PhenixID

Step by Step – RocketChat MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and SSO for the communication platform Rocket.Chat (https://rocket.chat/), using PhenixID Authentication Services as the SAML Identity Provider.

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • Rocket.Chat administrative rights

Instruction

Configure PhenixID Authentication Services as Identity Provider

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  2. Fetch the mail address and the displayName attributes from the user store. Attribute names may differ depending on user store type.
  3. Go to Scenarios->Federation-><YOUR_IDP>->Identity Provider
  4. Add a Post SLO url: https://<your_phenixid_domain>/saml/authenticate/logout/
  5. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow
  6. Make the following adjustments:
    1. Add a PropertyAddValve above the AssertionProvider with the following values:
      name = username
      value = {{item.mail}}
    2. Click AssertionProvider
    3. Set NameID Attribute = username
    4. Set additional attributes = username,mail,displayName
  7. Save.
  8. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect "Require signed requests". The SAML authentication requests Rocket.Chat sends in this setup are unsigned, so the IdP would otherwise reject them; the responses the IdP sends back are still signed, and Rocket.Chat verifies them against the certificate configured in the next section.
  9. Save.
  10. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and save the metadata to an XML file.
  11. Open the metadata file in a text editor
  12. Fetch the SSO-Location value: the Location attribute of the SingleSignOnService element with the HTTP-Redirect binding.
  13. Fetch the SLO-Location value: the Location attribute of the SingleLogoutService element with the HTTP-Redirect binding.
  14. Extract the IdP signing certificate (the X509Certificate element under the KeyDescriptor with use="signing") from the SAML IdP metadata to a PEM file named idp-cert.crt, by following this guide.

Configure Rocket.Chat

  1. Login to Rocket.Chat as an administrator
  2. Go to SAML under Administration.
  3. Fill out these values:
    Custom Provider: PhenixID
    Custom Entry Point: paste the SSO-Location value fetched from the IdP metadata (from above)
    IDP SLO Redirect URL: paste the SLO-Location value fetched from the IdP metadata (from above)
    Custom Issuer: https://<your-rocketchat-url>/_saml/metadata/PhenixID
    Public Cert Contents: open the Public Cert Contents dropdown, open idp-cert.crt in a text editor and paste its content here. This is the certificate Rocket.Chat uses to verify the signature on what the IdP sends back.
    Signature Validation Type: Validate Either Signature
    User Data Field Map: open the User Data Field Map dropdown and enter the following mapping. Rocket.Chat parses it as JSON, so use straight double quotes, not typographic ones:
    {"username":"username", "email":"mail", "name":"displayName"}
  4. Save
  5. Browse to https://<your-rocketchat-url>/_saml/metadata/PhenixID
  6. Download the XML to a file, sp.xml.
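Steps 10 to 14 of the IdP section and the Rocket.Chat settings just listed come down to reading three things out of the IdP metadata and pasting them in. The script below is an added example, not PhenixID or Rocket.Chat code. It runs against a constructed sample of IdP metadata (the hostname idp.example.com and the certificate body are dummies, not real PhenixID output), picks the HTTP-Redirect SingleSignOnService and SingleLogoutService locations, writes the signing certificate as PEM to idp-cert.crt, and parses the User Data Field Map the same way Rocket.Chat does, so a mapping that names an attribute the IdP never sends, or that was pasted with typographic quotes, fails here rather than at the login page.

```python
"""Derive the Rocket.Chat SAML settings from PhenixID IdP metadata.

Added example, not PhenixID or Rocket.Chat code. SAMPLE_IDP_METADATA is a
constructed stand-in for the XML fetched from
https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
"""
import base64
import json
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Dummy certificate body (constructed): valid base64, not a real X.509 certificate.
DUMMY_CERT_B64 = base64.b64encode(b"constructed dummy certificate body").decode()

# Constructed sample of IdP metadata; the hostname is an assumption.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/authenticate/rocketchat">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {DUMMY_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml/authenticate/logout/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.com/saml/authenticate/rocketchat"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml/authenticate/rocketchat"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _service_location(descriptor, tag, binding):
    """Location of the <md:{tag}> endpoint with the given binding, or None."""
    for endpoint in descriptor.findall(f"md:{tag}", NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    return None


def _signing_cert_pem(descriptor):
    """Signing certificate as PEM. A KeyDescriptor without 'use' covers both
    signing and encryption; an encryption-only key must not be trusted for signatures."""
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        b64 = "".join(cert.text.split())  # metadata usually wraps the base64
        base64.b64decode(b64, validate=True)  # reject garbage before pasting it
        body = "\n".join(textwrap.wrap(b64, 64))
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    raise ValueError("no signing certificate in IdP metadata")


def extract_idp_settings(metadata_xml):
    """Map the IdP metadata onto the Rocket.Chat SAML fields used in the guide."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    sso = _service_location(idp, "SingleSignOnService", HTTP_REDIRECT)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID"),
        "custom_entry_point": sso,  # the SSO-Location value
        "idp_slo_redirect_url": _service_location(idp, "SingleLogoutService", HTTP_REDIRECT),
        "public_cert_contents": _signing_cert_pem(idp),  # the content of idp-cert.crt
    }


def check_field_map(field_map_json, idp_attributes):
    """Parse the User Data Field Map (simple string form) and confirm every
    source attribute is one of the 'additional attributes' the IdP releases."""
    field_map = json.loads(field_map_json)  # typographic quotes fail here, as in Rocket.Chat
    missing = sorted(set(field_map.values()) - set(idp_attributes))
    if missing:
        raise ValueError(f"field map references attributes the IdP does not send: {missing}")
    return field_map


def main():
    settings = extract_idp_settings(SAMPLE_IDP_METADATA)
    for key in ("entity_id", "custom_entry_point", "idp_slo_redirect_url"):
        print(f"{key:22}: {settings[key]}")
    with open("idp-cert.crt", "w", encoding="ascii") as fh:
        fh.write(settings["public_cert_contents"])
    print("wrote idp-cert.crt")
    print("field map:", check_field_map(
        '{"username":"username", "email":"mail", "name":"displayName"}',
        ["username", "mail", "displayName"]))


if __name__ == "__main__":
    main()
```

Replace SAMPLE_IDP_METADATA with the file saved in step 10 and the printed values are the ones to paste into Custom Entry Point and IDP SLO Redirect URL; the HTTP-POST SingleSignOnService entry in the sample is there to show that the script picks the HTTP-Redirect endpoint Rocket.Chat redirects the browser to, not the first one listed.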

Add Rocket.Chat as a trusted Service Provider in PhenixID Authentication Services

  1. Login to configuration manager
  2. Scenarios->Federation
  3. SAML Metadata upload
  4. Select the file (sp.xml) downloaded in previous step

Test

Browse to your Rocket.Chat instance and select PhenixID as the authentication provider.

You should be redirected to PhenixID Authentication Services.

Authenticate.

You should be redirected back to Rocket.Chat.

You should now be logged in to Rocket.Chat.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se