PhenixID DocumentationPhenixID Authentication ServicesSolutions Authentication flowsConfigure a fail over authenticator for Integrated Windows Authentication

Configure a fail over authenticator for Integrated Windows Authentication

This solution document describes how to configure a solution when the primary authentication is failing and the user is redirected to a username and password authenticator.

Please note that this solution document only describes how this can be accomplished. Adjust the configuration to match your environment

This instruction should only be used by a certified PhenixID Server administrator.


Prerequisities

The IWA authenticator (SAMLWindowsSSO) is configured and working

The Username and password authenticator (PostUidAndPasswordSAML) is configured and working

PAS 3.x or later has to be installed

Configuration

Authenticator

Add the parameter errorRedirect to redirect all failed authentications from the IWA authenticator to the Username Password authenticator.

<p>{
        "id": "4781eb6b-a840-4f90-b1e1-8f234bc84898",
        "alias": "iwa",
        "name": "SAMLWindowsSSO",
        "displayName": "IWA",
        "configuration": {
            "pipeID": "f2b899c6-f3b2-4457-8085-2b2f8d5046bf",
            "idpID": "dc528f2b-ca43-4f69-8a57-721a8b5b9551",
            "authProtocol": "Negotiate",
            "errorRedirect": "/saml/authenticate/noiwa"
        }
    }
</p>

Add the parameter sessionValues to the username and password authenticator, to allow the session from the IWA authentication to be fetched.

<p>{
        "id": "8ff489c6-74b5-4540-b1b0-54c3ae73b364",
        "alias": "noiwa",
        "name": "PostUidAndPasswordSAML",
        "displayName": "NoIWA",
        "configuration": {
            "pipeID": "e2258d3d-964f-44a7-b384-7dbbfce7514f",
            "idpID": "dc528f2b-ca43-4f69-8a57-721a8b5b9551",
            "loginTemplate": "loginNoIWA.template",
            "sessionValues": [
                "mySession"
            ]
        }
  }
</p>

Template

The default login template has been modified in order to work with this scenario.


Pipes

The pipe for IWA has to be modified to also add the value of the current session as "mySession", which will be used by the Username and Password authenticator.

<p>[{
        "id": "IWA-PIPE",
        "valves": [{
            "name": "LDAPSearchValve",
            "config": {
                "connection_ref": "53b1fa60-31c2-4f35-9d86-767a73df4e28",
                "base_dn": "DC=company,DC=local",
                "scope": "SUB",
                "size_limit": "0",
                "filter_template": "samAccountName={{request.username}}"
            }
        }, {
            "name": "SessionLoadValve",
            "config": {
                "id": "{{request.session_id}}"
            }
        }, {
            "name": "SessionPropertyReplaceValve",
            "config": {
                "name": "mySession",
                "value": "{{request.session_id}}"
            }
        }, {
            "name": "SessionPersistValve",
            "config": {}
        }, {
            "name": "FlowFailValve",
            "config": {
                "message": "Everything should fail in this scenario"
            }
        }, {
            "name": "AssertionProvider",
            "config": {
                "targetEntityID": "dc528f2b-ca43-4f69-8a57-721a8b5b9551",
                "nameIDAttribute": "sAMAccountName",
                "sourceID": "https://apache.phenixid.se/saml"
            }
        }]
    }
</p>

The Username and password pipe has to be modified to be able to handle all scenarios.

<p>{
        "id": "NOIWA-PIPE",
        "valves": [{
            "name": "InputParameterExistValidatorValve",
            "config": {
                "param_name": "password",
                "skip_if_expr": "request.authenticatedrequest === 'true'"
            }
        }, {
            "name": "LDAPSearchValve",
            "config": {
                "connection_ref": "53b1fa60-31c2-4f35-9d86-767a73df4e28",
                "base_dn": "DC=company,DC=local",
                "scope": "SUB",
                "size_limit": "0",
                "filter_template": "samAccountName={{request.username}}"
            }
        }, {
            "name": "ItemCreateValve",
            "config": {
                "exec_if_expr": "flow.isEmpty()",
                "dest_id": "dummy"
            }
        }, {
            "name": "SessionLoadValve",
            "config": {
                "id": "{{request.session_id}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "SessionPropertyReplaceValve",
            "config": {
                "name": "mySession",
                "value": "{{request.session_id}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "SessionPersistValve",
            "config": {
                "skip_if_expr": "request.get('session_id') === request.get('mySession’)"
            }
        }, {
            "name": "SessionLoadValve",
            "config": {
                "id": "{{request.mySession}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "PropertyAddValve",
            "config": {
                "name": "SAMLRequest",
                "value": "{{session.SAMLRequest}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "PropertyAddValve",
            "config": {
                "name": "RelayState",
                "value": "{{session.RelayState}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "SessionLoadValve",
            "config": {
                "id": "{{request.session_id}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "SessionPropertyReplaceValve",
            "config": {
                "name": "SAMLRequest",
                "value": "{{item.SAMLRequest}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "SessionPropertyReplaceValve",
            "config": {
                "name": "RelayState",
                "value": "{{item.RelayState}}",
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "SessionPersistValve",
            "config": {
                "skip_if_expr": "request.get('session_id') === request.get('mySession')"
            }
        }, {
            "name": "ItemRemoveValve",
            "config": {
                "item_include_expr": "item.getId() === 'dummy'"
            }
        }, {
            "name": "LDAPBindValve",
            "config": {
                "connection_ref": "53b1fa60-31c2-4f35-9d86-767a73df4e28",
                "password_param_name": "password"
            }
        }, {
            "name": "PropertyRemoveValve",
            "config": {
                "name": "SAMLRequest,RelayState"
            }
        }, {
            "name": "AssertionProvider",
            "config": {
                "targetEntityID": "dc528f2b-ca43-4f69-8a57-721a8b5b9551",
                "sourceID": "",
                "nameIDAttribute": "sAMAccountName",
                "additionalAttributes": "sAMAccountName"
            }
        }]
    }
</p>

Testing

1: Browse to the SP protected by this IdP.

2: User is redirected to the IWA Authenticator

3a: User is authenticated by the IWA  Authenticator. 

3b: User is NOT authenticated by the IWA Authenticator.

4b: User is redirected to the Username and Password Authenticator.

5b :User  is authenticated by the Username and Password Authenticator.

6: User is redirected to the SP with a SAML Assertion.