PhenixID Verify User Identity for PAS 3.0 or later
Following the steps below creates a service for verifying the identity of a user who is calling in to the help desk or another function in your organisation.
The user's available verification methods are displayed, and the person handling the call selects one of them to verify the caller's identity.
Requirements
- A keystore configured, used by the SAML function in this configuration
- A Swedish BankID keystore configured, if Swedish BankID will be used
- All verification methods that will be offered (the entries in the "methods" list below: ot, token, sms, mail, bid) must be configured, including the Message Gateway (SMS) and SMTP settings (mail) that the pipes in Step 3 reference
Step 1 - Authentication - HTTP
Add the following configuration to “Authentication - HTTP”
{
"alias": "phxverify",
"name": "Registration",
"id": "phxverify",
"configuration": {
"stages": [
{
"pipeid": "phxverify-username",
"template": "phxverify",
"sessionValues": [
"roles",
"adminuser"
],
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.information.searchuser",
"phxverify.messages.username",
"phxverify.messages.querybox",
"phxverify.messages.or",
"phxverify.messages.logout"
],
"templateVariables": {
"searchmethods": [
{
"type": "username",
"title": "phxverify.messages.username"
},
{
"type": "mail",
"title": "phxverify.messages.mail"
},
{
"type": "mobile",
"title": "phxverify.messages.mobile"
}
],
"settings": {
"sp_url": "/phxverify/authenticate/phxverifysp/"
}
},
"errorTranslation": [
{
"key": "User does not exist",
"value": "phxverify.error.usernotexist"
},
{
"key": "Multiple users found",
"value": "phxverify.error.multipleusersfound"
},
{
"key": "Login failed",
"value": "phxverify.error.loginfailed"
}
]
},
{
"pipeid": "phxverify-verifychoice",
"template": "phxverify",
"templateVariables": {
"useBid": "true",
"methods": [
{
"type": "ot",
"title": "phxverify.messages.ot"
},
{
"type": "token",
"title": "phxverify.messages.pp"
},
{
"type": "sms",
"title": "phxverify.messages.sms"
},
{
"type": "mail",
"title": "phxverify.messages.mail"
},
{
"type": "bid",
"title": "phxverify.messages.bid"
}
]
},
"sessionValues": [
"phxverify-disabled-token",
"phxverify-disabled-sms",
"phxverify-disabled-ot",
"phxverify-disabled-mail",
"phxverify-disabled-bid",
"givenname",
"sn",
"mobile",
"username",
"mail",
"roles",
"adminuser",
"pnrsub"
],
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.information.choose_method",
"phxverify.messages.cancel",
"phxverify.messages.logout",
"phxverify.messages.bid"
],
"errorTranslation": [
{
"key": "Wrong verification code",
"value": "phxverify.error.wrongotp"
},
{
"key": "User does not exist",
"value": "phxverify.error.usernotexist"
},
{
"key": "Multiple users found",
"value": "phxverify.error.multipleusersfound"
},
{
"key": "Login failed",
"value": "phxverify.error.loginfailed"
},
{
"key": "alreadyInProgress",
"value": "phxverify.error.bid_alreadyinprogress"
}
]
},
{
"pipeid": "phxverify-verifyOTP",
"template": "phxverify",
"templateVariables": {
"useBid": "true"
},
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.enterotp",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.ot",
"phxverify.messages.otstatus",
"phxverify.messages.sms",
"phxverify.messages.mail",
"phxverify.messages.pp",
"phxverify.messages.verify",
"phxverify.messages.information.verifyotp",
"phxverify.messages.information.otpending",
"phxverify.messages.information.bidpending",
"phxverify.messages.information.ot_timedout",
"phxverify.messages.information.bid_timedout",
"phxverify.messages.cancel",
"phxverify.messages.logout",
"phxverify.messages.bid"
],
"sessionValues": [
"phxverify-disabled-token",
"phxverify-disabled-sms",
"phxverify-disabled-ot",
"phxverify-disabled-mail",
"phxverify-disabled-bid",
"givenname",
"sn",
"mobile",
"username",
"mail",
"roles",
"phxverify-verifyotp",
"phxverify-otpending",
"phxverify-bidpending",
"adminuser",
"pnrsub"
],
"errorTranslation": [
{
"key": "Wrong verification code",
"value": "phxverify.error.wrongotp"
},
{
"key": "User does not exist",
"value": "phxverify.error.usernotexist"
