PhenixID Verify User Identity for PAS 3.0 or later

Following the steps below creates a service for verifying the identity of a user who calls in to the help desk or other functions in your organisation.

The user's available verification methods will be displayed, and the person handling the call can select one of them to verify the identity of the user.

Requirements

  • A keystore configured for use by the SAML function in this configuration
  • A Swedish BankID keystore configured, if Swedish BankID will be used
  • All verification methods to be used configured

Step 1 - Authentication - HTTP

Add the following configuration to “Authentication - HTTP” 

	{
		"alias": "phxverify",
		"name": "Registration",
		"id": "phxverify",
		"configuration": {
			"stages": [
				{
					"pipeid": "phxverify-username",
					"template": "phxverify",
					"sessionValues": [
						"roles",
						"adminuser"
					],
					"translation": [
						"phxverify.messages.information.title",
						"phxverify.messages.information.searchuser",
						"phxverify.messages.username",
						"phxverify.messages.querybox",
						"phxverify.messages.or",
						"phxverify.messages.logout"
					],
					"templateVariables": {
						"searchmethods": [
							{
								"type": "username",
								"title": "phxverify.messages.username"
							},
							{
								"type": "mail",
								"title": "phxverify.messages.mail"
							},
							{
								"type": "mobile",
								"title": "phxverify.messages.mobile"
							}
						],
						"settings": {
							"sp_url": "/phxverify/authenticate/phxverifysp/"
						}
					},
					"errorTranslation": [
						{
							"key": "User does not exist",
							"value": "phxverify.error.usernotexist"
						},
						{
							"key": "Multiple users found",
							"value": "phxverify.error.multipleusersfound"
						},
						{
							"key": "Login failed",
							"value": "phxverify.error.loginfailed"
						}
					]
				},
				{
					"pipeid": "phxverify-verifychoice",
					"template": "phxverify",
					"templateVariables": {
						"useBid": "true",
						"methods": [
							{
								"type": "ot",
								"title": "phxverify.messages.ot"
							},
							{
								"type": "token",
								"title": "phxverify.messages.pp"
							},
							{
								"type": "sms",
								"title": "phxverify.messages.sms"
							},
							{
								"type": "mail",
								"title": "phxverify.messages.mail"
							},
							{
								"type": "bid",
								"title": "phxverify.messages.bid"
							}
						]
					},
					"sessionValues": [
						"phxverify-disabled-token",
						"phxverify-disabled-sms",
						"phxverify-disabled-ot",
						"phxverify-disabled-mail",
						"phxverify-disabled-bid",
						"givenname",
						"sn",
						"mobile",
						"username",
						"mail",
						"roles",
						"adminuser",
						"pnrsub"
					],
					"translation": [
						"phxverify.messages.information.title",
						"phxverify.messages.username",
						"phxverify.messages.givenname",
						"phxverify.messages.snname",
						"phxverify.messages.mobile",
						"phxverify.messages.mail",
						"phxverify.messages.information.choose_method",
						"phxverify.messages.cancel",
						"phxverify.messages.logout",
						"phxverify.messages.bid"
					],
					"errorTranslation": [
						{
							"key": "Wrong verification code",
							"value": "phxverify.error.wrongotp"
						},
						{
							"key": "User does not exist",
							"value": "phxverify.error.usernotexist"
						},
						{
							"key": "Multiple users found",
							"value": "phxverify.error.multipleusersfound"
						},
						{
							"key": "Login failed",
							"value": "phxverify.error.loginfailed"
						},
						{
							"key": "alreadyInProgress",
							"value": "phxverify.error.bid_alreadyinprogress"
						}
					]
				},
				{
					"pipeid": "phxverify-verifyOTP",
					"template": "phxverify",
					"templateVariables": {
						"useBid": "true"
					},
					"translation": [
						"phxverify.messages.information.title",
						"phxverify.messages.username",
						"phxverify.messages.enterotp",
						"phxverify.messages.givenname",
						"phxverify.messages.snname",
						"phxverify.messages.mobile",
						"phxverify.messages.mail",
						"phxverify.messages.ot",
						"phxverify.messages.otstatus",
						"phxverify.messages.sms",
						"phxverify.messages.mail",
						"phxverify.messages.pp",
						"phxverify.messages.verify",
						"phxverify.messages.information.verifyotp",
						"phxverify.messages.information.otpending",
						"phxverify.messages.information.bidpending",
						"phxverify.messages.information.ot_timedout",
						"phxverify.messages.information.bid_timedout",
						"phxverify.messages.cancel",
						"phxverify.messages.logout",
						"phxverify.messages.bid"
					],
					"sessionValues": [
						"phxverify-disabled-token",
						"phxverify-disabled-sms",
						"phxverify-disabled-ot",
						"phxverify-disabled-mail",
						"phxverify-disabled-bid",
						"givenname",
						"sn",
						"mobile",
						"username",
						"mail",
						"roles",
						"phxverify-verifyotp",
						"phxverify-otpending",
						"phxverify-bidpending",
						"adminuser",
