OIDC / OAuth - Add configuration to achieve Single-Sign-On (SSO)

This document is written for PhenixID Authentication Services (PAS).

The reader should have some basic knowledge about PAS.

This document describes how to configure the system to achieve SSO (Single-Sign on) for OpenID Connect / OAuth authentication flows.

Overview

- If you are using PAS as an OP/SAML SP bridge with a SAML Identity Provider, SSO should take place on the SAML IdP. If you are using another authentication mechanism on the OP, follow the steps below.

Prerequisites

- At least one OIDC OP configured (using the guide in PAS Configuration Manager). This OP is referred to below as OP1.

Add SSO authenticator

  • Log in to the configuration UI, go to the "Scenarios" tab
  • Click OIDC
  • Add a new OIDC OP by clicking the plus sign to the right of Username and Password (This OP will be referred to below as OP_SSO.)
  • Name the OIDC OP "SSO"
  • Select the same flow type, allowed RPs etc. as OP1
  • Set tenant = dummy
  • Once done, click Execution flow
  • Remove the LDAPBindValve from the flow (or modify the SQL statement if the users are located in a SQL store)
  • If needed, modify the execution flow (the first one) with the same modifications as OP1
  • Click View OP Discovery
  • Fetch the OP_SSO startpoint alias by copying the last part of the authorization_endpoint URL. This will be used in later steps. Example:


Fetch OP1 original startpoint alias

  • Log in to the configuration UI, go to the "Scenarios" tab
  • Click the OP1 configuration
  • Click View OP Discovery
  • Copy the last part of the authorization_endpoint URL for later usage. Example:

Change alias for OP1

- Log in to the configuration UI, go to the "Scenarios" tab

- Click Advanced

- Click on the pen to the right of Authentication - HTTP

- Search for the OP1 alias fetched in the previous step (oidc_otp in the above example).

- Change the alias value by appending _auth to the old value (oidc_otp becomes oidc_otp_auth). Example below.

- Click Stage changes and Commit changes

Find authenticator IDs

Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".

Fetch the id parameter value of the following two authenticators:

- The authenticator used for OP1:

{
  "alias": "oidc_otp_auth",
  "name": "OIDCPostUidPasswordAndOTP",
  "configuration": {
    "userValidationPipeID": "9945b2a3-a25c-4f22-b618-affed640eabf",
    "otpValidationPipeID": "b283e3dd-a672-4c41-a909-64ac0f75d5f1",
    "allowedRP": [
      "ff"
    ],
    "loginTemplate": "login.template",
    "otp": "otp",
    "userNameParamName": "username",
    "otpParamterName": "otp",
    "requireConsent": "false",
    "consentTemplate": "oidcconsent",
    "enableHoneypot": "true"
  },
  "created": "2019-10-21T07:03:06.794Z",
  "id": "74859296-96c2-4e5f-b257-4fe3ee94dc8d"
}

- The authenticator used for OP_SSO:

{
  "alias": "oidc_az",
  "name": "OIDCPostUidAndPassword",
  "configuration": {
    "pipeID": "39ed8579-1509-4d58-9025-cd028d3c56a9",
    "allowedRP": [
      "ff"
    ],
    "loginTemplate": "login.template",
    "userNameParamName": "username",
    "passworParamterName": "password",
    "requireConsent": "false",
    "consentTemplate": "oidcconsent",
    "enableHoneypot": "true"
  },
  "created": "2020-04-16T12:45:28.429Z",
  "id": "818cc560-fa60-44d2-9e16-cff7b0aeaa22"
}

Add Dispatch authenticator

Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".

Add a new Dispatch authenticator object.

- Set "alias" to OP1 original startpoint alias

- Set "idpID" to "dummy"

- Set the first "authenticator" value to OP1 id

- Set the second "authenticator" value to OP_SSO id

{
  "name": "Dispatch",
  "id": "start",
  "alias": "oidc_otp",
  "configuration": {
    "idpID": "dummy",
    "mapping": [
      {
        "authenticator": "74859296-96c2-4e5f-b257-4fe3ee94dc8d",
        "expression": "!request.getParameter('authenticatedrequest').equals('true')"
      },
      {
        "authenticator": "818cc560-fa60-44d2-9e16-cff7b0aeaa22",
        "expression": "request.getParameter('authenticatedrequest').equals('true')"
      }
    ]
  }
}

When done, press Stage changes and Commit changes.
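The Dispatch object only works if every "authenticator" value it maps to is the exact id of an existing authenticator, the two expressions are complementary, and OP1's original alias is no longer held by OP1 itself. The following added example (not part of PhenixID's product or documentation) is a small consistency checker for the "Authentication - HTTP" list; it works on a constructed sample modelled on the three objects above, in which the first Dispatch mapping deliberately carries a truncated id so there is a defect to report. The function names and the sample data are assumptions of this example.

```python
import copy
import json

# Constructed sample of the "Authentication - HTTP" authenticator list, modelled on the
# three objects shown in this guide. The Dispatch entry's first mapping deliberately
# carries the truncated id "4859296-..." (the OP1 id is "74859296-...") so the checker
# has a realistic defect to report.
SAMPLE_AUTHENTICATORS = json.loads(r'''
[
  {"alias": "oidc_otp_auth", "name": "OIDCPostUidPasswordAndOTP",
   "configuration": {"allowedRP": ["ff"]},
   "id": "74859296-96c2-4e5f-b257-4fe3ee94dc8d"},
  {"alias": "oidc_az", "name": "OIDCPostUidAndPassword",
   "configuration": {"allowedRP": ["ff"]},
   "id": "818cc560-fa60-44d2-9e16-cff7b0aeaa22"},
  {"name": "Dispatch", "id": "start", "alias": "oidc_otp",
   "configuration": {"idpID": "dummy", "mapping": [
     {"authenticator": "4859296-96c2-4e5f-b257-4fe3ee94dc8d",
      "expression": "!request.getParameter('authenticatedrequest').equals('true')"},
     {"authenticator": "818cc560-fa60-44d2-9e16-cff7b0aeaa22",
      "expression": "request.getParameter('authenticatedrequest').equals('true')"}]}}
]
''')

# The request parameter the Dispatch expressions switch on (taken from the guide).
SWITCH_PARAM = "authenticatedrequest"


def check_dispatch_config(authenticators):
    """Return a list of problem descriptions; an empty list means the wiring is consistent."""
    problems = []
    by_id = {a["id"]: a for a in authenticators}

    # Aliases are the URL start points, so they must be unique. The Dispatch takes over
    # OP1's original alias, which is why OP1 itself has to be renamed (<alias>_auth) first.
    owner = {}
    for a in authenticators:
        alias = a.get("alias")
        if alias is None:
            continue
        if alias in owner:
            problems.append(f"alias {alias!r} is used by both {owner[alias]} and {a['name']}")
        owner[alias] = a["name"]

    for disp in (a for a in authenticators if a["name"] == "Dispatch"):
        mapping = disp["configuration"].get("mapping", [])
        if len(mapping) != 2:
            problems.append("Dispatch should map exactly two authenticators (OP1 and OP_SSO)")

        resolved, negated = [], []
        for entry in mapping:
            target, expr = entry["authenticator"], entry["expression"]
            if target not in by_id:
                # Typical copy/paste defect: one dropped character makes the id dangle.
                problems.append(f"Dispatch references unknown authenticator id {target!r}")
            else:
                resolved.append(by_id[target])
            if SWITCH_PARAM not in expr:
                problems.append(f"mapping expression does not test {SWITCH_PARAM!r}: {expr}")
            negated.append(expr.lstrip().startswith("!"))

        # One branch must be the negation of the other, otherwise a request could match
        # both (or neither) and the SSO path would not be selected deterministically.
        if len(mapping) == 2 and negated[0] == negated[1]:
            problems.append("Dispatch expressions are not complementary")

        # Both targets should serve the same RPs: the guide requires OP_SSO to mirror OP1.
        rp_sets = {tuple(sorted(t["configuration"].get("allowedRP", []))) for t in resolved}
        if len(rp_sets) > 1:
            problems.append(f"allowedRP differs between dispatched authenticators: {sorted(rp_sets)}")

        if len(resolved) == 2 and resolved[0] is resolved[1]:
            problems.append("both Dispatch branches point at the same authenticator")

    return problems


def with_mapping_id(authenticators, mapping_index, new_id):
    """Return a deep copy in which the Dispatch mapping at mapping_index targets new_id."""
    fixed = copy.deepcopy(authenticators)
    for a in fixed:
        if a["name"] == "Dispatch":
            a["configuration"]["mapping"][mapping_index]["authenticator"] = new_id
    return fixed


if __name__ == "__main__":
    for problem in check_dispatch_config(SAMPLE_AUTHENTICATORS):
        print("PROBLEM:", problem)
```

Run against the sample it reports the dangling id; after replacing it with the full OP1 id the checker returns an empty list. Paste the real authenticator list exported from the configuration UI into SAMPLE_AUTHENTICATORS to check your own wiring before you commit changes.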

Modify SSO authenticator

The OP_SSO flow performs no credential check (the LDAPBindValve was removed), so it must not be reachable except through the Dispatch authenticator. To prevent anonymous execution of the SSO authentication flow, follow these steps:

- Log in to the configuration UI, go to the "Scenarios" tab

- Click on the OP_SSO OIDC scenario

- Click Execution flow

- Expand the first Execution flow

- Click Add valve

- Enter FlowFailValve

- Check Enabled

- Click Advanced and add the following as the skip if expression:

request.get('authenticatedrequest').equals('true')

- Move the newly added valve so that it is executed first

- Save changes


Test

- Open the RP and click login

- Make sure you're logged in to the RP correctly

- Log out from the RP (not from the OP)

- With the browser still open, try to log in to the RP again

- You should now be logged in to the RP without having to authenticate again.