},
{
"key": "User rejected",
"value": "ot_rejected"
},
{
"key": "Pending user confirmation",
"value": "ot_pending"
},
{
"key": "User confirmation in progress",
"value": "ot_inprogress"
},
{
"key": "bid-outstandingTransaction",
"value": "bid_outstandingTransaction"
},
{
"key": "bid-noClient",
"value": "bid_noClient"
},
{
"key": "phxverify.messages.bid_startbankid",
"value": "bid_startbankid"
},
{
"key": "bid-started",
"value": "bid_started"
},
{
"key": "phxverify.messages.bid_usersign",
"value": "bid_userSign"
},
{
"key": "bid-expiredTransaction",
"value": "bid_expiredTransaction"
},
{
"key": "bid-certificateErr",
"value": "bid_certificateErr"
},
{
"key": "bid-userCancel",
"value": "bid_userCancel"
},
{
"key": "bid-cancelled",
"value": "bid_cancelled"
},
{
"key": "bid-startFailed",
"value": "bid_startFailed"
},
{
"key": "bid-unknown",
"value": "bid_unknown"
},
{
"key": "Multiple users found",
"value": "phxverify.error.multipleusersfound"
},
{
"key": "Login failed",
"value": "phxverify.error.loginfailed"
}
]
},
{
"pipeid": "phxverify-complete",
"template": "phxverify",
"templateVariables": {
"useBid": "true"
},
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.enterotp",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.ot",
"phxverify.messages.otstatus",
"phxverify.messages.sms",
"phxverify.messages.mail",
"phxverify.messages.pp",
"phxverify.messages.cancel",
"phxverify.messages.userverified",
"phxverify.messages.logout",
"phxverify.messages.bid"
],
"sessionValues": [
"phxverify-disabled-token",
"phxverify-disabled-sms",
"phxverify-disabled-ot",
"phxverify-disabled-mail",
"givenname",
"sn",
"mobile",
"username",
"mail",
"phxverify-newstatus",
"roles",
"adminuser",
"pnrsub"
],
"errorTranslation": [
{
"key": "Wrong verification code",
"value": "phxverify.error.wrongotp"
},
{
"key": "User does not exist",
"value": "phxverify.error.usernotexist"
},
{
"key": "Multiple users found",
"value": "phxverify.error.multipleusersfound"
},
{
"key": "Login failed",
"value": "phxverify.error.loginfailed"
}
]
}
]
}
},
{
"id": "phxverifysp",
"alias": "phxverifysp",
"name": "SAMLServiceProviderAuthN",
"displayName": "PHXVerify IdP",
"configuration": {
"successURL": "/phxverify/authenticate/phxverify/",
"sp": "https://replace_phxverify_address",
"pipeID": "PHXVerifySPPipe",
"targetIDP": "https://replace_phxverify_address/phxverify/authenticate/phxverifyidp",
"acsUrl": "https://replace_phxverify_address/phxverify/authenticate/phxverifysp",
"entityID": "https://replace_phxverify_address"
}
},
{
"id": "e93a1158-b7b4-4491-9770-24901c3b0296",
"alias": "phxverifyidp2",
"name": "PostUidAndPasswordSAML",
"displayName": "PHXVerifyiDP",
"configuration": {
"pipeID": "d449c9a9-0601-484f-ac62-a273f5a4ecc9",
"idpID": "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
"translation": [
{
"mapKeyTo": "phxverify.messages.information.title",
"key": "login.messages.information.title"
},
{
"mapKeyTo": "phxverify.messages.information.header",
"key": "login.messages.information.header"
},
{
"mapKeyTo": "phxverify.messages.information.body",
"key": "login.messages.information.body"
}
]
}
},
{
"id": "002cd990-af32-4a27-9dc0-815eff7a717a",
"alias": "phxverifysso",
"name": "PostUidAndPasswordSAML",
"displayName": "PHXVerifySSO",
"configuration": {
"pipeID": "951af7c4-0772-4030-b90a-c3f53c3332fb",
"idpID": "1c650882-8e14-4bd6-9f6a-ef3553c5a43c"
}
},
{
"name": "Dispatch",
"id": "phxverifyidp",
"alias": "phxverifyidp",
"configuration": {
"idpID": "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
"mapping": [
{
"authenticator": "e93a1158-b7b4-4491-9770-24901c3b0296",
"expression": "!request.getParameter('authenticatedrequest').equals('true')"
},
{
"authenticator": "002cd990-af32-4a27-9dc0-815eff7a717a",
"expression": "request.getParameter('authenticatedrequest').equals('true')"
}
]
}
}
Replace the following settings:
"replace_phxverify_address" with the address (host name and port) of your PhenixID server, example "phxverify.phenixid.se:8443". Use the externally reachable address, since it becomes the SAML entityID and ACS URL of the service provider entry above.