						"pnrsub"
					],
					"errorTranslation": [
						{
							"key": "Wrong verification code",
							"value": "phxverify.error.wrongotp"
						},
						{
							"key": "User does not exist",
							"value": "phxverify.error.usernotexist"
						},
						{
							"key": "User rejected",
							"value": "ot_rejected"
						},
						{
							"key": "Pending user confirmation",
							"value": "ot_pending"
						},
						{
							"key": "User confirmation in progress",
							"value": "ot_inprogress"
						},
						{
							"key": "bid-outstandingTransaction",
							"value": "bid_outstandingTransaction"
						},
						{
							"key": "bid-noClient",
							"value": "bid_noClient"
						},
						{
							"key": "phxverify.messages.bid_startbankid",
							"value": "bid_startbankid"
						},
						{
							"key": "bid-started",
							"value": "bid_started"
						},
						{
							"key": "phxverify.messages.bid_usersign",
							"value": "bid_userSign"
						},
						{
							"key": "bid-expiredTransaction",
							"value": "bid_expiredTransaction"
						},
						{
							"key": "bid-certificateErr",
							"value": "bid_certificateErr"
						},
						{
							"key": "bid-userCancel",
							"value": "bid_userCancel"
						},
						{
							"key": "bid-cancelled",
							"value": "bid_cancelled"
						},
						{
							"key": "bid-startFailed",
							"value": "bid_startFailed"
						},
						{
							"key": "bid-unknown",
							"value": "bid_unknown"
						},
						{
							"key": "Multiple users found",
							"value": "phxverify.error.multipleusersfound"
						},
						{
							"key": "Login failed",
							"value": "phxverify.error.loginfailed"
						}
					]
				},
				{
					"pipeid": "phxverify-complete",
					"template": "phxverify",
					"templateVariables": {
						"useBid": "true"
					},
					"translation": [
						"phxverify.messages.information.title",
						"phxverify.messages.username",
						"phxverify.messages.enterotp",
						"phxverify.messages.givenname",
						"phxverify.messages.snname",
						"phxverify.messages.mobile",
						"phxverify.messages.mail",
						"phxverify.messages.ot",
						"phxverify.messages.otstatus",
						"phxverify.messages.sms",
						"phxverify.messages.mail",
						"phxverify.messages.pp",
						"phxverify.messages.cancel",
						"phxverify.messages.userverified",
						"phxverify.messages.logout",
						"phxverify.messages.bid"
					],
					"sessionValues": [
						"phxverify-disabled-token",
						"phxverify-disabled-sms",
						"phxverify-disabled-ot",
						"phxverify-disabled-mail",
						"givenname",
						"sn",
						"mobile",
						"username",
						"mail",
						"phxverify-newstatus",
						"roles",
						"adminuser",
						"pnrsub"
					],
					"errorTranslation": [
						{
							"key": "Wrong verification code",
							"value": "phxverify.error.wrongotp"
						},
						{
							"key": "User does not exist",
							"value": "phxverify.error.usernotexist"
						},
						{
							"key": "Multiple users found",
							"value": "phxverify.error.multipleusersfound"
						},
						{
							"key": "Login failed",
							"value": "phxverify.error.loginfailed"
						}
					]
				}
			]
		}
	},
	{
		"id": "phxverifysp",
		"alias": "phxverifysp",
		"name": "SAMLServiceProviderAuthN",
		"displayName": "PHXVerify IdP",
		"configuration": {
			"successURL": "/phxverify/authenticate/phxverify/",
			"sp": "https://replace_phxverify_address",
			"pipeID": "PHXVerifySPPipe",
			"targetIDP": "https://replace_phxverify_address/phxverify/authenticate/phxverifyidp",
			"acsUrl": "https://replace_phxverify_address/phxverify/authenticate/phxverifysp",
			"entityID": "https://replace_phxverify_address"
		}
	},
	{
		"id": "e93a1158-b7b4-4491-9770-24901c3b0296",
		"alias": "phxverifyidp2",
		"name": "PostUidAndPasswordSAML",
		"displayName": "PHXVerifyiDP",
		"configuration": {
			"pipeID": "d449c9a9-0601-484f-ac62-a273f5a4ecc9",
			"idpID": "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
			"translation": [
				{
					"mapKeyTo": "phxverify.messages.information.title",
					"key": "login.messages.information.title"
				},
				{
					"mapKeyTo": "phxverify.messages.information.header",
					"key": "login.messages.information.header"
				},
				{
					"mapKeyTo": "phxverify.messages.information.body",
					"key": "login.messages.information.body"
				}
			]
		}
	},
	{
		"id": "002cd990-af32-4a27-9dc0-815eff7a717a",
		"alias": "phxverifysso",
		"name": "PostUidAndPasswordSAML",
		"displayName": "PHXVerifySSO",
		"configuration": {
			"pipeID": "951af7c4-0772-4030-b90a-c3f53c3332fb",
			"idpID": "1c650882-8e14-4bd6-9f6a-ef3553c5a43c"
		}
	},
	{
		"name": "Dispatch",
		"id": "phxverifyidp",
		"alias": "phxverifyidp",
		"configuration": {
			"idpID": "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
			"mapping": [
				{
					"authenticator": "e93a1158-b7b4-4491-9770-24901c3b0296",
					"expression": "!request.getParameter('authenticatedrequest').equals('true')"
				},
				{
					"authenticator": "002cd990-af32-4a27-9dc0-815eff7a717a",
					"expression": "request.getParameter('authenticatedrequest').equals('true')"
				}
			]
		}
	}

