PhenixID web apps authentication – SAML SP
The purpose of this document is to describe how to configure PhenixID server internal web applications for authentication using SAML Service Provider Authentication. This is used when the user authentication is performed on an SAML Identity Provider.
Prerequisites
- SAML IdP Metadata (url or file)
Modules Required
- auth-http
- phenix-saml
Configure SAML IdP trust and SAML SP
- Follow the scenario: Federation / SAML SP Metadata Upload in order to configure trust with the SAML IdP.
- Add a keystore to use for the SAML signing and/or encryption. Keystore
- Open the Advanced tab. Define your sp in the SAMLSP section. Note that the id and entityID must have the same value.
https://document.phenixid.net/searches?utf8=%E2%9C%93&text=federation+Keystore&commit=Search
{
"id" : "<create_a_sp_name_and_put_it_here>",
"keystoreSign" : "<point_to_the_keystore_id_added_in_previous_step>",
"keystoreEncrypt" : "<point_to_the_keystore_id_added_in_previous_step>",
"entityID" : "<create_a_sp_name_and_put_it_here>",
"ForceAuthn" : "<Set to true if ForceAuthn should be used in authnReq, otherwise false or omit parameter">
}
Example:
{
"id" : "sp.phenixid.se",
"keystoreSign" : "bhull",
"keystoreEncrypt" : "bhull",
"entityID" : "sp.phenixid.se",
"ForceAuthn" : "false"
}
Configuration - add SAMLServiceProviderAuthN authenticator and pipe
Configuration properties with descriptions can be found here.
Example configuration
The configuration must be added in the Advanced section of Configuration Manager.
HTTP Authenticators
{
"id" : "samlsp",
"alias" : "samlsp",
"name" : "SAMLServiceProviderAuthN",
"displayName" : "External IdP",
"configuration" : {
"successURL" : "/selfservice/",
"sp" : "sp.phenixid.se",
"pipeID" : "assertionConsumer",
"targetIDP" : "https://demo.phenixid.net/idp_rdweb_demo",
"acsUrl" : "https://sp.phenixid.se/selfservice/authenticate/samlsp",
"entityID" : "sp.phenixid.se"
}
}
Pls note that entityID and sp must have the same value configured (id of SAMLSP created in earlier step).
Value set for "targetIDP" is the entityid of the IdP.
The "acsUrl"is the where we redirect after successful login.
Pipe example 1
This example covers the use case when the incoming SAML assertion should be validated and the NameID should be used as identifier for the web application.
{
"id": "assertionConsumer",
"valves": [{
"name": "AssertionConsumer",
"config": {
"clock_skew_minutes": "2"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"exec_if_expr": "flow.items().isEmpty()"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "roles",
"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
"enable_multi_value": "true"
}
}
]
}
Read this article to get the correct value for the roles property.
Pipe example 2
This example covers how to map the userid from the incoming SAML assertion to a different value used by the web application.
In this particular example, the value will be replaced by the sn attribute from an LDAP directory.
{
"id": "assertionConsumer",
"valves": [{
"name": "AssertionConsumer",
"config": {
"clock_skew_minutes": "2"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"exec_if_expr": "flow.items().isEmpty()"
}
},
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "d26b9745-f213-4740-a5f1-7b966c732a3a",
"base_dn": "DC=company,dc=local",
"scope": "SUB",
"size_limit": "0",
"filter_template": "sAMAccountName={{session.user_id}}",
"attributes": "sn"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist in LDAP",
"skip_if_expr": "flow.isMulti()"
}
},
{
"name": "ItemMergeValve",
"config": {
"dest_id": "{{session.user_id}}"
}
},
{
"name": "SessionBindToUidValve",
"config": {
"userid": "{{item.sn}}"
}
},
{
"name": "SessionPersistValve",
"config": {}
},
{
"name": "PropertyAddValve",
"config": {
"name": "roles",
"value": "auth:972421be-7bac-4b02-b7bb-77d970eecc0e",
"enable_multi_value": "true"
}
}
]
}