Reset Password using other methods or external authentication provider

This document describes how to create a web page that uses other authentication methods provided by PhenixID, such as electronic IDs, certificates or external authentication providers. This is done by protecting PPSS with a SAML Service Provider authenticator that is connected to a SAML Identity Provider (internal, i.e. on the same server, or an external authentication provider).

You can also create a web page from which the user chooses a method; see the document PPSS Choice for how to do that.

Requirements:

  • LDAP must be configured. Note the ID of the connections; they will be used in later steps.
  • A configured SAML IdP, on the same server or on another server. Note the address of the IdP; it will be used in later steps.
  • A keystore to be used by the SAML SP, see the following document: http://document.phenixid.net/m/82710/l/985418-keystore

Do the following steps in the ADVANCED tab in the Configuration GUI.

Step 1 - Authentication - HTTP

Add the following configuration to “Authentication - HTTP” 

{
		"alias": "spresetpwd",
		"name": "Registration",
		"configuration": {
			"stages": [
				{
					"pipeid": "spresetpwd-set-password",
					"template": "changepwd/spresetpwd-set-password",
					"templateVariables": {
						"password_validity": {
							"contains_lowercase": "true",
							"contains_uppercase": "true",
							"contains_special": "true",
							"contains_number": "true",
							"password_length": "8"
						},
						"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
					},
					"translation": [
						"otpwdreset.title",
						"otpwdreset.setpwd.header",
						"otpwdreset.setpwd.paragraph",
						"otpwdreset.setpwd.givenname",
						"otpwdreset.setpwd.surname",
						"otpwdreset.setpwd.username",
						"otpwdreset.setpwd.mobile",
						"otpwdreset.setpwd.continue",
						"ppsspas.common.validation.header",
						"ppsspas.common.validation.lowercase",
						"ppsspas.common.validation.uppercase",
						"ppsspas.common.validation.number",
						"ppsspas.common.validation.special",
						"ppsspas.common.validation.length",
						"ppsspas.common.validation.",
						"ppsspas.common.error.lockout",
						"ppsspas.common.error.user",
						"ppsspas.common.error.otp",
						"ppsspas.common.error.ldappwd"
					],
					"sessionValues": [
						"givenName",
						"sn",
						"mobile",
						"authenticatedUserID",
						"authURL"
					]
				},
				{
					"pipeid": "spresetpwd-complete",
					"template": "changepwd/spresetpwd-complete",
					"sessionValues": [],
					"templateVariables": {
						"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
					},
					"translation": [
						"otpwdreset.title",
						"otpwdreset.complete.header",
						"otpwdreset.complete.paragraph",
						"otpwdreset.complete.done"
					]
				}
			]
		},
		"id": "spresetpwd"
	},
	{
		"id": "changepwdsamlsp",
		"alias": "changepwdsamlsp",
		"name": "SAMLServiceProviderAuthN",
		"displayName": "External IdP",
		"configuration": {
			"successURL": "/ppss/authenticate/spresetpwd",
			"pipeID": "changepwd-assertionConsumer",
			"sp": "replace-sp_address/saml/authenticate/changepwdsp",
			"entityID": "replace-sp_address/saml/authenticate/changepwdsp",
			"targetIDP": "replace-targetIDP_address",
			"acsUrl": "replace-acsUrl_address/ppss/authenticate/changepwdsamlsp"
		}
	}

Replace the following “Authentication - HTTP” settings:

"replace-sp_address" to match your environment, example "https://pas-training.company.local:8443/saml/authenticate/changepwdsamlsp"

"replace-targetIDP_address" to match your environment, example "https://idp.phenixid.se:8443/saml/authenticate/ppss_idp"

"replace-acsUrl_address" to match your environment, example "https://pas-training.company.local:8443/ppss/authenticate/changepwdsamlsp"

Adjust the following settings to match your password policy:

"contains_lowercase": "true" - set this value to true to require a lowercase character, otherwise false

"contains_uppercase": "true" - set this value to true to require an uppercase character, otherwise false

"contains_special": "true" - set this value to true to require a special character, otherwise false

"contains_number": "true" - set this value to true to require a number, otherwise false

"password_length": "8" - minimum length of the password, in this example a minimum of 8 characters

Verify that the "nextTarget" value in both “cancel_href” and “done_href” matches your requirements.
If needed, change the nextTarget value as in the following example:

"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/spresetpwd/"
"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/spresetpwd/"

Step 2 - Pipes

Add the following configuration to “Pipes”

	{
		"id": "spresetpwd-set-password",
		"valves": [
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "InputParameterExistValidatorValve",
				"config": {
					"param_name": "password"
				}
			},
			{
				"name": "LDAPSearchValve",
				"config": {
					"connection_ref": "replace-ldap-ref",
					"base_dn": "replace-base_dn",
					"scope": "SUB",
					"size_limit": "0",
					"filter_template": "replace-ppss-filter",
					"attributes": ""
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "No user found, please authenticate first.",
					"exec_if_expr": "flow.items().isEmpty()"
				}
			},
			{
				"name": "replace-ppss-pwdvalve",
				"enabled": "true",
				"config": {
					"connection_ref": "replace-ldap-ref",
					"value": "{{request.password}}"
				}
			},
			{
				"name": "SessionPersistValve",
				"config": {}
			}
		]
	},
	{
		"id": "spresetpwd-complete",
		"valves": [
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "SessionRemoveValve",
				"config": {}
			}
		]
	},
	{
		"id": "changepwd-assertionConsumer",
		"valves": [
			{
				"name": "AssertionConsumer",
				"config": {
					"clock_skew_minutes": "10"
				}
			},
			{
				"name": "FlowFailValve",
				"config": {
					"message": "User does not exist",
					"exec_if_expr": "flow.items().isEmpty()"
				}
			},
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "SessionPropertyReplaceValve",
				"config": {
					"name": "authenticatedUserID",
					"value": "{{item.id}}"
				}
			},
			{
				"name": "LDAPSearchValve",
				"config": {
					"connection_ref": "replace-ldap-ref",
					"base_dn": "replace-base_dn",
					"scope": "SUB",
					"size_limit": "0",
					"filter_template": "replace-ppss-filter",
					"attributes": "givenName,sn,mobile"
				}
			},
			{
				"name": "ItemMergeValve",
				"enabled": "true",
				"config": {
					"dest_id": "{{session.authenticatedUserID}}"
				}
			},
			{
				"name": "SessionPersistValve",
				"config": {}
			}
		]
	}

Replace the following Pipe settings:

“replace-ldap-ref” with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”

“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”

"replace-ppss-filter" with either "sAMAccountName={{session.authenticatedUserID}}" if you have Active Directory or "uid={{session.authenticatedUserID}}" for other LDAP catalogs

"replace-ppss-pwdvalve" with "ADPasswordChangeValve" if you have Active Directory; for other LDAP catalogs replace with "LDAPModifyValve" and add "modification_type": "REPLACE", to the config section of the valve

Verify that “filter_template” and “attributes” match your environment.

Step 3 - Add template

- Download zip with templates from https://files.phenixid.se/s/zasQ7LDPNEQqL44

- Extract zip-file in folder <pas_root_folder>/mods/com.phenixidentity~auth-http~x.x.x/templates/changepwd

- After extraction, 2 new files should be displayed in the folder

Step 4 - Add SAML SP

Add the following configuration to “SAML 2 Service providers” 

	{
		"id": "replace-sp_address/saml/authenticate/changepwdsp",
		"entityID": "replace-sp_address/saml/authenticate/changepwdsp",
		"keystoreSign": "replace-sp_keystoreSign"	
	}

Replace the following SAML 2 settings:

“replace-sp_address” with the address to your server, example "https://pas-training.company.local:8443/saml/authenticate/changepwdsamlsp"

"replace-sp_keystoreSign" with the id of your keystore, example "b635275b-115c-486d-a16a-b171e36528a2"
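
A pre-flight check for the fragments from Steps 1, 2 and 4, added here as an example (it is not part of PhenixID's documentation or tooling). It reports placeholders that were never replaced, pipe references that do not resolve, an entityID without a matching SAML SP, and a connection_ref that holds a DN. The function names, the sample values and the DN heuristic are assumptions; only the key names come from the configuration above.

```python
def walk(node, path=""):
    """Yield (path, value) for every string value in a nested JSON structure."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}/{i}")
    elif isinstance(node, str):
        yield path, node

def check(authenticators, pipes, saml_sps):
    """Return a list of findings; an empty list means the fragments agree."""
    findings = []
    # 1. "replace-..." placeholders from the guide that were never filled in.
    for name, part in (("auth", authenticators), ("pipes", pipes), ("sp", saml_sps)):
        findings += [f"placeholder left at {name}{p}: {v}"
                     for p, v in walk(part) if "replace-" in v]
    pipe_ids = {p["id"] for p in pipes}
    sp_ids = {s["entityID"] for s in saml_sps}
    for auth in authenticators:
        cfg = auth["configuration"]
        # 2. Every pipe an authenticator refers to must exist under Pipes.
        wanted = [s["pipeid"] for s in cfg.get("stages", [])]
        wanted += [cfg["pipeID"]] if "pipeID" in cfg else []
        findings += [f"{auth['id']}: pipe '{w}' is not defined"
                     for w in wanted if w not in pipe_ids]
        # 3. The authenticator's entityID must match a configured SAML SP.
        if "entityID" in cfg and cfg["entityID"] not in sp_ids:
            findings.append(f"{auth['id']}: entityID has no matching SAML SP")
    # 4. Heuristic (assumption): a connection_ref containing '=' is a DN.
    for pipe in pipes:
        for valve in pipe["valves"]:
            if "=" in valve.get("config", {}).get("connection_ref", ""):
                findings.append(f"{pipe['id']}/{valve['name']}: connection_ref looks like a DN")
    return findings

# Constructed sample (not a real deployment) with four deliberate mistakes.
SP = "https://pas.example.test:8443/saml/authenticate/changepwdsp"
AUTH = [
    {"id": "spresetpwd", "configuration": {"stages": [
        {"pipeid": "spresetpwd-set-password"}, {"pipeid": "spresetpwd-complete"}]}},
    {"id": "changepwdsamlsp", "configuration": {"pipeID": "changepwd-assertionConsumer",
        "entityID": SP, "targetIDP": "replace-targetIDP_address"}}]
PIPES = [
    {"id": "spresetpwd-set-password", "valves": [{"name": "LDAPSearchValve",
        "config": {"connection_ref": "DC=example,DC=test"}}]},
    {"id": "changepwd-assertionConsumer", "valves": [{"name": "AssertionConsumer"}]}]
SAML_SPS = [{"id": SP + "-old", "entityID": SP + "-old"}]
print(*check(AUTH, PIPES, SAML_SPS), sep="\n")
```

To run it against a real configuration, load each of the three sections as a JSON array with json.load and pass them to check() in place of the sample values.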

Exchange metadata:

When done with the configuration, extract the SAML SP metadata and import it on the IdP (same server or external IdP).
Example URL to export the SAML SP metadata: "https://pas-training.company.local:8443/ppss/authenticate/changepwdsamlsp/?getMeta"

Import the SAML IdP metadata on the server using the scenario Scenarios->Federation->SAML Metadata.

Browse to https://"Server address":"port"/ppss/authenticate/spresetpwd, example https://www.phenixid.se:8443/ppss/authenticate/spresetpwd