SAML IdP Discovery

This document describes how to consume an external SAML IdP Discovery Service when PhenixID is acting as a SAML Service Provider against an aggregated federation, such as SAMBI or Skolfederation.

The reader of this document should have some basic knowledge about PhenixID Server.

We will make changes to phenix-store.json, so make sure to have a recent copy/backup of this file before you start.

System requirements

- PhenixID Server v 2.7 or higher installed.

- PAS authenticator SAMLServiceProviderAuthN or SAMLSPBroker (depending on your authentication scenario) set up against an aggregated federation that provides an IdP Discovery Service.

Overview

PhenixID Authentication Services (PAS) will act as a SAML Service Provider against an aggregated federation, such as SAMBI or Skolfederation.

The PAS SAML Service Provider will send the browser to an external IdP Discovery Service where the user selects an IdP / organization. The discovery result (i.e. the entityID of the selected IdP) is sent back to the PAS SP on the return URL registered in the SP metadata. The PAS SP picks up the selected IdP and starts the "ordinary" login by sending an authentication request to that IdP.
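The exchange described above, written out as an added example that is not part of the original page or of PhenixID's own code. It models the three parties with plain functions: the SP builds the discovery request, the discovery service (DS) validates the return URL against the SP's registered DiscoveryResponse endpoint before redirecting back, and the SP accepts the returned entityID only if it belongs to an IdP it already trusts. The entityID, ACS URL and discovery URL are taken from the example configuration later on this page; the registered-endpoint table and the list of trusted IdPs are constructed stand-ins for what the DS and the SP would read from federation metadata.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed values for this example. The SP entityID, return URL and
# discovery URL mirror the example authenticator configuration on this page.
SP_ENTITY_ID = "https://ubuntu.phenixid.local/saml/sp"
SP_RETURN_URL = "https://ubuntu.phenixid.local:8443/saml/authenticate/sp"
DISCOVERY_URL = "https://apache.phenixid.se/discovery/DS"

# What the DS knows about the SP from its registered metadata: the Location of
# its idpdisc:DiscoveryResponse endpoint(s), keyed by SP entityID. Constructed.
REGISTERED_DISCOVERY_RESPONSES = {SP_ENTITY_ID: {SP_RETURN_URL}}

# IdP entityIDs the SP trusts. In practice these come from the federation
# metadata the SP already consumes. Constructed.
TRUSTED_IDPS = {"https://phenixid.se/samlidp", "https://idp.example.org/saml"}


def build_discovery_request(sp_entity_id, return_url, discovery_url,
                            return_id_param="entityID", is_passive=False):
    """SP side: the URL the SP redirects the browser to (discovery request)."""
    params = {"entityID": sp_entity_id, "return": return_url,
              "returnIDParam": return_id_param}
    if is_passive:
        params["isPassive"] = "true"
    return discovery_url + "?" + urlencode(params)


def _without_query(url):
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def ds_handle_request(request_url, selected_idp,
                      registered=REGISTERED_DISCOVERY_RESPONSES):
    """DS side: check the request against the SP's metadata, then build the
    redirect back to the SP carrying the IdP the user picked.
    selected_idp=None models a user who made no choice (isPassive case)."""
    q = parse_qs(urlsplit(request_url).query)
    sp_entity_id = q["entityID"][0]
    return_url = q.get("return", [None])[0]
    return_id_param = q.get("returnIDParam", ["entityID"])[0]

    allowed = registered.get(sp_entity_id)
    if not allowed:
        raise ValueError(f"unknown SP: {sp_entity_id}")
    if return_url is None:
        # No return given: fall back to the SP's registered endpoint.
        return_url = sorted(allowed)[0]
    elif _without_query(return_url) not in allowed:
        # This check is what stops the DS being used as an open redirector:
        # only a Location registered in the SP's metadata is honoured.
        raise ValueError(f"return URL not registered for {sp_entity_id}: {return_url}")

    if selected_idp is None:
        return return_url
    parts = urlsplit(return_url)
    query = parts.query + ("&" if parts.query else "") + urlencode({return_id_param: selected_idp})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def sp_handle_response(response_url, trusted_idps=TRUSTED_IDPS, return_id_param="entityID"):
    """SP side: read the chosen IdP out of the redirect back from the DS and
    accept it only if it is an IdP the SP already trusts. Returns None when
    the DS came back without a selection."""
    q = parse_qs(urlsplit(response_url).query)
    chosen = q.get(return_id_param, [None])[0]
    if chosen is None:
        return None
    if chosen not in trusted_idps:
        raise ValueError(f"discovery returned an IdP outside the federation: {chosen}")
    return chosen


if __name__ == "__main__":
    req = build_discovery_request(SP_ENTITY_ID, SP_RETURN_URL, DISCOVERY_URL)
    resp = ds_handle_request(req, "https://phenixid.se/samlidp")
    print("SP -> DS:", req)
    print("DS -> SP:", resp)
    print("SP will send its AuthnRequest to:", sp_handle_response(resp))
```

The two validation steps are the security-relevant parts: the DS refuses a `return` that is not registered for the SP (so a crafted link cannot turn the discovery service into a redirector), and the SP refuses an entityID it does not already have metadata for (so a manipulated response cannot make it send an authentication request to an arbitrary IdP).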

Configure your authenticator

Set the parameter "discoveryUrl" on the authenticator to the URL of the IdP Discovery Service. With this parameter set, the authenticator redirects the user to that service to select an IdP.


Example conf:

{
	"id": "sp",
	"alias": "sp",
	"name": "SAMLServiceProviderAuthN",
	"displayName": "eIDAS",
	"configuration": {
		"sp": "https://ubuntu.phenixid.local/saml/sp",
		"pipeID": "pipeAssertionConsumer",
		"successURL": "/saml/selfservice/",
		"acsUrl": "https://ubuntu.phenixid.local:8443/saml/authenticate/sp",
		"entityID": "https://ubuntu.phenixid.local/saml/sp",
		"targetIDP": "https://phenixid.se/samlidp",
		"discoveryUrl": "https://apache.phenixid.se/discovery/DS",
		"addsignature": "true"
	}
}

Extract your metadata

1. Fetch your SP metadata by opening the URL:
For a SAMLServiceProviderAuthN authenticator: <acsUrl_in_authenticator_conf>?getSPMeta
For a SAMLSPBroker authenticator: <acsUrl_in_authenticator_conf>?getMeta

2. Save the produced metadata to a xml file.

3. Open the xml file in a text editor.

4. Manually add an Extensions block containing an idpdisc:DiscoveryResponse element. The IdP Discovery Service uses this endpoint as the return URL, and a conformant discovery service will only send the browser back to a Location registered here, so the Location value must be identical to the acsUrl value in the authenticator configuration. The block goes inside the SPSSODescriptor tag; per the SAML metadata schema, md:Extensions must be the first child of SPSSODescriptor (after the ds:Signature element, if the metadata is signed). Example:

<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
        <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="1"/>
    </md:Extensions>
    <!-- the existing KeyDescriptor, NameIDFormat and AssertionConsumerService elements remain below -->
</md:SPSSODescriptor>

5. Save the file.

6. The metadata for your SP must now be provided to the IdP Discovery Service (or to the aggregated federation, which distributes it to the discovery service). Until the federation has published the updated metadata, the discovery service has no registered return URL for your SP and will not send the browser back to it.
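Steps 2 to 5 as a script, added here as an example that is not part of the original page or of PhenixID's own tooling. It inserts the idpdisc:DiscoveryResponse into the SPSSODescriptor in the schema-correct position, takes the Location from the SP's own AssertionConsumerService so that it cannot drift from acsUrl, and includes a pre-flight check to run before handing the file to the federation. The embedded metadata document is a constructed stand-in for what ?getSPMeta returns; its entityID and ACS URL mirror the example configuration above.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
IDPDISC_NS = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
for _prefix, _uri in (("md", MD_NS), ("ds", DS_NS), ("idpdisc", IDPDISC_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for the metadata PhenixID returns on <acsUrl>?getSPMeta.
# The entityID and ACS URL mirror the example authenticator configuration above.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ubuntu.phenixid.local/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _md(tag):
    return f"{{{MD_NS}}}{tag}"


def _parse(metadata_xml):
    if isinstance(metadata_xml, str):
        metadata_xml = metadata_xml.encode("utf-8")
    return ET.fromstring(metadata_xml)


def add_discovery_response(metadata_xml, acs_url=None):
    """Return the metadata with an idpdisc:DiscoveryResponse whose Location is
    acs_url (default: the SP's default AssertionConsumerService). Idempotent."""
    root = _parse(metadata_xml)
    spsso = root.find(_md("SPSSODescriptor"))
    if spsso is None:
        raise ValueError("metadata has no SPSSODescriptor; is this really SP metadata?")

    acs = spsso.findall(_md("AssertionConsumerService"))
    if acs_url is None:
        default = [a for a in acs if a.get("isDefault") == "true"] or acs
        acs_url = default[0].get("Location")
    if acs_url not in {a.get("Location") for a in acs}:
        # The DS only ever sends the browser back to this Location, so it has to
        # be an endpoint the SP really serves (the page: Location == acsUrl).
        raise ValueError(f"{acs_url} is not an AssertionConsumerService of this SP")

    ext = spsso.find(_md("Extensions"))
    if ext is None:
        # Schema order: md:Extensions precedes every other child of
        # SPSSODescriptor except an enveloped ds:Signature.
        pos = 1 if len(spsso) and spsso[0].tag == f"{{{DS_NS}}}Signature" else 0
        ext = ET.Element(_md("Extensions"))
        spsso.insert(pos, ext)

    existing = ext.findall(f"{{{IDPDISC_NS}}}DiscoveryResponse")
    if acs_url not in {d.get("Location") for d in existing}:
        next_index = max((int(d.get("index", "0")) for d in existing), default=0) + 1
        ET.SubElement(ext, f"{{{IDPDISC_NS}}}DiscoveryResponse",
                      {"Binding": IDPDISC_NS, "Location": acs_url, "index": str(next_index)})
    return ET.tostring(root, encoding="unicode")


def check_discovery_responses(metadata_xml):
    """Pre-flight before the metadata goes to the federation: Extensions in the
    schema position, the discovery-protocol Binding, and every Location an ACS
    endpoint of this SP. Returns the registered discovery return Locations."""
    root = _parse(metadata_xml)
    spsso = root.find(_md("SPSSODescriptor"))
    if spsso is None:
        raise ValueError("metadata has no SPSSODescriptor")
    children = [c for c in spsso if c.tag != f"{{{DS_NS}}}Signature"]
    if not children or children[0].tag != _md("Extensions"):
        raise ValueError("md:Extensions is missing or is not the first element of SPSSODescriptor")
    acs_locations = {a.get("Location") for a in spsso.findall(_md("AssertionConsumerService"))}
    locations = []
    for d in children[0].findall(f"{{{IDPDISC_NS}}}DiscoveryResponse"):
        if d.get("Binding") != IDPDISC_NS:
            raise ValueError(f"unexpected DiscoveryResponse Binding: {d.get('Binding')}")
        if d.get("Location") not in acs_locations:
            raise ValueError(f"DiscoveryResponse Location {d.get('Location')} is not an ACS URL of this SP")
        locations.append(d.get("Location"))
    if not locations:
        raise ValueError("no idpdisc:DiscoveryResponse registered")
    return locations


if __name__ == "__main__":
    patched = add_discovery_response(SAMPLE_SP_METADATA)
    print(patched)
    print("discovery return endpoints:", check_discovery_responses(patched))
```

Running the check on the unmodified ?getSPMeta output fails, which is the expected starting point; it passes once the element is in place. If the metadata you fetched is signed, editing it invalidates the signature, so the federation must either re-sign it or accept it over a trusted channel; the script does not sign.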

Test

Test it out by browsing to the service you protect. The PhenixID SAML Service Provider (i.e. the authenticator SAMLServiceProviderAuthN or SAMLSPBroker) should now redirect the browser to the IdP Discovery Service. After selecting an IdP, the browser should be redirected back to the PhenixID SAML Service Provider, which then starts the "normal" login flow by sending an authentication request to the selected IdP. If the browser is not sent back after the selection, the most likely cause is that the discovery service does not yet have your updated metadata with the DiscoveryResponse endpoint, or that its Location does not match acsUrl exactly.