Replace the following settings:

"replace_phxverify_address" with the address and port of your PhenixID server, for example "phxverify.phenixid.se:8443"

To disable Swedish BankID as a user verification option:

  • Change every "useBid": "true" to "useBid": "" in the configuration above
  • Remove the following entry from the "methods" section in the configuration above
    {
    "type": "bid",
    "title": "phxverify.messages.bid"
    }

 

Step 2 - Guide configuration

Add the following configuration to “Guide configuration”

	{
		"id" : "ba6e71aa-4e32-4a5c-88df-a2ed6ee1709e",
		"name" : "PHXVerifyIdP",
		"description" : "PHXVerifyIdP",
		"type" : "guides.authentication.saml.samluidpwd2",
		"config" : {
			"pipeID" : "d449c9a9-0601-484f-ac62-a273f5a4ecc9",
			"idp_ref" : "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
			"auth_ref" : "e93a1158-b7b4-4491-9770-24901c3b0296",
			"ldap_connection_ref" : "replace_ldap_id"
			}
	},
	{
		"id": "51265e65-b112-4948-a285-4851d772ec5c",
		"name": "PHXVerifySSO",
		"description": "PHXVerifySSO",
		"type": "guides.authentication.saml.samluidpwd2",
		"config": {
			"pipeID": "951af7c4-0772-4030-b90a-c3f53c3332fb",
			"idp_ref": "1c650882-8e14-4bd6-9f6a-ef3553c5a43c",
			"auth_ref": "002cd990-af32-4a27-9dc0-815eff7a717a",
			"ldap_connection_ref": "replace_ldap_id"
		}
	}

Replace "replace_ldap_id" with the LDAP Scenario ID.


