SAML - Windows SSO authentication

The purpose of this document is to describe how to configure PhenixID server for federation with SAML2 using Windows SSO (Kerberos or NTLM) authentication.

Prerequisites

  • PhenixID Server configured according to this instruction: "Federation - Username and password"

  • Windows settings:
    – Install PAS on a Windows Server that is a member of an Active Directory domain.
    – Create a service account, for example:
      CN=phxid,CN=Users,DC=company,DC=local
    – Change the service "PhenixID service" to run as CN=phxid,CN=Users,DC=company,DC=local
    – Register a DNS A record for the host name that browsers will use (an A record rather than a CNAME, because browsers differ in whether they canonicalize a CNAME before building the SPN HTTP/<host name>):
      A    phenixid.company.local    127.0.0.1
      (127.0.0.1 only works for a browser on the server itself; use the server's real address otherwise)
    – Register the SPN from a command prompt. Setspn -S checks that the SPN is not already registered on another account before adding it; a duplicate SPN breaks Kerberos for that name.

      C:\Users\Administrator>Setspn -S HTTP/phenixid.company.local phxid

      Checking domain DC=company,DC=local
      Registering ServicePrincipalNames for CN=phxid,CN=Users,DC=company,DC=local
              HTTP/phenixid.company.local
      Updated object

      C:\Users\Administrator>Setspn -S HTTPS/phenixid.company.local phxid

      Checking domain DC=company,DC=local
      Registering ServicePrincipalNames for CN=phxid,CN=Users,DC=company,DC=local
              HTTPS/phenixid.company.local
      Updated object

      Note that browsers request the HTTP/ service class for https:// URLs as well, so the HTTP/ SPN is the one that must be correct; the HTTPS/ SPN is harmless but is not used by the browser.
    – If testing with a web browser directly on the server, the loopback check must be disabled. Do not do this in production environments!
      https://support.microsoft.com/en-us/kb/896861, workaround method 2 (DisableLoopbackCheck). Method 1 in the same article (BackConnectionHostNames, which only exempts the listed host names) is the narrower alternative if a local test cannot be avoided.

    Example values used in the description above:
      http domain: phenixid.company.local
      Service account: CN=phxid,CN=Users,DC=company,DC=local
    (Change the above to match your environment)
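The following script is an added example, not part of the PhenixID documentation: it checks the Windows-side prerequisites above (DNS record, SPN registration and uniqueness, service logon account, the loopback workaround, and whether a service ticket for the SPN can actually be obtained) before the PhenixID configuration is touched. It assumes an elevated PowerShell session on the domain-joined PAS host, run as a domain user, the example values from this page, and that "PhenixID service" is the Windows service's Name or DisplayName (an assumption; adjust if the installed service is named differently).

```powershell
# Added example (not PhenixID's own code): verify the Windows prerequisites for Kerberos SSO.
# Assumptions: elevated PowerShell on the domain-joined PAS host, run as a domain user;
# the three values below are the example values from this page.
$HostName       = 'phenixid.company.local'
$ServiceAccount = 'phxid'
$ServiceName    = 'PhenixID service'   # assumed service Name/DisplayName

$ok = $true

# 1. DNS: the host name in the browser URL must resolve. Browsers differ in whether they
#    canonicalize a CNAME before building the SPN, so an A record is the safe choice.
$dns = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue
$aRecords = @($dns | Where-Object { $_.Type -eq 'A' })
if ($aRecords.Count -gt 0) {
    Write-Host "DNS OK: $HostName -> $($aRecords.IPAddress -join ', ')"
    if ($dns | Where-Object { $_.Type -eq 'CNAME' }) {
        Write-Warning "DNS: $HostName is a CNAME; some browsers will build the SPN from the canonical name"
    }
} else {
    Write-Warning "DNS: $HostName has no A record"; $ok = $false
}

# 2. SPN: HTTP/<host> must be registered on the service account. Browsers use the HTTP/
#    service class for https:// URLs too, so this is the SPN that matters.
$spns = & setspn -L $ServiceAccount 2>&1 | Out-String
if ($spns -match "(?m)^\s*HTTP/$([regex]::Escape($HostName))\s*$") {
    Write-Host "SPN OK: HTTP/$HostName is registered on $ServiceAccount"
} else {
    Write-Warning "SPN: HTTP/$HostName is not registered on $ServiceAccount`n$spns"; $ok = $false
}

# 3. A duplicate SPN leaves the KDC unable to pick a key and breaks Kerberos for that name;
#    setspn -X -F searches the whole forest for duplicates.
$dup = & setspn -X -F 2>&1 | Out-String
if ($dup -match 'found 0 group') {
    Write-Host 'SPN OK: no duplicate SPNs in the forest'
} else {
    Write-Warning "SPN: duplicate SPNs reported, review the output:`n$dup"; $ok = $false
}

# 4. The service must run as the account that owns the SPN; the service ticket is
#    encrypted with that account's key and nothing else can decrypt it.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName' OR DisplayName='$ServiceName'" |
       Select-Object -First 1
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found"; $ok = $false
} elseif ($svc.StartName -match "(^|\\)$([regex]::Escape($ServiceAccount))(@|$)") {
    Write-Host "Service OK: '$($svc.DisplayName)' runs as $($svc.StartName)"
} else {
    Write-Warning "Service '$($svc.DisplayName)' runs as $($svc.StartName), expected $ServiceAccount"; $ok = $false
}

# 5. The KB896861 method 2 workaround must not survive into production.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set (KB896861 method 2); remove it before going to production'
}

# 6. End-to-end check from the current domain user: ask the KDC for a service ticket for
#    the SPN. Wrong SPN, unsupported encryption types or an unreachable KDC all fail here,
#    before any browser is involved.
$klist = & klist get "HTTP/$HostName" 2>&1 | Out-String
if ($klist -match "(?m)^\s*Server:\s*HTTP/$([regex]::Escape($HostName))") {
    Write-Host "Kerberos OK: service ticket for HTTP/$HostName obtained"
} else {
    Write-Warning "Kerberos: could not obtain a ticket for HTTP/$HostName`n$klist"; $ok = $false
}

if ($ok) { Write-Host 'All prerequisite checks passed' } else { Write-Host 'Fix the warnings above before continuing'; exit 1 }
```

Run it once after the SPN registration and again after the service account change; step 6 is the quickest way to tell a Kerberos problem (no ticket at all) from a PhenixID configuration problem (ticket obtained, but the browser still falls back to a login form or NTLM).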

Convert the Federation - Username and Password scenario to SAMLWindowsSSO

Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario. Before editing it, copy three values from it; they are needed when the SAMLDataSave authenticator is added in the next section:

  • Copy the alias value (the current one, before it is changed below)
  • Copy the idpID value
  • Copy the id value

Then change the entry:

  • Change the value of the name parameter from PostUidAndPasswordSAML to SAMLWindowsSSO
  • Change the value of the alias parameter to myWinSSO
  • In the configuration part, keep the pipeID and idpID parameters
  • Add the required configuration parameters for this authenticator by viewing the article for this authenticator type.

Click Stage changes and then Commit changes

Add SAMLDataSave authenticator

  • Login to Configuration Manager
  • Advanced
  • Click the plus sign next to Authenticators - HTTP
  • Add a SAMLDataSave authenticator. It is registered under the alias the username/password authenticator used, so SAML requests keep arriving at the same endpoint, and it hands the request on to the SAMLWindowsSSO authenticator through nextAuthenticator:

{
  "alias": "REPLACE_THIS_WITH_alias_VALUE_COPIED_IN_PREVIOUS_STEP",
  "name": "SAMLDataSave",
  "configuration": {
    "idpID": "REPLACE_THIS_WITH_idpID_VALUE_COPIED_IN_PREVIOUS_STEP",
    "nextAuthenticator": "REPLACE_THIS_WITH_id_VALUE_COPIED_IN_PREVIOUS_STEP"
  }
}

Click Stage Changes and Commit Changes.

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve). Both belong to the username/password scenario: with Windows SSO there is no posted username and password to validate and no LDAP bind to perform, since the user has already been authenticated by Kerberos or NTLM.
  3. Click Save

Group membership limits (Kerberos token size)

Users who are members of a large number of groups may fail Kerberos authentication: the group SIDs travel in the ticket's PAC, and the resulting token can exceed the MaxTokenSize limit. With HTTP Negotiate the same ticket also has to fit in the Authorization request header. See this article for details and for raising MaxTokenSize: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups
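The script below is an added example, not part of the PhenixID documentation: it reads a user's transitive group membership from Active Directory, estimates the resulting Kerberos token size with the worst-case form of Microsoft's MaxTokenSize formula, and compares it with the MaxTokenSize in effect on the host. It assumes a domain-joined host, and "jdoe" is a constructed example sAMAccountName to be replaced with a real user.

```powershell
# Added example (not PhenixID's own code): estimate a user's Kerberos token size and
# compare it with MaxTokenSize. Assumes a domain-joined host; 'jdoe' is a constructed
# example account name.
param([string]$SamAccountName = 'jdoe')

Add-Type -AssemblyName System.DirectoryServices

# DirectorySearcher defaults to the current domain as search root.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))")
$found = $searcher.FindOne()
if (-not $found) { throw "User '$SamAccountName' not found in the current domain" }
$user = $found.GetDirectoryEntry()

# tokenGroups is a constructed attribute that is only returned when asked for explicitly.
# It is the transitive set of group SIDs (nested groups included) that ends up in the
# user's PAC, which is exactly what the token size depends on.
$user.RefreshCache([string[]]@('tokenGroups', 'sIDHistory'))
$groupCount      = @($user.Properties['tokenGroups']).Count
$sidHistoryCount = @($user.Properties['sIDHistory']).Count

# Microsoft's sizing formula is 1200 bytes of fixed overhead, 8 bytes per global group and
# 40 bytes per domain-local/universal group or sIDHistory entry. Counting every SID at
# 40 bytes gives a safe upper bound without having to classify each group.
$estimate = 1200 + 40 * ($groupCount + $sidHistoryCount)

# MaxTokenSize: registry override if present, otherwise the OS default, which went from
# 12000 to 48000 bytes with Windows 8 / Windows Server 2012 (NT version 6.2).
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
          -ErrorAction SilentlyContinue
$maxTokenSize = if ($params -and $params.PSObject.Properties['MaxTokenSize']) { $params.MaxTokenSize }
                elseif ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 }
                else { 12000 }

[pscustomobject]@{
    User           = $SamAccountName
    TokenGroups    = $groupCount
    SidHistory     = $sidHistoryCount
    EstimatedBytes = $estimate
    MaxTokenSize   = $maxTokenSize
    AtRisk         = ($estimate -gt $maxTokenSize)
}
```

Run it for the users who report SSO failures and for a working user; a large difference in TokenGroups, or AtRisk set for the failing users only, points at token size rather than at the SPN or service account configuration. Because the estimate is an upper bound, a user flagged AtRisk may still authenticate, but a user well below the limit is unlikely to be hitting this problem.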