To disable Swedish BankID as a verification option:
- Change all "useBid": "true" to "useBid": "" in the configuration above
- Remove the following entry from the "methods" section in the configuration above
{
"type": "bid",
"title": "phxverify.messages.bid"
}
Step 2 - Guide configuration
Add the following configuration to "Guide configuration"
{
"id" : "ba6e71aa-4e32-4a5c-88df-a2ed6ee1709e",
"name" : "PHXVerifyIdP",
"description" : "PHXVerifyIdP",
"type" : "guides.authentication.saml.samluidpwd2",
"config" : {
"pipeID" : "d449c9a9-0601-484f-ac62-a273f5a4ecc9",
"idp_ref" : "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
"auth_ref" : "e93a1158-b7b4-4491-9770-24901c3b0296",
"ldap_connection_ref" : "replace_ldap_id"
}
},
{
"id": "51265e65-b112-4948-a285-4851d772ec5c",
"name": "PHXVerifySSO",
"description": "PHXVerifySSO",
"type": "guides.authentication.saml.samluidpwd2",
"config": {
"pipeID": "951af7c4-0772-4030-b90a-c3f53c3332fb",
"idp_ref": "1c650882-8e14-4bd6-9f6a-ef3553c5a43c",
"auth_ref": "002cd990-af32-4a27-9dc0-815eff7a717a",
"ldap_connection_ref": "replace_ldap_id"
}
}
Replace "replace_ldap_id" with your LDAP connection ID (the LDAP Scenario ID); use the same value in Step 3 and Step 6.
Step 3 - Pipes
Add the following configuration to “Pipes”
{ "id": "phxverify-username", "valves": [ { "name": "SessionLoadValve", "config": { "id": "{{request.session_id}}" } }, { "name": "FlowFailValve", "config": { "message": "Login failed", "skip_if_expr": "request.get('authenticatedrequest').equals('true')" } }, { "name" : "SessionPropertyRemoveValve", "config": { "name":"username,generated_otp,phxverify-verifyotp,ot_verify,phxverify-otpending,phxverify-bidpending,phxverify-disabled-bid,phxverify-newstatus,phxverify-disabled-sms,phxverify-disabled-mail,phxverify-disabled-token,phxverify-disabled-ot,givenname,OATH,PKI,username,mobile,sn,mail,pnr,pnrsub" } }, { "name": "LDAPSearchValve", "config": { "connection_ref": "replace_ldap_id", "base_dn": "replace_ldap_base_dn", "scope": "SUB", "size_limit": "0", "filter_template": "replace_phxverify_user_attrib={{request.username}}", "attributes": "mobile,givenName,sn,mail,replace_phxverify_bankid_attrib", "exec_if_expr": "request.get('username')!=null" } }, { "name": "LDAPSearchValve", "config": { "connection_ref": "replace_ldap_id", "base_dn": "replace_ldap_base_dn", "scope": "SUB", "size_limit": "0", "filter_template": "mail={{request.mail}}", "attributes": "mobile,givenName,sn,mail,replace_phxverify_user_attrib,replace_phxverify_bankid_attrib", "exec_if_expr": "request.get('mail')!=null" } }, { "name": "LDAPSearchValve", "config": { "connection_ref": "replace_ldap_id", "base_dn": "replace_ldap_base_dn", "scope": "SUB", "size_limit": "0", "filter_template": "mobile={{request.mobile}}", "attributes": "mobile,givenName,sn,mail,replace_phxverify_user_attrib,replace_phxverify_bankid_attrib", "exec_if_expr": "request.get('mobile')!=null" } }, { "name": "FlowFailValve", "config": { "message": "User does not exist", "exec_if_expr": "flow.items().isEmpty()" } }, { "name": "FlowFailValve", "config": { "message": "Multiple users found", "skip_if_expr": "flow.isSingle()" } }, { "config": { "name": "username", "value": "{{request.username}}", "exec_if_expr": 
