PhenixID DocumentationPhenixID Password Self ServicePhenixID Password Self ServiceConfigurationReset Password using external authentication provider (external SAML IdP)

Reset Password using external authentication provider (external SAML IdP)

This document describes how to protect the PhenixID Password Self Service Application with an external (ie not on the same server) SAML IdP.

Requirements :  

  • PhenixID Authentication Services 3.2 or higher installed

Step 1 - Upload external SAML IdP Metadata

  • Login to Configuration Manager
  • Browse to Scenarios->Federation->SAML Metadata upload
  • Upload the SAML IdP Metadata

Step 2 - Configure PhenixID Password Self Service application

Configure the Password Self Service Application according to the instruction in Overview.

Step 3 - Modify ACS url

  • Login to Configuration Manager
  • Browse to Advanced
  • Click on the pen to the right of Authentication-HTTP
  • Locate the authenticator added by the previous scenario (successURL value should match the uri of the PPSS application)
  • Add the domain of the server to the acsURL value. Example:
    "acsUrl": "https://support.phenixid.se/pss/authenticate/zzzz-yyy-xxxx"
  • Copy the acsURL value
  • Click Stage Changes and Commit Changes

Step 4 - Fetch PPSS SAML SP Metadata

Step 5 - Configure the external SAML IdP

  • Upload the SAML SP metadata to the IdP
  • Configure the IdP to send the user identifier as NameID (by default, the Password Self Service Application authentication will handle the NameID value as the userID).
  • Configure the IdP to use a password-less authentication method

Test

  • Browse to https://<your_phenixid_server_domain>/pss/
    Example: https://support.phenixid.se/ppss/
  • You should be redirected to the IdP
  • Authenticate
  • You should be redirected back to Password Self Service and presented with Reset password start page