Step by Step – Add PhenixID Authentication Services SAML Identity Provider to Skolfederationen


This document will guide you through the steps to add PhenixID Authentication Services (PAS) to Skolfederationen as a SAML Identity Provider (IdP).

System Requirements

  • PhenixID Authentication Services 3.2 or higher
  • Agreement with Skolfederation to be able to connect the IdP to Skolfederation production environment.
    (Connecting the IdP to Skolfederation trial enviroment is possible without agreement.)


Configure PAS as a SAML Identity Provider

  • Login to Configuration Manager
  • Navigate to Scenarios->Federation. Follow this guide on how to add a SAML Identity Provider.
  • Select the authentication method of your choice. Follow the steps in the guide to connect to your user store. Set userPrincipalName as NameID attribute.
  • When the scenario configuration is done, navigate to the created identity provider, then select Identity Provider.
    • Deselect Require signed requests.
    • Add Organization data (display name, name and url).
    • Save.
  • Click View SAML Metadata
  • Save the SAML Metadata as an XML file and name it skolfed_idp.xml.
  • Open skolfed_idp.xml in a text editor.
  • Add required NameIDFormat tags to the metadata:


  • Add required scope value(s).
    The scope defines the suffix of the userID (EPPN) used with your PhenixID Authentication Services IdP. If your users will be identified as and the scope values to be added are and Change this to suite your environment. Example:
    …….<md:EntityDescriptor entityID=”…”>
    <shibmd:Scope regexp=”false”></shibmd:Scope>
    <shibmd:Scope regexp=”false”></shibmd:Scope>

    <md:IDPSSODescriptor ………..

Connect the IdP to Skolfederationen

  • Browse to and upload the metadata. Your IdP metadata will now be validated.
  • If validation was ok, browse to to upload your metadata (trial and/or production).

Modify the execution flow

  • Login to Configuration Manager
  • Navigate to Scenarios->Federation and then select the Skolfederationen IdP just created.
  • Click Execution flow
  • Click on the valve performing the user lookup (usually LDAPSearchValve). Make sure that these attributes are fetched from the user object:
    – userPrincipalName
    – mail
    – givenName
    – sn
    – norEduPersonNIN (“personnummer”)
    – memberOf
    – sisSchoolUnitCode (“Skolenhetskod”)
    – displayName
    – sisSchoolGrade (“årskurs”)
    – Class (“Klass”)
    – o (“Organisation”)

    Change the attribute names, if needed, to match your user store schema.


    NB! If you can’t find the data needed or are in need of advanced configuration assistance, such as SQL user store lookup or a mixed user store lookup (multiple LDAP stores, LDAP and SQL or equivalent), please contact PhenixID for assistance. PhenixID has tools to fetch data from LDAP, SQL, web services, api:s.
  • Follow this guide to add the eduPersonScopedAffiliation item property to the flow.
  • Follow this guide to add sisSchoolCourseStudent and sisSchoolCourseTeacher item properties to the flow.
  • Follow this guide to add norEduPersonBirthDate to the flow
  • Click Add Valve
  • Select PropertyCopyValve
    Source = userPrincipalName
    Destination = eduPersonPrincipalName
  • Move the new valve to be executed after the user store lookup valve
  • Click Add Valve
  • Select AuthnRequestDecoder
  • Move the new valve to be executed before the AssertionProvider valve.
  • Save.

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID -