OpenID Connect – SAML Identity Provider authentication

This authenticator is used in scenarios where PhenixID acts as OpenID Connect Provider, relaying the authorization step to a SAML Identity Provider.

PhenixID will act as a SAML Service Provider against the IdP.

Configuration

Upload SAML Identity Provider metadata

1. Upload the SAML Identity Provider metadata using this guide.

2. Note the entityID of the SAML Identity Provider.

Define SAML Service Provider

1. Upload a keystore to be used for SAML message signing using this guide.

2. Define your SAMLSP using Configure SAML IdP trust and SAML SP -> step 9 in this guide.

3. Note the id of the defined SAMLSP.

HTTP Authenticators

Add the OIDCToSAMLBroker authenticator. For a full configuration reference, please view this document.

{
	"id": "oidc_authz_samlsp",
	"alias": "oidc_authz_samlsp",
	"name": "OIDCToSAMLBroker",
	"displayName": "Local SAML Identity Provider",
	"configuration": {
		"sp": "sp.phenixid.se",
		"pipeIDAssertionConsume": "pipeAssertionConsumer",
		"targetIDP": "http://example.org/idp",
		"acsUrl": "https://pas_server:443/oidc_auth/authenticate/oidc_authz_samlsp",
		"entityID": "sp.phenixid.se",
		"allowedRP": [
			"t1"
		]
	}
}


Change:

- "sp" -> the id of the previously defined SAML Service Provider

- "targetIDP" -> the entityID of the previously uploaded SAML Identity Provider

- "acsUrl" -> Change the domain (pas_server in the example) to your domain.

- "entityID" -> the id of the previously defined SAML Service Provider

- "allowedRP" -> The id(s) of one or more OIDC RPs allowed to use this authenticator.
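A consistency check for the authenticator entry described above, added here as an example; it is not part of PhenixID or this guide. It assumes the sample values shown on this page, a constructed list of pipe ids, and treats the guide's own placeholders (pas_server, example.org) as values that still have to be replaced:

```python
import json
from urllib.parse import urlparse

# Constructed sample: the authenticator entry from this guide, still carrying
# the guide's placeholder domain so the check has something to report.
AUTHENTICATOR_JSON = """{
  "id": "oidc_authz_samlsp",
  "alias": "oidc_authz_samlsp",
  "name": "OIDCToSAMLBroker",
  "configuration": {
    "sp": "sp.phenixid.se",
    "pipeIDAssertionConsume": "pipeAssertionConsumer",
    "targetIDP": "http://example.org/idp",
    "acsUrl": "https://pas_server:443/oidc_auth/authenticate/oidc_authz_samlsp",
    "entityID": "sp.phenixid.se",
    "allowedRP": ["t1"]
  }
}"""
BROKER = json.loads(AUTHENTICATOR_JSON)
PIPE_IDS = ["pipeAssertionConsumer"]          # pipe ids defined on the server (constructed)
PLACEHOLDERS = ("pas_server", "example.org")  # guide values that must be replaced


def check_broker(authenticator: dict, pipe_ids: list) -> list:
    """Return the findings for one OIDCToSAMLBroker entry; empty means consistent."""
    findings = []
    cfg = authenticator.get("configuration", {})
    if authenticator.get("name") != "OIDCToSAMLBroker":
        findings.append("name must be OIDCToSAMLBroker")
    # "sp" and "entityID" both name the SAML SP defined earlier, so they must agree
    if cfg.get("sp") != cfg.get("entityID"):
        findings.append("sp and entityID differ")
    if cfg.get("pipeIDAssertionConsume") not in pipe_ids:
        findings.append("pipeIDAssertionConsume does not match a defined pipe id")
    acs = urlparse(cfg.get("acsUrl", ""))
    if acs.scheme != "https":
        findings.append("acsUrl must use https")
    # the IdP posts the assertion back to this path; it must carry the authenticator id
    if acs.path != "/oidc_auth/authenticate/" + str(authenticator.get("id")):
        findings.append("acsUrl path does not end with the authenticator id")
    for key in ("acsUrl", "targetIDP"):
        if any(p in cfg.get(key, "") for p in PLACEHOLDERS):
            findings.append(key + " still contains a placeholder from the guide")
    if not cfg.get("allowedRP"):
        findings.append("allowedRP is empty: no RP may use this authenticator")
    return findings

if __name__ == "__main__":
    for finding in check_broker(BROKER, PIPE_IDS):
        print("finding:", finding)
```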

Pipe

{
	"id": "pipeAssertionConsumer",
	"valves": [
		{
			"name": "AssertionConsumer",
			"config": {
				"clock_skew_minutes": "10"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "redirect_uri",
				"value": "{{request.redirect_uri}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "response_type",
				"value": "{{request.response_type}}"
			}
		},
		{
			"name": "UUIDCreateValve",
			"enabled": "true",
			"config": {
				"name": "code"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "state",
				"value": "{{session.state}}"
			}
		},
		{
			"name": "SessionClearAllAliasValve",
			"config": {}
		},
		{
			"name": "SessionBindValve",
			"config": {
				"alias": "{{item.code}}"
			}
		},
		{
			"name": "PropertyKeepValve",
			"config": {
				"name": "code,state,response_type"
			}
		}
	]
}


Extract SAML SP metadata

Open a web browser and go to <acsUrl>?getMeta. Example:

https://pas_server:443/oidc_auth/authenticate/oidc_authz_samlsp?getMeta

If the URL is not publicly reachable, download the XML presented. Distribute the URL (or the XML file) to the SAML Identity Provider administrator, who must then upload the SP metadata to the SAML Identity Provider.

Notes

Please be aware that this authenticator alone is not sufficient to complete a full OpenID Connect authentication scenario! It only covers the authorization endpoint part. To complete the token endpoint configuration, please view this document.