Activate Pocket Pass - Change authentication method

This document describes how to change the authentication method for the Activate Pocket Pass application (by default it is protected with username/password). This is done using an internal SAML federation flow in which Activate Pocket Pass acts as a SAML SP connected to a SAML IdP.

Requirements

- PhenixID Pocket Pass activation application configured

Configure authentication method

  • Login to Configuration Manager
  • Set up a SAML IdP with the required authentication method using Scenarios->Federation-><Method>.
    (If the required method is not listed, consult the documentation at http://document.phenixid.net -> Solutions -> Authentication flows -> SAML.)
    • Set the entityID to ACTIVATEPP-IDP
    • Set NameID to the attribute containing the userID (such as userPrincipalName, sAMAccountName or mail)

Protect the Pocket Pass activation application with a SAML SP

Get keystore id

  • Login to Configuration Manager
  • Navigate to Advanced -> Keystores
  • Locate the keystore object with "name":"Default auto generated server keystore"
  • Copy the id value from the keystore

Add SAML SP base configuration

  • Navigate to Advanced -> SAML 2 Service Providers
  • Add this object
{
	"id": "ACTIVATEPP-SP",
	"keystoreSign": "<REPLACE_THIS_WITH_THE_KEYSTORE_ID_COPIED_IN_PREVIOUS_STEP>",
	"entityID": "ACTIVATEPP-SP"
}

Example:

{
	"id": "ACTIVATEPP-SP",
	"keystoreSign": "f2b90db8-b188-449b-8edc-163b8e3091cf",
	"entityID": "ACTIVATEPP-SP"
}

Add SAML SP authenticator

  • Navigate to Advanced -> Authentication - HTTP
  • Add this object
{
	"id": "activateppsp",
	"alias": "activateppsp",
	"name": "SAMLServiceProviderAuthN",
	"description": "SAML service provider for activate Pocket Pass application",
	"configuration": {
		"successURL": "/activatepocketpass/",
		"sp": "ACTIVATEPP-SP",
		"pipeID": "pipeAssertionConsumerAP",
		"acsUrl": "/activatepocketpass/authenticate/activateppsp",
		"entityID": "ACTIVATEPP-SP",
		"targetIDP": "ACTIVATEPP-IDP"
	}
}

Get the required role value

  • Navigate to Advanced -> Modules
  • Locate the module object with "name": "com.phenixidentity~phenix-prism-enroll-oath"
  • Copy the requires_role value

Add pipe

  • Navigate to Advanced -> Pipes
  • Add this pipe:
{
	"id": "pipeAssertionConsumerAP",
	"valves": [
		{
			"name": "AssertionConsumer",
			"config": {}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "roles",
				"value": "<REPLACE_WITH_PREVIOUSLY_FETCHED_REQUIRED_ROLE_VALUE>",
				"enable_multi_value": "true"
			}
		}
	]
}

Example pipe:

{
	"id": "pipeAssertionConsumerAP",
	"valves": [
		{
			"name": "AssertionConsumer",
			"config": {}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "roles",
				"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
				"enable_multi_value": "true"
			}
		}
	]
}

Enable the SAML SP authenticator

  • Navigate to Advanced -> Modules
  • Locate the module with "base_url": "/activatepocketpass"
  • Comment out the current auth_redirect_url parameter by adding another _ prefix to its name
  • Add the parameter "auth_redirect_url": "/activatepocketpass/authenticate/activateppsp"

See example:
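The objects added in the steps above reference each other by id (SP -> keystore, authenticator -> SP, pipe and IdP, pipe -> required role, module -> authenticator acsUrl), and a single unreplaced placeholder or mismatched id leaves the activation application unreachable. The script below is an added example, not part of this guide or of the PhenixID product: it embeds constructed copies of the objects (the keystore id and role value are the sample values from this page, not values from a live system, and the module's original redirect value is a placeholder) and reports any reference that does not resolve. The assumption that acsUrl equals base_url + "/authenticate/" + the authenticator alias is drawn from the values in this guide.

```python
# Added example: cross-check the objects from this guide for dangling references.
# Sample data is constructed; the keystore id and role value are example values.
import copy

ENROLL_MODULE = "com.phenixidentity~phenix-prism-enroll-oath"
APP_BASE_URL = "/activatepocketpass"
IDP_ENTITY_IDS = ["ACTIVATEPP-IDP"]  # entityID set in the Scenarios -> Federation step

KEYSTORES = [{"id": "f2b90db8-b188-449b-8edc-163b8e3091cf",
              "name": "Default auto generated server keystore"}]
SAML_SPS = [{"id": "ACTIVATEPP-SP", "entityID": "ACTIVATEPP-SP",
             "keystoreSign": "f2b90db8-b188-449b-8edc-163b8e3091cf"}]
AUTHENTICATORS = [{"id": "activateppsp", "alias": "activateppsp",
                   "name": "SAMLServiceProviderAuthN",
                   "configuration": {"successURL": "/activatepocketpass/",
                                     "sp": "ACTIVATEPP-SP",
                                     "pipeID": "pipeAssertionConsumerAP",
                                     "acsUrl": "/activatepocketpass/authenticate/activateppsp",
                                     "entityID": "ACTIVATEPP-SP",
                                     "targetIDP": "ACTIVATEPP-IDP"}}]
PIPES = [{"id": "pipeAssertionConsumerAP", "valves": [
    {"name": "AssertionConsumer", "config": {}},
    {"name": "FlowFailValve", "config": {"message": "User does not exist",
                                         "exec_if_expr": "flow.items().isEmpty()"}},
    {"name": "PropertyAddValve", "config": {"name": "roles", "enable_multi_value": "true",
                                            "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"}}]}]
MODULES = [
    {"name": ENROLL_MODULE, "requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"},
    # Activation app module after the last step: the old redirect key is
    # "commented out" with an extra underscore (its old value is a placeholder here).
    {"base_url": APP_BASE_URL, "_auth_redirect_url": "<ORIGINAL_VALUE>",
     "auth_redirect_url": "/activatepocketpass/authenticate/activateppsp"}]


def is_placeholder(value):
    """True for template values such as <REPLACE_...> that were never filled in."""
    return isinstance(value, str) and value.startswith("<") and value.endswith(">")


def check_config(keystores, saml_sps, authenticators, pipes, modules, idp_entity_ids):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    keystore_ids = {k["id"] for k in keystores}
    sps_by_id = {sp["id"]: sp for sp in saml_sps}
    pipes_by_id = {p["id"]: p for p in pipes}
    required_role = next((m.get("requires_role") for m in modules
                          if m.get("name") == ENROLL_MODULE), None)
    app_module = next((m for m in modules if m.get("base_url") == APP_BASE_URL), None)

    for sp in saml_sps:  # the SP must sign with an existing keystore
        ks = sp.get("keystoreSign")
        if is_placeholder(ks) or ks not in keystore_ids:
            problems.append(f"SP {sp['id']}: keystoreSign {ks!r} is not a known keystore id")

    for auth in authenticators:
        cfg = auth["configuration"]
        sp = sps_by_id.get(cfg.get("sp"))
        if sp is None:
            problems.append(f"{auth['id']}: sp {cfg.get('sp')!r} does not exist")
        elif cfg.get("entityID") != sp["entityID"]:
            problems.append(f"{auth['id']}: entityID differs from the SP entityID")
        if cfg.get("targetIDP") not in idp_entity_ids:
            problems.append(f"{auth['id']}: targetIDP {cfg.get('targetIDP')!r} is not an IdP entityID")
        # Assumption taken from the guide's values: acsUrl = base_url/authenticate/<alias>
        if cfg.get("acsUrl") != f"{APP_BASE_URL}/authenticate/{auth['alias']}":
            problems.append(f"{auth['id']}: acsUrl does not match base_url/authenticate/alias")
        pipe = pipes_by_id.get(cfg.get("pipeID"))
        if pipe is None:
            problems.append(f"{auth['id']}: pipeID {cfg.get('pipeID')!r} does not exist")
        else:  # the pipe must grant exactly the role the enrollment module requires
            roles = [v["config"].get("value") for v in pipe["valves"]
                     if v["name"] == "PropertyAddValve" and v["config"].get("name") == "roles"]
            if required_role is None or required_role not in roles or any(map(is_placeholder, roles)):
                problems.append(f"{pipe['id']}: roles valve does not add the enroll module's requires_role")
        if app_module is None:
            problems.append(f"no module with base_url {APP_BASE_URL}")
        elif app_module.get("auth_redirect_url") != cfg.get("acsUrl"):
            problems.append(f"module {APP_BASE_URL}: auth_redirect_url does not point at the SP acsUrl")
    return problems


def check_sample():
    """Run the checks against the fully filled-in sample objects above."""
    return check_config(KEYSTORES, SAML_SPS, AUTHENTICATORS, PIPES, MODULES, IDP_ENTITY_IDS)


def check_with_placeholders():
    """Same objects, but with the guide's two <REPLACE_...> placeholders left in."""
    sps, pipes = copy.deepcopy(SAML_SPS), copy.deepcopy(PIPES)
    sps[0]["keystoreSign"] = "<REPLACE_THIS_WITH_THE_KEYSTORE_ID_COPIED_IN_PREVIOUS_STEP>"
    pipes[0]["valves"][2]["config"]["value"] = "<REPLACE_WITH_PREVIOUSLY_FETCHED_REQUIRED_ROLE_VALUE>"
    return check_config(KEYSTORES, sps, AUTHENTICATORS, pipes, MODULES, IDP_ENTITY_IDS)


if __name__ == "__main__":
    for line in check_sample() or ["OK: every reference resolves"]:
        print(line)
    for line in check_with_placeholders():
        print("placeholders left in:", line)
```

To use it against a real installation, paste the exported objects from Configuration Manager into the five lists and run the script before enabling the authenticator; the filled-in sample reports nothing, while the template objects with their placeholders still in place produce one finding for the keystore and one for the roles valve.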

Test

Error tracing

Check the server.log file for errors.