Step 3 - Pipes

Add the following configuration to “Pipes”

	{
		"id": "phxverify-username",
		"valves": [
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "Login failed",
					"skip_if_expr": "request.get('authenticatedrequest').equals('true')"
				}
			},
			{
				"name" : "SessionPropertyRemoveValve",
				"config": {
					"name":"username,generated_otp,phxverify-verifyotp,ot_verify,phxverify-otpending,phxverify-bidpending,phxverify-disabled-bid,phxverify-newstatus,phxverify-disabled-sms,phxverify-disabled-mail,phxverify-disabled-token,phxverify-disabled-ot,givenname,OATH,PKI,username,mobile,sn,mail,pnr,pnrsub"
				}
			},
			{
				"name": "LDAPSearchValve",
				"config": {
					"connection_ref": "replace_ldap_id",
					"base_dn": "replace_ldap_base_dn",
					"scope": "SUB",
					"size_limit": "0",
					"filter_template": "replace_phxverify_user_attrib={{request.username}}",
					"attributes": "mobile,givenName,sn,mail,replace_phxverify_bankid_attrib",
					"exec_if_expr": "request.get('username')!=null"
				}
			},
			{
				"name": "LDAPSearchValve",
				"config": {
					"connection_ref": "replace_ldap_id",
					"base_dn": "replace_ldap_base_dn",
					"scope": "SUB",
					"size_limit": "0",
					"filter_template": "mail={{request.mail}}",
					"attributes": "mobile,givenName,sn,mail,replace_phxverify_user_attrib,replace_phxverify_bankid_attrib",
					"exec_if_expr": "request.get('mail')!=null"
				}
			},
			{
				"name": "LDAPSearchValve",
				"config": {
					"connection_ref": "replace_ldap_id",
					"base_dn": "replace_ldap_base_dn",
					"scope": "SUB",
					"size_limit": "0",
					"filter_template": "mobile={{request.mobile}}",
					"attributes": "mobile,givenName,sn,mail,replace_phxverify_user_attrib,replace_phxverify_bankid_attrib",
					"exec_if_expr": "request.get('mobile')!=null"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "User does not exist",
					"exec_if_expr": "flow.items().isEmpty()"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "Multiple users found",
					"skip_if_expr": "flow.isSingle()"
				}
			},
			{
				"config": {
					"name": "username",
					"value": "{{request.username}}",
					"exec_if_expr": "request.get('username')!=null"
				},
				"name": "SessionPropertyAddValve"
			},
			{
				"config": {
					"name": "username",
					"value": "{{item.replace_phxverify_user_attrib}}",
					"exec_if_expr": "request.get('mail')!=null || request.get('mobile')!=null"
				},
				"name": "SessionPropertyAddValve"
			},
			{
				"name": "GetTokenExistsValve",
				"config": {
					"username_attribute": "{{session.username}}",
					"token_type": "OATH",
					"get_value_attribute_key": "OATH"
				}
			},
			{
				"name": "GetTokenExistsValve",
				"config": {
					"username_attribute": "{{session.username}}",
					"token_type": "PKI",
					"get_value_attribute_key": "PKI"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "OATH",
					"value": "{{item.OATH}}"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "PKI",
					"value": "{{item.PKI}}"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "mobile",
					"value": "{{item.mobile}}"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"dest_id": "{{session.pki_user}}",
					"name": "givenname",
					"value": "{{item.givenName}}"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "sn",
					"value": "{{item.sn}}"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "mail",
					"value": "{{item.mail}}"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "pnr",
					"value": "{{item.replace_phxverify_bankid_attrib}}"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "pnr2sub",
					"value": "{{item.replace_phxverify_bankid_attrib}}"
				}
			},
			{
				"name": "PropertySubstringValve",
				"config": {
					"source": "pnr2sub",
					"end_index": "8",
					"begin_index": "0",
					"exec_if_expr": "request.get('replace_phxverify_bankid_attrib')!=null"
				}
			},
			{
				"config": {
					"name": "pnrsub",
					"value": "{{item.pnr2sub}}xxxx"
				},
				"name": "SessionPropertyAddValve"
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-disabled-bid",
					"value": "disabled",
					"exec_if_expr": "",
					"skip_if_expr": "flow.items().get(0).containsProperty('replace_phxverify_bankid_attrib')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-disabled-sms",
					"value": "disabled",
					"exec_if_expr": "",
					"skip_if_expr": "flow.items().get(0).containsProperty('mobile')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-disabled-mail",
					"value": "disabled",
					"exec_if_expr": "",
