Official Content


Have all the users defined as local GAM users in the GAM database, regardless of whether the login is local or external. See GAM Impersonation for an explanation about the purpose of this feature.

Impersonate configuration in GAM

When defining Custom Authentication, or External Web Services Authentication, the impersonate property can be set to indicate another Authentication Type that it's going to be impersonated.

Impersonate is a property of the GAMAuthenticationTypeCustom and the GAMAuthenticationTypeWebService external objects (which are part of the GAM API).


1. Define External Authentication Type using impersonate property.

In this example we define a Custom Authentication type that impersonates local authentication type.

&AuthenticationTypeCustom.Name    = "Custom" //&AuthenticationTypeCustom is GAMAuthenticationTypeCustom data type.
&AuthenticationTypeCustom.FunctionId  =  GAMAuthenticationFunctions.AuthenticationAndRoles
&AuthenticationTypeCustom.IsEnable   = TRUE
&AuthenticationTypeCustom.Description  = "Custom"
&AuthenticationTypeCustom.Custom.Version   = GAMAutExtWebServiceVersions.GAM20
&AuthenticationTypeCustom.Custom.FileName   = 'agamwslogin_v20test.dll'
&AuthenticationTypeCustom.Custom.Package   = 'GeneXus.Programs'
&AuthenticationTypeCustom.Custom.ClassName   = 'agamwslogin_v20test'
&AuthenticationTypeCustom.Impersonate = "local" <<<-----

if &AuthenticationTypeCustom.Success()
        msg("Custom Authentication added ok", status)
       &Errors = GAMRepository.GetLastErrors()
For &Error in &Errors
       Msg(Format(!"%1 (GAM%2)", &Error.Message, &Error.Code), status)
Figure 1.

Note: When you assign a string value for the impersonate property, it is checked that it corresponds to the name of any Authentication type defined in the Repository.

2. Login using the external authentication defined.

The login code using external authentication type with and without impersonate have no difference.

In SD applications, it should be as follows:

Event 'ExternalLogin'

In Web applications:

&AdditionalParameter.AuthenticationTypeName = &LogOnTo
//&LogOnTo is a combo box where the user selects the authentication type he wants to use.
// This is the Authentication Type name. Using the example shown in figure 1 it would be "Custom".

&LoginOK = GAMRepository.Login(&UserName, &UserPassword, &AdditionalParameter, &Errors )
//&Errors is collection of GAMError

In this case, suppose that a user whose username is "test6" is already defined as a local user in GAM.


Figure 2.


Using impersonate, after the end user logs in using Custom authentication type, no other user is defined in the GAM database, but it is recognized to be the local user already defined, whose username is "test6".


1. The external service associated to the External Authentication Type can return information of the user. This information is updated for the local user.
That is, if the external service returns any data related to the user (as First Name, Last Name, Roles, etc), it is assigned to the local user. The same happens with dynamic attributes. For more information see External Authentication: version 2.0.

2. An ExternalId is assigned to the local user, which is obtained from the output data of the external service. See External ID property of GAMUser object for details.

3. The local user's Password is not reset, so that the user can log in as a local user as well as using external authentication.

If the user logs in using external authentication first, the local user is created with an empty password and the Repositoryadministrator has to reset his password.

4. Even if the user who has logged in using this mechanism is registered as local, you can get information about the authentication type he used to log in by reading the session details.

The following example uses the Methods for handling sessions in GAM.
The AuthenticatedLogin property of GAMSessionLog object returns the  user's login data, referencing the Authentication type that was actually used

&UserGUID = &GAMUser.GUID //Get the UserGUID. &GAMUser is GAMUser data type.
&GAMSessionLogFilter.UserGUID = &UserGUID //&GAMSessionLogFilter is GAMSessionLogFilter data type.

for &GAMSessionLog in GAMRepository.GetSessionLogsOrderBy(&GAMSessionLogFilter,GAMSessionLogListOrder.Date_Desc,&Errors) 
//&GAMSessionLog is GAMSessionLog data type. &Erros is collection of GAMError.
     &AuthenticatedLogin = &GAMSessionLog.AuthenticatedLogin

In the example above, where user "test6" has been defined as local, the previous code returns "testimpersonate\custom\test6". The first part, "testimpersonate" is the user namespace in this example; the second, "custom", is the actual Authentication Type used and the third, test6 is the username.


This feature is available as from GeneXus X Evolution 2 Upgrade 5.

See Also

GAM - Users
HowTo: Reference GAM users using the GAM API
GAM - External Authentication Type

Last update: November 2023 | © GeneXus. All rights reserved. GeneXus Powered by Globant