SAML - Header based authentication

The purpose of this document is to describe how to configure PhenixID server for federation with SAML2 using Header Based authentication as an authentication method for PhenixID server.

This authenticator is used in a scenario where another security front end, such as a reverse proxy, stands in front of PhenixID server. The front end server is also responsible for validating the user. The front end proxy then passes the username (or another attribute identifying the user) to the back end server (PhenixID server) as a request header.

Prerequisites

Convert the Federation - Username and Password scenario to HeaderSAML

Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

Change the value of the name parameter from "PostUidAndPasswordSAML" to "HeaderSAML"

Click the plus sign next to "configuration" to add new parameters

Set "header" = "<Name of the header containing the user identifier>"

Click Stage changes

Click Commit changes

Example of how this could look once completed

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve)
  3. Expand (Show) the LDAPSearchValve and modify the search filter to fetch users where uid=<Header value>:
    filter_template: uid={{request.USERID}}
  4. Add a parameter for attributes to fetch for the matched LDAP entry: attributes = uid
  5. Expand (Show) the AssertionProvider and modify nameIDAttribute parameter: nameIDAttribute = uid
  6. Click Save
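An added illustrative model (not PhenixID code) of the two points this setup depends on: the front end proxy must replace any client-supplied identity header with the value from its own authenticated session, and the header value should be escaped before it is substituted into the LDAPSearchValve filter template. The header name USERID (taken from the request.USERID reference above), the RFC 4515 escaping table and the function names are assumptions.

```python
import re
from typing import Dict, Optional

# Assumed header name, matching the "header" parameter and the
# {{request.USERID}} reference in the filter template above.
USER_HEADER = "USERID"
FILTER_TEMPLATE = "uid={{request.USERID}}"

# RFC 4515 escaping for values placed inside an LDAP search filter, so a
# header value such as "*)(uid=*" cannot widen the filter to other entries.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def proxy_forward(inbound: Dict[str, str], authenticated_user: Optional[str]) -> Dict[str, str]:
    """Model of the front end proxy: drop any USERID header that arrived from
    the client (header names are case-insensitive) and set it only from the
    proxy's own authenticated session."""
    forwarded = {k: v for k, v in inbound.items() if k.upper() != USER_HEADER}
    if authenticated_user is not None:
        forwarded[USER_HEADER] = authenticated_user
    return forwarded


def render_filter(template: str, headers: Dict[str, str]) -> Optional[str]:
    """Model of the LDAPSearchValve step: replace {{request.<HEADER>}} with the
    escaped header value; return None if the header is missing, which mirrors
    the case where the proxy forwarded no identity at all."""
    upper = {k.upper(): v for k, v in headers.items()}

    def repl(match: "re.Match[str]") -> str:
        value = upper.get(match.group(1).upper())
        if value is None:
            raise KeyError(match.group(1))
        return ldap_escape(value)

    try:
        return re.sub(r"\{\{request\.([A-Za-z0-9_-]+)\}\}", repl, template)
    except KeyError:
        return None


if __name__ == "__main__":
    # Constructed sample: client tries to supply its own USERID header.
    hdrs = proxy_forward({"userid": "someone-else", "Accept": "*/*"}, "alice")
    print(render_filter(FILTER_TEMPLATE, hdrs))  # uid=alice
```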