GeneXus Access Manager (GAM)
Table of contents


Official Content
Note: As of July 2023, Microsoft has changed the name of its Azure Active Directory product to Microsoft Entra ID.

This tutorial explains how to authenticate your users using the OpenID Connect protocol with Azure Active Directory and GAM.

You need to use OAuth 2.0 Authentication Type and do some settings on the Azure Active Directory (Azure AD) Admin Center and the GAM's backend.

Configuration in the Azure AD Admin Center

1. Define and register an application. See this guide from Microsoft.

2. Get the app's Application Id, since you'll need it later on:

AADClientId

3. Configure a Redirect URI. Go through the Authentication menu option (Panel on the left) and create a new Web platform. Then add a Redirect URI of the form:

AADRedirectURI

http://<server>:<port>/<BackendBaseURL>/oauth/gam/callback   

4. Go through the Certificates & secrets option, and create a NewSecret. You should copy the value of the secret, as it will be needed later.

AADSecret

5. In the API permissions tab, verify that you have added the following:

AADAPIPermissions

The following steps will help you to obtain the certificate that you will later use in the GAM backend configuration.

6. From the endpoints panel, make a request to this URL: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration in the browser or Postman:

AADConfigurationsOpenIDEndpoint

Take this URL and make a request in the browser or Postman.

AADConfigurationsOpenIDEndpoint2Step

In this screen, Azure AD will give you six certificates and you can use any of them.

7. Go to Format Certificate Web Tool and paste the certificate you choose in the last step.

FormatCertificate

8. Create a .crt file in a folder (For example: C:/YourKB/NetSql/web/Certs), and paste the resulting certificate from the Certificate Web Tool.

9. Finally, upload this .crt certificate in the Upload certificate option:

AADCertificatesUpload

Configuration in the GAM Backend

In the GAM Backend go to "Settings" and "Authentication Types" and create an OAuth 2.0 Authentication Type.

Go to the General tab and configure the following:

AzureOIDCGAMGeneral

1. The Client Id value from the second step of the Azure AD portal configuration.

2. The Client Secret value from the fourth step of the Azure AD portal configuration.

Go to the Authorization Tab and configure the following:

AzureOIDCGAMAuthorization1

Note: The {tenant} value must be obtained from the application's Overview Panel.

AzureOIDCGAMAuthorization2

Important: For the OpenID connect authentication type to work correctly, make sure that you have checked "Enable OpenID Connect Protocol?" and "Validate ID Token".

Issuer URL: The value for this field must be obtained from the request to this URL: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration in the browser or Postman.

Tip: To find the value in the request result, use Ctrl + F and type "issuer".

Go to Token Tab and configure the following:

AzureOIDCGAMToken

AzureOIDCGAMToken2

Configuration in the User Information Tab

For the OpenID Connect authentication type, you do not have to configure anything in the user information tab.

See Also

GAM - OpenID Connect Authentication Type

Last update: 11 September 2023 by vdeambrosi
Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant