This document explains the steps to be followed order to configure GeneXus Access Manager (GAM) to authenticate using SAML 2.0 Authentication type using Agesic.
As indicated in Agesic: Integración con el servicio de Autenticación in the section "Solicitud de alta en el servicio", you should send an email to ask for a form to complete all the necessary data to generate the partnership between the Service Provider (your application) and the Identity Provider (Agesic in this particular case).
In the second section of the form that you were given by Agesic (section "Información técnica del solicitante"), you are asked to complete the following information (among other fields):
In sum, in GAM, you'll have configured the following fields:
Force Authentication = TRUE means that each time a login is needed in a different Service Provider, the IdP will ask the user to enter the credentials again (SSO will not be used). It's supported by Agesic only. Take a look at the Agesic documentation and search for ForceAuth, for more details on this item.
Authentication Context: For Agesic, use "Both". Take a look at the Agesic documentation and search for RequestedAuthnContext, for more details on this item.
Local Site URL: Configure the URL used to register your application (Service Provider) in Agesic (e.g.: http://testgamagesic.com:8080/gamlogin).
In the third section of the form given by Agesic, you have the information to configure the SAML Endpoint Location and the Single Logout Endpoint in GAM SAML 2.0 Authentication type General tab.
- Http-redirect endpoint. Copy it to SAML Endpoint Location.
- Single logout endpoint. Copy it to Single Logout Endpoint.
For the credentials section of the GAM configuration, see HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication.