SAML - Windows SSO authentication

The purpose of this document is to describe how to configure PhenixID server for federation with SAML2 using Windows SSO (Kerberos or NTLM) authentication.

Prerequisites

  • PhenixID Server configured according to this instruction: "Federation - Username and password"

  • Windows settings:
  • –  Install PAS on a Windows Server that is member of an active directory domain.
– Create service account
CN=phxid,CN=Users,DC=company,DC=local
  • – Change the service “PhenixID service” to be run by CN=phxid,CN=Users,DC=company,DC=local
  • – Register a DNS A record: 
A    phenixid.company.local    127.0.0.1
  • – Register SPN from a command prompt
:
    C:\Users\Administrator>Setspn -S HTTP/phenixid.company.local phxid

    Checking domain DC=company,DC=local
    Registering ServicePrincipalNames for CN=phxid,CN=Users,DC=company,DC=local

    HTTP/phenixid.company.local
    
Updated object

    C:\Users\Administrator>Setspn -S HTTPS/phenixid.company.local phxid

    Checking domain DC=company,DC=local
    Registering ServicePrincipalNames for CN=phxid,CN=Users,DC=company,DC=local
    
HTTPS/phenixid.company.local
    
Updated object
  • – If testing with web browser directly on server, Loopback checks must be disabled. Do not use in prod environments!
    
https://support.microsoft.com/en-us/kb/896861, Workaround method 2

    Example values used in the description above:
    http domain: phenixid.company.local
    
Service account: CN=phxid,CN=Users,DC=company,DC=local
    
(Change the above to match your environment)

Convert the Federation - Username and Password scenario to SAMLWindowsSSO

Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAMLWindowsSSO"

Click the plus sign next to "configuration" to add new parameters

Set "authProtocol" = "<Type of Windows SSO Protocol>"

<Type of Windows SSO Protocol> can either be set to "NTLM" or "Negotiate" (Kerberos).

Click Stage changes

Click Commit changes

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete the valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve)
  3. Click Save