SAML - Dispatch
This document describes how to configure PhenixID Server for federation with SAML2 using Dispatch. Dispatch selects which authenticator to use based on expressions. Expressions are usually based on request parameters, such as the client IP address, whether the request is authenticated, or the browser type.
Use cases
Some example use cases for Dispatch:
- Federation - Add configuration to redirect to different authentication methods based on client IP address
- Federation - Add configuration to achieve Single-Sign-On
Dispatch authenticators can be chained. This means you may add several Dispatch authenticators to avoid having just one with complex/large expressions.
Prerequisites
- PhenixID Server SAML module loaded
- SAML authenticators to dispatch to configured
Authenticator properties
Name | Description
mapping | A JSON object containing one or more mappings. Mandatory. Each mapping contains:
* expression – a JavaScript expression that evaluates to true or false
* authenticator – the authenticator ID to use if the expression is true
idpID | ID of the SAML IdP connected to the authenticator. Mandatory.
The first authenticator with an expression that evaluates to true will be used.
Add Dispatch authenticator
Open the Advanced tab and locate Authentication - HTTP. Click on the plus sign to add an authenticator. In this example, different authenticators will be used depending on the client IP address.
{
  "name" : "Dispatch",
  "id" : "start",
  "configuration" : {
    "idpID" : "idp",
    "mapping" : [ {
      "authenticator" : "unpwotp",
      "expression" : "!request.getParameter('remoteAddress').startsWith('192.168.1')"
    }, {
      "authenticator" : "unpw",
      "expression" : "request.getParameter('remoteAddress').startsWith('192.168.1')"
    } ]
  }
}
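The above example redirects to the authenticator with id=unpw if the client IP address starts with 192.168.1. If the client IP address does not start with 192.168.1, it redirects to the authenticator with id=unpwotp. Note that startsWith is a plain string comparison: the prefix 192.168.1 also matches addresses such as 192.168.10.5 and 192.168.100.5, which are then sent to unpw as well. To match only 192.168.1.x, include the trailing dot in the prefix ('192.168.1.').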
Change to suit your requirements.
Click Stage changes.
Click Commit changes.
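The client-IP mapping above can be checked against sample addresses before it is committed. The following is an added example, not PhenixID code: `mockRequest`, `dispatch` and `audit` are hypothetical helpers that model the documented first-match rule, and the sample addresses are constructed.

```javascript
// Added illustration, not PhenixID code: a small harness that models the
// documented rule "the first expression that evaluates to true is used".

// Mapping copied from the Dispatch configuration above.
const mapping = [
  { authenticator: 'unpwotp',
    expression: "!request.getParameter('remoteAddress').startsWith('192.168.1')" },
  { authenticator: 'unpw',
    expression: "request.getParameter('remoteAddress').startsWith('192.168.1')" },
];

// Same mapping with a trailing dot, so only 192.168.1.x matches the prefix.
const strictMapping = mapping.map((m) => ({
  ...m,
  expression: m.expression.replace("'192.168.1'", "'192.168.1.'"),
}));

// Hypothetical stand-in for the request object the expressions receive.
function mockRequest(params) {
  return { getParameter: (name) => params[name] };
}

// Hypothetical evaluator: id of the first mapping whose expression is true,
// or null when none matches. Only feed it expressions you wrote yourself.
function dispatch(mappings, request) {
  for (const m of mappings) {
    const evaluate = new Function('request', `return (${m.expression});`);
    if (evaluate(request) === true) return m.authenticator;
  }
  return null;
}

// Constructed sample client addresses.
const samples = ['192.168.1.25', '192.168.10.25', '192.168.100.7', '192.168.2.1', '10.0.0.5'];

// Resolve every sample address against a mapping: { address: authenticatorId }.
function audit(mappings, addresses) {
  const out = {};
  for (const ip of addresses) {
    out[ip] = dispatch(mappings, mockRequest({ remoteAddress: ip }));
  }
  return out;
}

console.log('as configured:', audit(mapping, samples));
console.log('trailing dot: ', audit(strictMapping, samples));
```

Run with Node.js; any address that resolves to a different authenticator in the two outputs is one the bare prefix matches outside 192.168.1.x.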