PhenixID

Step by Step – Protect Nginx resources – MFA and SSO with PhenixID Authentication Services

Summary

This document guides you through the steps to enable multi-factor authentication and SSO for web resources hosted on the Nginx web and application server (https://www.nginx.com/).

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • Nginx administrative rights

Overview

  • The integration is based on the open source software Shibboleth SP, which protects the resource and acts as a SAML Service Provider against a SAML Identity Provider (PhenixID Authentication Services).
  • If the protected resource needs the userID of the authenticated user, it reads the value from the HTTP header named username on the incoming request. That header is set by the Shibboleth SP after authentication; any copy of it sent by the client is cleared by Nginx (see the more_clear_input_headers directive in the Nginx configuration below).

Instruction

Configure PhenixID Authentication Services as Identity Provider

  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.)
  2. Fetch the attribute containing your userID from the user store. This may differ based on your environment.
    (For AD, this may be sAMAccountName or userPrincipalName, for other LDAPs this may be uid).
  3. Go to Scenarios->Federation-><YOUR_IDP>->Identity Provider
  4. Add a Post SLO url: https://<your_phenixid_domain>/saml/authenticate/logout/
  5. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow
  6. Make the following adjustments:
    1. Add a PropertyAddValve above the AssertionProvider with the following values. Replace <attribute_containing_username> with the attribute name from step 2 above.
      name = username
      value = {{item.<attribute_containing_username>}}

      Example value = {{item.userPrincipalName}}

    2. Click AssertionProvider
    3. Set NameID Attribute = username
    4. Set additional attributes = username
  7. Save.
  8. Go to Scenarios->Federation-><newly_added_scenario>->Identity Provider. Deselect “Require signed requests”.
  9. Save.
  10. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and save the metadata to an XML file.

Configure Nginx

  1. Install Shibboleth SP for Nginx using this guide.
    In the configuration section, find the location /secure block and change:
    – /secure to the path(s) of the web resource(s) to be protected
    – more_clear_input_headers to:
      more_clear_input_headers 'username';
      (this removes any username header supplied by the client, so the backend only ever sees the value set by the Shibboleth SP)
    – the proxy_pass value to suit your environment.

  2. Configure Shibboleth SP by following this section. Open the IdP metadata file downloaded in step 10 above to find the entityID of the IdP.

    For the attribute mapping part (attribute-map.xml), add this mapping:
    <Attribute name="username" id="username">
      <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

  3. Add the IdP as a trusted provider by following this section.
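The edited location block from step 1 with all three changes applied, as an added example that is not from the PhenixID document or the Shibboleth SP install guide it links to: the protected path /app, the backend http://127.0.0.1:8080 and the shibauthorizer/shibresponder socket paths are assumptions, and the nginx-http-shibboleth and headers-more modules are assumed to be built into Nginx as described in that guide.

```nginx
# Added example (assumed values: /app, http://127.0.0.1:8080, socket paths below).

# Internal endpoint the shib_request directive calls to ask the Shibboleth SP
# (shibauthorizer FastCGI process) whether the request is authenticated.
location = /shibauthorizer {
    internal;
    include shib_fastcgi_params;   # shipped with nginx-http-shibboleth (assumed path)
    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
}

# Shibboleth SP handler: SP metadata and the SAML SSO/SLO endpoints
# (shibresponder FastCGI process).
location /Shibboleth.sso {
    include shib_fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
}

# Protected resource (was "location /secure" in the guide).
location /app {
    # Drop any 'username' header the client sent. Without this line a client
    # could supply its own 'username' header and the backend, which trusts
    # that header for the user ID, could not tell it from the SP-set value.
    more_clear_input_headers 'username';
    # Clear the standard Shibboleth attribute headers for the same reason.
    more_clear_input_headers 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';

    # Ask the SP via the internal location above; unauthenticated
    # requests are redirected to the IdP (PhenixID Authentication Services).
    shib_request /shibauthorizer;
    # Copy the attributes released by the SP (including 'username' as mapped
    # in attribute-map.xml) into request headers for the backend.
    shib_request_use_headers on;

    proxy_pass http://127.0.0.1:8080;
}
```

Run nginx -t after editing and confirm, with a request that carries a forged username header, that the backend still only receives the SP-set value.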

Add Nginx/Shibboleth SP as trusted Service Providers in PhenixID Authentication Services

  1. Login to configuration manager
  2. Follow this guide.

Test

Browse to the protected resource.

You should be redirected to PhenixID Authentication Services.

Authenticate.

You should be redirected back to the Shibboleth SP URI on Nginx (/Shibboleth.sso/...).

You should be redirected to the protected resource.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se