"request.get('username')!=null" }, "name": "SessionPropertyAddValve" }, { "config": { "name": "username", "value": "{{item.replace_phxverify_user_attrib}}", "exec_if_expr": "request.get('mail')!=null || request.get('mobile')!=null" }, "name": "SessionPropertyAddValve" }, { "name": "GetTokenExistsValve", "config": { "username_attribute": "{{session.username}}", "token_type": "OATH", "get_value_attribute_key": "OATH" } }, { "name": "GetTokenExistsValve", "config": { "username_attribute": "{{session.username}}", "token_type": "PKI", "get_value_attribute_key": "PKI" } }, { "name": "SessionPropertyAddValve", "config": { "name": "OATH", "value": "{{item.OATH}}" } }, { "name": "SessionPropertyAddValve", "config": { "name": "PKI", "value": "{{item.PKI}}" } }, { "name": "SessionPropertyAddValve", "config": { "name": "mobile", "value": "{{item.mobile}}" } }, { "name": "SessionPropertyAddValve", "config": { "dest_id": "{{session.pki_user}}", "name": "givenname", "value": "{{item.givenName}}" } }, { "name": "SessionPropertyAddValve", "config": { "name": "sn", "value": "{{item.sn}}" } }, { "name": "SessionPropertyAddValve", "config": { "name": "mail", "value": "{{item.mail}}" } }, { "name": "SessionPropertyAddValve", "config": { "name": "pnr", "value": "{{item.replace_phxverify_bankid_attrib}}" } }, { "name": "PropertyAddValve", "config": { "name": "pnr2sub", "value": "{{item.replace_phxverify_bankid_attrib}}" } }, { "name": "PropertySubstringValve", "config": { "source": "pnr2sub", "end_index": "8", "begin_index": "0", "exec_if_expr": "request.get('replace_phxverify_bankid_attrib')!=null" } }, { "config": { "name": "pnrsub", "value": "{{item.pnr2sub}}xxxx" }, "name": "SessionPropertyAddValve" }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-disabled-bid", "value": "disabled", "exec_if_expr": "", "skip_if_expr": "flow.items().get(0).containsProperty('replace_phxverify_bankid_attrib')" } }, { "name": "SessionPropertyAddValve", "config": { "name": 
"phxverify-disabled-sms", "value": "disabled", "exec_if_expr": "", "skip_if_expr": "flow.items().get(0).containsProperty('mobile')" } }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-disabled-mail", "value": "disabled", "exec_if_expr": "", "skip_if_expr": "flow.items().get(0).containsProperty('mail')" } }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-disabled-token", "value": "disabled", "exec_if_expr": "flow.property('OATH').equals('false')" } }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-disabled-ot", "value": "disabled", "exec_if_expr": "flow.property('PKI').equals('false')" } }, { "name": "SessionPersistValve", "config": {} } ] }, { "id": "phxverify-verifychoice", "valves": [ { "name": "SessionLoadValve", "config": { "id": "{{request.session_id}}" } }, { "name" : "SessionPropertyRemoveValve", "config": { "name":"ot_verify, phxverify-otpending,phxverify-bidpending,phxverify-verifyotp,generated_otp,transactionID" } }, { "name": "ItemCreateValve", "config": { "dest_id": "{{request.session_id}}" } }, { "name": "OTPGeneratorValve", "config": { "length": "6", "alpha_numeric": "false", "name": "generated_otp", "valid_time_in_seconds": "300", "exec_if_expr": "", "skip_if_expr": "" } }, { "name": "SessionPropertyAddValve", "config": { "name": "generated_otp", "value": "{{item.generated_otp}}", "skip_if_expr": "" } }, { "name": "OTPBySMSValve", "config": {
"message_gateway_settings" : "replace_gw_id","recipient_param_name": "{{session.mobile}}", "generated_otp_name": "generated_otp", "use_flash": "true", "exec_if_expr": "request.get('type') != null && request.get('type').contains('sms')", "skip_if_expr": "" } }, { "name": "OTPBySMTPValve", "config": { "smtp_settings": "replace_smtp_settings", "start_tls_enabled": "true", "userid_param_name": "{{session.username}}", "mail_param_name": "{{session.mail}}", "exec_if_expr": "request.get('type') != null && request.get('type').contains('mail')" } }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-verifyotp", "value": "true", "exec_if_expr": "request.get('type') != null && (request.get('type').contains('sms') || request.get('type').contains('token') || request.get('type').contains('mail'))" } }, { "name": "IssueAssignmentValve", "config": { "userNameParameter": "{{session.username}}", "serviceName": "Phenixid", "authMessage": "Verify your user ID", "serviceMessage": "", "exec_if_expr": "request.get('type') != null && request.get('type').contains('ot')" } }, { "name": "SessionPropertyAddValve", "config": { "name": "ot_verify", "value": "{{item.assignmentid}}", "exec_if_expr": "request.get('type') != null && request.get('type').contains('ot')", "skip_if_expr": "" } }, { "name": "BankIDAuthenticateValve", "config": { "bankid_keystore": "replace_phxverify_bankid_keystore", "mode": "test", "pnr": "{{session.pnr}}", "client_ip_request_param": "X-Forwarded-For", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid')" } }, { "name": "ItemMergeValve", "config": { "dest_id": "{{request.session_id}}" } }, { "name": "FlowFailValve", "config": { "message": "alreadyInProgress", "exec_if_expr": "flow.property('errorCode').equals('alreadyInProgress')", "item_include_expr" : "item.containsProperty('errorCode')" } }, { "name": "SessionPropertyAddValve", "config": { "name": "transactionID", "value": "{{item.transactionID}}" } }, { "name": 
"SessionPropertyAddValve", "config": { "name": "phxverify-otpending", "value": "true", "exec_if_expr": "request.get('type') != null && request.get('type').contains('ot')", "skip_if_expr": "" } }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-bidpending", "value": "true", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid')", "skip_if_expr": "" } }, { "name": "SessionPersistValve", "config": {} } ] }, { "id": "phxverify-verifyOTP", "valves": [ { "name": "SessionLoadValve", "config": { "id": "{{request.session_id}}" } }, { "name": "ItemCreateValve", "config": { "dest_id": "{{request.session_id}}" } }, { "name": "PropertyAddValve", "config": { "name": "username", "value": "{{session.username}}" } }, { "name": "OTPValidationValve", "config": { "provided_otp_param_name": "{{request.otp}}", "generated_otp_param_name": "generated_otp", "proceed_on_error": "true", "exec_if_expr": "request.get('type').contains('sms')" } }, { "name": "OTPValidationValve", "config": { "provided_otp_param_name": "{{request.otp}}", "generated_otp_param_name": "generated_otp", "proceed_on_error": "true", "exec_if_expr": "request.get('type').contains('mail')" } }, { "name": "TokenValidationValve", "config": { "provided_otp_param_name": "{{request.otp}}", "otp_length": "6", "userid_param_name": "{{item.username}}", "exec_if_expr": "request.get('type').contains('token')" } }, { "name": "FlowFailValve", "config": { "message": "Wrong verification code", "exec_if_expr": "attributes.user_authenticated === false" } }, { "name": "AssignmentStatusValve", "config": { "id": "{{session.ot_verify}}", "dest": "userverifiedot", "exec_if_expr": "request.get('type').contains('ot')" } }, { "name": "BankIDCollectAuthenticationStatusValve", "config": { "bankid_keystore": "replace_phxverify_bankid_keystore", "mode": "test", "transactionID": "{{session.transactionID}}", "customerID": "{{session.tenant}}", "exec_if_expr": "request.get('type').contains('bid')" } }, { 
"name": "ItemMergeValve", "enabled": "true", "config": { "dest_id": "{{request.session_id}}" } }, { "name": "FlowFailValve", "config": { "message": "User rejected", "exec_if_expr": "flow.property('userverifiedot').equals('REJECTED') && request.get('type').contains('ot')" } }, { "name": "FlowFailValve", "config": { "message": "Pending user confirmation", "exec_if_expr": "flow.property('userverifiedot').equals('PENDING') && request.get('type').contains('ot')" } }, { "name": "FlowFailValve", "config": { "message": "User confirmation in