Applications that use GeneXus Access Manager can act as Identity Providers. In a scenario with an Identity Provider and one or more client applications, the client applications use the GAM Remote Authentication Type to authenticate against the Identity Provider (from now on, the server).
Each client application must be connected to its own GAM database and have Integrated Security enabled. A separate GAM database per client application is required so that each one can be assigned a unique Call Back URL, which is necessary to comply with the security specifications of an Identity Provider.
When the client authenticates, its behavior is the same as when an application authenticates to Facebook or Twitter: a session is created in the Identity Provider and used by the application for as long as it remains valid.
That's why this functionality is very useful for implementing Single Sign On in applications.
The necessary configuration for this authentication type to work is as follows:
- The Identity Provider (server) is configured using the Client Application URL, so this information has to be given to the server's administrator.
- Using the Client Application URL from the first step, a new GAM Application is defined in the Identity Provider. The administrator configures the Application with Client Id and Client Secret values, which are then given to the client's administrator to configure their GAM.
- In the client GAM, the GAM Remote Authentication Type is configured using the Application credentials (Client Id and Client Secret) provided by the Identity Provider's administrator in the previous step. The Remote server URL is also needed.
For more information see Identity Provider Configuration and Client Configuration.
See GAM Remote Authentication type for Smart Devices
- When authenticating through the Identity Provider, the user is created or updated in the client GAM database with the same GAM User GUID it has in the Identity Provider's GAM. The password is stored only in the Identity Provider's GAM.
- The data transferred by default from the Identity Provider database to the client is: Guid, Username, EMail, First_Name, Last_name, External_id, Birthday, Gender, Url_image, Url_profile, Phone, Address, City, State, Post_code, Language, Timezone.
- When additional data must be passed (such as GAM User dynamic attributes), the additional scope "gam_user_additional_data" must be added to the configuration.
- The GAM Security Policies that apply to the password are those of the Identity Provider's GAM.
- The security policies not related to the password are those of the client GAM database.
- Required information must be completed on both the server and the client. For example, if the server's security policies require an email address, the user is asked to enter it; likewise, any other data required by the client GAM is requested as well.
Logging out from the client does not log out from the server.
The Identity provider may use any of the following authentication types:
The solution of GAM Remote Authentication is based on OAuth 2.0.
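The following is an added example, not GAM's own code, that models the OAuth 2.0 checks an Identity Provider performs for the setup described above: one registered Application per client with a unique callback URL, an exact redirect match, a Client Secret check on the token exchange, and user data limited to the default field list unless the "gam_user_additional_data" scope was requested. The class, method names and sample user are assumptions for illustration.

```python
import hmac
import secrets

# Attributes the page lists as transferred by default; the password is never among them.
DEFAULT_USER_FIELDS = frozenset((
    "Guid", "Username", "EMail", "First_Name", "Last_name", "External_id", "Birthday",
    "Gender", "Url_image", "Url_profile", "Phone", "Address", "City", "State",
    "Post_code", "Language", "Timezone"))
ADDITIONAL_SCOPE = "gam_user_additional_data"  # scope named on the page for dynamic attributes

class IdentityProvider:
    def __init__(self, users):
        self.users = users  # Guid -> attributes, kept only on the Identity Provider side
        self.apps = {}      # client_id -> (client_secret, callback_url)
        self.codes = {}     # single-use authorization codes
    def register_application(self, callback_url):
        # One GAM Application per client application; its callback URL must be unique.
        if any(cb == callback_url for _, cb in self.apps.values()):
            raise ValueError("callback URL already registered to another application")
        client_id, client_secret = secrets.token_hex(16), secrets.token_urlsafe(32)
        self.apps[client_id] = (client_secret, callback_url)
        return client_id, client_secret
    def authorize(self, client_id, redirect_uri, scopes, guid):
        # Redirect target must equal the registered callback exactly (no prefix matching).
        app = self.apps.get(client_id)
        if app is None or redirect_uri != app[1] or guid not in self.users:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, frozenset(scopes), guid)
        return code
    def exchange(self, client_id, client_secret, code, redirect_uri):
        # Constant-time secret comparison; the code is consumed on first use.
        app = self.apps.get(client_id)
        if app is None or not hmac.compare_digest(client_secret, app[0]):
            return None
        issued = self.codes.pop(code, None)
        if issued is None or issued[0] != client_id or issued[1] != redirect_uri:
            return None
        _, _, scopes, guid = issued
        user = self.users[guid]
        data = {k: v for k, v in user.items() if k in DEFAULT_USER_FIELDS}
        if ADDITIONAL_SCOPE in scopes:  # dynamic attributes travel only with the extra scope
            data["dynamic_attributes"] = dict(user.get("dynamic_attributes", {}))
        return data

def sample_idp():
    # Constructed sample user; values are illustrative, not real data.
    return IdentityProvider({"0001-guid": {
        "Guid": "0001-guid", "Username": "jdoe", "EMail": "jdoe@example.com",
        "Password": "stored-only-here", "dynamic_attributes": {"Department": "Sales"}}})
```

A second client application that tried to register the same callback URL is rejected, which is the reason the page requires a separate GAM database (and therefore a distinct Call Back URL) per client.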
Single Sign On in applications using GAM
Managing Roles in applications using SSO