PhenixID

Step by Step – Add PhenixID Authentication Services SAML Identity Provider to Skolfederationen

Summary

This document will guide you through the steps to add PhenixID Authentication Services (PAS) to Skolfederationen as a SAML Identity Provider (IdP).

System Requirements

  • PhenixID Authentication Services 3.2 or higher
  • Agreement with Skolfederation to be able to connect the IdP to the Skolfederation production environment.
    (Connecting the IdP to the Skolfederation trial environment is possible without an agreement.)

Instruction

Configure PAS as a SAML Identity Provider

  • Login to Configuration Manager
  • Navigate to Scenarios->Federation. Follow this guide on how to add a SAML Identity Provider.
  • Select the authentication method of your choice. Follow the steps in the guide to connect to your user store. Set userPrincipalName as NameID attribute.
  • When the scenario configuration is done, navigate to the created identity provider, then select Identity Provider.
    • Deselect Require signed requests. With request signing off, the IdP cannot verify who sent an AuthnRequest, so it must only deliver assertions to AssertionConsumerService URLs registered in the federation metadata of the requesting SP, never to an unverified URL supplied in the request itself.
    • Add Organization data (display name, name and url).
    • Save.
  • Click View SAML Metadata
  • Save the SAML Metadata as an XML file and name it skolfed_idp.xml.
  • Open skolfed_idp.xml in a text editor.
  • Add the required NameIDFormat elements to the metadata, inside IDPSSODescriptor after the KeyDescriptor element(s) and before the first SingleSignOnService element (the SAML metadata schema requires this order):
    …….</md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

    <md:SingleSignOnService………..

  • Add the required scope value(s).
    The scope defines the suffix of the user ID (eduPersonPrincipalName, EPPN) issued by your PhenixID Authentication Services IdP; service providers in the federation use it to check that the domain part of an EPPN matches a scope declared in the IdP's metadata. If your users will be identified as x.y@kommun.se and z.w@elev.kommun.se, the scope values to add are kommun.se and elev.kommun.se. Change this to suit your environment. The shibmd prefix must be declared (xmlns:shibmd="urn:mace:shibboleth:metadata:1.0", for example on the EntityDescriptor element), otherwise the file is not well-formed XML. The Extensions element goes directly under EntityDescriptor, before IDPSSODescriptor. Example:
    …….<md:EntityDescriptor entityID="…">
    <md:Extensions>
    <shibmd:Scope regexp="false">kommun.se</shibmd:Scope>
    <shibmd:Scope regexp="false">elev.kommun.se</shibmd:Scope>
    </md:Extensions>

    <md:IDPSSODescriptor ………..
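The two metadata edits above are easy to get wrong by hand (wrong element order, missing namespace declaration, a scope that does not match the EPPN suffix). The script below, an added example written for this article and not PhenixID code, makes the same edits to an exported metadata file with the standard library, pre-checks the result before it is sent to the federation validator, and shows the scope check a relying party applies to an incoming EPPN. The entityID, certificate and URLs in SAMPLE_IDP_METADATA are constructed stand-ins for a real skolfed_idp.xml.

```python
"""Add the Skolfederation-required NameIDFormat and shibmd:Scope elements to
exported PhenixID IdP metadata and pre-check the result before upload.
Added example (standard library only), not PhenixID code."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "shibmd": SHIBMD, "ds": DS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)   # keep md:/shibmd: prefixes on output

NAMEID_FORMATS = (
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
)


def add_skolfed_elements(metadata_xml: str, scopes: list) -> str:
    """Return metadata with shibmd:Scope and NameIDFormat added where the SAML
    metadata schema allows them: md:Extensions before the role descriptors,
    NameIDFormat before the first SingleSignOnService. Existing values are kept."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    if root.find("ds:Signature", NS) is not None:
        # Editing signed metadata invalidates the signature; edit an unsigned export.
        raise ValueError("metadata is signed; export it unsigned before editing")

    ext = root.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element(f"{{{MD}}}Extensions")
        root.insert(0, ext)
    have = {e.text.strip().lower() for e in ext.findall("shibmd:Scope", NS) if e.text}
    for scope in scopes:
        if scope.lower() not in have:
            el = ET.SubElement(ext, f"{{{SHIBMD}}}Scope")
            el.set("regexp", "false")   # literal domain, not a regular expression
            el.text = scope.lower()

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor; is this IdP metadata?")
    have = {e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text}
    pos = next((i for i, c in enumerate(idp)
                if c.tag == f"{{{MD}}}SingleSignOnService"), len(idp))
    for fmt in NAMEID_FORMATS:
        if fmt not in have:
            el = ET.Element(f"{{{MD}}}NameIDFormat")
            el.text = fmt
            idp.insert(pos, el)
            pos += 1
    return ET.tostring(root, encoding="unicode")


def check_skolfed_metadata(metadata_xml: str) -> list:
    """Local pre-check of what this guide adds by hand. Returns the problems
    found; an empty list means the file is ready for the federation validator."""
    root = ET.fromstring(metadata_xml)
    problems = []
    if not root.findall("md:Extensions/shibmd:Scope", NS):
        problems.append("no shibmd:Scope in md:Extensions")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor"]
    formats = {e.text for e in idp.findall("md:NameIDFormat", NS)}
    problems += [f"missing NameIDFormat {f}" for f in NAMEID_FORMATS if f not in formats]
    tags = [c.tag for c in idp]
    nif, sso = f"{{{MD}}}NameIDFormat", f"{{{MD}}}SingleSignOnService"
    if nif in tags and sso in tags and tags.index(nif) > tags.index(sso):
        problems.append("NameIDFormat must precede SingleSignOnService")
    if not idp.findall("md:KeyDescriptor", NS):
        problems.append("no md:KeyDescriptor (signing certificate)")
    return problems


def eppn_in_scope(eppn: str, metadata_xml: str) -> bool:
    """What a relying party checks: the domain part of eduPersonPrincipalName
    must exactly match one of the scopes the IdP declares."""
    root = ET.fromstring(metadata_xml)
    scopes = {e.text.strip().lower() for e in root.findall("md:Extensions/shibmd:Scope", NS)}
    _, _, domain = eppn.rpartition("@")
    return bool(domain) and domain.lower() in scopes


# Constructed stand-in for skolfed_idp.xml (not real PhenixID output).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example-kommun.se/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIB...constructed...</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-kommun.se/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `add_skolfed_elements(open("skolfed_idp.xml").read(), ["kommun.se", "elev.kommun.se"])` on the real export and write the result back; `check_skolfed_metadata` on the result should return an empty list before the file is uploaded to the validator. The function refuses signed metadata on purpose: editing an already signed file leaves a signature that no longer matches, and the federation signs the aggregate itself. Note that `eppn_in_scope` rejects `anna@kommun.se.evil.se` even though `kommun.se` is declared, which is exactly why the scope is matched exactly rather than as a suffix.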

Connect the IdP to Skolfederationen

  • Browse to https://validator.skolfederation.se/validator/ and upload the metadata. Your IdP metadata will now be validated.
  • If validation was ok, browse to https://www.skolfederation.se/teknisk-information/metadata-2/lamna-nytt-metadata/ to upload your metadata (trial and/or production).

Modify the execution flow

  • Login to Configuration Manager
  • Navigate to Scenarios->Federation and then select the Skolfederationen IdP just created.
  • Click Execution flow
  • Click on the valve performing the user lookup (usually LDAPSearchValve). Make sure that these attributes are fetched from the user object:
    – userPrincipalName
    – mail
    – givenName
    – sn
    – norEduPersonNIN (“personnummer”)
    – memberOf
    – sisSchoolUnitCode (“Skolenhetskod”)
    – displayName
    – sisSchoolGrade (“årskurs”)
    – Class (“Klass”)
    – o (“Organisation”)

    Change the attribute names, if needed, to match your user store schema.


    NB! If you cannot find the data needed, or need advanced configuration assistance such as an SQL user store lookup or a mixed user store lookup (multiple LDAP stores, LDAP and SQL, or equivalent), please contact PhenixID for assistance. PhenixID has tools to fetch data from LDAP, SQL, web services and APIs.
  • Follow this guide to add the eduPersonScopedAffiliation item property to the flow.
  • Follow this guide to add sisSchoolCourseStudent and sisSchoolCourseTeacher item properties to the flow.
  • Follow this guide to add norEduPersonBirthDate to the flow
  • Click Add Valve
  • Select PropertyCopyValve
    Source = userPrincipalName
    Destination = eduPersonPrincipalName
  • Move the new valve to be executed after the user store lookup valve
  • Click Add Valve
  • Select AuthnRequestDecoder
  • Move the new valve to be executed before the AssertionProvider valve.
  • Save.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se