
Federation - Add configuration to achieve Single-Sign-On (SSO)

This document is written for PhenixID Server.

The reader should have some basic knowledge about PhenixID Server.

This document describes how to configure the system to redirect to different authentication methods based on the authentication status of the current session. The typical use case is to achieve Single-Sign-On for a session that has already been authenticated.

Prerequisites

- Set up a strong authentication federation scenario using the guides in Configuration Manager

Collect IdP reference and alias

Log in to the configuration UI, go to the "Scenarios" tab

Click on the strong authentication federation scenario

Click Execution flow

Expand the last flow

Expand the AssertionProvider

Copy the value of the targetEntityID parameter


Click AUTHENTICATOR

Copy the alias value

Change alias for strong authenticator

Click Advanced->HTTP Authenticators

Find the authenticator with the alias found in previous step

Change the alias value to "strong"

Add SSO authenticator

  1. Click Advanced->HTTP Authenticators
  2. Add a SAMLHeadlessSSO authenticator
    1. Change these values on the authenticator:
      1. Set the idpID value to the targetEntityID value fetched in the previous step
      2. Set the authURL value to https://<phenixid_server_domain>/saml/authenticate/strong
    2. Change these values on the pipe (auth_sso_pipe):
      1. AssertionProvider->targetEntityID -> Change to the targetEntityID value fetched in the previous step
      2. Environment-specific changes such as SAML attributes, NameID and other values.

Test

Browse to the alias of the SSO authenticator (..../authenticate/sso)

Verify that the strong authentication method is presented and that the authentication works


Keep the web browser open.

Browse to the alias of the SSO authenticator (..../authenticate/sso) again.

You should not be prompted to authenticate again.

A SAML ticket should be created and sent to the service provider.
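The following is an added example that models the dispatch logic configured in the "Add SSO authenticator" section and replays the steps of the Test section. It is not PhenixID code: the class names, the `max_age` session lifetime, the entity ID and URL values, and the simplified assertion dictionary are all assumptions made for illustration. The two configuration values it mirrors are the ones the page asks you to set: idpID/targetEntityID (the audience of the issued assertion) and authURL (where an unauthenticated session is redirected).

```python
# Added example: a minimal model of the session-based dispatch performed by
# the SAMLHeadlessSSO authenticator. Not PhenixID code; names are assumptions.
import time
import uuid
from dataclasses import dataclass
from typing import Optional

# Values collected from the configuration UI in the steps above. These are
# constructed placeholders, not real identifiers.
TARGET_ENTITY_ID = "https://sp.example.invalid/saml/metadata"            # idpID / targetEntityID
STRONG_AUTH_URL = "https://idp.example.invalid/saml/authenticate/strong"  # authURL


@dataclass
class Session:
    """Server-side session state that the dispatcher inspects."""
    authenticated: bool = False
    subject: Optional[str] = None
    auth_method: Optional[str] = None
    auth_time: float = 0.0


@dataclass
class Response:
    """Either a redirect (302 + Location) or a SAML assertion for the SP."""
    status: int
    location: Optional[str] = None
    assertion: Optional[dict] = None


class StrongAuthenticator:
    """Stands in for the authenticator whose alias was renamed to 'strong'.
    The real one prompts the user; here the prompt is simulated by passing
    the subject that completed authentication."""
    alias = "strong"

    def authenticate(self, session: Session, subject: str, now: float) -> Response:
        session.authenticated = True
        session.subject = subject
        session.auth_method = self.alias
        session.auth_time = now
        return Response(200)


class SsoAuthenticator:
    """Model of the SAMLHeadlessSSO authenticator. idp_id and auth_url mirror
    the idpID and authURL settings; max_age is an assumed session lifetime."""
    alias = "sso"

    def __init__(self, idp_id: str, auth_url: str, max_age: int = 3600):
        self.idp_id = idp_id
        self.auth_url = auth_url
        self.max_age = max_age

    def handle(self, session: Session, now: float) -> Response:
        # Unauthenticated or expired session: redirect to the strong method.
        if not session.authenticated or (now - session.auth_time) > self.max_age:
            return Response(302, location=self.auth_url)
        # Authenticated session: issue the assertion without prompting again.
        return Response(200, assertion=self.build_assertion(session, now))

    def build_assertion(self, session: Session, now: float) -> dict:
        """Fields a relying party checks (simplified dict, not SAML XML)."""
        return {
            "id": "_" + uuid.uuid4().hex,
            "audience": self.idp_id,  # AssertionProvider->targetEntityID
            "subject": session.subject,
            "auth_method": session.auth_method,
            "issue_instant": now,
        }


def run_test_sequence(now: Optional[float] = None) -> list:
    """Replays the Test section: the first visit redirects to the strong
    authenticator, the user authenticates once, and the second visit receives
    an assertion with no prompt. A third visit after max_age redirects again."""
    now = time.time() if now is None else now
    sso = SsoAuthenticator(TARGET_ENTITY_ID, STRONG_AUTH_URL)
    strong = StrongAuthenticator()
    session = Session()
    results = []

    first = sso.handle(session, now)                # 302 -> .../authenticate/strong
    results.append((first.status, first.location))
    strong.authenticate(session, "alice", now)      # user completes strong auth
    second = sso.handle(session, now + 5)           # browser kept open, same session
    results.append((second.status, second.assertion["audience"]))
    third = sso.handle(session, now + 7200)         # session older than max_age
    results.append((third.status, third.location))
    return results


if __name__ == "__main__":
    for step in run_test_sequence():
        print(step)
```

The third step is not in the page's test procedure; it is included to show why a session lifetime matters for this pattern: once the session is older than the configured lifetime the SSO authenticator must fall back to the strong method rather than keep issuing assertions.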