Federation - Add configuration to redirect to different authentication methods based on service provider entityID
This document is written for PhenixID Server.
The reader should have some basic knowledge about PhenixID Server.
This document describes how to configure the system to redirect to different authentication methods based on the service provider entityID. The typical use case is to force strong authentication for specific service providers, while other service providers keep a lighter method.
Prerequisites
- At least two federation authenticators configured (one per authentication method you want to dispatch to)
Add Dispatch authenticator
Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Authentication - HTTP".
Add a new Dispatch authenticator object.
{
  "name": "Dispatch",
  "id": "start",
  "alias": "start",
  "configuration": {
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765",
    "mapping": [
      {
        "authenticator": "02d5c28e-ea46-48c9-85b5-decb871820e0",
        "expression": "request.getParameter('resolvedSPID').equals('https://sp.salesforce.com')"
      },
      {
        "authenticator": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
        "expression": "request.getParameter('resolvedSPID').equals('google.com/a/thebjorks.se')"
      }
    ]
  }
}
- Set "alias" to match the alias used in the IdP POST SSO URL.
- Set "idpID" to the ID of the configured IdP.
- Set "authenticator" in each mapping object to the ID of the federation authenticator that should handle that service provider.
- Change the SP entityID values in the expressions to suit your environment. The comparison is an exact string match, so the value must be identical to the entityID the service provider uses, including scheme and trailing characters.
- Add more mapping objects if needed, one per service provider.
When done press Stage changes/Commit changes.
Test
SP-initiated
1. Browse to the SP and start the login.
2. Let the SP redirect you to the IdP.
3. Make sure the correct authentication method is presented.
4. Repeat for a service provider that is not covered by any mapping object, and make sure it does not end up with a weaker method than intended.
IdP-initiated
1. Browse to https://<pas>/saml/authenticate/start?resolvedSPID=<entityID_of_the_SP>, with the entityID URL-encoded so that characters such as ":" and "/" survive as one query value.
2. Make sure the correct authentication method is presented.
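The following is an added example, not part of the PhenixID documentation or product. It is an offline checker for the Dispatch object above: it verifies that the IDs are UUIDs, that every "expression" follows the request.getParameter('resolvedSPID').equals('...') form shown on this page, that no entityID is mapped twice, and then reports which authenticator a given resolvedSPID would be dispatched to, returning None for an SP that no mapping covers. It also builds the IdP-initiated test URL with the entityID percent-encoded. The host name pas.example.com, the unmapped entityID https://unknown.example and the helper names are assumptions for the example; the page does not describe what the server does when no expression matches, so the None result is exactly the case to verify on the real server.

```python
"""Offline checker for a PhenixID Dispatch authenticator mapping (added example)."""
import json
import re
import uuid
from urllib.parse import urlencode

# Constructed copy of the Dispatch object from the page.
DISPATCH_JSON = r'''
{
  "name": "Dispatch",
  "id": "start",
  "alias": "start",
  "configuration": {
    "idpID": "788e37f8-9da9-49b5-83cd-e518e77ab765",
    "mapping": [
      {
        "authenticator": "02d5c28e-ea46-48c9-85b5-decb871820e0",
        "expression": "request.getParameter('resolvedSPID').equals('https://sp.salesforce.com')"
      },
      {
        "authenticator": "d544a852-f6ee-40f2-ba0c-c9ef00847503",
        "expression": "request.getParameter('resolvedSPID').equals('google.com/a/thebjorks.se')"
      }
    ]
  }
}
'''

# Only the expression form shown on the page is understood; anything else
# is rejected rather than guessed at.
EXPR_RE = re.compile(r"^request\.getParameter\('resolvedSPID'\)\.equals\('([^']+)'\)$")


def parse_mapping(dispatch):
    """Return {entityID: authenticatorID} for the mapping list.

    Raises ValueError on an expression outside the page's grammar or on a
    duplicate entityID, since either could route an SP to the wrong method.
    """
    table = {}
    for entry in dispatch["configuration"]["mapping"]:
        m = EXPR_RE.match(entry["expression"])
        if not m:
            raise ValueError("unparsed expression: %s" % entry["expression"])
        sp = m.group(1)
        if sp in table:
            raise ValueError("duplicate mapping for %s" % sp)
        table[sp] = entry["authenticator"]
    return table


def lint(dispatch):
    """Structural checks to run before Stage/Commit; returns a list of problems."""
    problems = []
    conf = dispatch["configuration"]
    ids = [("idpID", conf.get("idpID", ""))]
    ids += [("authenticator", e.get("authenticator", "")) for e in conf.get("mapping", [])]
    for label, value in ids:
        try:
            uuid.UUID(value)
        except ValueError:
            problems.append("%s %r is not a UUID" % (label, value))
    if not conf.get("mapping"):
        problems.append("mapping is empty")
    try:
        parse_mapping(dispatch)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def dispatch_for(dispatch, resolved_sp_id):
    """Authenticator ID selected for resolved_sp_id, or None when nothing matches."""
    return parse_mapping(dispatch).get(resolved_sp_id)


def idp_initiated_url(pas_host, resolved_sp_id):
    """IdP-initiated test URL from the page, with the entityID percent-encoded."""
    query = urlencode({"resolvedSPID": resolved_sp_id})
    return "https://%s/saml/authenticate/start?%s" % (pas_host, query)


DISPATCH = json.loads(DISPATCH_JSON)

if __name__ == "__main__":
    for problem in lint(DISPATCH):
        print("problem:", problem)
    # The third entityID is a constructed, unmapped SP.
    for sp in ["https://sp.salesforce.com", "google.com/a/thebjorks.se", "https://unknown.example"]:
        print(sp, "->", dispatch_for(DISPATCH, sp))
        print("  test URL:", idp_initiated_url("pas.example.com", sp))
```

Run it as-is to see the two mapped SPs resolve to their authenticator IDs and the unmapped SP resolve to None; paste your own Dispatch object into DISPATCH_JSON to check a real configuration before committing it.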