Table of contents


Official Content

To set up the environment described in Single Sign On for Rest Services using GAM, consider following some configuration steps in the two GAM Application clients and the Identity Provider (IDP).

Here, note the client-side configuration.

For clarity, let's agree on some terms first.

  • Client A is an application that will be authenticated against an IDP and will call a REST service of another Application called Client B.
  • The Identity Provider IDP is an application that will give SSO REST tokens to the applications that authenticate from Client A to it.

Important

The application that initiates the Login (Client A) and obtains the SSO REST token for Cases A and B must comply with the following configurations.

1. Enable "Allow REST v2.0 authentication?" as shown below.

SSORestConfClient3

2. Select the "Enable SSO REST services?" checkbox. In the "SSO REST" tab, set "Mode" to None.
SSORestConfClient4

 

Note: Two possible configurations for implementing this scenario, Case A and Case B, are described below.

Case A

Defining GAM Applications in the Server where the REST Service is exposed

Configure a GAM Application for each application that you want to interact with Client A and Client B.

From Client A and Client B in the GAM Application, in the "OAuth Authentication" tab of the "Configuration" panel, set the "Client ID" and "Client Secret" of the Application that will interact with this client. 

SSORestClientConf1

From the "SSO REST" tab, do the following:

  1. Select the "Enable SSO REST services?" checkbox.
  2. Set "Mode" to Client.
  3. Set "User authentication type name in this server" to the Authentication Type that you want to impersonate in the application. It must be the name of an Authentication Type of this client, which you want to impersonate when the client sends an SSO Rest Token to the IDP to verify the validity of the token; the User is created in this GAM (and the GAM session is updated).
    For example, you can configure it to the name of the GAM Remote rest authentication that you'll be defining next (1).
  4. Set the Server URL to the IDP's URL.

SSORestConfClient2
 

Case B

Important:

This configuration case allows the application that logged in and obtained the SSO REST token to NOT be defined on the client that publishes the REST service. 

To have this behavior you must configure in the Repository the property "Enable SSO REST access for undefined ClientIDs in exposed REST services?" (&GAMRepository.EnableSSORESTAccessForUndefinedClientIDs: boolean).

SSORestConfClient5

Defining GAM Applications in the Server where the REST Service is exposed

The application that exposes the service (the one configured in the application.gam) must have SSO REST in Client mode.

AppLocalWWApplications

From this application, in the OAuth Authentication tab of the Configuration panel, set the Client ID and Client Secret of the Application that will interact with this client. 

SSORestClientConf1

From the SSO REST tab, do the following:

  1. Select the "Enable SSO REST services?" checkbox.
  2. Set "Mode" to Client.
  3. Set "User authentication type name in this server" to the Authentication Type that you want to impersonate in the application. It must be the name of an Authentication Type of this client, which you want to impersonate when the client sends an SSO REST Token to the IDP to verify the validity of the token; the User is created in this GAM (and the GAM session is updated).
    For example, you can configure it to the name of the GAM Remote REST authentication that you'll be defining next (1).
  4. Set the Server URL to the IDP's URL.

SSORestConfClient2

See Also

Server-side configuration for SSO in REST applications

Last update: April 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant