PhenixID web apps authentication – SAML SP

The purpose of this document is to describe how to configure PhenixID server internal web applications for authentication using SAML Service Provider Authentication. This is used when the user authentication is performed on an external SAML Identity Provider.

Prerequisites

  • External SAML IdP Metadata (url or file)

Modules Required

  • auth-http
  • phenix-saml

Configure SAML IdP trust and SAML SP

  1. Follow the scenario: Federation / SAML SP Metadata Upload in order to configure trust with the SAML IdP.
  2. Add a keystore to use for the SAML signing and/or encryption. Keystore
  3. Open the Advanced tab. Define your sp in the SAMLSP section. Note that the id and entityID must have the same value.




{
 "id" : "<create_a_sp_name_and_put_it_here>",
 "keystoreSign" : "<point_to_the_keystore_id_added_in_previous_step>",
"keystoreEncrypt" : "<point_to_the_keystore_id_added_in_previous_step>",
"entityID" : "<create_a_sp_name_and_put_it_here>",
"ForceAuthn" : "<Set to true if ForceAuthn should be used in authnReq, otherwise false or omit parameter">
}

Example:

{
 "id" : "sp.phenixid.se",
 "keystoreSign" : "bhull",
 "keystoreEncrypt" : "bhull",
 "entityID" : "sp.phenixid.se",
 "ForceAuthn" : "false"
 }

Configuration - add SAMLServiceProviderAuthN authenticator and pipe

Configuration properties with descriptions can be found here.

Example configuration

The configuration must be added in the Advanced section of Configuration Manager.

HTTP Authenticators

{
 "id" : "samlsp",
 "alias" : "samlsp",
 "name" : "SAMLServiceProviderAuthN",
 "displayName" : "External IdP",
 "configuration" : {
 "successURL" : "/selfservice/",
 "sp" : "sp.phenixid.se",
 "pipeID" : "assertionConsumer",
 "targetIDP" : "https://demo.phenixid.net/idp_rdweb_demo",
 "acsUrl" : "https://sp.phenixid.se/selfservice/authenticate/samlsp",
 "entityID" : "sp.phenixid.se"
 }
 }

 

Pls note that entityID and sp must have the same value configured.

Pipe example 1

This example covers the use case when the incoming SAML assertion should be validated and the NameID should be used as identifier for the web application.

{
    "id": "assertionConsumer",
    "valves": [{
            "name": "AssertionConsumer",
            "config": {
                "clock_skew_minutes": "2"
            }
        },
        {
            "name": "FlowFailValve",
            "config": {
                "message": "User does not exist",
                "exec_if_expr": "flow.items().isEmpty()"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "roles",
                "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
                "enable_multi_value": "true"
            }
        }
    ]
}

Read this article to get the correct value for the roles property.

Pipe example 2

This example covers how to map the userid from the incoming SAML assertion to a different value used by the  web application.

In this  particular example, the value will be replaced by the sn attribute from an LDAP directory.

{
	"id": "assertionConsumer",
	"valves": [{
			"name": "AssertionConsumer",
			"config": {
				"clock_skew_minutes": "2"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "d26b9745-f213-4740-a5f1-7b966c732a3a",
				"base_dn": "DC=company,dc=local",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "sAMAccountName={{session.user_id}}",
				"attributes": "sn"
			}
		},
        {
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist in LDAP",
				"skip_if_expr": "flow.isMulti()"
			}
		},
		{
			"name": "ItemMergeValve",
			"config": {
				"dest_id": "{{session.user_id}}"
			}
		},
		{
			"name": "SessionBindToUidValve",
			"config": {
				"userid": "{{item.sn}}"
			}
		},
		{
			"name": "SessionPersistValve",
			"config": {}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "roles",
				"value": "auth:972421be-7bac-4b02-b7bb-77d970eecc0e",
				"enable_multi_value": "true"
			}
		}
	]
}