					"skip_if_expr": "flow.items().get(0).containsProperty('mail')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-disabled-token",
					"value": "disabled",
					"exec_if_expr": "flow.property('OATH').equals('false')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-disabled-ot",
					"value": "disabled",
					"exec_if_expr": "flow.property('PKI').equals('false')"
				}
			},
			{
				"name": "SessionPersistValve",
				"config": {}
			}
		]
	},
	{
		"id": "phxverify-verifychoice",
		"valves": [
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name" : "SessionPropertyRemoveValve",
				"config": {
					"name":"ot_verify, phxverify-otpending,phxverify-bidpending,phxverify-verifyotp,generated_otp,transactionID"
				}
			},
			{
				"name": "ItemCreateValve",
				"config": {
					"dest_id": "{{request.session_id}}"
				}
			},
			{
				"name": "OTPGeneratorValve",
				"config": {
					"length": "6",
					"alpha_numeric": "false",
					"name": "generated_otp",
					"valid_time_in_seconds": "300",
					"exec_if_expr": "",
					"skip_if_expr": ""
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "generated_otp",
					"value": "{{item.generated_otp}}",
					"skip_if_expr": ""
				}
			},
			{
				"name": "OTPBySMSValve",
				"config": {
                                        "message_gateway_settings" : "replace_gw_id",					
					"recipient_param_name": "{{session.mobile}}",
					"generated_otp_name": "generated_otp",
					"use_flash": "true",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('sms')",
					"skip_if_expr": ""
				}
			},
			{
				"name": "OTPBySMTPValve",
				"config": {
					"smtp_settings": "replace_smtp_settings",
					"start_tls_enabled": "true",
					"userid_param_name": "{{session.username}}",
					"mail_param_name": "{{session.mail}}",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('mail')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-verifyotp",
					"value": "true",
					"exec_if_expr": "request.get('type') != null && (request.get('type').contains('sms') || request.get('type').contains('token') || request.get('type').contains('mail'))"
				}
			},
			{
				"name": "IssueAssignmentValve",
				"config": {
					"userNameParameter": "{{session.username}}",
					"serviceName": "Phenixid",
					"authMessage": "Verify your user ID",
					"serviceMessage": "",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('ot')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "ot_verify",
					"value": "{{item.assignmentid}}",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('ot')",
					"skip_if_expr": ""
				}
			},
			{
				"name": "BankIDAuthenticateValve",
				"config": {
					"bankid_keystore": "replace_phxverify_bankid_keystore",
					"mode": "test",
					"pnr": "{{session.pnr}}",
					"client_ip_request_param": "X-Forwarded-For",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid')"
					}
			},
			{
				"name": "ItemMergeValve",
				"config": {
					"dest_id": "{{request.session_id}}"
					}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "alreadyInProgress",
					"exec_if_expr": "flow.property('errorCode').equals('alreadyInProgress')",
					"item_include_expr" : "item.containsProperty('errorCode')"
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "transactionID",
					"value": "{{item.transactionID}}"
					}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-otpending",
					"value": "true",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('ot')",
					"skip_if_expr": ""
				}
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-bidpending",
					"value": "true",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid')",
					"skip_if_expr": ""
				}
			},
			{
				"name": "SessionPersistValve",
				"config": {}
			}
		]
	},
	{
		"id": "phxverify-verifyOTP",
		"valves": [
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "ItemCreateValve",
				"config": {
					"dest_id": "{{request.session_id}}"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "username",
					"value": "{{session.username}}"
				}
			},
			{
				"name": "OTPValidationValve",
				"config": {
					"provided_otp_param_name": "{{request.otp}}",
					"generated_otp_param_name": "generated_otp",
					"proceed_on_error": "true",
					"exec_if_expr": "request.get('type').contains('sms')"
				}
			},
			{
				"name": "OTPValidationValve",
				"config": {
					"provided_otp_param_name": "{{request.otp}}",
					"generated_otp_param_name": "generated_otp",
					"proceed_on_error": "true",
					"exec_if_expr": "request.get('type').contains('mail')"
				}
			},
			{
				"name": "TokenValidationValve",
				"config": {
					"provided_otp_param_name": "{{request.otp}}",
					"otp_length": "6",
