HowTo: Configuring SAML 2.0 GAM Authentication type using Agesic

Official Content

This document explains the steps to follow in order to configure GeneXus Access Manager (GAM) with the SAML 2.0 Authentication type, using Agesic as the Identity Provider.

As indicated in Agesic: Integración con el servicio de Autenticación, in section "Solicitud de alta en el servicio", you should send an email requesting a form to complete all data necessary to generate the partnership between the Service Provider (your application) and the Identity Provider (Agesic in this specific case).

In the second section of the form that you receive from Agesic (the "Información técnica del solicitante" section), you are required to complete, among other fields, the following information:

  • Entity ID: it is the Service Provider ID that must be used to complete the Service Provider Entity ID field in the Login General tab of the GAM SAML 2.0 Authentication type configuration.

  • Assertion Consumer Service Location: it is the URL that will receive the SAML responses from the Identity Provider.

    Java apps: if the application is generated using Java, the format of the URL must be https://<domain>/<url_base>/saml/gam/signin (e.g.: https://testgamagesic.com:8080/gamlogin/saml/gam/signin).

    .Net apps: if the application is generated using .Net, the format of the URL must be https://<domain>/<url_base>/Saml2/Acs (e.g.: https://gamtestnet.com/kbaux.NetEnvironment/Saml2/Acs).

  • Single Logout Location: it is the URL that will receive the SAML requests from the Identity Provider to execute a local logout (e.g.: https://testgamagesic.com:8080/gamlogin/saml/gam/signout). Important: the format of the URL must be https://<domain>/<url_base>/saml/gam/signout.

In sum, in GAM, you will have configured the following fields:


Force Authentication = TRUE means that every time a login is needed in a different Service Provider, the IdP will ask the user to enter credentials again (SSO will not be used). It is supported by Agesic only. For further details on this item, take a look at the Agesic documentation and search for ForceAuth.

Authentication Context: for Agesic, use "Both". For further details on this item, take a look at the Agesic documentation and search for RequestedAuthnContext.

Local Site URL: configure the URL used to register your application (Service Provider) in Agesic (e.g.: http://testgamagesic.com:8080/gamlogin).
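The values registered with Agesic (Entity ID, ACS and Single Logout locations) have to match what the GAM application actually exposes; if the paths or hosts drift apart, the IdP posts the SAML response to an endpoint nobody serves and the login silently fails. The following checker, added here as an example and not part of the HowTo or of GAM, verifies the URL formats given above against the Local Site URL. It assumes the signout format applies to both Java and .Net apps, since the HowTo gives a single format for it.

```python
from urllib.parse import urlparse

# Endpoint paths per platform, as the HowTo specifies. Applying the one
# signout format to .Net as well is an assumption of this example.
EXPECTED_PATHS = {
    "java": {"acs": "/saml/gam/signin", "slo": "/saml/gam/signout"},
    "net":  {"acs": "/Saml2/Acs",       "slo": "/saml/gam/signout"},
}


def check_sp_config(platform, local_site_url, acs_url, slo_url):
    """Return a list of problems found; an empty list means the three URLs are consistent.

    platform       -- "java" or "net", the generator used for the application
    local_site_url -- the Local Site URL configured in GAM (scheme is not checked,
                      since the HowTo's own example uses http for it)
    acs_url        -- the Assertion Consumer Service Location sent to Agesic
    slo_url        -- the Single Logout Location sent to Agesic
    """
    problems = []
    if platform not in EXPECTED_PATHS:
        return [f"unknown platform {platform!r} (expected 'java' or 'net')"]
    base = urlparse(local_site_url)
    base_path = base.path.rstrip("/")
    for name, url in (("acs", acs_url), ("slo", slo_url)):
        parsed = urlparse(url)
        expected_path = base_path + EXPECTED_PATHS[platform][name]
        # Agesic endpoints must be https; a plain-http ACS would carry the
        # signed assertion in the clear.
        if parsed.scheme != "https":
            problems.append(f"{name}: scheme must be https, got {parsed.scheme!r}")
        # Host and port must be the ones the application is registered under.
        if parsed.netloc != base.netloc:
            problems.append(f"{name}: host {parsed.netloc!r} differs from Local Site URL host {base.netloc!r}")
        # The path must be <url_base> plus the platform-specific suffix.
        if parsed.path != expected_path:
            problems.append(f"{name}: path must be {expected_path!r}, got {parsed.path!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values taken from the HowTo's own examples.
    print(check_sp_config("java", "http://testgamagesic.com:8080/gamlogin",
                          "https://testgamagesic.com:8080/gamlogin/saml/gam/signin",
                          "https://testgamagesic.com:8080/gamlogin/saml/gam/signout"))
```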

In the third section of the form provided by Agesic you will find the information necessary to configure the SAML Endpoint Location and the Single Logout Endpoint in GAM SAML 2.0 Authentication type General tab.

  • SAML Endpoint Location in GAM Backend: for Java apps, copy the contents of the Http-redirect endpoint to that field. For .Net apps, copy the contents of the Http-Post endpoint.

  • Single Logout Endpoint in GAM Backend: copy the contents of the Single logout endpoint to that field.

For the credentials section of the GAM configuration, see HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication.
