HowTo: Configuring SAML 2.0 GAM Authentication type using Agesic

This document explains the steps to follow in order to configure GeneXus Access Manager (GAM) to authenticate against Agesic using the SAML 2.0 Authentication type.

As indicated in Agesic: Integración con el servicio de Autenticación, in the section "Solicitud de alta en el servicio", you should send an email requesting a form in which you complete all the data needed to establish the partnership between the Service Provider (your application) and the Identity Provider (Agesic in this particular case).

In the second section of the form that you were given by Agesic (section "Información técnica del solicitante"), you are asked to complete the following information (among other fields):

  • Entity ID. It's the Service Provider id, and has to be used to complete the field Service Provider Entity ID in the GAM SAML 2.0 Authentication type Login General tab configuration.
  • Assertion Consumer Service Location. It's the URL which will receive the SAML responses from the Identity Provider (e.g.:
     Important: The URL has to be of the format https://<domain>/<url_base>/saml/gam/signin
  • Single Logout Location. It's the URL which will receive the SAML requests from the Identity Provider, to execute a local logout (e.g.:
     Important: The URL has to be of the format https://<domain>/<url_base>/saml/gam/signout
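The following check is an added example, not part of the original document or of GAM. It validates the two URLs against the formats stated above before they are written into the Agesic form. The function names and sample URLs are constructed for illustration, and it assumes that both endpoints belong to the same application and so share the same <domain>/<url_base>, and that <url_base> is not empty.

```python
from urllib.parse import urlsplit

# Path suffixes required by the page for each GAM SAML endpoint.
SUFFIXES = {"acs": "/saml/gam/signin", "slo": "/saml/gam/signout"}


def check_endpoint(url, kind):
    """Return (base, problems) for one endpoint URL; kind is 'acs' or 'slo'."""
    suffix = SUFFIXES[kind]
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append(f"{kind}: scheme must be https")
    if not parts.hostname:
        problems.append(f"{kind}: missing domain")
    if parts.query or parts.fragment:
        problems.append(f"{kind}: no query string or fragment expected")
    if not parts.path.endswith(suffix):
        problems.append(f"{kind}: path must end with {suffix}")
        return None, problems
    url_base = parts.path[: -len(suffix)]
    # Assumption: <url_base> is at least one non-empty path segment.
    if not url_base.strip("/"):
        problems.append(f"{kind}: <url_base> is empty")
    return f"{parts.scheme}://{parts.netloc}{url_base}", problems


def check_form_urls(acs_url, slo_url):
    """Validate both URLs and check they point at the same application."""
    acs_base, problems = check_endpoint(acs_url, "acs")
    slo_base, slo_problems = check_endpoint(slo_url, "slo")
    problems += slo_problems
    # Assumption: both endpoints share the same <domain>/<url_base>.
    if acs_base and slo_base and acs_base != slo_base:
        problems.append("acs and slo do not share the same <domain>/<url_base>")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real endpoints.
    acs = "https://sp.example.org/myapp/saml/gam/signin"
    slo = "https://sp.example.org/myapp/saml/gam/signout"
    for line in check_form_urls(acs, slo) or ["both URLs match the required format"]:
        print(line)
```
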

In sum, in GAM, you'll have configured the following fields:


Force Authentication = TRUE means that each time a login is needed in a different Service Provider, the IdP will ask the user to enter the credentials again (SSO will not be used). It's supported by Agesic only. See the Agesic documentation and search for ForceAuth for more details on this item.

Authentication Context: For Agesic, use "Both". See the Agesic documentation and search for RequestedAuthnContext for more details on this item.

Local Site URL: Configure the URL used to register your application (Service Provider) in Agesic (e.g.:

In the third section of the form given by Agesic, you have the information to configure the SAML Endpoint Location and the Single Logout Endpoint in GAM SAML 2.0 Authentication type General tab.

  • Http-redirect endpoint. Copy it to SAML Endpoint Location.
  • Single logout endpoint. Copy it to Single Logout Endpoint.

For the credentials section of the GAM configuration, see HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication.

