Author Topic: How to install and Configure Active Directory Federation Services for Genero App  (Read 15309 times)
Sisavanh S.
Four Js
Posts: 80


« on: April 09, 2015, 05:32:11 pm »

Hi,

Some customers would like to configure SAML SSO with Genero and ADFS but encountered some issues.

Our American support center did a "how to" some time ago.
We think that it could help some of you, so we would like to share it.
Please read this document.

Feel free to give us feedback.

Thanks and best regards,
« Last Edit: April 09, 2015, 05:35:47 pm »
David H.
Posts: 158


« Reply #1 on: April 10, 2015, 11:01:48 am »

Thanks for sharing. I think documents of this type are very useful as the manuals only take you so far. Hopefully this will be the first of many such studies on some of the more advanced facilities available in the Genero suite...
Najmi N.
Posts: 14


« Reply #2 on: February 05, 2016, 05:38:32 am »

Hi

Thanks for the nice document.

I want to share my case. The client has 4 running applications. They want all applications to be SSO using ADFS (Web SSO).
Of the 4 apps, 3 are .NET applications while the remaining one is a Genero Web application running on Windows 2012.

The client wants that, when logging in to any of the applications, only the 1st one prompts for login, and when choosing another application next, e.g. the Genero app, it won't ask for the login anymore and will open the menu with the login ID from the 1st application.

Is that what Genero 2.5 SAML talked about?

Please confirm .. really need to finalize this.

//
Sisavanh S.
Four Js
Posts: 80


« Reply #3 on: February 09, 2016, 10:25:39 am »

Hi,

My understanding is that it should work if all the applications use one of the identity providers (IdP) of the same federation:
https://technet.microsoft.com/en-us/library/dd807050.aspx
Your Genero app is able to authenticate against one of these identity providers using SAML.

In the simple case, if the applications use the same IdP then they will share the same token/cookie.

In any case, the user is prompted for login/pass only once.

If there is additional information to retrieve, you can create your own web service to manage SSO based on the samples provided in $FGLDIR/web_utilities/services: saml or simplesso.

If you need help, feel free to contact your local support center.

Best regards,
Sisa.
Najmi N.
Posts: 14


« Reply #4 on: February 11, 2016, 12:28:15 am »

Thanks Sisa for your prompt feedback.

Currently I'm using Genero 2.4x (GAS and BDL) without ADFS; by default GAS didn't do authentication. We used the IIS web server to do authentication using IIS Basic auth. This defaults to the browser's plain login form. For a better look and feel we used IIS Form Auth by developing a .NET program for a proper login form with extra logo, coloring and font options.

I have 2 questions:

1. If I remain on Genero 2.4x with the above scenario, what do I need to do to integrate with ADFS WebSSO? Many search results propose modifying the web.config and the .NET form login to claim the IdP credential. My concern: is it able to pass the credential back to GAS?

2. If I use Genero 2.5x as your document does, do I still need to have a .NET kind of program to claim the IdP credential and integrate with ADFS Web SSO? Or is it all done by Genero? What authentication type should I set on the IIS web server?

//
Laurent G.
Four Js
Posts: 110


« Reply #5 on: February 11, 2016, 10:31:33 pm »

I think you are better off using the Genero SSO Delegate feature because of the cookie management.
As you pointed out if you do it upfront and independently from the Genero application, the challenge is going to be about the app knowing about it.

This requires an upgrade to >= 2.50. By reading your previous post it seems ADFS is a requirement. Is it really?
You need to be able to expose AD as a SAML, OpenID or OpenID Connect IDP. This needs to be done independently from Genero.

From there, Genero will pick it up where GWS will establish a trusted link with the AD Web Service.

https://4js.com/online_documentation/fjs-gas-2.50.00-manual-html/?path=fjs-gas-2.50.00-manual#c_gas_sso.html

Note also that OpenID seems to be deprecated in favor of OpenID Connect, which we only seem to support in 3.00.

I hope this is helpful. In order to provide better guidelines, a better understanding of the environment/architecture could help.

Good luck, contact your local support if you are getting stuck in the details.

Laurent