					"userid_param_name": "{{item.username}}",
					"exec_if_expr": "request.get('type').contains('token')"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "Wrong verification code",
					"exec_if_expr": "attributes.user_authenticated === false"
				}
			},
			{
				"name": "AssignmentStatusValve",
				"config": {
					"id": "{{session.ot_verify}}",
					"dest": "userverifiedot",
					"exec_if_expr": "request.get('type').contains('ot')"
				}
			},
			{
				"name": "BankIDCollectAuthenticationStatusValve",
				"config": {
					"bankid_keystore": "replace_phxverify_bankid_keystore",
					"mode": "test",
					"transactionID": "{{session.transactionID}}",
					"customerID": "{{session.tenant}}",
					"exec_if_expr": "request.get('type').contains('bid')"
					}
				},
				{
				"name": "ItemMergeValve",
				"enabled": "true",
				"config": {
					"dest_id": "{{request.session_id}}"
					}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "User rejected",
					"exec_if_expr": "flow.property('userverifiedot').equals('REJECTED') && request.get('type').contains('ot')"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "Pending user confirmation",
					"exec_if_expr": "flow.property('userverifiedot').equals('PENDING') && request.get('type').contains('ot')"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "User confirmation in progress",
					"exec_if_expr": "flow.property('userverifiedot').equals('IN_PROGRESS') && request.get('type').contains('ot')"
				}
			},
			{
				"config": {
					"message": "bid-outstandingTransaction",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('outstandingTransaction')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-noClient",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('noClient')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-started",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('started')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-userSign",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('userSign')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-expiredTransaction",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('expiredTransaction')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-certificateErr",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('certificateErr')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-userCancel",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('userCancel')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-cancelled",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('cancelled')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-startFailed",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('startFailed')"
				},
				"name": "FlowFailValve"
			},
			{
				"config": {
					"message": "bid-unknown",
					"exec_if_expr": "request.get('type') != null && request.get('type').contains('bid') && flow.property('hintCode').equals('unknown')"
				},
				"name": "FlowFailValve"
			},
			{
				"name": "SessionPropertyAddValve",
				"config": {
					"name": "phxverify-newstatus",
					"value": "ok"
				}
			},
			{
				"name": "SessionPersistValve",
				"config": {}
			}
		]
	},
	{
		"id": "phxverify-complete",
		"valves": [
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "SessionRemoveValve",
				"config": {}
			}
		]
	},
	{
		"id" : "PHXVerifySPPipe",
		"valves" : [
			{
				"name" : "AssertionConsumer",
				"config" : {}
			},
			{
				"name" : "FlowFailValve",
				"config" : {
					"message" : "User does not exist",
					"exec_if_expr" : "flow.items().isEmpty()"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "roles",
					"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
					"enable_multi_value": "true"
				}
			}
		]
	},
	{
		"id" : "d449c9a9-0601-484f-ac62-a273f5a4ecc9",
		"name" : "Find user and validate password",
		"description" : "Pipe performing username and password authentication",
		"enabled" : "true",
		"config" : {
			"valve_refs" : "a3d20fa0-b556-41aa-985d-aa30d4dc993c,1073e906-05ec-48ea-8888-1cde79e40219,28309e6a-b1cb-479e-8432-fb7e9ec28771,phxverifyadm1,phxverifyadm2,phxverifyadm3,cf0cbbde-597f-4ecd-85e3-72a46903d727"
			}
	},
	{
		"id": "951af7c4-0772-4030-b90a-c3f53c3332fb",
		"name": "Find user and validate password",
		"description": "Pipe performing username and password authentication",
		"enabled": "true",
		"config": {
			"valve_refs": "a6920bf0-b1a3-473e-b669-20cbedf2e8af,878b91e8-a4c0-42ef-b963-9fd0c437b0e0,phxverifyadm1,phxverifyadm2,phxverifyadm3,88a8b3be-2e54-4294-92ad-8ba88c40e427"
		},
		"guide_ref": "4cd62bf9-a01d-4a3d-aa55-2dda957e26cc"
	}