progress", "exec_if_expr": "flow.property('userverifiedot').equals('IN_PROGRESS') && request.get('type').contains('ot')" } }, { "config": { "message": "bid-outstandingTransaction", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('outstandingTransaction')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-noClient", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('noClient')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-started", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('started')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-userSign", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('userSign')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-expiredTransaction", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('expiredTransaction')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-certificateErr", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('certificateErr')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-userCancel", 
"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('userCancel')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-cancelled", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('cancelled')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-startFailed", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('startFailed')" }, "name": "FlowFailValve" }, { "config": { "message": "bid-unknown", "exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('unknown')" }, "name": "FlowFailValve" }, { "name": "SessionPropertyAddValve", "config": { "name": "phxverify-newstatus", "value": "ok" } }, { "name": "SessionPersistValve", "config": {} } ] }, { "id": "phxverify-complete", "valves": [ { "name": "SessionLoadValve", "config": { "id": "{{request.session_id}}" } }, { "name": "SessionRemoveValve", "config": {} } ] }, { "id" : "PHXVerifySPPipe", "valves" : [ { "name" : "AssertionConsumer", "config" : {} }, { "name" : "FlowFailValve", "config" : { "message" : "User does not exist", "exec_if_expr" : "flow.items().isEmpty()" } }, { "name": "PropertyAddValve", "config": { "name": "roles", "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93", "enable_multi_value": "true" } } ] }, { "id" : "d449c9a9-0601-484f-ac62-a273f5a4ecc9", "name" : "Find user and validate password", "description" : "Pipe performing username and password authentication", "enabled" : "true", "config" : { "valve_refs" : "a3d20fa0-b556-41aa-985d-aa30d4dc993c,1073e906-05ec-48ea-8888-1cde79e40219,28309e6a-b1cb-479e-8432-fb7e9ec28771,phxverifyadm1,phxverifyadm2,phxverifyadm3,cf0cbbde-597f-4ecd-85e3-72a46903d727" } }, { "id": "951af7c4-0772-4030-b90a-c3f53c3332fb", "name": "Find user and validate password", "description": "Pipe 
performing username and password authentication", "enabled": "true", "config": { "valve_refs": "a6920bf0-b1a3-473e-b669-20cbedf2e8af,878b91e8-a4c0-42ef-b963-9fd0c437b0e0,phxverifyadm1,phxverifyadm2,phxverifyadm3,88a8b3be-2e54-4294-92ad-8ba88c40e427" }, "guide_ref": "4cd62bf9-a01d-4a3d-aa55-2dda957e26cc" }
Replace the following settings:
"replace_ldap_id" with your LDAP connection ID, example "731c93fb-f123-403a-9b4f-45720eeed474"
"replace_ldap_base_dn" with your base DN, example "DC=phenixid,DC=local"
"replace_phxverify_user_attrib" with "sAMAccountName" for Active Directory or "uid" for other LDAP directories
"replace_phxverify_bankid_attrib" with the LDAP attribute holding the personal number (pnr) passed to the Swedish BankID valve, example "employeeID"
"replace_gw_id" with the Scenario ID of the Message Gateway used to send the SMS OTP
"replace_smtp_settings" with the ID of the SMTP settings used to send the e-mail OTP (referenced by OTPBySMTPValve in the phxverify-verifychoice pipe)
"replace_phxverify_bankid_keystore" with the Swedish BankID keystore ID, example "22962990-a11a-4f3e-b6b4-2554b9b9072e"
Before going live, also review the following in the pipes above:
- BankIDAuthenticateValve and BankIDCollectAuthenticationStatusValve are both configured with "mode": "test". Change this to the production mode value described in the PhenixID BankID valve documentation; otherwise verifications are performed against the BankID test environment.
