To set up the environment described in Single Sign-on for Rest Services using GAM, you have to perform configuration steps both in the GAM of each client application and in the Identity Provider (IDP).
This page describes the client-side configuration.
For clarity, let's agree on some terms first.
- The "client" is an application that authenticates against an IDP and then calls a Rest service of another application.
- The Identity Provider (IDP) is the application that issues SSO Rest tokens to the applications that authenticate to it.
At each client app, you have to configure:
- A GAM Application for each Application that you want to interact with from this client.
- The GAM Remote Rest Authentication type (OAuth 2.0) used to authenticate to the IDP.
As said before, you have to define a GAM Application for each application that you want to interact with (i.e., call a Rest Service of it using the SSO Rest Token given by the Identity Provider).
In the GAM Application configuration (Remote Authentication tab), set the Client ID and Client Secret of the application that this client will interact with.
From the SSO Rest tab, do the following:
- Set Enable SSO Rest services to TRUE.
- Configure Mode SSO Rest to Client.
- Set "User Authentication Name in this server" to the name of the Authentication Type of this client under which users will be impersonated. When this client receives an SSO Rest Token and sends it to the IDP to verify its validity, the user is created (or updated) in this client's GAM under that Authentication Type, and the GAM session is updated.
For example, you can set it to the name of the GAM Remote Rest authentication type that you will define next (1).
- Set Server URL to the IDP's URL.
Create a GAM Remote Rest Authentication type (OAuth 2.0) and define, at least:
- Client ID and Client Secret of this client.
- Remote Server URL (the URL of the IDP).
- The "Remote server authentication type name", if the IDP does not authenticate users locally. This is the Authentication Type used by the IDP; the IDP may itself delegate to another IDP (it can authenticate to any GAM External Authentication Type if desired).
- Impersonate. Setting this is an alternative to setting "User Authentication Name in this server" in the GAM Application configuration. Set it to local, for example, if you want the users who authenticate through GAM Remote Rest to be impersonated as local users (1).
Server-side configuration for SSO in Rest applications
(1) If you don't configure the impersonation, you may get an error like the following:
This happens when a user authenticates to App B through GAM Remote Rest for the first time (so the user is created in App B's GAM with Authentication Type = GAM Remote Rest), and then App A calls a Rest Service of App B sending an SSO Rest Token for that user. After App B validates the token against the IDP, GAM tries to upsert the user in App B's GAM tables using the Authentication Type configured in the GAM Application ("User Authentication Name in this server"). If that setting is empty (or set to local), the user already exists under a different Authentication Type, and the conflict occurs.
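The following Python script is an added example; it is not GAM code and is not part of the original page. It models, in simplified form, the flow described above: an IDP that checks client credentials and issues and validates SSO Rest tokens, two client apps, and the user upsert that the receiving app performs after validating a token. With it you can reproduce the conflict of footnote (1) offline and check both ways of avoiding it: setting "User Authentication Name in this server" in the GAM Application, or setting Impersonate in the Remote Rest authentication type. The authentication type name "GAMRemoteRest", the client IDs and secrets, the user "alice", and the assumption that an empty setting behaves as local are constructed for the model, not taken from GAM.

```python
"""Simplified model of the SSO Rest token hand-off (constructed example, not GAM code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GAM_REMOTE_REST = "GAMRemoteRest"  # assumed name of the Remote Rest authentication type
LOCAL = "local"


class TokenError(Exception):
    """The IDP rejected the client credentials or the token."""


class UserConflictError(Exception):
    """The user name already exists under a different authentication type."""


class IdentityProvider:
    """Stand-in for the GAM IDP: checks client credentials, issues and validates tokens."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.clients: Dict[str, str] = {}                # client_id -> client_secret
        self.tokens: Dict[str, Tuple[str, float]] = {}   # token -> (username, expiry)
        self.ttl = ttl_seconds

    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = client_secret

    def _check_client(self, client_id: str, client_secret: str) -> None:
        expected = self.clients.get(client_id, "")
        if not hmac.compare_digest(expected, client_secret):
            raise TokenError("invalid client credentials")

    def issue_token(self, client_id: str, client_secret: str, username: str) -> str:
        """Called by a client that authenticated a user via GAM Remote Rest (OAuth 2.0)."""
        self._check_client(client_id, client_secret)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, time.time() + self.ttl)
        return token

    def validate_token(self, client_id: str, client_secret: str, token: str) -> str:
        """Called by the receiving app before it trusts a token; returns the user name."""
        self._check_client(client_id, client_secret)
        entry = self.tokens.get(token)
        if entry is None or entry[1] < time.time():
            raise TokenError("unknown or expired token")
        return entry[0]


@dataclass
class ClientApp:
    """A GAM client application with the two impersonation settings this page discusses."""
    name: str
    client_id: str
    client_secret: str
    idp: IdentityProvider
    impersonate: Optional[str] = None          # Impersonate, on the Remote Rest auth type
    sso_user_auth_name: Optional[str] = None   # "User Authentication Name in this server"
    users: Dict[str, str] = field(default_factory=dict)  # username -> authentication type

    def _upsert_user(self, username: str, auth_type: str) -> None:
        existing = self.users.get(username)
        if existing is not None and existing != auth_type:
            raise UserConflictError(f"{self.name}: user {username!r} exists as "
                                    f"{existing!r}, cannot upsert as {auth_type!r}")
        self.users[username] = auth_type

    def login_remote_rest(self, username: str) -> str:
        """Interactive login through GAM Remote Rest; returns the SSO Rest token."""
        token = self.idp.issue_token(self.client_id, self.client_secret, username)
        # Without Impersonate, the user is stored under the Remote Rest authentication type.
        self._upsert_user(username, self.impersonate or GAM_REMOTE_REST)
        return token

    def rest_service(self, token: str) -> str:
        """A REST service of this app, called with an SSO Rest token issued to another app."""
        username = self.idp.validate_token(self.client_id, self.client_secret, token)
        # After validation the user is upserted with the configured authentication type;
        # an empty setting is assumed to behave as "local", as footnote (1) describes.
        self._upsert_user(username, self.sso_user_auth_name or LOCAL)
        return f"hello {username} from {self.name}"


def run_scenario(impersonate: Optional[str], sso_user_auth_name: Optional[str]) -> str:
    """Footnote (1): alice logs in to App B, then App A calls App B's service for alice."""
    idp = IdentityProvider()
    idp.register_client("app-a", "secret-a")
    idp.register_client("app-b", "secret-b")
    app_a = ClientApp("App A", "app-a", "secret-a", idp)
    app_b = ClientApp("App B", "app-b", "secret-b", idp, impersonate, sso_user_auth_name)
    app_b.login_remote_rest("alice")            # user created in App B's GAM
    token = app_a.login_remote_rest("alice")    # alice authenticates in App A, gets a token
    try:
        return app_b.rest_service(token)        # App A calls App B with the token
    except UserConflictError as exc:
        return f"conflict: {exc}"


if __name__ == "__main__":
    print(run_scenario(None, None))              # conflict, as in footnote (1)
    print(run_scenario(None, GAM_REMOTE_REST))   # fixed via the GAM Application setting
    print(run_scenario(LOCAL, None))             # fixed via Impersonate on the Remote Rest type
```

The first scenario reproduces the footnote: the user already exists in App B under the Remote Rest authentication type, and the upsert triggered by the token validation tries to store the same name as local. The other two scenarios show that either setting is enough on its own, because both make the authentication type used at login and the one used after token validation agree.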