Replace the following settings:

"replace_ldap_id" with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”

"replace_ldap_base_dn" with your “base_dn”, example “DC=phenixid,DC=local”

"replace_phxverify_user_attrib" with "sAMAccountName" if you use Active Directory, or "uid" for other LDAP directories

"replace_phxverify_bankid_attrib" with the attribute used for Swedish BankID in the LDAP directory, example "employeeID"

"replace_gw_id" with the Scenario ID for the Message Gateway

"replace_phxverify_bankid_keystore" with the Swedish BankID keystore ID, example "22962990-a11a-4f3e-b6b4-2554b9b9072e"



Step 4 - SAML 2 Identity providers

Add the following configuration to “SAML 2 Identity providers”

	{
		"id" : "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
		"name" : "SAML IDP",
		"description" : "PHXVerifyIdP",
		"keystore" : "replace_keystore_id",
		"entityID" : "https://"replace_phxverify_idp"/phxverify/authenticate/phxverifyidp",
		"requireSigned" : "true",
		"postSSOURL" : "https://"replace_phxverify_idp"/phxverify/authenticate/phxverifyidp"
	},
	{
		"id": "1c650882-8e14-4bd6-9f6a-ef3553c5a43c",
		"name": "SAML IDP",
		"description": "PHXVerifySSO",
		"keystore": "replace_keystore_id",
		"entityID": "https://"replace_phxverify_idp"/phxverify/authenticate/phxverifysso",
		"requireSigned": "true",
		"postSSOURL": "https://"replace_phxverify_idp"/phxverifysaml/authenticate/phxverifysso"
	}

Replace the following settings:

"replace_phxverify_idp" with the address and port of your PhenixID server, for example "phxverify.phenixid.se:8443"; remove the quotation marks surrounding the placeholder as well, so that each URL remains a single JSON string

"replace_keystore_id" with the ID of the keystore to use.

Step 5 - SAML 2 Service providers

Add the following configuration to “SAML 2 Service providers”

	{
	"id" : "replace_phxverify_sp",
	"keystoreSign" : "replace_sp_keystore",
	"keystoreEncrypt" : "replace_sp_keystore",
	"entityID" : "replace_phxverify_sp"
	}

Replace the following settings:

"replace_phxverify_sp" with the address to your PhenixID Server and port to use, example "https://phxverify.phenixid.se:8443"

"replace_sp_keystore" with the keystore ID to be used by the Service Provider (SP), example "44962990-a11a-4f3e-b6b4-2554b9b9072f"

Step 6 - Pipe valves

Add the following configuration to “Pipe valves”

