PhenixID DocumentationPhenixID Authentication ServicesSolutionsOpenIDConnect (OIDC) / OAuthHow to setup the HTTP API for ticket translation oAuth2 Bearer token - SAML2 (eHM SAML Token use case)

How to setup the HTTP API for ticket translation oAuth2 Bearer token - SAML2 (eHM SAML Token use case)

Prerequisites

- PAS 2.7 installed

- Previous authentication must have returned an access_token, which value is bound to the session as an alias.

- User information must have been stored in the session during authentication (using session* valves in the pipe). Consult the valves documentation for usage examples.

- Proxy (such as apache) in front of the PAS server

- PhenixID Authentication Services SAML IdP configured

- SAML SP Metadata uploaded

Proxy config

Add this rule to the your proxy server (example below is for Apache) and restart the proxy to make it effective.

<Location /api/authentication/ehmSAMLToken>
SetEnvIfNoCase Authorization "(.{36}\z)" HTTP_AUTHORIZATION=$1
RequestHeader set session_id "%{HTTP_AUTHORIZATION}e"
RequestHeader unset Authorization
</Location>

Add local http-api module

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Add this module (if module is already added, only add tenant and/or allowedOperation):

{
		"module": "com.phenixidentity~phenix-api-authenticate",
		"enabled": "true",
		"config": {
			"tenant": [
				{
					"id": "t1",
					"displayName": "Tenant1",
					"allowedOperation": [
						"ehmSAMLToken"
					]
}
			]
		},
		"id": "authapi_module"
	}

- Click Stage Changes and Commit Changes

- Open NODE_GROUPS (click on the pen)

- Add id of the newly added module to module_refs. Example below. (You can skip this step if the module was already added)

{
		"name": "WIN-DHB3ICNDG4E",
		"description": "Default node (created automatically)",
		"config": {
			"module_refs": "authapi_module,sealapp,signapp_1,......"
		},
		"created": "2017-07-03T11:38:03.135Z",
		"id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
		"modified": "2017-07-03T14:39:43.257Z"
	}

- Click Stage Changes and Commit Changes

 

Add pipes to fetch SAML response from oAuth2 Bearer access_token

In this example, no client certificate is used. Please read the Valves documentation on how to configure a client certificate to the pipe.

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add this pipe.

{
		"id": "ehmSAMLToken",
		"description": "Get SAML Token from oAuth2 access_token",
		"valves": [
			{
				"name": "ItemCreateValve",
				"config": {
					"dest_id": "samlToken"
				}
			},
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "PropertyFromSessionToItem",
				"config": {
					"source": "givenName"
				}
			},
			{
				"name": "PropertyFromSessionToItem",
				"config": {
					"source": "surName"
				}
			},
			{
				"name": "PropertyFromSessionToItem",
				"config": {
					"source": "saml_authn_context"
				}
			},
			{
				"name": "PropertyFromSessionToItem",
				"config": {
					"source": "personalNumber"
				}
			},
			{
				"name": "PropertyCopyValve",
				"config": {
					"source": "personalNumber",
					"dest": "http://sambi.se/attributes/1/personalIdentityNumber"
				}
			},
			{
				"name": "PropertyCopyValve",
				"config": {
					"source": "givenName",
					"dest": "http://sambi.se/attributes/1/givenName"
				}
			},
			{
				"name": "PropertyCopyValve",
				"config": {
					"source": "surName",
					"dest": "http://sambi.se/attributes/1/surname"
				}
			},
			{
				"name": "AssertionProvider",
				"config": {
					"targetEntityID": "ec676be5-d967-4ffe-ba28-b98b51117512",
					"nameIDAttribute": "http://sambi.se/attributes/1/personalIdentityNumber",
					"additionalAttributes": "http://sambi.se/attributes/1/personalIdentityNumber,http://sambi.se/attributes/1/givenName,http://sambi.se/attributes/1/surname",
					"sourceID": "https://www6.example.se/authenticate/validateeleglogin-PROD-FED",
					"authMetod": "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
				}
			},
			{
				"name": "PropertyKeepValve",
				"config": {
					"name": "SAMLResponse"
				}
			}
		]
	}

- Change targetEntityID - this must point to the id of your defined SAML Identity Provider

- Change sourceID - this must be the entityID of the SAML SP

- Click Stage Changes and Commit Changes

Test

Use a HTTP rest client for testing and debugging. Follow the document Using PhenixID HTTP API for ticket translation oAuth2 Bearer token - SAML2 (eHM SAML Token use case) to structure the HTTP requests properly.