PhenixID web apps authentication – SAML SP

The purpose of this document is to describe how to configure PhenixID server internal web applications for authentication using SAML Service Provider Authentication. This is used when the user authentication is performed on an external SAML Identity Provider.

Prerequisites

  • External SAML IdP Metadata (url or file)

Modules Required

  • auth-http
  • phenix-saml

Configure SAML IdP trust and SAML SP

  1. Place the external SAML IdP metadata file on the server. Save it in the <phenixid_server>/resources folder.
  2. Restart PhenixID Server
  3. Log in to Configuration Manager
  4. Click Advanced
  5. Click Resources
  6. Verify that the metadata file has been added:

7. Add the IDP to SAMLMETA. The id should be the same as the entityID of the IDP.

{

"id" : "https://demo.phenixid.net/idp_rdweb_demo",

"resource" : "externalSamlIdp.xml"

}

8. Add a keystore to use for the SAML signing and/or encryption. Keystore

9. Open the Advanced tab. Define your sp in the SAMLSP section. Note that the id and entityID must have the same value.

{

 "id" : "<create_a_sp_name_and_put_it_here>",

 "keystoreSign" : "<point_to_the_keystore_id_added_in_previous_step>",

"keystoreEncrypt" : "<point_to_the_keystore_id_added_in_previous_step>",

"entityID" : "<create_a_sp_name_and_put_it_here>" }

 

Example:

{

 "id" : "sp.phenixid.se",

 "keystoreSign" : "bhull",

"keystoreEncrypt" : "bhull",

"entityID" : "sp.phenixid.se" }

 

Configuration - add authenticator and pipe

Configuration Properties:

Name Description Default value Mandatory
successURL The URL to redirect the browser to after successful authentication Yes
includeQueryString Enable to append query string (passed to authenticator) to successURL. false No
pipeID Id of pipe to be executed Yes
targetIDP Id of the external SAMLIDP in store. Will be overridden if IDP Discovery is used. Yes
discoveryUrl IDP Discovery service URL. No
acsURL The URL to receive the assertion. Should reference to same authenticator (//authenticate/ Yes
entityID EntityID of this SAML SP. Must have the same value as the sp parameter. Yes
errorURL The URL to redirect the browser to if an error occurs. No

Example configuration

The configuration must be added in the Advanced section of Configuration Manager.

HTTP Authenticators

{
 "id" : "samlsp",
 "alias" : "samlsp",
 "name" : "SAMLServiceProviderAuthN",
 "displayName" : "External IdP",
 "configuration" : {
 "successURL" : "/selfservice/",
 "sp" : "sp.phenixid.se",
 "pipeID" : "assertionConsumer",
 "targetIDP" : "https://demo.phenixid.net/idp_rdweb_demo",
 "acsUrl" : "https://sp.phenixid.se/selfservice/authenticate/samlsp",
 "entityID" : "sp.phenixid.se"
 }
 }

 

Pls note that entityID and sp must have the same value configured.

Pipe

{
 "id" : "assertionConsumer",
 "valves" : [ {
 "name" : "AssertionConsumer",
 "config" : {
 }
 },
{
 "name" : "FlowFailValve",
"config" : {
"message":"User does not exist",
 "exec_if_expr" : "flow.items().isEmpty()"
 }
 },
{
		"name": "PropertyAddValve",
		"config": {
			"name": "roles",
			"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
			"enable_multi_value": "true"
		}
	}
	
]
 } 

Read this article to get the correct value for the roles property.