Activate Pocket Pass - Change authentication method
This document describes how to change the authentication method for the Activate Pocket Pass application (by default the application is protected with username/password). This is done using an internal SAML federation flow in which Activate Pocket Pass acts as a SAML SP connected to a SAML IdP.
Requirements
- PhenixID Pocket Pass activation application configured
Configure authentication method
- Login to Configuration Manager
- Set up a SAML IdP with the required authentication method using Scenarios->Federation-><Method>.
(If you can't find the required method, please consult the documentation: http://document.phenixid.net -> Solutions -> Authentication flows -> SAML.)
- Set the entityID to ACTIVATEPP-IDP
- Set NameID to the attribute containing the userID (such as userPrincipalName, sAMAccountName or mail)
Protect the Pocket Pass activation application with a SAML SP
Get keystore id
- Login to Configuration Manager
- Navigate to Advanced -> Keystores
- Locate the keystore object with "name":"Default auto generated server keystore"
- Copy the id value from the keystore
Add SAML SP base configuration
- Navigate to Advanced -> SAML 2 Service Providers
- Add this object
{
  "id": "ACTIVATEPP-SP",
  "keystoreSign": "<REPLACE_THIS_WITH_THE_KEYSTORE_ID_COPIED_IN_PREVIOUS_STEP>",
  "entityID": "ACTIVATEPP-SP"
}
Example:
{
  "id": "ACTIVATEPP-SP",
  "keystoreSign": "f2b90db8-b188-449b-8edc-163b8e3091cf",
  "entityID": "ACTIVATEPP-SP"
}
Add SAML SP authenticator
- Navigate to Advanced -> Authentication - HTTP
- Add this object
{
  "id": "activateppsp",
  "alias": "activateppsp",
  "name": "SAMLServiceProviderAuthN",
  "description": "SAML service provider for activate Pocket Pass application",
  "configuration": {
    "successURL": "/activatepocketpass/",
    "sp": "ACTIVATEPP-SP",
    "pipeID": "pipeAssertionConsumerAP",
    "acsUrl": "/activatepocketpass/authenticate/activateppsp",
    "entityID": "ACTIVATEPP-SP",
    "targetIDP": "ACTIVATEPP-IDP"
  }
}
Get the required role value
- Navigate to Advanced -> Modules
- Locate the module object with "name": "com.phenixidentity~phenix-prism-enroll-oath"
- Copy the requires_role value
Add pipe
- Navigate to Advanced -> Pipes
- Add this pipe:
{
  "id": "pipeAssertionConsumerAP",
  "valves": [
    {
      "name": "AssertionConsumer",
      "config": {}
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "User does not exist",
        "exec_if_expr": "flow.items().isEmpty()"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "roles",
        "value": "<REPLACE_WITH_PREVIOUSLY_FETCHED_REQUIRED_ROLE_VALUE>",
        "enable_multi_value": "true"
      }
    }
  ]
}
Example pipe:
{
  "id": "pipeAssertionConsumerAP",
  "valves": [
    {
      "name": "AssertionConsumer",
      "config": {}
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "User does not exist",
        "exec_if_expr": "flow.items().isEmpty()"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "roles",
        "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
        "enable_multi_value": "true"
      }
    }
  ]
}
Enable the SAML SP authenticator
- Navigate to Advanced -> Modules
- Locate the module with "base_url": "/activatepocketpass"
- Disable the current auth_redirect_url parameter by prefixing its name with an additional underscore (_)
- Add the parameter "auth_redirect_url": "/activatepocketpass/authenticate/activateppsp"
See example:
Test
- Browse to https://<phenixid_server_domain>:<port>/activatepocketpass/
- The browser should be redirected to the IDP authenticator
- Authenticate
- The browser should be redirected to the SP
- You should now be logged in to the Activate Pocket Pass application
Error tracing
Check the server.log file for errors.
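Most failures in this setup come from the objects above not referencing each other exactly (SP id, pipe id, IdP entityID, acsUrl, role value) or from a placeholder left in place. The script below is an added example, not PhenixID tooling: it cross-checks constructed copies of the guide's SP, authenticator, pipe and module objects before you go through server.log.

```python
import re

# Constructed sample objects mirroring the guide's SP, authenticator, pipe and module entries.
IDP_ENTITY_ID = "ACTIVATEPP-IDP"
SP = {"id": "ACTIVATEPP-SP", "entityID": "ACTIVATEPP-SP",
      "keystoreSign": "f2b90db8-b188-449b-8edc-163b8e3091cf"}
AUTHN = {"id": "activateppsp", "alias": "activateppsp", "name": "SAMLServiceProviderAuthN",
         "configuration": {"successURL": "/activatepocketpass/", "sp": "ACTIVATEPP-SP",
                           "pipeID": "pipeAssertionConsumerAP", "entityID": "ACTIVATEPP-SP",
                           "acsUrl": "/activatepocketpass/authenticate/activateppsp",
                           "targetIDP": "ACTIVATEPP-IDP"}}
PIPE = {"id": "pipeAssertionConsumerAP", "valves": [
    {"name": "AssertionConsumer", "config": {}},
    {"name": "FlowFailValve", "config": {"message": "User does not exist",
                                         "exec_if_expr": "flow.items().isEmpty()"}},
    {"name": "PropertyAddValve", "config": {"name": "roles", "enable_multi_value": "true",
                                            "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"}}]}
MODULE = {"name": "com.phenixidentity~phenix-prism-enroll-oath", "base_url": "/activatepocketpass",
          "requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
          "auth_redirect_url": "/activatepocketpass/authenticate/activateppsp"}

PLACEHOLDER = re.compile(r"^<.*>$")  # an unreplaced <REPLACE_...> marker from the guide


def check_config(sp, authn, pipe, module, idp_entity_id):
    """Cross-check the four objects; returns a list of problems (empty when consistent)."""
    problems = []
    cfg = authn["configuration"]
    if PLACEHOLDER.match(sp["keystoreSign"]):
        problems.append("keystoreSign still holds the placeholder; copy the keystore id")
    if cfg["sp"] != sp["id"] or cfg["entityID"] != sp["entityID"]:
        problems.append("authenticator sp/entityID do not match the SAML SP object")
    if cfg["targetIDP"] != idp_entity_id:
        problems.append("targetIDP does not match the IdP entityID")
    if cfg["pipeID"] != pipe["id"]:
        problems.append("pipeID does not match the assertion consumer pipe id")
    valves = {v["name"]: v["config"] for v in pipe["valves"]}
    if "FlowFailValve" not in valves:
        problems.append("pipe lacks FlowFailValve; an unknown user would not be rejected")
    role = valves.get("PropertyAddValve", {}).get("value", "")
    if PLACEHOLDER.match(role) or role != module["requires_role"]:
        problems.append("roles value does not equal the module's requires_role")
    if module.get("auth_redirect_url") != cfg["acsUrl"]:
        problems.append("module auth_redirect_url does not point at the authenticator acsUrl")
    return problems


if __name__ == "__main__":
    print(check_config(SP, AUTHN, PIPE, MODULE, IDP_ENTITY_ID) or "configuration consistent")
```

Paste your own exported objects into the four constants to check a real installation.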