SAML - Configure NameID persistent pseudonym
This document describes how to configure the execution flow to create a SAML NameID persistent pseudonym.
System requirements
- PhenixID Server v3.0 or higher installed.
- SAML authentication flow configured.
Configure Execution flow
- Log in to Configuration Manager.
- Locate the execution flow (pipe) containing the AssertionProvider valve (this is the pipe that creates the SAML assertion).
- Add the following valves, placed before the AssertionProvider valve:
  {
    "name": "AuthnRequestDecoder",
    "enabled": "true",
    "config": {
    }
  },
  {
    "name": "InputParameterHashValve",
    "enabled": "true",
    "config": {
      "provided_param_name": "{{request.username}}{{item.issuer}}",
      "destination_attribute_name": "persNameID"
    }
  },
  {
    "name": "PropertyAddValve",
    "enabled": "true",
    "config": {
      "name": "persNameID",
      "value": "{{attributes.persNameID}}"
    }
  },
Notes on the valves above:
- AuthnRequestDecoder only works for SP-initiated SAML. If IdP-initiated SAML is needed, remove this valve.
- In InputParameterHashValve, {{item.issuer}} is only available for SP-initiated SAML. If IdP-initiated SAML is needed, replace {{item.issuer}} with the SP entity ID, either hardcoded or, if possible, taken from the request parameters (in cases where the SP entity ID has been added as a query string parameter).
- If needed, change request.username to the parameter (from request, item or session) that contains the user ID to be used in your scenario.
- Modify the AssertionProvider valve so that it reads the NameID from the persNameID attribute and sets the persistent NameID format (other existing settings are elided below and stay as they are):
  {
    "name": "AssertionProvider",
    "enabled": "true",
    "config": {
      ...
      "nameIDAttribute": "persNameID",
      "misc": [
        {
          ...
          "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        }
      ]
    }
  }
Test
Test by browsing to the authenticator and logging in.
Verify the NameID value and Format in the SAML assertion using a web browser plugin tool, such as SAML Tracer.
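Worked example, added here and not part of the PhenixID documentation or product code, covering both the valve chain configured above and the Test step: it models what AuthnRequestDecoder has to recover (the SP's Issuer), what InputParameterHashValve computes (a hash over the concatenated username and issuer), the SP-initiated versus IdP-initiated choice of entity ID, and the check that the resulting assertion carries a persistent-format NameID with the expected value. The digest (SHA-256, hex) is an assumption, since the page does not state which algorithm the valve uses; the entity IDs, the AuthnRequest, the assertion and all function names (encode_redirect_binding, decode_authn_request, persistent_name_id, name_id_for_login, check_assertion_name_id) are constructed for this example.

```python
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample AuthnRequest; the entity IDs are placeholders, not real endpoints.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-req-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Build a SAMLRequest parameter the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_authn_request(saml_request_param: str) -> dict:
    """The part of AuthnRequestDecoder this flow relies on: recover the SP's Issuer (item.issuer)."""
    inflated = zlib.decompress(base64.b64decode(saml_request_param), -15)
    root = ET.fromstring(inflated)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer; cannot derive a per-SP pseudonym")
    return {"id": root.get("ID"), "issuer": issuer.text.strip()}


def persistent_name_id(username: str, sp_entity_id: str) -> str:
    """InputParameterHashValve equivalent: hash the concatenation username + issuer.
    Assumption: SHA-256 hex; the valve's actual digest algorithm is not stated on the page."""
    return hashlib.sha256((username + sp_entity_id).encode("utf-8")).hexdigest()


def name_id_for_login(username: str, saml_request_param: Optional[str],
                      fallback_sp_entity_id: Optional[str] = None) -> dict:
    """Choose the SP entity ID as the page describes (SP-initiated: from the AuthnRequest;
    IdP-initiated: a configured or hardcoded value) and return what AssertionProvider needs."""
    if saml_request_param is not None:
        sp_entity_id = decode_authn_request(saml_request_param)["issuer"]
    elif fallback_sp_entity_id:
        sp_entity_id = fallback_sp_entity_id
    else:
        raise ValueError("IdP-initiated login needs an explicit SP entity ID")
    return {
        "nameIDAttribute": persistent_name_id(username, sp_entity_id),
        "nameIdFormat": PERSISTENT_FORMAT,
        "spEntityId": sp_entity_id,
    }


def sample_assertion(name_id: str, name_id_format: str) -> str:
    """Constructed minimal assertion, standing in for what SAML Tracer would show."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-assertion-1" Version="2.0"
    IssueInstant="2024-01-01T00:00:01Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
</saml:Assertion>"""


def check_assertion_name_id(assertion_xml: str, expected_name_id: str) -> bool:
    """The Test step: the Subject NameID must carry the persistent format and the derived value."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        return False
    return (name_id.get("Format") == PERSISTENT_FORMAT
            and (name_id.text or "").strip() == expected_name_id)


if __name__ == "__main__":
    request = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    sp_initiated = name_id_for_login("alice", request)
    idp_initiated = name_id_for_login("alice", None, SP_ENTITY_ID)
    other_sp = name_id_for_login("alice", None, "https://other-sp.example.test/metadata")
    print("same user, same SP, both flows:", sp_initiated["nameIDAttribute"] == idp_initiated["nameIDAttribute"])
    print("same user, different SP:", sp_initiated["nameIDAttribute"] != other_sp["nameIDAttribute"])
    assertion = sample_assertion(sp_initiated["nameIDAttribute"], PERSISTENT_FORMAT)
    print("assertion NameID OK:", check_assertion_name_id(assertion, sp_initiated["nameIDAttribute"]))
```

Two properties worth confirming in your own deployment follow directly from the derivation: the value is stable for one user at one SP and differs between SPs, which is the point of the persistent format; and an IdP-initiated flow only yields the same identifier as an SP-initiated one if the hardcoded or query-string entity ID matches the Issuer the SP puts in its AuthnRequest exactly, byte for byte. Since the inputs are the username and the SP's public entity ID, the pseudonym is reproducible by anyone who knows both, so check whether that is acceptable for the identifiers used in your scenario.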