- BankIDAuthenticateValve reads the end-user IP from the X-Forwarded-For header ("client_ip_request_param"). That header is client-controlled unless a trusted reverse proxy in front of PhenixID sets or overwrites it, so only keep this setting when such a proxy is in place.
- The user lookups in the phxverify-username pipe build LDAP filters from the request parameters username, mail and mobile. Confirm that the filter template escapes LDAP filter metacharacters in these values; although the caller must be an authenticated help-desk user, the supplied value should not be able to change the meaning of the filter.
Step 4 - SAML 2 Identity providers
Add the following configuration to “SAML 2 Identity providers”
{
"id" : "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
"name" : "SAML IDP",
"description" : "PHXVerifyIdP",
"keystore" : "replace_keystore_id",
"entityID" : "https://replace_phxverify_idp/phxverify/authenticate/phxverifyidp",
"requireSigned" : "true",
"postSSOURL" : "https://replace_phxverify_idp/phxverify/authenticate/phxverifyidp"
},
{
"id": "1c650882-8e14-4bd6-9f6a-ef3553c5a43c",
"name": "SAML IDP",
"description": "PHXVerifySSO",
"keystore": "replace_keystore_id",
"entityID": "https://replace_phxverify_idp/phxverify/authenticate/phxverifysso",
"requireSigned": "true",
"postSSOURL": "https://replace_phxverify_idp/phxverifysaml/authenticate/phxverifysso"
}
Replace the following settings:
"replace_phxverify_idp" with the address (host name and port) of your PhenixID server, example "phxverify.phenixid.se:8443"
"replace_keystore_id" with the ID of the keystore to use (the keystore listed under Requirements).
Note that the postSSOURL of the PHXVerifySSO entry uses the path "/phxverifysaml/authenticate/phxverifysso", while every other URL in this guide uses "/phxverify/authenticate/"; verify that this path matches the context under which the phxverifysso authenticator is exposed in your installation before relying on it.
Step 5 - SAML 2 Service providers
Add the following configuration to “SAML 2 Service providers”
{
"id" : "replace_phxverify_sp",
"keystoreSign" : "replace_sp_keystore",
"keystoreEncrypt" : "replace_sp_keystore",
"entityID" : "replace_phxverify_sp"
}
Replace the following settings :
"replace_phxverify_sp" with the address to your PhenixID Server and port to use, example "https://phxverify.phenixid.se:8443"
"replace_sp_keystore" with the keystore ID to be used by the Service Provider (SP), example "44962990-a11a-4f3e-b6b4-2554b9b9072f"
Step 6 - Pipe valves
Add the following configuration to “Pipe valves"
{
"id" : "a3d20fa0-b556-41aa-985d-aa30d4dc993c",
"name" : "InputParameterExistValidatorValve",
"enabled" : "true",
"config" : {
"param_name" : "password",
"skip_if_expr" : "request.authenticatedrequest === 'true'"
}
},
{
"id" : "1073e906-05ec-48ea-8888-1cde79e40219",
"name" : "LDAPSearchValve",
"enabled" : "true",
"config" : {
"connection_ref" : "replace_ldap_id",
"base_dn" : "replace_ldap_base_dn",
"scope" : "SUB",
"size_limit" : "0",
"_filter_template" : "replace_phxverify_user_attrib={{request.username}}",
"filter_template": "(&(replace_phxverify_user_attrib={{request.username}})(replace_phxverify_group_member))",
"guide_ref" : "4a3714f3-99dd-49fe-8154-8beded40d0d0"
}
},
{
"id" : "28309e6a-b1cb-479e-8432-fb7e9ec28771",
"name" : "LDAPBindValve",
"enabled" : "true",
"config" : {
"connection_ref" : "replace_ldap_id",
"password_param_name" : "password",
"lockout_enabled" : "false",
