The following is the configuration of the GAM Identity Provider for GAM Remote Authentication Type.
First, define a GAM Application on the server for each web application that is going to be a client of the Identity Provider. The credentials of this Application are going to be used for defining the GAM Remote Authentication type in the client's GAM database, as explained in Client Configuration for GAM Remote Authentication.
When the GAM Web Backoffice is used, Applications are added using the Application menu item: go to "Applications" and click the "Add" button, which calls the Web panel GAMExampleEntryApplication.
In the Client Application Data tab, you can enter the Application credentials.
Additional information has to be added to the Remote Authentication tab:
In sum, the client application information that must be provided is as follows:
- Client ID. Client ID of the Application. It has to be a valid GUID.
- Client Secret. Client Secret of the Application. It has to be a valid GUID.
The "Allow remote authentication" check box must be selected to enter the following information (*):
- Can get user roles. See Managing Roles in applications using SSO.
- Can get user additional data. Check this option when additional data must be passed (such as dynamic attributes of the GAM User). The "gam_user_additional_data" additional scope has to be added in the client configuration.
- Local Login URL. URL of the server application login (e.g., /TestGAMSSOServer.NetEnvironment/gamremotelogin.aspx). The format is: /<BaseURL>/[<package>.]gamremotelogin. The GAMRemoteLogin object is distributed in the GAM Examples.
- Call Back URL. URL of the client application (e.g., http://server:8080/TestGAMRemoteJavaSQLServer). The format is: http://<Server>:<Port>/<BaseURL>. For Java, do not include "/servlet".
- Image URL. URL of the image logo of the client application.
- Private Encryption Key. This key is used to encrypt the communication between client applications and the server application; however, the use of HTTPS is recommended.
(*) If "Allow remote authentication" is not checked, the following error is thrown when the user tries to authenticate to the Identity Provider:
Remote authentication is not allowed in this application. Please contact the administrator. (GAM230)
Client Configuration for GAM Remote Authentication
The following error:
Error code: 222
Error message: Callback URL doesnt match the one configured in the application (http://<server>/<baseURL>/oauth/gam/callback)
is due to a misconfigured callback URL in the Identity Provider. Note that in the Provider, the callback URL is http://<server>/<baseURL>.
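The field rules listed above and the two error conditions (GAM230 and error 222) can be checked before the values are entered in the Backoffice. The following is an added example, not part of GAM or of the original page: the dictionary keys are illustrative names for the form fields, the GUIDs are constructed, and it assumes that "valid GUID" means anything Python's uuid module parses and that the login URL may carry the .aspx suffix shown in the page's example.

```python
import re
import uuid
from urllib.parse import urlsplit

# Field names are illustrative labels for the form fields, not GAM API identifiers.
LOGIN_RE = re.compile(r"^/[^/\s]+/(?:[\w.]+\.)?gamremotelogin(?:\.aspx)?$", re.I)

def _is_guid(value):
    # Assumption: "valid GUID" means any form Python's uuid module parses.
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False

def check_application(cfg):
    """Return (errors, warnings) for one application's settings."""
    errors, warnings = [], []
    for field in ("client_id", "client_secret"):
        if not _is_guid(cfg.get(field, "")):
            errors.append(f"{field}: not a valid GUID")
    if not cfg.get("allow_remote_authentication"):
        errors.append("allow_remote_authentication: unchecked (GAM230)")
    if not LOGIN_RE.match(cfg.get("local_login_url", "")):
        errors.append("local_login_url: expected /<BaseURL>/[<package>.]gamremotelogin")
    cb = urlsplit(cfg.get("callback_url", ""))
    path = cb.path.rstrip("/").lower()
    if cb.scheme not in ("http", "https") or not cb.hostname or not path:
        errors.append("callback_url: expected http://<Server>:<Port>/<BaseURL>")
    if path.endswith("/oauth/gam/callback"):
        errors.append("callback_url: remove /oauth/gam/callback (error 222)")
    if "servlet" in path.split("/"):
        errors.append("callback_url: must not include /servlet")
    if cb.scheme == "http":
        warnings.append("callback_url: plain HTTP, HTTPS is recommended")
    return errors, warnings

# Constructed sample values (GUIDs are made up for this example).
GOOD = {
    "client_id": "3f2b8c1e-5d4a-4e7b-9a6c-1d2e3f4a5b6c",
    "client_secret": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
    "allow_remote_authentication": True,
    "local_login_url": "/TestGAMSSOServer.NetEnvironment/gamremotelogin.aspx",
    "callback_url": "http://server:8080/TestGAMRemoteJavaSQLServer",
}
BAD = dict(GOOD, client_secret="not-a-guid", allow_remote_authentication=False,
           callback_url="http://server:8080/App/servlet/oauth/gam/callback")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_application(cfg))
```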