PhenixID

Step by Step – Hypergene MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for the business intelligence and performance management system Hypergene (https://www.hypergene.com/), using OpenID Connect.

System Requirements

  • PhenixID Authentication Server 4.0 or higher
  • Hypergene technical contact

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Hypergene.

PhenixID Authentication Services acting as OpenID Connect Provider

Setup PAS as OpenID Connect Provider

  1. Login to Configuration Manager.
  2. Scenarios->OIDC
  3. Add a new relying party:
    – client_id = hypergene
    – client_password = <create a password and set>
    – Allowed redirect URIs = <ask the Hypergene admin which value(s) to use>
  4. Create a new OpenID Connect provider by selecting the desired authentication method. Follow the scenario guidelines for values.
    Use the Authorization Code Flow.
    Allow hypergene as an allowed RP to use the OP.
  5. (Points 6-10 below are only necessary with PAS version 4.0 or earlier).
  6. Click Execution flow
  7. Expand Token endpoint
  8. Click Add Valve
  9. Select PropertyAddValve
  10. Enter name = token_type and value = Bearer. Make sure the valve is placed last in the execution flow.
  11. Open the first valve RPBasicAuthenticationValve
    Change username to username_api & password to password_api
  12. Open the OIDCTokenRequestValidationValve
    Disable that valve.
  13. Save the changes
  14. Click General
  15. Click View OP Discovery
  16. Copy the jwks_uri value.
    Example:
  17. Open the copied address
  18. Copy the row defining the kid value. Paste the result in a text editor (for temporary storage).
  19. (Points 20-30 below are only necessary with PAS version 4.2 or earlier).
  20. Go back to Configuration Manager->Scenarios->Your OP->Execution flow
  21. Expand token endpoint
  22. Expand the GenerateJWTTokenValve
  23. Click Advanced
  24. Copy the ID value
  25. Click the top Advanced tab
  26. Click on the pen to the right of pipe valves
  27. Search, paste the ID value
  28. In the GenerateJWTTokenValve configuration, add the kid value (copied in step 18) to the configuration. Example:
    .
    .
    "config": {
      "subjectattribute": "{{session.user_id}}",
      "keystore": "45g324-123rwe-23412-123",
      "expire_seconds": "90",
      "kid": "aDsxKfK5yr3jp3zRJwicxBV3B5o",
    .
  29. At the same valve, also change the amr string attribute to an array.
    Like this:
    {
      "name": "amr",
      "value": "[\"pwd\"]",
      "type": "array"
    },
  30. Click Stage changes and Commit changes
  31. Go back to Configuration Manager->Scenarios->Your OP->Execution flow
  32. Expand the first execution flow
  33. Fetch the userPrincipalAttribute from your user store.
  34. Add a SessionPropertyReplaceValve with these values:
    "name" : "UPN",
    "value" : "{{item.userPrincipalName}}"
  35. Place the valve after SessionLoadValve and before SessionPersistValve
  36. Save
  37. Expand the Token endpoint execution flow
  38. Locate the GenerateJWTTokenValve
  39. On the Token attributes part (which defines the claims to be set in the id_token), add a new key-value pair:
    "name" : "UPN",
    "value" : "{{session.UPN}}"
  40. Save
  41. Click Scenarios->OIDC-><Your OP>
  42. Click View OP Discovery
  43. Copy the OP discovery URL.
  44. Send this information to the Hypergene administrator:
    Hypergene naming in parentheses:
    – OP Discovery URL (oidc_issuer_url)
    – client_id (oidc_client_id)
    – client_secret (oidc_client_secret)
    – List of claims that will be present in the id_token
    In the example above, UPN. (oidc_username_claim)
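As an added check (example code, not part of the PhenixID instructions): a small Python script that takes the parsed JSON from the OP's token endpoint response and confirms it has the shape steps 10, 28, 29 and 39 configure, that is token_type Bearer, a kid in the id_token header that is published at jwks_uri, amr as an array and the UPN claim present. The JWKS and the two token responses are constructed sample data; the kid is the example value from step 28.

```python
import base64
import json

# Constructed sample of what the OP publishes at jwks_uri (steps 16-18). The kid is the
# example value from step 28; the modulus is a placeholder, not real key material.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                         "kid": "aDsxKfK5yr3jp3zRJwicxBV3B5o", "n": "placeholder", "e": "AQAB"}]}

def _encode_segment(obj):
    """base64url-encode a dict as one JWT segment, without padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _decode_segment(segment):
    """Decode one base64url JWT segment (header or payload) back into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_sample_token(header, payload):
    """Constructed id_token for exercising the checker; the third segment is a placeholder signature."""
    return ".".join([_encode_segment(header), _encode_segment(payload), "c2lnbmF0dXJl"])

def check_token_response(response, jwks, expected_claims=("UPN",)):
    """Return a list of findings about a token endpoint response (a dict parsed from its JSON).
    An empty list means the response has the shape the steps above configure. This is a
    structural check only; the relying party still verifies the signature against the JWKS key."""
    findings = []
    if response.get("token_type") != "Bearer":
        findings.append("token_type is not 'Bearer' (PropertyAddValve, step 10)")
    parts = response.get("id_token", "").split(".")
    if len(parts) != 3:
        return findings + ["id_token is not a three-segment JWT"]
    header, payload = _decode_segment(parts[0]), _decode_segment(parts[1])
    published_kids = {key.get("kid") for key in jwks.get("keys", [])}
    if header.get("kid") not in published_kids:
        findings.append("header kid %r is not published at jwks_uri (step 28)" % header.get("kid"))
    if not isinstance(payload.get("amr"), list):
        findings.append("amr claim is not an array (step 29)")
    for claim in expected_claims:
        if claim not in payload:
            findings.append("claim %r missing from id_token (step 39)" % claim)
    return findings

# Constructed responses: one matching the configuration, one with the defects the steps fix.
GOOD_RESPONSE = {"token_type": "Bearer", "id_token": make_sample_token(
    {"alg": "RS256", "kid": "aDsxKfK5yr3jp3zRJwicxBV3B5o"},
    {"sub": "alice", "amr": ["pwd"], "UPN": "alice@example.com"})}
BAD_RESPONSE = {"id_token": make_sample_token(
    {"alg": "RS256"}, {"sub": "alice", "amr": "pwd"})}
```

Run check_token_response on the JSON returned by the OP's token endpoint (with the real jwks_uri document) after completing the steps; a non-empty list names the step to revisit.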

Configure Hypergene

  1. The Hypergene administrator will handle this part.

Test

The Hypergene administrator will supply instructions on how to test the setup.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se