SAML - Configuring Hypr as an authentication method

The purpose of this document is to describe how to configure PhenixID Authentication Services for federation with SAML2 using Hypr as the authentication method.

Simplified Overview

Prerequisites

  • PAS version 4.0 or higher
  • (For version 4.0.x, Hypr patch must be applied).
  • PAS configured according to this instruction: "Federation - Username and password"
  • Hypr tenant endpoint URL, appID and access_token.
  • Access to Hypr tenant from the PhenixID Authentication Services server (check firewall settings)

Convert the Federation - Username and Password scenario to SAML2Hypr

1. Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

2. Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAML2Hypr"

3. Append new parameters (and patch the PAS installation if using version 4.0.x) according to this instruction.

Keep these values unchanged:

- pipeID

- idpID

- id

- alias

 

4. Click Stage changes and commit changes.

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete the valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve)
  3. Expand (Show) the LDAPSearchValve and modify the search filter to fetch users where uid=<Hypr userID>: filter_template = uid={{request.username}}
    (Change uid to the attribute containing the Hypr userID value)
  4. Add a parameter for attributes to fetch for the matched LDAP entry: attributes = uid,sAMAccountName
  5. Expand (Show) the AssertionProvider and modify nameIDAttribute parameter: nameIDAttribute = uid
  6. Click Save

NB! The logic above can be configured differently according to your needs.