SAML - Configure NameID persistent pseudonym

This document describes how to configure the execution flow to create a SAML NameID persistent pseudonym.

System requirements

- PhenixID Server v3.0 or higher installed.

- SAML authentication flow configured.

Configure Execution flow

- Log in to Configuration Manager.

- Locate the execution flow (pipe) containing the AssertionProvider valve (this is the pipe that creates the SAML assertion).

- Add these valves and place them before the AssertionProvider valve.

	{
		"name": "AuthnRequestDecoder",
		"enabled": "true",
		"config": {
		}
	},
	{
		"name": "InputParameterHashValve",
		"enabled": "true",
		"config": {
			"provided_param_name": "{{request.username}}{{item.issuer}}",
			"destination_attribute_name": "persNameID"
		}
	},
	{
		"name": "PropertyAddValve",
		"enabled": "true",
		"config": {
			"name": "persNameID",
			"value": "{{attributes.persNameID}}"
		}
	},

Notes on the valves above (JSON does not allow inline comments, so they are listed here):

- AuthnRequestDecoder only works for SP-initiated SAML. If IdP-initiated SAML is needed, remove this valve.

- The provided_param_name value {{request.username}}{{item.issuer}} only works for SP-initiated SAML. If IdP-initiated SAML is needed, replace {{item.issuer}} with the SP entity ID, either hardcoded or, if possible, taken from the request parameters (in cases where the SP entity ID has been added as a query string parameter).

- If needed, change request.username to the parameter (from request, item or session) that contains the user ID to be used in your scenario.

- Modify the AssertionProvider valve:

	{
		"name": "AssertionProvider",
		"enabled": "true",
		"config": {
			...
			"nameIDAttribute": "persNameID",
			"misc": [
				{
					...
					"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
				}
			]
		}
	}

Test

Test by browsing to the authenticator and logging in.

Verify the NameID value and Format in the SAML assertion using a web browser plugin, such as SAML Tracer.
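As an added worked example (not part of the PhenixID documentation or product), the following Python models what the configuration above produces: the hash of user ID plus SP entity ID that becomes the persistent pseudonym, a constructed assertion carrying it, and the check the Test step performs on a captured assertion. SHA-256 with hex output, the example entity IDs and the sample assertion are assumptions and constructed data; the valve's actual hash algorithm is not stated on this page.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def persistent_pseudonym(username: str, sp_entity_id: str) -> str:
    """Model of the InputParameterHashValve step: hash the concatenation of
    request.username and item.issuer (the SP entity ID). SHA-256/hex is an
    assumption for illustration; the valve's real algorithm is not on the page."""
    return hashlib.sha256(f"{username}{sp_entity_id}".encode("utf-8")).hexdigest()


def build_assertion(username: str, sp_entity_id: str) -> str:
    """Constructed sample assertion (not PhenixID output) carrying the pseudonym
    as a persistent-format NameID, as the AssertionProvider config requests."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{PERSISTENT}">'
        f"{persistent_pseudonym(username, sp_entity_id)}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


def check_nameid(assertion_xml: str, raw_username: str) -> dict:
    """The Test step, automated: given an assertion captured with a tool such as
    SAML Tracer, confirm the NameID uses the persistent format and does not carry
    the raw user ID (i.e. the pseudonym, not the login name, was released)."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if nameid is None:
        return {"present": False, "persistent": False, "pseudonymous": False, "value": ""}
    value = (nameid.text or "").strip()
    # Substring test is a heuristic: it catches a raw or decorated login name
    # (e.g. "alice" or "alice@...") being released instead of the hash.
    return {
        "present": True,
        "persistent": nameid.get("Format") == PERSISTENT,
        "pseudonymous": raw_username.lower() not in value.lower(),
        "value": value,
    }


if __name__ == "__main__":
    sample = build_assertion("alice", "https://sp-one.example.test/metadata")
    print(check_nameid(sample, "alice"))
```

Note that an unkeyed hash of user ID and entity ID can be recomputed by anyone who knows both inputs, so treat the pseudonym as a stable identifier, not a secret. The same user gets a different pseudonym at each SP, which is the unlinkability the persistent format is meant to provide.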