"lockout_login_attempts" : "3",
"lockout_login_window" : "30",
"lockout_time" : "60",
"guide_ref" : "4a3714f3-99dd-49fe-8154-8beded40d0d0"
}
},
{
"id" : "cf0cbbde-597f-4ecd-85e3-72a46903d727",
"name" : "AssertionProvider",
"enabled" : "true",
"config" : {
"targetEntityID" : "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
"sourceID" : "replace_phxverify_sp",
"nameIDAttribute" : "replace_phxverify_user_attrib",
"guide_ref" : "4a3714f3-99dd-49fe-8154-8beded40d0d0"
}
},
{
"id": "a6920bf0-b1a3-473e-b669-20cbedf2e8af",
"name": "FlowFailValve",
"enabled": "true",
"config": {
"skip_if_expr": "request.get('authenticatedrequest').equals('true')",
"proceed_on_error": "false",
"message": "common.messages.failure"
},
"pipe_ref": "951af7c4-0772-4030-b90a-c3f53c3332fb"
},
{
"id": "878b91e8-a4c0-42ef-b963-9fd0c437b0e0",
"name": "LDAPSearchValve",
"enabled": "true",
"config": {
"connection_ref": "replace_ldap_id",
"base_dn": "replace_ldap_base_dn",
"scope": "SUB",
"size_limit": "0",
"filter_template": "replace_phxverify_user_attrib={{request.username}}",
"guide_ref": "4cd62bf9-a01d-4a3d-aa55-2dda957e26cc"
}
},
{
"id": "phxverifyadm1",
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"id": "phxverifyadm2",
"name": "SessionPropertyAddValve",
"config": {
"name": "adminuser",
"value": "{{item.givenName}} {{item.sn}}"
}
},
{
"id": "phxverifyadm3",
"name": "SessionPersistValve",
"config": {}
},
{
"id": "88a8b3be-2e54-4294-92ad-8ba88c40e427",
"name": "AssertionProvider",
"enabled": "true",
"config": {
"targetEntityID": "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
"sourceID": "replace_phxverify_sp",
"nameIDAttribute": "replace_phxverify_user_attrib",
"guide_ref": "4cd62bf9-a01d-4a3d-aa55-2dda957e26cc"
}
}
Replace the following settings:
"replace_ldap_id" with your LDAP connection ID, example "731c93fb-f123-403a-9b4f-45720eeed474"
"replace_ldap_base_dn" with your base DN, example "DC=phenixid,DC=local"
"replace_phxverify_user_attrib" with "sAMAccountName" for Active Directory or "uid" for other LDAP directories
"replace_phxverify_group_member" with an LDAP filter component matching the security group that controls who may use this service, example "memberOf=CN=PhenixID-PhxVerifyAdmin,OU=Groups,DC=phenixid,DC=se"
"replace_phxverify_sp" with the address of your PhenixID server and port, example "https://phxverify.phenixid.se:8443"
Notes for a production deployment:
- The LDAPBindValve (28309e6a-b1cb-479e-8432-fb7e9ec28771) is configured with "lockout_enabled": "false", so failed help-desk logins are not throttled by PhenixID. Enable the lockout settings, or make sure the directory's own lockout policy applies, to limit password guessing against this login.
- Only the LDAPSearchValve used by the PHXVerifyIdP pipe (1073e906-05ec-48ea-8888-1cde79e40219) includes the "replace_phxverify_group_member" restriction; the one used by the PHXVerifySSO pipe (878b91e8-a4c0-42ef-b963-9fd0c437b0e0) searches on the user attribute alone. If the SSO path is meant to be limited to the same group, add the same filter there.
- Several valves skip the password requirement when the request parameter "authenticatedrequest" equals "true" (a3d20fa0-b556-41aa-985d-aa30d4dc993c, a6920bf0-b1a3-473e-b669-20cbedf2e8af, and the Dispatch mapping in Step 1), and the PHXVerifySSO pipe contains no LDAPBindValve. Confirm that this parameter is only honoured for requests that PhenixID has already authenticated and cannot simply be supplied by a client.