Federation - Add configuration to redirect to different authentication methods based on client ip
This document is written for PhenixID Server.
The reader should have some basic knowledge about PhenixID Server.
This document describes how to configure the system to redirect to different authentication methods based on client IP address. The typical use case is to force strong authentication for clients connecting from the internet or another non-internal network, while clients on the internal network are allowed to use a weaker authentication method, such as Windows SSO or username/password.
Prerequisites
- Set up a strong authentication federation scenario using the guides in Configuration Manager
- Set up a username/password authentication federation scenario using the guide in Configuration Manager
- Know the IP address range of the internal client network
Change IdP reference
Log in to the configuration UI, go to the "Scenarios" tab
Click on the strong authentication federation scenario
Click Execution flow
Expand the last flow
Expand the AssertionProvider
Copy the value of the targetEntityID parameter
Click on the weak authentication federation scenario
Click Execution flow
Expand the flow
Expand AssertionProvider
Paste the value fetched previously into the targetEntityID parameter
Click Save
Go to the Advanced tab
Expand Authentication - HTTP
Locate the weak authenticator
Change the idpID parameter to the value fetched previously
Click Stage changes and then Commit changes
Change alias for strong authenticator
Log in to the configuration UI, go to the "Scenarios" tab
Click on the strong authentication federation scenario
Click Identity Provider
Get the value of the POST SSO URL
Fetch the value after /authenticate/
Go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP"
Find the authenticator with alias=<value fetched from previous step>
Change the alias value to idp2.
{
  "id": "02d5c28e-ea46-48c9-85b5-decb871820e0",
  "alias": "idp2",
  "name": "PostUidPasswordAndOTPSAML",
  "displayName": "UnPwSMS",
  "configuration": {
    "userValidationPipeID": "052f5421-8283-4f49-a84f-1e96dbfcb315",
    "otpValidationPipeID": "7554bc87-c963-485c-8366-9cdaaaf92187",
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"
  },
  "created": "2017-04-04T14:03:38.505Z"
}
Find authenticator IDs
Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".
Fetch the id parameter value of the authenticators:
- The authenticator used for the weak authentication
{
  "id": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
  "alias": "unpwmultiplesps",
  "name": "PostUidAndPasswordSAML",
  "displayName": "UnPwMultipleSPs",
  "configuration": {
    "pipeID": "d453859c-4d1e-4948-a157-d750cabf6dce",
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"
  },
  "created": "2017-03-26T10:00:03.291Z"
}
- The authenticator used for strong authentication
{
  "id": "02d5c28e-ea46-48c9-85b5-decb871820e0",
  "alias": "idp2",
  "name": "PostUidPasswordAndOTPSAML",
  "displayName": "UnPwSMS",
  "configuration": {
    "userValidationPipeID": "052f5421-8283-4f49-a84f-1e96dbfcb315",
    "otpValidationPipeID": "7554bc87-c963-485c-8366-9cdaaaf92187",
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765"
  },
  "created": "2017-04-04T14:03:38.505Z"
}
Add Dispatch authenticator
Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".
Add a new Dispatch authenticator object.
- Set "alias" to the original alias of the strong authenticator, i.e. the value fetched in "Change alias for strong authenticator" ("start" in the example below). Existing POST SSO URLs then continue to work and now reach the Dispatch authenticator.
- Set "idpID" to the value fetched in "Change IdP reference".
- Set "authenticator" in each mapping entry to the authenticator ids fetched in "Find authenticator IDs".
- Change the IP network range to suit your environment. (In the example below, internal client IP addresses start with 192.168.98.) Note that startsWith is a plain string prefix test: a prefix such as '192.168.1' would also match 192.168.100.x through 192.168.199.x, so choose a prefix that cannot be extended in that way, for example by including the trailing dot.
- Change the request parameter if needed. For example, if PhenixID Server sits behind a reverse proxy, the client IP request parameter is probably X-Forwarded-For. Only rely on that header when the reverse proxy itself sets or overwrites it, since a client can otherwise supply an arbitrary value and be treated as internal.
{
  "name": "Dispatch",
  "id": "start",
  "alias": "start",
  "configuration": {
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765",
    "mapping": [
      {
        "authenticator": "02d5c28e-ea46-48c9-85b5-decb871820e0",
        "expression": "!request.getParameter('remoteAddress').startsWith('192.168.98')"
      },
      {
        "authenticator": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
        "expression": "request.getParameter('remoteAddress').startsWith('192.168.98')"
      }
    ]
  }
}
When done press Stage changes/Commit changes.
Protect weak authenticator
A person who knows the URL of the weak authenticator can address it directly, simply by entering the URL in a web browser, and thereby bypass the Dispatch authenticator. To prevent external users from using the weak authenticator, follow these steps.
Log in to the configuration UI, go to the "Scenarios" tab
Click on the weak authentication federation scenario
Click Execution flow
Expand the Execution flow
Click Add valve
Enter FlowFailValve
Check Enabled
Click Add configuration parameter
Key=exec_if_expr, Value=!request['remoteAddress'].startsWith('192.168.98')
(Change the IP address range and/or the request parameter name to suit your environment; use the same values as in the Dispatch authenticator configured in the previous step, otherwise the two checks will disagree on which clients are internal.)
Click Add configuration parameter
Key=message, Value=common.messages.failure
Click Add Valve
Move the newly added valve so that it is executed first in the flow
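The following is an added example, not part of the PhenixID documentation or product, that models the decision made by the Dispatch authenticator's "mapping" above and by the FlowFailValve exec_if_expr in this step, so you can check a candidate IP range before committing it. The authenticator ids are the ones from the page's example configuration; the client addresses, the CIDR variant and the client_ip helper are constructed here for illustration.

```python
import ipaddress

# Authenticator ids from the page's example Dispatch configuration.
STRONG_AUTHENTICATOR = "02d5c28e-ea46-48c9-85b5-decb871820e0"
WEAK_AUTHENTICATOR = "d544a852-f6ee-40f2-ba0c-c9ef00847503"


def internal_by_prefix(remote_address, prefix="192.168.98"):
    """The page's check: request.getParameter('remoteAddress').startsWith(prefix).
    This is a plain string prefix test, not an address range test."""
    return remote_address.startswith(prefix)


def internal_by_cidr(remote_address, network="192.168.98.0/24"):
    """Constructed stricter alternative: parse the address and test network membership.
    Anything that is not a valid address is treated as external."""
    try:
        return ipaddress.ip_address(remote_address) in ipaddress.ip_network(network)
    except ValueError:
        return False


def dispatch(remote_address, is_internal=internal_by_prefix):
    """Mirror of the Dispatch 'mapping': the first entry whose expression is true wins.
    Entry 1 sends external clients to strong auth, entry 2 sends internal clients to weak auth."""
    mapping = [
        (STRONG_AUTHENTICATOR, lambda ip: not is_internal(ip)),
        (WEAK_AUTHENTICATOR, lambda ip: is_internal(ip)),
    ]
    for authenticator, expression in mapping:
        if expression(remote_address):
            return authenticator
    return None


def flow_fail_valve_fires(remote_address, is_internal=internal_by_prefix):
    """exec_if_expr on the weak scenario: !request['remoteAddress'].startsWith('192.168.98').
    True means the FlowFailValve stops the flow and the failure message is shown."""
    return not is_internal(remote_address)


def client_ip(remote_address, x_forwarded_for=None, proxy_overwrites_header=False):
    """Constructed helper: use X-Forwarded-For only when the reverse proxy is known to
    overwrite it; otherwise the client-supplied header is ignored and the socket address is used."""
    if proxy_overwrites_header and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_address
```

Running internal_by_prefix("192.168.100.7", "192.168.1") shows why the prefix needs care: it returns True, while internal_by_cidr("192.168.100.7", "192.168.1.0/24") returns False.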
Test
From internal client:
Browse to the alias of the Dispatch authenticator (..../authenticate/start)
Verify that the weak authentication method is presented and that the authentication works
From external client:
Browse to the alias of the Dispatch authenticator (..../authenticate/start)
Verify that the strong authentication method is presented and that the authentication works
From external client:
Browse to the alias of the weak authenticator
Try authenticating
Make sure a failure message is presented and that the weak authentication does not succeed.