How to set up the HTTP API for ticket translation oAuth2 Bearer token - SAML2 (eHM SAML Token use case)

Prerequisites

- PAS 2.7 installed

- Previous authentication must have returned an access_token, whose value is bound to the session as an alias.

- User information must have been stored in the session during authentication (using the session* valves in the pipe). Consult the valves documentation for usage examples.

- A proxy (such as Apache) in front of the PAS server

- PhenixID Authentication Services SAML IdP configured

- SAML SP Metadata uploaded

Proxy config

Add this rule to your proxy server (the example below is for Apache) and restart the proxy for it to take effect.

<Location /api/authentication/ehmSAMLToken>
SetEnvIfNoCase Authorization "(.{36}\z)" HTTP_AUTHORIZATION=$1
RequestHeader set session_id "%{HTTP_AUTHORIZATION}e"
RequestHeader unset Authorization
</Location>
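The rule above derives the session_id header from the last 36 characters of the Authorization value and then drops Authorization before the request reaches PAS. The following added example (not part of the original page or the PhenixID product) models that rewrite in Python so the behaviour can be checked offline, including the failure mode where the header is missing or shorter than 36 characters; it assumes the access_token is a UUID, which the 36-character capture suggests but the page does not state.

```python
import re

# Same capture as the SetEnvIfNoCase rule in the <Location> block:
# the last 36 characters of the Authorization header value, whatever
# precedes them (the "Bearer " scheme prefix is simply discarded).
TOKEN_RE = re.compile(r"(.{36}\Z)")

# Assumption (not stated on the page): the access_token is a UUID, which is
# what a 36-character capture implies. Used only by the stricter check below.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def proxy_rewrite(headers: dict) -> dict:
    """Model of what the proxy rule does before forwarding to PAS."""
    fwd = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    auth = next((v for k, v in headers.items()
                 if k.lower() == "authorization"), None)
    match = TOKEN_RE.search(auth) if auth is not None else None
    # mod_headers expands an unset env var to the literal string "(null)",
    # so a missing or too-short token still produces a session_id header.
    fwd["session_id"] = match.group(1) if match else "(null)"
    return fwd


def session_id_for_pipe(forwarded: dict):
    """Check worth having before {{request.session_id}} reaches
    SessionLoadValve: accept only a well-formed token, never "(null)"."""
    value = forwarded.get("session_id", "")
    return value if UUID_RE.fullmatch(value) else None


# Constructed sample requests (the token is a made-up UUID, not a real one).
GOOD = {"Host": "pas.example.com",
        "Authorization": "Bearer 11111111-2222-3333-4444-555555555555"}
SHORT = {"Host": "pas.example.com", "Authorization": "Bearer abc123"}
NONE = {"Host": "pas.example.com"}

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("short", SHORT), ("none", NONE)):
        fwd = proxy_rewrite(req)
        print(name, repr(fwd.get("session_id")), "->", session_id_for_pipe(fwd))
```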

Add local http-api module

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Add this module (if the module is already added, only add the tenant and/or allowedOperation):

{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "tenant": [
      {
        "id": "t1",
        "displayName": "Tenant1",
        "allowedOperation": [
          "ehmSAMLToken"
        ]
      }
    ]
  },
  "id": "authapi_module"
}

- Click Stage Changes and Commit Changes

- Open NODE_GROUPS (click on the pen)

- Add the id of the newly added module to module_refs, as in the example below. (You can skip this step if the module was already added.)

{
  "name": "WIN-DHB3ICNDG4E",
  "description": "Default node (created automatically)",
  "config": {
    "module_refs": "authapi_module,sealapp,signapp_1,......"
  },
  "created": "2017-07-03T11:38:03.135Z",
  "id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
  "modified": "2017-07-03T14:39:43.257Z"
}

- Click Stage Changes and Commit Changes


Add pipes to fetch SAML response from oAuth2 Bearer access_token

In this example, no client certificate is used. Read the Valves documentation for how to configure a client certificate for the pipe.

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add this pipe.

{
  "id": "ehmSAMLToken",
  "description": "Get SAML Token from oAuth2 access_token",
  "valves": [
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "samlToken"
      }
    },
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "PropertyFromSessionToItem",
      "config": {
        "source": "givenName"
      }
    },
    {
      "name": "PropertyFromSessionToItem",
      "config": {
        "source": "surName"
      }
    },
    {
      "name": "PropertyFromSessionToItem",
      "config": {
        "source": "saml_authn_context"
      }
    },
    {
      "name": "PropertyFromSessionToItem",
      "config": {
        "source": "personalNumber"
      }
    },
    {
      "name": "PropertyCopyValve",
      "config": {
        "source": "personalNumber",
        "dest": "http://sambi.se/attributes/1/personalIdentityNumber"
      }
    },
    {
      "name": "PropertyCopyValve",
      "config": {
        "source": "givenName",
        "dest": "http://sambi.se/attributes/1/givenName"
      }
    },
    {
      "name": "PropertyCopyValve",
      "config": {
        "source": "surName",
        "dest": "http://sambi.se/attributes/1/surname"
      }
    },
    {
      "name": "AssertionProvider",
      "config": {
        "targetEntityID": "ec676be5-d967-4ffe-ba28-b98b51117512",
        "nameIDAttribute": "http://sambi.se/attributes/1/personalIdentityNumber",
        "additionalAttributes": "http://sambi.se/attributes/1/personalIdentityNumber,http://sambi.se/attributes/1/givenName,http://sambi.se/attributes/1/surname",
        "sourceID": "https://www6.example.se/authenticate/validateeleglogin-PROD-FED",
        "authMetod": "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
      }
    },
    {
      "name": "PropertyKeepValve",
      "config": {
        "name": "SAMLResponse"
      }
    }
  ]
}

- Change targetEntityID - this must be the id of the SAML Identity Provider you have defined

- Change sourceID - this must be the entityID of the SAML SP

- Click Stage Changes and Commit Changes

Test

Use an HTTP REST client for testing and debugging. Follow the document Using PhenixID HTTP API for ticket translation oAuth2 Bearer token - SAML2 (eHM SAML Token use case) to structure the HTTP requests correctly.