The following is the configuration of the GAM Identity Provider for GAM Remote Authentication Type.
First, define a GAM Application on the server for each web application that is going to be a client of the Identity Provider. The credentials of this Application are going to be used for defining the GAM Remote Authentication type in the client's GAM database, as explained in Client Configuration for GAM Remote Authentication.
When the GAM Web Backoffice is used, Applications are added through the Application menu item: go to "Applications" and click the "Add" button, which opens the GAMExampleEntryApplication Web panel.
In the General tab, you enter the name, description, and other basic information of the Application.
In the Remote Authentication tab, you enter the Application credentials and the other information needed to configure GAM Remote Authentication.
In sum, the client application information that must be provided is as follows:
- Client ID. Client ID of the Application. It has to be a valid GUID.
- Client Secret. Client Secret of the Application. It has to be a valid GUID.
The "Allow authentication" check box, under the Web (Identity Provider, SSO) section, must be selected in order to enter the following information (*):
- Can get user roles. See Managing Roles in applications using SSO.
- Can get user additional data. Check this option when additional data (such as dynamic attributes of the GAM User) must be passed to the client. The same option has to be enabled on the client side.
- Can get session initial properties. If true, the Application is enabled to send the initial properties to the clients. This corresponds to the &GAMApplication.ClientAllowGetSessionInitialProperties property.
For more information see Howto: sending and receiving properties set at the login.
- Local Login URL. URL of the server application login (e.g. /TestGAMSSOServer.NetEnvironment/gamremotelogin.aspx). The format is: /<BaseURL>/[<package>.]gamremotelogin. The GAMRemoteLogin object is distributed in the GAM Examples.
- Callback URL. URL of the client application (e.g. http://server:8080/TestGAMRemoteJavaSQLServer). The format is: http://<Server>:<Port>/<BaseURL>. For Java, do not include "/servlet". Since GeneXus 16 Upgrade 7, more than one callback URL can be set; the URLs must be separated by ";". This is useful when several clients have to connect to the same Identity Provider using the same GAM Application. For example, when converting an application and keeping both the old and the new version (each at a different URL), there is no need to define a new GAM Application in the repository for each Callback URL; it is enough to list both URLs in the Callback URLs property of the same Application.
- Image URL. URL of the image logo of the client application.
- Private Encryption Key. This private encryption key is used to encrypt the communication between the client applications and the server application; however, the use of HTTPS is recommended.
(*) If "Allow authentication" is not checked, the following error is thrown when the user tries to authenticate to the Identity Provider:
Remote authentication is not allowed in this application. Please contact the administrator. (GAM230)
Client Configuration for GAM Remote Authentication
The following error:
Error code 222
Error message Callback URL doesnt match the one configured in the application (http://<server>/<baseURL>/oauth/gam/callback)
is due to a misconfigured callback URL in the Identity Provider. Note that in the Identity Provider, the callback URL is configured as http://<server>/<baseURL>, without the /oauth/gam/callback path.
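The following script is an added example, not part of GAM or of this page's original content. It checks a GAM Application definition against the rules listed above (GUID credentials, the "Allow authentication" flag, the Local Login URL and Callback URL formats, no "/servlet" for Java, a ";"-separated list of callbacks) and reproduces the comparison behind error 222. The dictionary layout, the placeholder GUIDs and the assumption that the provider strips /oauth/gam/callback from the presented URL before comparing it with the configured list are all constructed for this example.

```python
"""Added example (not GAM's own code): sanity-check an Identity Provider GAM
Application definition and reproduce the callback URL comparison behind error 222."""
import re
import uuid
from urllib.parse import urlparse

# Path the client appends to its base URL when it calls back (taken from the
# error 222 message); the provider stores only the base part.
CALLBACK_SUFFIX = "/oauth/gam/callback"

# /<BaseURL>/[<package>.]gamremotelogin, optionally with an extension such as .aspx
LOCAL_LOGIN_RE = re.compile(
    r"^/.+/(?:[A-Za-z0-9_.]+\.)?gamremotelogin(?:\.[A-Za-z0-9]+)?$", re.IGNORECASE
)


def is_guid(value):
    """Client ID and Client Secret must be valid GUIDs."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def parse_callback_urls(field):
    """Split the ';'-separated Callback URL field (several are allowed since GeneXus 16 U7)."""
    return [u.strip().rstrip("/") for u in field.split(";") if u.strip()]


def check_application(app):
    """Return a list of (level, message); an empty list means the definition is consistent."""
    findings = []
    if not is_guid(app.get("client_id", "")):
        findings.append(("error", "Client ID must be a valid GUID"))
    if not is_guid(app.get("client_secret", "")):
        findings.append(("error", "Client Secret must be a valid GUID"))
    if not app.get("allow_authentication", False):
        findings.append(("error", "'Allow authentication' is not checked: clients will get GAM230"))
    if not LOCAL_LOGIN_RE.match(app.get("local_login_url", "")):
        findings.append(("error", "Local Login URL must be /<BaseURL>/[<package>.]gamremotelogin"))
    urls = parse_callback_urls(app.get("callback_urls", ""))
    if not urls:
        findings.append(("error", "at least one Callback URL is required"))
    for url in urls:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(("error", f"Callback URL {url!r} is not http://<Server>:<Port>/<BaseURL>"))
        elif "/servlet" in parts.path.lower():
            findings.append(("error", f"Callback URL {url!r} must not include /servlet for Java clients"))
        elif parts.scheme == "http":
            # The page recommends HTTPS over relying on the Private Encryption Key alone.
            findings.append(("warning", f"Callback URL {url!r} is plain HTTP; HTTPS is recommended"))
    return findings


def callback_matches(configured_field, presented_url):
    """Compare the callback URL a client presents with the configured list.

    Assumption of this example: the provider strips /oauth/gam/callback from the
    presented URL and compares the remaining base (scheme, host, port, BaseURL)
    case-insensitively with each configured Callback URL.
    """
    base = presented_url.strip().rstrip("/")
    if base.lower().endswith(CALLBACK_SUFFIX):
        base = base[: -len(CALLBACK_SUFFIX)]
    configured = {u.lower() for u in parse_callback_urls(configured_field)}
    return base.rstrip("/").lower() in configured


# Constructed sample definition; the GUIDs are placeholders, not real credentials.
GOOD_APP = {
    "client_id": "11111111-2222-4333-8444-555555555555",
    "client_secret": "66666666-7777-4888-9999-aaaaaaaaaaaa",
    "allow_authentication": True,
    "local_login_url": "/TestGAMSSOServer.NetEnvironment/gamremotelogin.aspx",
    "callback_urls": "https://server:8443/TestGAMRemoteJavaSQLServer;https://newhost/TestGAMRemoteV2",
}

# The same definition with the mistakes this page warns about.
BAD_APP = dict(
    GOOD_APP,
    client_secret="not-a-guid",
    allow_authentication=False,
    callback_urls="http://server:8080/TestGAMRemoteJavaSQLServer/servlet",
)

if __name__ == "__main__":
    for name, app in (("GOOD_APP", GOOD_APP), ("BAD_APP", BAD_APP)):
        print(name, check_application(app) or "OK")
    print(callback_matches(GOOD_APP["callback_urls"],
                           "https://server:8443/TestGAMRemoteJavaSQLServer/oauth/gam/callback"))
```

Run the script on an exported Application definition before pointing a client at it: every "error" item maps to one of the failures described on this page (GAM230 for a missing "Allow authentication", error 222 for a callback base that does not match), and the last call shows the form a client's callback must take for the comparison to succeed.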