PAS as SAML Federation Broker - IDP select shortcut

This document describes how to configure PAS so that end users do not have to select an IdP on the IdP Discovery page.

The reader of this document should have some basic knowledge about PhenixID Server.

We will make changes to phenix-store.json, so make sure to have a recent copy/backup of this file.

System requirements

- PhenixID Server v 2.7 or higher installed.

- Download the template files from https://files.phenixid.se/s/kKeY47GTMQq3d4q, unzip them and copy them into the <phenixid_server_root>/mods/*auth-http*/templates/ folder

Overview

Background to the problem being solved:

- Application (SAML Service Provider) connected to PhenixID Authentication Services serving as Federation Broker, i.e. forwarding the authentication request to an external IdP

- PhenixID connected to multiple external IdPs

- Application (SAML Service Provider) does not support IdP-initiated SAML sign-on

- Application (SAML Service Provider) can only connect to one IdP (the federation broker)

- Requirement to create URLs that automatically redirect the browser to the correct IdP without the user having to select it

Configure Registration Authenticator

- Log in to Configuration Manager

- Go to Advanced

- Open Authenticators - HTTP

- Add this authenticator:

{
  "alias": "preselect_idp",
  "name": "Registration",
  "configuration": {
    "stages": [
      {
        "pipeid": "preselect_idp_pipe",
        "template": "preselect_idp_start",
        "sessionValues": [],
        "translation": []
      },
      {
        "pipeid": "dummy",
        "template": "preselect_idp_end",
        "translation": [],
        "sessionValues": [
          "redirect_uri"
        ]
      }
    ]
  },
  "id": "preselect_idp"
}

Configure pipe

- Log in to Configuration Manager

- Go to Advanced

- Open Pipes

- Add this pipe:

{
  "enabled": "true",
  "id": "preselect_idp_pipe",
  "valves": [
    {
      "name": "ItemCreateValve",
      "enabled": "true",
      "config": {
        "dest_id": "dummy"
      }
    },
    {
      "name": "SessionLoadValve",
      "enabled": "true",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "name": "redirect_uri",
        "value": "{{request.redirect_uri}}"
      }
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "name": "selected_idp",
        "value": "{{request.idp}}"
      }
    },
    {
      "name": "SessionPersistValve",
      "config": {}
    }
  ]
}

Configure your dispatch authenticator

- Log in to Configuration Manager

- Go to Advanced

- Open Authenticators - HTTP

- Add a dispatch authenticator.

Change the values and add mappings to suit your environment. Set the alias to match your IdP start point, i.e. the authenticator alias used as the POST SSO URL. In this example, if no selected_idp value can be read from the session, the end user is presented with a list of IdPs to choose from.

{
  "name": "Dispatch",
  "id": "start",
  "alias": "start",
  "configuration": {
    "idpID": "0a97d390-346a-48a0-8c22-1d934958ccc7",
    "mapping": [
      {
        "authenticator": "spBrokerCust1",
        "description": "IDP cust 1",
        "expression": "session.properties().getValueOrDefault('selected_idp','').equals('https://idp.example.org/idp')"
      },
      {
        "authenticator": "spBrokerCust2",
        "description": "IDP cust 2",
        "expression": "session.properties().getValueOrDefault('selected_idp','').equals('https://idp.phx.se/saml/idp')"
      },
      {
        "authenticator": "selector",
        "description": "Default selector if no idp set",
        "expression": "true"
      }
    ]
  }
}
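As an added illustration (not part of the original page and not PhenixID product code), the following Python models the three pieces configured above end to end: building the link that carries the idp and redirect_uri request parameters, the pipe copying those parameters into session properties, and the dispatch mapping evaluated in order with the selector as catch-all. The PAS host name, the /authenticate/<alias> path, the application host and the https/allow-list check on redirect_uri are assumptions of this example; the entityIDs and authenticator names are the ones from the dispatch mapping. The example also shows the exact-match caveat of the dispatch expression: a value that differs from the mapped entityID by even a trailing slash falls through to the selector, as does an empty session after logout.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example (not taken from the page): the PAS host and
# the path at which HTTP authenticators are reached by alias.
PAS_BASE = "https://pas.example.com"
PRESELECT_ALIAS = "preselect_idp"   # alias of the Registration authenticator above

# IdP entityIDs and target authenticators as listed in the dispatch mapping above.
IDP_MAPPING = [
    ("https://idp.example.org/idp", "spBrokerCust1"),
    ("https://idp.phx.se/saml/idp", "spBrokerCust2"),
]
DEFAULT_AUTHENTICATOR = "selector"  # the "expression": "true" catch-all

# Hardening assumption of this example: links are only generated for redirect
# targets on known application hosts over https.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def link_errors(idp, redirect_uri):
    """Return the reasons (if any) why a preselect link must not be built."""
    errors = []
    if idp not in dict(IDP_MAPPING):
        errors.append("idp is not one of the mapped entityIDs")
    target = urlparse(redirect_uri)
    if target.scheme != "https":
        errors.append("redirect_uri must use https")
    if target.hostname not in ALLOWED_REDIRECT_HOSTS:
        errors.append("redirect_uri host is not an allowed application host")
    return errors


def build_preselect_url(idp, redirect_uri):
    """Build the URL handed to end users: it calls the Registration
    authenticator with the two request parameters the pipe reads."""
    errors = link_errors(idp, redirect_uri)
    if errors:
        raise ValueError("; ".join(errors))
    query = urlencode({"idp": idp, "redirect_uri": redirect_uri})
    return f"{PAS_BASE}/authenticate/{PRESELECT_ALIAS}?{query}"


def run_preselect_pipe(url, session):
    """Model preselect_idp_pipe: the two SessionPropertyAddValves copy
    request.redirect_uri and request.idp into the session, which
    SessionPersistValve then stores."""
    params = parse_qs(urlparse(url).query)
    session["redirect_uri"] = params.get("redirect_uri", [""])[0]
    session["selected_idp"] = params.get("idp", [""])[0]
    return session


def dispatch(session):
    """Model the Dispatch authenticator: mappings are evaluated in order and
    the first true expression wins. Each expression is an exact equals()
    against session.properties().getValueOrDefault('selected_idp', '')."""
    selected = session.get("selected_idp", "")
    for entity_id, authenticator in IDP_MAPPING:
        if selected == entity_id:
            return authenticator
    return DEFAULT_AUTHENTICATOR


if __name__ == "__main__":
    link = build_preselect_url("https://idp.example.org/idp", "https://app.example.com/")
    print(link)
    print(dispatch(run_preselect_pipe(link, {})))   # spBrokerCust1
    print(dispatch({}))                               # selector: no session value, e.g. after logout
    print(dispatch({"selected_idp": "https://idp.example.org/idp/"}))  # selector: trailing slash breaks equals()
```

When generating links for end users, produce the idp value from the same string used in the dispatch expression rather than typing it by hand, since the comparison is byte-for-byte and a mismatch silently lands on the selector page instead of the intended IdP.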

Test

- Open one of the built URLs in a web browser. Click Login (or equivalent) in the application. You should now end up on the IdP without having to select an IdP.

- Open https://<pas_server>:<port>/saml/authenticate/logout/ to end the PAS session, then open the SP URL and try to log in. The Federation Broker (PAS) should now display a list of IdPs to select from.