This document explains the steps to follow to configure GeneXus Access Manager (GAM) to authenticate with the SAML 2.0 Authentication type against Agesic as the Identity Provider.
As indicated in Agesic: Integración con el servicio de Autenticación (Integration with the Authentication service), in the section "Solicitud de alta en el servicio" (service registration request), you send an email requesting the form used to collect the data needed to establish the partnership between the Service Provider (your application) and the Identity Provider (Agesic, in this case).
In the second section of the form you receive from Agesic ("Información técnica del solicitante", technical information about the applicant), you are required to complete, among other fields, the following information:
In sum, in GAM, you will have configured the following fields:
Force Authentication = TRUE means that each time a login is needed at a different Service Provider, the IdP asks the user to enter credentials again instead of reusing the existing IdP session (SSO is not used). In GAM this option is supported only for Agesic. For further details, see the Agesic documentation and search for ForceAuth.
Authentication Context: for Agesic, set it to "Both". For further details, see the Agesic documentation and search for RequestedAuthnContext.
Local Site URL: the URL under which your application (Service Provider) was registered with Agesic (e.g.: http://testgamagesic.com:8080/gamlogin). It must match the registered value exactly, since the IdP checks the address to which it returns assertions against what was registered; for a production deployment use https so that assertions are not delivered in clear text.
The third section of the form provided by Agesic contains the information needed to configure the SAML Endpoint Location and the Single Logout Endpoint on the General tab of the GAM SAML 2.0 Authentication type:
- HTTP-Redirect endpoint: copy it to SAML Endpoint Location.
- Single logout endpoint: copy it to Single Logout Endpoint.
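To make the fields above concrete, the following added example (written for this page, not GAM's own code) builds the SAML 2.0 AuthnRequest that these settings correspond to and encodes it for the HTTP-Redirect binding used by the SAML Endpoint Location: ForceAuthn="true" carries the Force Authentication setting, AssertionConsumerServiceURL carries the Local Site URL from the page, and Destination carries the endpoint copied from the Agesic form. The SP entity ID, the IdP endpoint URL and the AuthnContextClassRef values are assumptions; the page only says to set Authentication Context to "Both" and does not state which class references GAM emits.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Stand-ins for the GAM fields. LOCAL_SITE_URL is the value quoted on the page;
# SAML_ENDPOINT and SP_ENTITY_ID are hypothetical, not real Agesic values.
LOCAL_SITE_URL = "http://testgamagesic.com:8080/gamlogin"
SAML_ENDPOINT = "https://idp.example.invalid/sso/redirect"
SP_ENTITY_ID = "http://testgamagesic.com:8080/gamlogin"
# Example AuthnContextClassRef values (standard SAML 2.0 URNs). How GAM's
# "Both" setting maps onto the request is not stated on the page.
AUTHN_CONTEXTS = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
]


def build_authn_request(issuer=SP_ENTITY_ID, acs_url=LOCAL_SITE_URL,
                        destination=SAML_ENDPOINT, force_authn=True,
                        authn_contexts=AUTHN_CONTEXTS, request_id=None):
    """Return the AuthnRequest XML that the configured GAM fields produce."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,                  # SAML Endpoint Location
        "AssertionConsumerServiceURL": acs_url,      # Local Site URL
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        # ForceAuthn="true" tells the IdP to ignore any existing IdP session and
        # prompt for credentials again (GAM's Force Authentication = TRUE).
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if authn_contexts:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        for ctx in authn_contexts:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ctx
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(endpoint, request_xml, relay_state=None):
    """Encode the request for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def decode_redirect_request(url):
    """Reverse the HTTP-Redirect binding and return the parsed AuthnRequest element."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))


def summarize(req):
    """Pull out the attributes that the GAM fields control, for inspection."""
    return {
        "force_authn": req.get("ForceAuthn"),
        "destination": req.get("Destination"),
        "acs_url": req.get("AssertionConsumerServiceURL"),
        "issuer": req.findtext("saml:Issuer", namespaces=NS),
        "authn_contexts": [e.text for e in req.findall(
            "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)],
    }


if __name__ == "__main__":
    url = redirect_binding_url(SAML_ENDPOINT, build_authn_request())
    print(url)
    print(summarize(decode_redirect_request(url)))
```

The request above is unsigned; in a real deployment the HTTP-Redirect query string also carries SigAlg and Signature parameters computed with the Service Provider key, which is what the credentials section of the GAM configuration supplies. Decoding your own request this way is a quick check that the Destination and AssertionConsumerServiceURL values in the message are exactly the endpoint and Local Site URL registered with Agesic.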
For the credentials section of the GAM configuration, see HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication.