Federation - Add configuration to achieve Single-Sign-On
This document is written for PhenixID Server.
The reader should have some basic knowledge about PhenixID Server.
This document describes how to configure the system to redirect to different authentication methods based on the authentication status of the session. The typical use case is to achieve Single-Sign-On for a session that is already authenticated.
Prerequisites
- Setup strong authentication federation scenario using guides in Configuration Manager
- Setup username/password authentication federation scenario using guide in Configuration Manager. We will modify the configuration of this authenticator in order to use it as the SSO authenticator, i.e. the authenticator used when the session is already authenticated.
Change IdP reference and displayName
Log in to the configuration UI, go to the "Scenarios" tab
Click on the strong authentication federation scenario
Click Execution flow
Expand the last flow
Expand the AssertionProvider
Copy the value of the targetEntityID parameter
Click on the username/password authentication federation scenario
Click Execution flow
Expand the flow
Expand AssertionProvider
Paste the value fetched previously into the targetEntityID
Click Save
Go to the Advanced tab
Expand Authentication - HTTP
Locate the username/password authenticator
Change the idpID parameter to the value fetched previously
Also, for clarity, change the displayName to Single-Sign-On-Authenticator.
Click Stage changes and then Commit changes
Change alias for strong authenticator
Log in to the configuration UI, go to the "Scenarios" tab
Click on the strong authentication federation scenario
Click Identity Provider
Get the value of the POST SSO URL
Fetch the value after /authenticate/
Go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP"
Find the authenticator with alias=<value fetched from previous step>
Change the alias value to idp2.
{
  "id": "02d5c28e-ea46-48c9-85b5-decb871820e0",
  "alias": "idp2",
  "name": "PostUidPasswordAndOTPSAML",
  "displayName": "UnPwSMS",
  "configuration": {
    "userValidationPipeID": "052f5421-8283-4f49-a84f-1e96dbfcb315",
    "otpValidationPipeID": "7554bc87-c963-485c-8366-9cdaaaf92187",
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"
  },
  "created": "2017-04-04T14:03:38.505Z"
}
Find authenticator IDs
Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".
Fetch the id parameter value of the authenticators:
- The authenticator used for the SSO authentication
{
  "id": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
  "alias": "unpwmultiplesps",
  "name": "PostUidAndPasswordSAML",
  "displayName": "Single-Sign-On-Authenticator",
  "configuration": {
    "pipeID": "d453859c-4d1e-4948-a157-d750cabf6dce",
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"
  },
  "created": "2017-03-26T10:00:03.291Z"
}
- The authenticator used for strong authentication
{
  "id": "02d5c28e-ea46-48c9-85b5-decb871820e0",
  "alias": "idp2",
  "name": "PostUidPasswordAndOTPSAML",
  "displayName": "UnPwSMS",
  "configuration": {
    "userValidationPipeID": "052f5421-8283-4f49-a84f-1e96dbfcb315",
    "otpValidationPipeID": "7554bc87-c963-485c-8366-9cdaaaf92187",
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"
  },
  "created": "2017-04-04T14:03:38.505Z"
}
Add Dispatch authenticator
Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".
Add a new Dispatch authenticator object.
- Set "alias" to the original alias value you fetched in "Change alias for strong authenticator" (the value after /authenticate/ in the POST SSO URL), so that the Dispatch authenticator takes over that URL.
- Set "idpID" to the value you fetched in "Change IdP reference and displayName".
- Set the "authenticator" values in the mapping to the ids you fetched in "Find authenticator IDs".
{
  "name": "Dispatch",
  "id": "start",
  "alias": "start",
  "configuration": {
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765",
    "mapping": [
      {
        "authenticator": "02d5c28e-ea46-48c9-85b5-decb871820e0",
        "expression": "!request.getParameter('authenticatedrequest').equals('true')"
      },
      {
        "authenticator": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
        "expression": "request.getParameter('authenticatedrequest').equals('true')"
      }
    ]
  }
}
When done press Stage changes/Commit changes.
Modify SSO authenticator
- The SSO authenticator must not prompt for a password.
- Anyone who knows the URL of the SSO authenticator can address it directly, simply by entering the alias URL in a web browser. To prevent unauthorized access, the authenticator must fail if the session is not authenticated.
These are the steps to configure this:
Log in to the configuration UI, go to the "Scenarios" tab
Click on the username/password authentication federation scenario (the one now used as the SSO authenticator)
Click Execution flow
Expand the Execution flow
Click Add valve
Enter FlowFailValve
Check Enabled
Click Add configuration parameter
Key=exec_if_expr, Value=!request.getParameter('authenticatedrequest').equals('true')
Click Add configuration parameter
Key=message, Value=common.messages.failure
Click Add Valve
Move the newly added valve to be executed first
Remove InputParameterExistValidatorValve
Remove LDAPBind Valve
Click Save.
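The following script is an added example, not PhenixID code, covering both the Dispatch authenticator mapping above and the FlowFailValve guard on the SSO authenticator. It lints a constructed export of the three authenticator objects shown in this guide (mapping targets exist, aliases are unique, every target shares the Dispatch idpID) and models the mapping evaluation with a tiny evaluator that understands only the expression shape used here. The export format, the "first true mapping wins" rule and the treatment of an absent authenticatedrequest parameter as "not equal to true" (which matches the test section, where a first visit presents the OTP method) are assumptions, not documented product behaviour.

```python
"""Added example (not PhenixID's code): lint a Dispatch authenticator and model
its mapping evaluation plus the FlowFailValve guard on the SSO authenticator.

Assumptions (not stated by the guide): the "Authentication - HTTP" list is
available as a JSON array of objects shaped like those in the guide, mappings
are evaluated in order with the first true expression winning, and an absent
request parameter compares as "not equal" rather than raising.
"""
import json
import re
from typing import Optional

# Constructed sample built from the authenticator objects shown in the guide.
AUTHENTICATORS_JSON = """
[
  {"id": "d544a852-f6ee-40f2-ba0c-c9ef00847503", "alias": "unpwmultiplesps",
   "name": "PostUidAndPasswordSAML", "displayName": "Single-Sign-On-Authenticator",
   "configuration": {"pipeID": "d453859c-4d1e-4948-a157-d750cabf6dce",
                     "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"}},
  {"id": "02d5c28e-ea46-48c9-85b5-decb871820e0", "alias": "idp2",
   "name": "PostUidPasswordAndOTPSAML", "displayName": "UnPwSMS",
   "configuration": {"userValidationPipeID": "052f5421-8283-4f49-a84f-1e96dbfcb315",
                     "otpValidationPipeID": "7554bc87-c963-485c-8366-9cdaaaf92187",
                     "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"}},
  {"id": "start", "alias": "start", "name": "Dispatch",
   "configuration": {"idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765",
     "mapping": [
       {"authenticator": "02d5c28e-ea46-48c9-85b5-decb871820e0",
        "expression": "!request.getParameter('authenticatedrequest').equals('true')"},
       {"authenticator": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
        "expression": "request.getParameter('authenticatedrequest').equals('true')"}]}}
]
"""

# exec_if_expr of the FlowFailValve added to the SSO authenticator flow (from the guide).
FLOW_FAIL_EXPR = "!request.getParameter('authenticatedrequest').equals('true')"

# The only expression shape used in the guide:
# optional "!" + request.getParameter('<name>').equals('<value>')
_EXPR = re.compile(r"^(!?)request\.getParameter\('([^']*)'\)\.equals\('([^']*)'\)$")


def lint_dispatch(authenticators: list) -> list:
    """Return configuration problems; an empty list means the Dispatch wiring is consistent."""
    problems = []
    by_id = {a["id"]: a for a in authenticators}
    aliases = [a["alias"] for a in authenticators]
    for alias in sorted({x for x in aliases if aliases.count(x) > 1}):
        problems.append(f"alias '{alias}' is used by more than one authenticator")
    for d in (a for a in authenticators if a["name"] == "Dispatch"):
        idp = d["configuration"]["idpID"]
        for m in d["configuration"].get("mapping", []):
            target = by_id.get(m["authenticator"])
            if target is None:
                problems.append(f"Dispatch '{d['alias']}' maps to unknown authenticator {m['authenticator']}")
                continue
            if target["configuration"].get("idpID") != idp:
                problems.append(f"authenticator '{target['alias']}' has a different idpID than Dispatch '{d['alias']}'")
            if not _EXPR.match(m["expression"]):
                problems.append(f"unsupported expression in Dispatch '{d['alias']}': {m['expression']}")
    return problems


def evaluate(expression: str, params: dict) -> bool:
    """Evaluate one guide-style expression against the request parameters (modelled)."""
    match = _EXPR.match(expression)
    if match is None:
        raise ValueError(f"unsupported expression: {expression}")
    neg, name, value = match.groups()
    equal = params.get(name) == value  # absent parameter -> "not equal" (assumption)
    return (not equal) if neg else equal


def select_authenticator(dispatch: dict, params: dict) -> Optional[str]:
    """Modelled Dispatch behaviour: id of the first mapping whose expression is true, else None."""
    for m in dispatch["configuration"]["mapping"]:
        if evaluate(m["expression"], params):
            return m["authenticator"]
    return None


def sso_flow_fails(params: dict) -> bool:
    """True when the FlowFailValve fires, i.e. the SSO authenticator was reached without an authenticated session."""
    return evaluate(FLOW_FAIL_EXPR, params)


def demo() -> dict:
    auths = json.loads(AUTHENTICATORS_JSON)
    dispatch = next(a for a in auths if a["name"] == "Dispatch")
    return {
        "problems": lint_dispatch(auths),
        "first_visit": select_authenticator(dispatch, {}),
        "authenticated": select_authenticator(dispatch, {"authenticatedrequest": "true"}),
        "direct_sso_access_fails": sso_flow_fails({}),
        "sso_after_authentication_fails": sso_flow_fails({"authenticatedrequest": "true"}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script after exporting your own authenticator list into AUTHENTICATORS_JSON: an empty problems list plus the expected routing (strong authenticator on a first visit, SSO authenticator once authenticated, FlowFailValve firing on direct access) mirrors the checks in the Test section without a browser.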
Test
Browse to the alias of the Dispatch authenticator (..../authenticate/start)
Verify that OTP authentication method is presented and that the authentication works
Keep the web browser open.
Browse to the alias of the Dispatch authenticator (..../authenticate/start)
You should not be prompted to authenticate again.
A SAML ticket should be created and sent to the service provider.
Restart the web browser.
Browse to the alias of the SSO authenticator (..../authenticate/d544a852-f6ee-40f2-ba0c-c9ef00847503)
Verify that a Failure message is presented.