PhenixID

Step by Step – Consume Google user authentication with PhenixID Authentication and Signing Services


Summary

This document will guide you through the steps to configure PhenixID Authentication Services and/or PhenixID Signing Services to consume Google user authentication.

PhenixID Authentication Services (PAS) will act as a SAML Service Provider against Google SAML Identity Provider.

Background

Many organizations use Google as the master identity store for all or parts of their user base. With PhenixID, you can:

  • Add the second factor in a multifactor authentication flow where the first factor is internal Google authentication.
  • Sign documents and transactions electronically using your Google account
  • Protect web- and cloud apps (SAML SPs, OIDC RPs) with Google authentication and PhenixID MFA
  • Protect internal PhenixID web apps, such as the MyApps portal, with Google authentication

System requirements

  • PhenixID Authentication Services 2.7 or higher
  • A Google administrator account

Instruction

Configure PhenixID Authentication Services

Add authenticator

  • Login to Configuration Manager
  • Advanced->Authenticators-HTTP
  • Depending on the service you protect, you need to create an authenticator:

– Protecting internal web application (for example Myapps, self service, signing) -> SAMLServiceProviderAuthN. Please view this instruction.

– Protecting external service which is a SAML SP -> SAMLSPBroker. Please view this instruction.

– Protecting external service which is an OIDC RP -> OIDCToSAMLBroker. Please view this instruction.

Make sure to set this parameter on the authenticator:

"targetIDP": "dummy-will-be-changed-later"

Example configuration:

{
  "id": "sp",
  "alias": "sp",
  "name": "SAMLServiceProviderAuthN",
  "displayName": "Google Identity Provider",
  "configuration": {
    "sp": "https://ubuntu.phenixid.local/saml/sp",
    "pipeID": "pipeAssertionConsumer",
    "successURL": "/myapps",
    "acsUrl": "https://ubuntu.phenixid.local:8443/myapps/authenticate/sp",
    "entityID": "https://ubuntu.phenixid.local/saml/sp",
    "targetIDP": "dummy-will-be-changed-later"
  }
}

Fetch SAML SP Metadata

  • Fetch your sp metadata by opening the URL:

For a SAMLServiceProviderAuthN authenticator: <acsUrl_in_authenticator_conf>?getSPMeta

For a SAMLSPBroker or OIDCToSAMLBroker authenticator: <acsUrl_in_authenticator_conf>?getMeta

  • Save the produced metadata to an XML file.
  • Open the metadata XML file in a text editor.
  • Locate the entityID property value. Copy it. This will be used in a later step.
  • Locate the AssertionConsumerService->Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"->Location value. Copy it. This will be used in a later step.

Configure Google

  • Login to Google with your administrator account
  • Open the admin console -> Apps
  • Click SAML apps
  • Click + to add new app
  • Click Setup my own custom app

  • Click IDP Metadata -> Download. Save the file as google_idp.xml


  • Enter the name of the application = “PhenixID”.


  • In step 4, enter these values:
    ACS URL = <value fetched in previous step above (AssertionConsumerService)>
    Entity ID = <value fetched in previous step above (entityID)>
    Select Signed Response

    Example:

  • If needed, add more identity attributes, such as mobile number, to be released from the Google Identity Provider.
  • Done.

Add trust to Google for PhenixID Authentication Services

Upload Google metadata

  • Open Configuration Manager
  • Scenarios->Federation->SAML Metadata upload
  • Upload the file google_idp.xml

Set targetIdP

  • Open google_idp.xml in a text editor
  • Locate the entityID value. Copy the value.
  • Open Configuration Manager->Advanced->Authenticators-HTTP
  • Locate the authenticator you previously created
  • Set the targetIDP value to the entityID value.
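The values copied by hand in "Fetch SAML SP Metadata" and "Set targetIdP" can also be pulled out of the metadata programmatically. The script below is an added example and is not PhenixID code; the SP and IdP metadata documents in it are constructed samples (the SP values come from the example authenticator configuration above, the Google entityID is a placeholder), and it only selects the HTTP-POST AssertionConsumerService, as the guide instructs.

```python
"""Extract the SAML metadata values this guide tells you to copy.
Assumed helper script, not part of PhenixID; sample metadata is constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what <acsUrl>?getSPMeta returns. A second ACS with
# another binding is included so the binding filter actually matters.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://ubuntu.phenixid.local/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://ubuntu.phenixid.local:8443/myapps/authenticate/sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ubuntu.phenixid.local:8443/myapps/authenticate/sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for google_idp.xml; the idpid value is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Minimal authenticator configuration with the dummy targetIDP from the guide.
AUTH_CONF = {"id": "sp", "name": "SAMLServiceProviderAuthN",
             "configuration": {"targetIDP": "dummy-will-be-changed-later"}}

def sp_values(xml_text):
    """Return (entityID, HTTP-POST ACS Location) to enter in the Google app setup."""
    root = ET.fromstring(xml_text)
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST:  # Google must post to this endpoint
            return root.get("entityID"), acs.get("Location")
    raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")

def idp_entity_id(xml_text):
    """Return the entityID of the downloaded IdP metadata (google_idp.xml)."""
    return ET.fromstring(xml_text).get("entityID")

def set_target_idp(auth_conf, idp_xml):
    """Return a copy of the authenticator config with targetIDP set to the IdP entityID."""
    conf = {**auth_conf, "configuration": dict(auth_conf["configuration"])}
    conf["configuration"]["targetIDP"] = idp_entity_id(idp_xml)
    return conf
```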

Test

  • Trigger the authentication flow where the Google IDP authentication is involved.
  • Your browser should be redirected to the Google IDP
  • Authenticate using your Google test account
  • Your browser should be redirected back to PhenixID Authentication Services with a SAML assertion containing the Google userID (email address)
  • You should now be logged in to the service protected by Google authentication

Debugging

  • Use a SAML debugging tool, such as SAML Tracer, to retrieve the SAML messages
  • Use PhenixID server.log in debug mode to find


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se