SAML - Header based authentication
This document describes how to configure PhenixID Server for SAML2 federation with header-based authentication as the authentication method.
This authenticator is used when another security front end, such as a reverse proxy, sits in front of PhenixID Server and is responsible for authenticating the user. The front end passes the username (or another attribute identifying the user) to PhenixID Server as a request header. PhenixID Server does no authentication of its own in this setup, so it trusts the header as received: the front end must set or overwrite the header on every forwarded request rather than pass through a value supplied by the client, and PhenixID Server must be reachable only through the front end. If either condition is not met, anyone who can send a request with that header can impersonate any user.
Prerequisites
- PhenixID Server configured according to this instruction: "Federation - Username and password"
- Name of request header containing the user identifier value
Convert the Federation - Username and Password scenario to HeaderSAML
Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.
Change the value of the name parameter from "PostUidAndPasswordSAML" to "HeaderSAML"
Click the plus sign next to "configuration" to add new parameters
Set "header" = "<Name of the header containing the user identifier>"
Click Stage changes
Click Commit changes
Configure the execution flow used for the SAML assertion to suit your needs
- Open the Execution flow tab and expand the flow.
- Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve). The front end has already authenticated the user and no password reaches PhenixID Server, so there is nothing for these valves to check.
- Expand (Show) the LDAPSearchValve and modify the search filter to fetch the user whose uid equals the header value:
filter_template: uid={{request.USERID}}
Because the header value is inserted into this search filter, make sure the front end only forwards a plain user identifier in the header.
- Add a parameter for the attributes to fetch from the matched LDAP entry: attributes = uid
- Expand (Show) the AssertionProvider and modify nameIDAttribute parameter: nameIDAttribute = uid
- Click Save
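The trust chain this page sets up (the front end authenticates the user, forwards the identifier in a request header, and PhenixID Server substitutes that value into the search filter uid={{request.USERID}}) is modelled below in Python as an added example. It is not PhenixID or proxy code. The header name USERID (chosen to match the filter template on this page), the proxy modelled as a function over a header dictionary, and the identifier syntax accepted by validate_user_id are assumptions. The example contrasts a front end that always overwrites the identity header with one that passes a client-supplied value through, and shows what an unescaped header value does to the LDAP filter.

```python
"""Model of the header-based trust chain described on this page.

Added illustration, not PhenixID or proxy code. Assumptions: the header is
named USERID (to match the page's filter template), the proxy is modelled
as a function over a header dict, and a uid is a short alphanumeric token.
"""
import re

USER_HEADER = "USERID"                      # assumed header name
FILTER_TEMPLATE = "uid={{request.USERID}}"  # filter template from the page
# Assumed policy for what a uid may look like; tighten to match your directory.
_UID_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def proxy_forward_headers(client_headers, authenticated_user):
    """Headers the front end sends to PhenixID Server (correct behaviour).

    The identity header is always set from the proxy's own authentication
    result. Any copy supplied by the client, whatever its letter case, is
    discarded first, so an external caller cannot choose the identifier.
    """
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != USER_HEADER.lower()
    }
    forwarded[USER_HEADER] = authenticated_user
    return forwarded


def proxy_forward_headers_insecure(client_headers, authenticated_user):
    """Weak variant for comparison: passes client headers through and only
    adds the identity header when the client did not send one. A client
    that sends the header itself picks which user the backend sees."""
    forwarded = dict(client_headers)
    forwarded.setdefault(USER_HEADER, authenticated_user)
    return forwarded


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    the characters * ( ) \\ and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value
    )


def validate_user_id(user_id):
    """True if the value looks like a plain user identifier (assumed policy)."""
    return _UID_RE.fullmatch(user_id) is not None


def render_filter(user_id, escape=True):
    """Substitute the header value into the page's filter template.

    With escape=False the value is inserted verbatim, which is why the header
    must never carry untrusted input: a value of "*" turns the filter into
    uid=*, matching every entry in the search base."""
    value = escape_filter_value(user_id) if escape else user_id
    return FILTER_TEMPLATE.replace("{{request.USERID}}", value)


def backend_lookup_filter(forwarded_headers):
    """The backend side after the edits on this page: no password check,
    just the header value into the LDAP search. Rejects values that are
    not plain identifiers instead of passing them to the directory."""
    user_id = forwarded_headers.get(USER_HEADER)
    if user_id is None:
        raise ValueError("missing %s header" % USER_HEADER)
    if not validate_user_id(user_id):
        raise ValueError("%s header is not a plain user identifier" % USER_HEADER)
    return render_filter(user_id)


if __name__ == "__main__":
    # Constructed request: the proxy authenticated "alice", but the client
    # also sent its own USERID header claiming to be "admin".
    client = {"Accept": "text/html", "USERID": "admin"}
    print(backend_lookup_filter(proxy_forward_headers(client, "alice")))
    # -> uid=alice
    print(backend_lookup_filter(proxy_forward_headers_insecure(client, "alice")))
    # -> uid=admin  (the client chose the identity)
    print(render_filter("*", escape=False), "vs", render_filter("*"))
    # -> uid=* vs uid=\2a
```

The two proxy functions differ only in whether the client's own copy of the header survives; the insecure variant is the behaviour to look for when reviewing a front end that forwards headers "as is".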