	{
		"id" : "a3d20fa0-b556-41aa-985d-aa30d4dc993c",
		"name" : "InputParameterExistValidatorValve",
		"enabled" : "true",
			"config" : {
			"param_name" : "password",
			"skip_if_expr" : "request.authenticatedrequest === 'true'"
			}
	},
	{
		"id" : "1073e906-05ec-48ea-8888-1cde79e40219",
		"name" : "LDAPSearchValve",
		"enabled" : "true",
		"config" : {
			"connection_ref" : "replace_ldap_id",
			"base_dn" : "replace_ldap_base_dn",
			"scope" : "SUB",
			"size_limit" : "0",
			"_filter_template" : "replace_phxverify_user_attrib={{request.username}}",
			"filter_template": "(&(replace_phxverify_user_attrib={{request.username}})(replace_phxverify_group_member))",
			"guide_ref" : "4a3714f3-99dd-49fe-8154-8beded40d0d0"
			}
	},
	{
		"id" : "28309e6a-b1cb-479e-8432-fb7e9ec28771",
		"name" : "LDAPBindValve",
		"enabled" : "true",
		"config" : {
			"connection_ref" : "replace_ldap_id",
			"password_param_name" : "password",
			"lockout_enabled" : "false",
			"lockout_login_attempts" : "3",
			"lockout_login_window" : "30",
			"lockout_time" : "60",
			"guide_ref" : "4a3714f3-99dd-49fe-8154-8beded40d0d0"
			}
	},
	{
		"id" : "cf0cbbde-597f-4ecd-85e3-72a46903d727",
		"name" : "AssertionProvider",
		"enabled" : "true",
		"config" : {
			"targetEntityID" : "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
			"sourceID" : "replace_phxverify_sp",
			"nameIDAttribute" : "replace_phxverify_user_attrib",
			"guide_ref" : "4a3714f3-99dd-49fe-8154-8beded40d0d0"
			}
	},
	{
		"id": "a6920bf0-b1a3-473e-b669-20cbedf2e8af",
		"name": "FlowFailValve",
		"enabled": "true",
		"config": {
			"skip_if_expr": "request.get('authenticatedrequest').equals('true')",
			"proceed_on_error": "false",
			"message": "common.messages.failure"
		},
		"pipe_ref": "951af7c4-0772-4030-b90a-c3f53c3332fb"
	},
	{
		"id": "878b91e8-a4c0-42ef-b963-9fd0c437b0e0",
		"name": "LDAPSearchValve",
		"enabled": "true",
		"config": {
			"connection_ref": "replace_ldap_id",
			"base_dn": "replace_ldap_base_dn",
			"scope": "SUB",
			"size_limit": "0",
			"filter_template": "replace_phxverify_user_attrib={{request.username}}",
			"guide_ref": "4cd62bf9-a01d-4a3d-aa55-2dda957e26cc"
		}
	},
	{
		"id": "phxverifyadm1",
		"name": "SessionLoadValve",
		"config": {
			"id": "{{request.session_id}}"
		}
	},
	{
		"id": "phxverifyadm2",
			"name": "SessionPropertyAddValve",
			"config": {
				"name": "adminuser",
				"value": "{{item.givenName}} {{item.sn}}"
		}
	},
	{
			"id": "phxverifyadm3",
			"name": "SessionPersistValve",
			"config": {}
	},
	{
		"id": "88a8b3be-2e54-4294-92ad-8ba88c40e427",
		"name": "AssertionProvider",
		"enabled": "true",
		"config": {
			"targetEntityID": "9602d813-76c5-4ab7-b1f8-4ff51b40c3ff",
			"sourceID": "replace_phxverify_sp",
			"nameIDAttribute": "replace_phxverify_user_attrib",
			"guide_ref": "4cd62bf9-a01d-4a3d-aa55-2dda957e26cc"
		}
	}

Replace the following settings:

"replace_ldap_id" with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”

"replace_ldap_base_dn" with your “base_dn”, example “DC=phenixid,DC=local”

"replace_phxverify_user_attrib" with "sAMAccountName" if you use Active Directory, or "uid" for other LDAP directories

"replace_phxverify_group_member" with the security group used to control who can use this service, example "memberOf=CN=PhenixID-PhxVerifyAdmin,OU=Groups,DC=phenixid,DC=se"

"replace_phxverify_sp" with the address to your PhenixID Server and port to use, example "https://phxverify.phenixid.se:8443"