MyApps with authentication selector and roles

Overview

This document describes how to configure a selector that lets the person logging in choose between different types of authentication.
Group membership is then used to determine which applications are shown after login.

Please make sure to have a recent copy of the file phenix-store.json before making any changes.

Prerequisites

PAS 3.0 or later installed.

Configure authenticators and selector

Start by adding the authenticators of choice through the Federation scenarios.
In this example we will use the following:
"Username, password and sms"
"Username, password and token" (Pocket Pass)

When done, configure MyApps and choose one of the newly created authenticators as "Trusted Identity Provider (EntityID)".

We will now add the AuthSelector and SAMLDataSave to “Authentication - HTTP”, on the advanced tab.
Add the selector according to this example:

{
    "name": "AuthSelector",
    "id": "selectorMyapps",
    "alias": "selectorMyapps",
    "configuration": {
        "possibleAuthenticators": [
            {
                "id": "df2656a1-0391-445e-aa42-b03f2cf86a8c",
                "sortorder": "1",
                "image": "/authenticate/res/images/changepwd/pss-sms.png"
            },
            {
                "id": "3201b5ac-3dac-4158-a5b4-bc8035313bdc",
                "sortorder": "2",
                "image": "/authenticate/res/images/changepwd/pss-pp.png"
            }
        ]
    }
},

Here each id is set to the id of the respective authenticator.

Now add the SAMLDataSave, like this example:

{
    "alias": "SAMLDataSave",
    "name": "SAMLDataSave",
    "configuration": {
        "idpID": "idp",
        "nextAuthenticator": "selectorMyapps"
    }
}

The alias of SAMLDataSave should be set to the alias of the authenticator using the IdP that is trusted by MyApps.
So start by changing the alias of that authenticator to something else, sms1 in this example:

"id": "df2656a1-0391-445e-aa42-b03f2cf86a8c",
"alias": "sms1",
"name": "PostUidPasswordAndOTPSAML",

Then set the alias of SAMLDataSave to the entityID used by the IdP (sms).

Set idpID to the internal identifier of the IdP used and nextAuthenticator to the id of the selector.

{
    "alias": "sms",
    "name": "SAMLDataSave",
    "configuration": {
        "idpID": "c91c678d-1852-4040-81fc-a68f92a19d32",
        "nextAuthenticator": "selectorMyapps"
    },
    "id": "7558675c-e222-4f70-a599-164aaa9f9397"
}

NOTE: Make sure to set the id of the trusted IdP on the second authenticator as well, and also on the AssertionProvider (see below). In this scenario MyApps trusts the IdP with entityID "sms", using the id that is now set on SAMLDataSave. The second authenticator in this example has the alias "token":

Change the value of idpID:

When done, click “Stage changes” and “Commit changes”.
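Before staging, it is easy to leave a dangling reference behind: a selector entry pointing at an authenticator id that does not exist, a nextAuthenticator that is not a selector, or two authenticators still sharing the alias "sms" because the original one was never renamed. The following Python script, added here as an example and not part of PhenixID's tooling, checks those cross-references over a constructed list of authenticator entries modelled on the fragments above; the list layout is an assumption, not the real phenix-store.json schema.

```python
import json

# Constructed sample modelled on the fragments quoted in this document; it is not a
# real phenix-store.json export and the list layout is an assumption. The ids are the
# ones shown above, the image paths are shortened.
SAMPLE_AUTHENTICATORS = json.loads("""[
 {"id": "df2656a1-0391-445e-aa42-b03f2cf86a8c", "alias": "sms1",
  "name": "PostUidPasswordAndOTPSAML", "configuration": {}},
 {"id": "3201b5ac-3dac-4158-a5b4-bc8035313bdc", "alias": "token",
  "name": "PostUidPasswordAndOTPSAML", "configuration": {}},
 {"id": "7558675c-e222-4f70-a599-164aaa9f9397", "alias": "sms", "name": "SAMLDataSave",
  "configuration": {"idpID": "c91c678d-1852-4040-81fc-a68f92a19d32",
                    "nextAuthenticator": "selectorMyapps"}},
 {"id": "selectorMyapps", "alias": "selectorMyapps", "name": "AuthSelector",
  "configuration": {"possibleAuthenticators": [
    {"id": "df2656a1-0391-445e-aa42-b03f2cf86a8c", "sortorder": "1", "image": "pss-sms.png"},
    {"id": "3201b5ac-3dac-4158-a5b4-bc8035313bdc", "sortorder": "2", "image": "pss-pp.png"}]}}
]""")


def check_selector_config(authenticators, trusted_entity_id):
    """Return the problems found; an empty list means the cross-references line up."""
    problems = []
    by_id = {a["id"]: a for a in authenticators}
    # Aliases must be unique: SAMLDataSave takes the alias "sms", so the original sms
    # authenticator has to be renamed first (sms1 in this document).
    aliases = [a["alias"] for a in authenticators]
    for alias in sorted(set(aliases)):
        if aliases.count(alias) > 1:
            problems.append(f"alias {alias!r} is used by more than one authenticator")
    for a in authenticators:
        cfg = a["configuration"]
        if a["name"] == "AuthSelector":
            # Every selector entry must point at an authenticator that exists.
            for entry in cfg.get("possibleAuthenticators", []):
                if entry["id"] not in by_id:
                    problems.append(f"selector {a['alias']!r}: unknown authenticator id {entry['id']}")
        elif a["name"] == "SAMLDataSave":
            # Alias must be the entityID MyApps trusts and nextAuthenticator must be the
            # id of a selector, so the chain IdP -> SAMLDataSave -> selector is closed.
            if a["alias"] != trusted_entity_id:
                problems.append(f"SAMLDataSave alias {a['alias']!r} is not the trusted entityID {trusted_entity_id!r}")
            nxt = by_id.get(cfg.get("nextAuthenticator"))
            if nxt is None or nxt["name"] != "AuthSelector":
                problems.append(f"SAMLDataSave {a['alias']!r}: nextAuthenticator is not a selector id")
    return problems
```

Run check_selector_config(SAMPLE_AUTHENTICATORS, "sms") on your own exported list; an empty result means the selector, SAMLDataSave and trusted entityID agree.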

To change the entityID on the AssertionProvider of the second authentication method, go to Scenarios/Federation/<Secondflowused>/Execution flow:

Change the value here as well and save the configuration:

There should now be a choice of login methods, when going to /myapps:

Limit access to applications using roles

When configuration of MyApps is done, two applications are available:

We will now limit access to the respective applications using group membership.
PhenixID Home will only be available to members of the group "Sales" and PhenixID Support will only be available to members of group "Support".

Start by setting the desired role value on the MyApps application:

Then, follow this document to add "appsfiltering" to "myappsLookUpPipe":
Filtering applications in MyApps

We will now add "PropertyContainsValve" and "PropertyAddValve" to the federation execution flow(s).
NOTE: The valves need to be added to each of the login flows used by MyApps.
They should be placed just before the "AssertionProvider":

PropertyContainsValve will use memberOf as the property, the group as token, and a value of choice as destination.
PropertyAddValve will use the name roles and the same value as set on the application.

On the PropertyAddValve, make sure to add an "Execute if expression" like this:
flow.property('enable_support').equals('true')
so that the value is only added for members of the group "Support".

On the AssertionProvider, add the attribute "roles":

Now when logging in, using an account that is member of the group Support, only that application will be displayed:

The same configuration can then be done for Sales, by adding the valves for that role:

The PropertyAddValve will now have:
flow.property('enable_sales').equals('true')
as expression.

When done, members of the group Sales will see the PhenixID Home application:

LogoutURL

The logout can be redirected to a URL of choice using the parameter "logoff_uri", documented here.
Set it to a value similar to:
https://127.0.0.1:8443/saml/authenticate/logout/?nextTarget=https://127.0.0.1:8443/myapps/authenticate/logout/%3FnextTarget%3Dhttps%3A%2F%2Fwww.phenixid.se

For the redirect to work, the URL needs to be whitelisted, instructions here.