PhenixID web apps authentication – Windows SSO

The purpose of this document is to describe how to configure PhenixID server internal web applications for authentication using Windows SSO (Kerberos or NTLM) authentication.

Prerequisites

Follow the prerequisites for Windows SSO in this document:
SAML - Windows SSO authentication

Modules Required

  • auth-http

Configuration

Configuration Properties:

Name Description Default value Mandatory
successURL The URL to redirect the browser to after successful authentication Yes
includeQueryString Enable to append query string (passed to authenticator) to successURL. false No
pipeID Id of pipe to be executed Yes
authProtocol Type of Windows SSO protocol. Can be set to NTLM or Negotiate. (For Kerberos, use Negotiate) NTLM No
errorURL The URL to redirect the browser to if an error occurs. No

Example configuration

The configuration must be added in the Advanced section of Configuration Manager.

HTTP Authenticators

{
"id" : "winsso",
"alias" : "winsso",
"name" : "WindowsSSO",
"configuration" : {
"authProtocol" : "Negotiate",
"pipeID" : "pipewinsso",
"successURL" : "/selfservice/"
}
}

Pipe

{
"id" : "pipewinsso",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "local_ldap",
"base_dn" : "CN=Users,DC=company,DC=local",
"scope" : "SUB",
"size_limit" : 0,
"filter_template" : "(&(objectclass=person)(sAMAccountName={{request.username}}))",
"attributes" : "sAMAccountName"
}
},{
		"name": "PropertyAddValve",
		"config": {
			"name": "roles",
			"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
			"enable_multi_value": "true"
		}
	}
	 ]
}

Read this article to get the correct value for the roles property.