- The Identity Provider (server) is configured using the Client Application URL, so this information will have to be given to the server's administrator.
- Given the Client Application URL information of the first step, a new GAM Application has to be defined in the Identity Provider. The administrator will configure the Application using some Client Id and Client Secret values. Afterward, these values have to be given to the Client's administrator to configure his GAM.
- In the GAM client, the GAM Remote Authentication Type is going to be configured, using the Application credentials (Client Id and Client Secret) given by the Identity Provider's administrator (obtained in the previous step). The Remote server URL will also be needed.
For more information see Identity Provider Configuration and Client Configuration.
See GAM Remote Authentication type for Smart Devices
- When authenticating through the Identity Provider, the user is created or updated in the client GAM database using the same GAM User GUID from the GAM of the Identity Provider. The password is stored only in the GAM of the Identity Provider.
- The default data transferred from the Identity Provider database to the client is: Guid, Username, EMail, First_Name, Last_name, External_id, Birthday, Gender, Url_image, Url_profile, Phone, Address, City, State, Post_code, Language, Timezone.
- When additional data must be passed (such as dynamic attributes of GAM User), we must then add "gam_user_additional_data" additional scope at the GAM remote Authentication Type configuration, and check the "Can get user additional data" at the Indentity Provider's configuration. As since GeneXus 16 upgrade 7 you have the &AuthenticationTypeGAMRemote.GAMRemote.AddUserAdditionalDataScope property, which sets the "gam_user_additional_data" automatically at the client.
- The password GAM Security Policies applicable are those of the Identity Provider GAM.
- The applicable security policies not related to the password are those of the client GAM database.
- The information required must be completed on the server and also on the client. So, if the email address is required by the server security policies, its entry will be requested. Likewise, when any other data is required in the client GAM, we will be asked to complete it as well.
See Logout options for Single Sign On using GAM
The Identity provider may use all authentication types (Local, Custom, OAuth 2.0, Google, etc.).
The solution of GAM Remote Authentication is based on OAuth 2.0.
Single Sign On in applications using GAM
Managing Roles in applications using SSO