Trusted Central Signing Service - PhenixID Document Seal Web Application - Use external SAML Identity Provider
Prerequisites
- PhenixID Signing Services 2.8 or higher installed
- PhenixID Signing Services configured using the instructions in this guide.
- The reader of this document should have some basic knowledge about PhenixID Server.
- Changes will be made to the file phenix-store.json, so please make sure to have a backup of this file.
- Access to the external SAML Identity Provider's SAML metadata, as a URL or an XML file
- The entityID value of the external SAML Identity Provider. This can be found in the SAML Metadata content for the Identity provider.
Add trust to external SAML Identity Provider
- Log in to PhenixID Authentication Services - Configuration Manager
- Go to Scenarios->Federation->SAML metadata upload
- Add new metadata. Enter the URL or upload the XML file.
Fetch the authenticator used for PhenixID Document Seal Web Application
- Open Configuration Manager
- Find the authenticator used for the PhenixID Document Seal web application (by looking in this guide -> Add authenticator for PhenixID Document Seal Web Application )
- Example:
{
  "alias": "sealapp",
  "name": "PostUidAndPassword",
  "configuration": {
    "pipeID": "pipeSealAppAuth",
    "successURL": "/sealapp/",
    "translationKey": "login.messages.information.body.enduser",
    "headingtranslationKey": "login.messages.information.header.enduser",
    "title": "login.messages.information.title.enduser",
    "allowLanguageChange": "true"
  },
  "id": "sealapp"
}
- Change the alias value from "sealapp" to "sealapp_old"
Add new authenticator for PhenixID Document Seal Web Application
- Add a new authenticator and an additional SAML Service Provider configuration using this guide, skipping the first seven points under "Configure SAML IdP trust and SAML SP".
- Once done, change the configuration parameters of the added SAMLServiceProviderAuthN authenticator (only the parameters whose placeholder values below call for a change; parameters marked <no change needed> stay as they are):
{
  "id" : "samlsp",
  "alias" : "sealapp",
  "name" : "SAMLServiceProviderAuthN",
  "displayName" : "External IdP",
  "configuration" : {
    "successURL" : "/sealapp/",
    "sp" : "<no change needed>",
    "pipeID" : "<no change needed>",
    "targetIDP" : "<Set to external idp entityID value fetched in previous step>",
    "acsUrl" : "<your_phenixid_signing_services_domain>/sealapp/authenticate/sealapp",
    "entityID" : "<no change needed>"
  }
}
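As an added example (not part of this guide or of PhenixID's software), the script below checks the two authenticator edits above for consistency before you test: it reads the entityID from the external IdP's SAML metadata, confirms that exactly one authenticator now owns the alias "sealapp" and that it is the SAMLServiceProviderAuthN one, and compares targetIDP and acsUrl against the expected values. The metadata, the authenticator list and the hostnames are constructed sample data.

```python
import json
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed minimal SAML metadata for a hypothetical external IdP (placeholder host).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml/idp"/>"""

# Constructed authenticator entries as they should look after the edits in this guide
# (renamed password authenticator plus the SAML SP authenticator that now owns "sealapp").
AUTHENTICATORS = json.loads("""[
 {"id": "sealapp", "alias": "sealapp_old", "name": "PostUidAndPassword",
  "configuration": {"pipeID": "pipeSealAppAuth", "successURL": "/sealapp/"}},
 {"id": "samlsp", "alias": "sealapp", "name": "SAMLServiceProviderAuthN",
  "configuration": {"successURL": "/sealapp/",
   "targetIDP": "https://idp.example.org/saml/idp",
   "acsUrl": "https://sign.example.org/sealapp/authenticate/sealapp"}}
]""")

def idp_entity_id(metadata_xml):
    """Return the entityID of the (first) EntityDescriptor in SAML metadata."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}EntityDescriptor" % SAML_MD_NS
    ed = root if root.tag == tag else root.find(tag)  # also accept an EntitiesDescriptor wrapper
    if ed is None:
        raise ValueError("no EntityDescriptor found in metadata")
    return ed.attrib["entityID"]

def check_sealapp_config(authenticators, metadata_xml, alias="sealapp"):
    """Return a list of problems with the authenticator edits; empty means consistent."""
    problems = []
    owners = [a for a in authenticators if a.get("alias") == alias]
    if len(owners) != 1:  # two owners is exactly what the rename to "sealapp_old" prevents
        problems.append("expected exactly one authenticator with alias %r, found %d"
                        % (alias, len(owners)))
        return problems
    auth, conf = owners[0], owners[0].get("configuration", {})
    if auth.get("name") != "SAMLServiceProviderAuthN":
        problems.append("alias %r is bound to %r, not SAMLServiceProviderAuthN"
                        % (alias, auth.get("name")))
    expected_idp = idp_entity_id(metadata_xml)
    if conf.get("targetIDP") != expected_idp:
        problems.append("targetIDP %r does not match IdP metadata entityID %r"
                        % (conf.get("targetIDP"), expected_idp))
    acs_path = "/%s/authenticate/%s" % (alias, alias)
    if not conf.get("acsUrl", "").endswith(acs_path):
        problems.append("acsUrl %r does not end with %s" % (conf.get("acsUrl"), acs_path))
    return problems
```

Run it against your own phenix-store.json authenticator list and the downloaded IdP metadata; an empty result means the alias rename, targetIDP and acsUrl edits line up.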
Test
- Browse to https://<phenix_server>:<phenix_server_http_port>/sealapp/
- You should be redirected to the external IdP
- Authenticate on the external IdP
- You should now be redirected back and logged in to the PhenixID Document Seal Web Application
- Upload a PDF document and click Sign
- Verify that a sealed PDF document was sent to your mailbox
- Download the sealed PDF document
- Upload the sealed PDF document and click Verify.
- Signature validation should return a successful (green bar) response.
Troubleshooting
Check the server.log file.