PhenixID

Step by Step – Cambio Cosmic (desktop client) SSO with PhenixID Authentication Services

Summary

This document describes the steps needed to provide Single Sign-On and Single Logout for the Cambio Cosmic desktop client (“digital biljett”, digital ticket) using SAML, with PhenixID Authentication Services acting as the SAML IdP.


System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Information about the Cambio Cosmic environment: Assertion Consumer Location URL, entity ID, signing certificate, Single Logout URL (normally, the Single Logout URL is the same as Assertion Consumer Location URL).
  • Cambio Cosmic test account

Instructions

Set up PhenixID Authentication Services as SAML IdP

  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.) Make sure the authentication flow fetches the user's Cosmic user ID (the HSA-ID, or another attribute Cosmic has been configured to match on) during authentication.
  2. Modify the execution flow in order to create the SAML assertion properly:
    1. Make sure you have an item property named hsaid, fetched by a previous valve in the pipe (for example an LDAP search or a certificate attribute).
    2. Add a valve that sets the property role to the value cosmic-user. Place it before the AssertionProvider valve.
    3. Add a valve that sets the property http://sambi.se/attributes/1/employeeHsaId to the hsaid value. Place it before the AssertionProvider valve.
    4. Click Save
    5. Click Advanced
    6. Click Pipe Valves
    7. Locate the AssertionProvider valve used in the flow.
    8. Edit the AssertionProvider valve.
      Set these parameters:
      – nameIDAttribute = hsaid
      – additionalAttributes = role,http://sambi.se/attributes/1/employeeHsaId
      – misc object:
      * excludeSubjectNotBefore = true (the SubjectConfirmationData is then issued without a NotBefore condition)
      * nameIdFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      Example (note that this example uses http://sambi.se/attributes/1/employeeHsaId as nameIDAttribute rather than hsaid; since both properties carry the same HSA-ID value, the resulting NameID is the same):

      {
        "id": "23bef445-5170-4a01-a806-c40d5c92ae39",
        "name": "AssertionProvider",
        "enabled": "true",
        "config": {
          "targetEntityID": "cc5332ed-6c3d-445f-ba77-0450e1f13dc1",
          "userNameAttribute": "sAMAccountName",
          "sourceID": "urn:dt-test:demo.phenixid.net",
          "nameIDAttribute": "http://sambi.se/attributes/1/employeeHsaId",
          "guide_ref": "4881ddc5-2b18-4423-b765-72de5d0a0751",
          "additionalAttributes": "http://sambi.se/attributes/1/employeeHsaId,role",
          "misc": {
            "excludeSubjectNotBefore": "true",
            "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          }
        },
        "created": "2018-05-07T20:25:44.929Z",
        "modified": "2018-05-07T20:27:55.131Z"
      }
  3. Click Stage Changes
  4. Click Commit Changes.
  5. Download the IdP SAML metadata and provide it to the technical contact at Cambio Cosmic.
  6. Configure Cambio Cosmic to trust the IdP [Not documented here].


Add Cambio Cosmic SAML SP Metadata to PhenixID Authentication Services

  1. Ask the Cosmic administrator for the SAML SP XML metadata, as a URL or a file.
  2. Upload the metadata URL/file using this Federation Scenario.


Test

  1. Open the Cosmic client and click Login.
  2. You should be redirected to the IdP (PhenixID Authentication Services).
  3. Authenticate.
  4. You should be redirected back to Cosmic.
  5. You are now logged in to Cosmic.

Troubleshooting

1. Set PhenixID Server logging to DEBUG mode following this guide. Remember to revert the log level once troubleshooting is done: at DEBUG, server.log contains the complete SAML responses, including each user's HSA-ID.

2. Open PhenixID server.log and find the log row that displays the return values from the execution pipe. The example below was captured against a Cambio Nova test environment, so the role is nova-user and the target is a nova-test URL; in a Cosmic flow the role property should read cosmic-user. Example:

2018-05-28 21:59:49,218 [PipesVerticle] DEBUG: Response: {"success":true,"items":[{"id":"xxx","properties":{"role":["nova-user"],"binding":["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"],"SAMLResponse":["..."],"hsaid":["SE162321000024-0050617"],"target":["https://nova-test.cambio.se/nova-auth/saml"]}}]}

3. Copy the SAMLResponse value and Base64-decode it.

4. Verify that the NameID value, the role attribute and the http://sambi.se/attributes/1/employeeHsaId attribute are present in the SAML assertion. Example extract:
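As an added example that is not part of the original article or of PhenixID's software, the following Python script automates troubleshooting steps 2 to 4: it pulls the SAMLResponse out of a PipesVerticle debug row, Base64-decodes it and checks the assertion against the settings configured above (a non-empty persistent NameID, a role attribute with the value cosmic-user, the http://sambi.se/attributes/1/employeeHsaId attribute carrying the same value as the NameID, and no NotBefore on SubjectConfirmationData, which excludeSubjectNotBefore=true is meant to drop). The log row and the SAML response are constructed sample data: the Issuer and the HSA-ID value are taken from this article, while the Destination/target URL https://cosmic.example.invalid/saml is a placeholder. The sample response is unsigned and the script does not verify signatures; it is a debugging aid for reading what the pipe produced, not a replacement for Cosmic's own validation of the response.

```python
"""Decode the SAMLResponse from a PhenixID PipesVerticle debug row and
check that the assertion carries what Cambio Cosmic expects."""
import base64
import json
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HSA_ATTR = "http://sambi.se/attributes/1/employeeHsaId"
EXPECTED_ROLE = "cosmic-user"


def b64(xml: str) -> str:
    """Base64-encode an XML document the way it appears in the SAMLResponse property."""
    return base64.b64encode(xml.encode()).decode()


# Constructed, unsigned sample of the Response the IdP posts to Cosmic.
# Issuer and HSA-ID value come from the article; the Destination URL is a
# placeholder (assumption). A real Response also carries a ds:Signature,
# which this debugging aid does not verify.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2018-05-28T19:59:49Z"
    Destination="https://cosmic.example.invalid/saml">
  <saml:Issuer>urn:dt-test:demo.phenixid.net</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-28T19:59:49Z">
    <saml:Issuer>urn:dt-test:demo.phenixid.net</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">SE162321000024-0050617</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-05-28T20:04:49Z"
            Recipient="https://cosmic.example.invalid/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>cosmic-user</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{HSA_ATTR}"><saml:AttributeValue>SE162321000024-0050617</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed server.log row in the shape shown in the troubleshooting section.
SAMPLE_LOG_LINE = "2018-05-28 21:59:49,218 [PipesVerticle] DEBUG: Response: " + json.dumps({
    "success": True,
    "items": [{"id": "xxx", "properties": {
        "role": ["cosmic-user"],
        "binding": ["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"],
        "SAMLResponse": [b64(SAMPLE_RESPONSE_XML)],
        "hsaid": ["SE162321000024-0050617"],
        "target": ["https://cosmic.example.invalid/saml"]}}]})


def saml_response_from_log_line(line: str) -> str:
    """Return the Base64 SAMLResponse from a PipesVerticle 'Response:' debug row."""
    payload = json.loads(line.split("Response: ", 1)[1])
    return payload["items"][0]["properties"]["SAMLResponse"][0]


def check_assertion(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse and report NameID, attributes and any deviation from
    the Cosmic requirements: persistent NameID, role=cosmic-user, employeeHsaId
    equal to the NameID, and no NotBefore on SubjectConfirmationData."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no plain Assertion (encrypted, or not a SAML Response)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)

    problems = []
    if not name_id_value:
        problems.append("NameID missing or empty: check nameIDAttribute on the AssertionProvider valve")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')}, expected persistent")
    if EXPECTED_ROLE not in attrs.get("role", []):
        problems.append("role attribute missing or not cosmic-user: check the property valve and additionalAttributes")
    if not attrs.get(HSA_ATTR):
        problems.append(f"{HSA_ATTR} attribute missing: check the property valve and additionalAttributes")
    elif name_id_value and attrs[HSA_ATTR][0] != name_id_value:
        problems.append("NameID and employeeHsaId carry different values")
    if scd is not None and "NotBefore" in scd.attrib:
        problems.append("SubjectConfirmationData has NotBefore: set misc.excludeSubjectNotBefore=true")
    return {"name_id": name_id_value, "attributes": attrs, "problems": problems}


if __name__ == "__main__":
    report = check_assertion(saml_response_from_log_line(SAMPLE_LOG_LINE))
    print(json.dumps(report, indent=2))
```

Run the script as-is to see the report for the constructed sample, or paste a real server.log row into saml_response_from_log_line() (or the SAMLResponse value directly into check_assertion()). An empty problems list means the pipe produced what the configuration above asks for; each reported problem names the valve parameter to revisit. If the Response carries an EncryptedAssertion rather than a plain Assertion, the script stops with an error, since decrypting it would require the SP's private key.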


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se