This guide covers the client-side configuration steps for the GAM Remote Authentication Type.
By using the GAM Web Backoffice, add the Authentication Type through the Authentication Types menu item.
Then add the information as explained below:
Picture #1. Defining GAM Remote Authentication Type. Web panel GAMExampleEntryAuthenticationType.
- Client ID. Client ID of the Application. The same as the one specified in the Identity Provider.
- Client Secret. Client Secret of the Application - the same as the one specified in the Identity Provider.
- Local Site URL. URL of the client application - the same as the one specified in the Call Back URL in the server.
- Add gam_user_additional_data scope? Check this option when additional data (such as dynamic attributes of the GAM User) must be passed to the client. When it is set, the "gam_user_additional_data" scope is automatically sent to the server. It corresponds to the property &Application.ClientAllowGetUserAdditionalData, which must be set to TRUE.
On the server side, the "Allow Authentication" check box (under the Web (Identity Provider, SSO) section) must also be selected.
- Additional Scope. Any string; it is used to support the GAM Events subscription for Remote Authentication (User_GetCustomInfo and User_SaveCustomInfo).
If no additional scope is added, only the following basic information is transferred from the server to the client: Guid, Username, EMail, First_Name, Last_name, External_id, Birthday, Gender, Url_image, Url_profile, Phone, Address, City, State, Post_code, Language, Timezone. To send additional data, the option "Get user additional data" must also be checked in the server application.
- Add gam_session_initial_prop scope? Asks the Identity Provider to return to the client the initial properties set dynamically at login. The Identity Provider must also be configured to send this information.
For more details see Howto: sending and receiving properties set at the login.
- Remote Server URL. URL of the server application (e.g.: http://server/TestGAMSSOServer.NetEnvironment). The format is http://<Server>:<Port>/<BaseURL>. For Java, do not include "/servlet". Use https in production: the credentials and tokens exchanged with the Identity Provider travel over this URL.
- Private Encryption Key. This key encrypts the communication between the client applications and the server application. It must have exactly the same value as the one configured for the GAM application defined in the Identity Provider (the server); since both sides hold it, it is effectively a shared secret and should be protected as one. If the values differ, the error "javax.servlet.ServletException: java.lang.InternalError: invalid key" is thrown (the Java form of the error is shown here).
- Repository GUID. GUID of the Repository in the Identity Provider that the client connects to.
- Validate External Token. Validates the session expiration against the token expiration and token renewal settings of the Identity Provider. The property is AutovalidateExternalTokenAndRefresh, e.g.: &AuthenticationTypeGAMRemote.GAMRemote.AutovalidateExternalTokenAndRefresh = TRUE
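The fields above only work when the client and the Identity Provider agree on them (same Client ID and Secret, Local Site URL equal to the server's Call Back URL, identical Private Encryption Key, the gam_* scopes enabled on both sides). The following added example, which is not GAM's own code, models those client and server settings and reports the mismatches this page describes, plus the scope string the client would request. The class layouts, field names and the space-separated scope format are assumptions for illustration; only the scope names, URL rules and error behaviour come from the text.

```python
"""Constructed consistency check for a GAM Remote client configuration.

Added example (not GAM's own code).  Dataclass layouts, field names and the
space-separated scope string are assumptions; scope names, URL rules and the
"invalid key" behaviour are taken from the configuration guide.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

USER_ADDITIONAL_DATA_SCOPE = "gam_user_additional_data"
SESSION_INITIAL_PROP_SCOPE = "gam_session_initial_prop"


@dataclass
class GamRemoteClientConfig:
    """Client-side fields of the GAM Remote Authentication Type (assumed layout)."""
    client_id: str
    client_secret: str
    local_site_url: str
    remote_server_url: str
    private_encryption_key: str
    repository_guid: str
    add_user_additional_data_scope: bool = False
    add_session_initial_prop_scope: bool = False
    additional_scope: str = ""
    autovalidate_external_token_and_refresh: bool = False
    java_server: bool = False  # the Remote Server is a Java deployment


@dataclass
class GamIdentityProviderAppConfig:
    """Server-side (Identity Provider) settings the client must match (assumed layout)."""
    client_id: str
    client_secret: str
    callback_url: str
    private_encryption_key: str
    repository_guids: tuple  # GUIDs of the repositories defined in the IdP
    allow_authentication: bool = False
    get_user_additional_data: bool = False
    send_session_initial_props: bool = False


def build_scope(cfg: GamRemoteClientConfig) -> str:
    """Assemble the scope string the client requests from the Identity Provider.

    The two gam_* scopes are added when their check boxes are set and the
    Additional Scope string is passed through as-is.  Joining with spaces is
    an assumption (OAuth convention), not something the guide states.
    """
    scopes = []
    if cfg.add_user_additional_data_scope:
        scopes.append(USER_ADDITIONAL_DATA_SCOPE)
    if cfg.add_session_initial_prop_scope:
        scopes.append(SESSION_INITIAL_PROP_SCOPE)
    if cfg.additional_scope.strip():
        scopes.append(cfg.additional_scope.strip())
    return " ".join(scopes)


def check_config(client: GamRemoteClientConfig, idp: GamIdentityProviderAppConfig) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    if client.client_id != idp.client_id:
        findings.append("Client ID differs from the one registered in the Identity Provider")
    if client.client_secret != idp.client_secret:
        findings.append("Client Secret differs from the one registered in the Identity Provider")
    if client.local_site_url.rstrip("/") != idp.callback_url.rstrip("/"):
        findings.append("Local Site URL does not match the Call Back URL configured in the server")
    if client.private_encryption_key != idp.private_encryption_key:
        findings.append("Private Encryption Key mismatch: the server will fail with 'invalid key'")
    if client.repository_guid not in idp.repository_guids:
        findings.append("Repository GUID is not a repository of the Identity Provider")
    if not idp.allow_authentication:
        findings.append("'Allow Authentication' is not selected for the application in the Identity Provider")

    # Remote Server URL: http(s)://<Server>:<Port>/<BaseURL>, no "/servlet" for Java.
    parts = urlsplit(client.remote_server_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        findings.append("Remote Server URL must be http(s)://<Server>:<Port>/<BaseURL>")
    elif parts.scheme == "http":
        findings.append("Remote Server URL uses plain http: credentials and tokens travel unprotected")
    if client.java_server and parts.path.rstrip("/").endswith("/servlet"):
        findings.append("Remote Server URL must not include '/servlet' for a Java server")

    # Scopes requested by the client must be enabled on the server side too.
    if client.add_user_additional_data_scope and not idp.get_user_additional_data:
        findings.append("gam_user_additional_data requested but 'Get user additional data' is off in the server")
    if client.add_session_initial_prop_scope and not idp.send_session_initial_props:
        findings.append("gam_session_initial_prop requested but the Identity Provider is not set to send initial properties")
    return findings
```

Run `check_config` on the two sides before enabling the authentication type: each finding maps to one of the fields above, and the "invalid key" finding is the one the guide says surfaces as a ServletException on a Java server.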
Identity Provider Configuration for GAM Remote Authentication