Reset Password using external authentication provider (external SAML IdP)
This document describes how to protect the PhenixID Password Self Service Application with an external (i.e. not on the same server) SAML IdP.
Requirements:
- PhenixID Authentication Services 3.2 or higher installed
Step 1 - Upload external SAML IdP Metadata
- Login to Configuration Manager
- Browse to Scenarios->Federation->SAML Metadata upload
- Upload the SAML IdP Metadata
Step 2 - Configure PhenixID Password Self Service application
Configure the Password Self Service Application according to the instruction in Overview.
Step 3 - Modify ACS url
- Login to Configuration Manager
- Browse to Advanced
- Click on the pen to the right of Authentication-HTTP
- Locate the authenticator added by the previous scenario (the successURL value should match the URI of the PPSS application)
- Add the domain of the server to the acsUrl value so that it becomes an absolute URL. Example:
"acsUrl": "https://support.phenixid.se/pss/authenticate/zzzz-yyy-xxxx"
- Copy the acsUrl value
- Click Stage Changes and Commit Changes
Step 4 - Fetch PPSS SAML SP Metadata
- Open a web browser
- Open the URL copied in the previous step and append ?getMeta.
- Example: https://support.phenixid.se/pss/authenticate/zzzz-yyy-xxxx?getMeta
- This displays the SAML SP Metadata
- Download the metadata as an XML file
Step 5 - Configure the external SAML IdP
- Upload the SAML SP metadata to the IdP
- Configure the IdP to send the user identifier as NameID (by default, the Password Self Service Application authentication will handle the NameID value as the userID).
- Configure the IdP to use a password-less authentication method
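Before uploading the SP metadata from Step 4 to the IdP in Step 5, it is worth checking that the AssertionConsumerService Location really carries the full domain added in Step 3 and that a NameIDFormat is advertised. The script below is an added example, not PhenixID code: the sample metadata is constructed to resemble what ?getMeta returns, and the function `check_sp_metadata` is a hypothetical helper.

```python
# Added example (not part of the PhenixID documentation): sanity-check the SP
# metadata fetched with ?getMeta before uploading it to the external IdP.
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample, mimicking what ?getMeta returns for the acsUrl from Step 3.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://support.phenixid.se/pss/authenticate/zzzz-yyy-xxxx">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://support.phenixid.se/pss/authenticate/zzzz-yyy-xxxx"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text: str, expected_acs_url: str) -> list:
    """Return a list of problems found; an empty list means the metadata is usable."""
    problems = []
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]
    locations = [acs.get("Location", "")
                 for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")]
    if not locations:
        problems.append("no AssertionConsumerService element")
    for loc in locations:
        parsed = urlparse(loc)
        # Step 3 requires the domain in acsUrl; a relative path here means it was
        # not added, and the IdP has no complete URL to post the SAML response to.
        if not parsed.scheme or not parsed.netloc:
            problems.append(f"ACS Location is not an absolute URL: {loc!r}")
        elif parsed.scheme != "https":
            problems.append(f"ACS Location is not https: {loc!r}")
    if expected_acs_url not in locations:
        problems.append(f"no ACS Location equals the configured acsUrl {expected_acs_url!r}")
    if sp.find(f"{{{MD_NS}}}NameIDFormat") is None:
        problems.append("no NameIDFormat advertised; confirm the IdP sends the user id as NameID")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA,
                            "https://support.phenixid.se/pss/authenticate/zzzz-yyy-xxxx"))
```

Point it at the XML file downloaded in Step 4 and the acsUrl copied in Step 3; an empty list means the metadata is ready to upload to the IdP.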
Test
- Browse to https://<your_phenixid_server_domain>/pss/ (example: https://support.phenixid.se/pss/)
- You should be redirected to the IdP
- Authenticate
- You should be redirected back to Password Self Service and presented with the Reset password start page