PhenixID web apps authentication – SAML SP

The purpose of this document is to describe how to configure PhenixID server internal web applications for authentication using SAML Service Provider Authentication. This is used when the user authentication is performed on an external SAML Identity Provider.

Prerequisites

  • External SAML IdP Metadata (url or file)

Modules Required

  • auth-http
  • phenix-saml

Configure SAML IdP trust and SAML SP

  1. Follow the scenario: Federation / SAML SP Metadata Upload in order to configure trust with the SAML IdP.
  2. Add a keystore to use for SAML signing and/or encryption (see: Keystore).
  3. Open the Advanced tab and define your SP in the SAMLSP section. Note that id and entityID must have the same value.

{
  "id" : "<create_a_sp_name_and_put_it_here>",
  "keystoreSign" : "<point_to_the_keystore_id_added_in_previous_step>",
  "keystoreEncrypt" : "<point_to_the_keystore_id_added_in_previous_step>",
  "entityID" : "<create_a_sp_name_and_put_it_here>",
  "ForceAuthn" : "<Set to true if ForceAuthn should be used in the AuthnRequest, otherwise false or omit the parameter>"
}

Example:

{
  "id" : "sp.phenixid.se",
  "keystoreSign" : "bhull",
  "keystoreEncrypt" : "bhull",
  "entityID" : "sp.phenixid.se",
  "ForceAuthn" : "false"
}

Configuration - add SAMLServiceProviderAuthN authenticator and pipe

Configuration properties with descriptions can be found here.

Example configuration

The configuration must be added in the Advanced section of Configuration Manager.

HTTP Authenticators

{
  "id" : "samlsp",
  "alias" : "samlsp",
  "name" : "SAMLServiceProviderAuthN",
  "displayName" : "External IdP",
  "configuration" : {
    "successURL" : "/selfservice/",
    "sp" : "sp.phenixid.se",
    "pipeID" : "assertionConsumer",
    "targetIDP" : "https://demo.phenixid.net/idp_rdweb_demo",
    "acsUrl" : "https://sp.phenixid.se/selfservice/authenticate/samlsp",
    "entityID" : "sp.phenixid.se"
  }
}


Please note that entityID and sp must be configured with the same value, and that sp must match the id of the SAMLSP entry defined above.

Pipe

{
  "id" : "assertionConsumer",
  "valves" : [ {
    "name" : "AssertionConsumer",
    "config" : {
      "clock_skew_minutes" : "2"
    }
  },
  {
    "name" : "FlowFailValve",
    "config" : {
      "message" : "User does not exist",
      "exec_if_expr" : "flow.items().isEmpty()"
    }
  },
  {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "roles",
      "value" : "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
      "enable_multi_value" : "true"
    }
  } ]
}

Read this article to get the correct value for the roles property.
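The three JSON parts above must agree with each other (SAMLSP id equals entityID, the authenticator's sp equals its entityID and points at the SAMLSP id, pipeID names the pipe). The following added check script is not PhenixID code; it encodes those requirements from this page plus one assumption inferred from the example, namely that acsUrl ends in /authenticate/<alias>, and runs them over the page's example values (embedded here as constructed input).

```python
from urllib.parse import urlparse

# Constructed sample input, copied from the example configuration on this page.
SAMLSP = {"id": "sp.phenixid.se", "keystoreSign": "bhull", "keystoreEncrypt": "bhull",
          "entityID": "sp.phenixid.se", "ForceAuthn": "false"}
AUTHENTICATOR = {"id": "samlsp", "alias": "samlsp", "name": "SAMLServiceProviderAuthN",
                 "configuration": {"successURL": "/selfservice/", "sp": "sp.phenixid.se",
                                   "pipeID": "assertionConsumer",
                                   "targetIDP": "https://demo.phenixid.net/idp_rdweb_demo",
                                   "acsUrl": "https://sp.phenixid.se/selfservice/authenticate/samlsp",
                                   "entityID": "sp.phenixid.se"}}
PIPE = {"id": "assertionConsumer",
        "valves": [{"name": "AssertionConsumer", "config": {"clock_skew_minutes": "2"}}]}


def check_samlsp_config(sp, authn, pipe, keystore_ids):
    """Return a list of problems; an empty list means SAMLSP, authenticator and pipe agree."""
    problems = []
    if sp.get("id") != sp.get("entityID"):
        problems.append("SAMLSP: id and entityID must have the same value")
    for key in ("keystoreSign", "keystoreEncrypt"):
        if sp.get(key) not in keystore_ids:
            problems.append(f"SAMLSP: {key} does not reference an existing keystore")
    if sp.get("ForceAuthn", "false") not in ("true", "false"):
        problems.append('SAMLSP: ForceAuthn must be "true", "false" or omitted')
    cfg = authn.get("configuration", {})
    if authn.get("name") != "SAMLServiceProviderAuthN":
        problems.append("authenticator: name must be SAMLServiceProviderAuthN")
    if cfg.get("sp") != cfg.get("entityID"):
        problems.append("authenticator: sp and entityID must have the same value")
    if cfg.get("sp") != sp.get("id"):
        problems.append("authenticator: sp does not reference the SAMLSP id")
    if cfg.get("pipeID") != pipe.get("id"):
        problems.append("authenticator: pipeID does not match the pipe id")
    # Assumption inferred from the page's example, not a documented rule:
    # the ACS URL path ends with /authenticate/<authenticator alias>.
    if not urlparse(cfg.get("acsUrl", "")).path.endswith("/authenticate/" + str(authn.get("alias"))):
        problems.append("authenticator: acsUrl path does not end with /authenticate/<alias>")
    if not any(v.get("name") == "AssertionConsumer" for v in pipe.get("valves", [])):
        problems.append("pipe: no AssertionConsumer valve, so the SAML response is never consumed")
    return problems


if __name__ == "__main__":
    for problem in check_samlsp_config(SAMLSP, AUTHENTICATOR, PIPE, {"bhull"}) or ["OK"]:
        print(problem)
```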