PhenixID

Step by Step – Advanced configuration for Skolfederationen

Summary

This document shows how to configure PhenixID Authentication Services for Skolfederation when you have multiple authentication methods and multiple applications, each with different attribute requirements.

Requirements

  • PhenixID Authentication Services 2.7 or higher
  • PhenixID Authentication Services configured with a SAML Identity Provider connected to Skolfederation. Follow the step-by-step guide for adding PhenixID Authentication Services to Skolfederation.

Information

When you configure multiple authentication methods, you normally have to add attributes and AssertionProviders in several places in the Execution Flow.
Here we show how to add one general pipe for that purpose that can be called from all authenticators.

Configuration

We begin with the Execution Flow used in a simple Skolfederation configuration.
Add some valves at the end, as in the picture below.

Disable the AssertionProvider valve(s) that were at the end.
They should instead be configured in a pipe (AddSkolFedConfig) in advanced mode.

Go to advanced mode and click the pencil next to Pipes.
Here we add a pipe with all the attribute configuration and modification that we do not want to repeat in every authenticator.
The attributes below are only examples.
Note that the attributes from the source item become request properties in this pipe (referenced as {{request.<attribute>}}).
At the end we add the AssertionProviders, each with its own configuration and each guarded by an exec_if_expr on the issuer so that it only fires for its own service provider.
The AssertionProviders are also only examples.
Finally we remove all attributes that we do not want returned to the calling pipe.

{
    "id": "AddSkolFedConfig",
    "_description": "Advanced SkolFederation config",
    "valves": [
        {
            "name": "ItemCreateValve",
            "config": {
                "dest_id": "{{request.source_item_id}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "urn:oid:0.9.2342.19200300.100.1.3",
                "value": "{{request.mail}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "urn:oid:1.2.752.194.10.2.4",
                "value": "{{request.sisSchoolUnitCode}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "urn:oid:2.5.4.4",
                "value": "{{request.sn}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "urn:oid:2.5.4.42",
                "value": "{{request.givenName}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "urn:oid:1.3.6.1.4.1.2428.90.1.5",
                "value": "{{request.personalNumber}}"
            }
        },
        {
            "name": "PropertySubstringValve",
            "enabled": "true",
            "config": {
                "proceed_on_error": "true",
                "source": "{{request.personalNumber}}",
                "dest": "urn:oid:1.3.6.1.4.1.2428.90.1.3",
                "begin_index": "0",
                "end_index": "8"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "eduPersonScopedAffiliation",
                "value": "student@<domain>,member@<domain>",
                "enable_multi_value": "true",
                "splitter": ",",
                "exec_if_expr": "request.getOrDefault('memberOf','A').contains('Elev')"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "eduPersonScopedAffiliation",
                "enable_multi_value": "true",
                "splitter": ",",
                "value": "employee@<domain>,member@<domain>",
                "exec_if_expr": "request.getOrDefault('memberOf','A').contains('Personal')"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "eduPersonScopedAffiliation",
                "enable_multi_value": "true",
                "splitter": ",",
                "value": "faculty@<domain>,employee@<domain>,member@<domain>",
                "exec_if_expr": "request.getOrDefault('memberOf','A').contains('Lärare')"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "sisSchoolCourseStudent",
                "value": "http://norrkoping.se/{{request.sisSchoolUnitCode}}/{{request.klass}}",
                "exec_if_expr": "request.getOrDefault('memberOf','A').contains('Elev')"
            }
        },
        {
            "name": "PropertyAddValve",
            "enabled": "true",
            "config": {
                "name": "sisSchoolCourseTeacher",
                "value": "http://norrkoping.se/{{request.sisSchoolUnitCode}}/Teachers",
                "exec_if_expr": "request.getOrDefault('memberOf','A').contains('Lärare')"
            }
        },
        {
            "name": "AssertionProvider",
            "description": "NE",
            "config": {
                "targetEntityID": "<your IDP ID>",
                "nameIDAttribute": "eduPersonPrincipalName",
                "additionalAttributes": "mail,sisSchoolUnitCode,urn:oid:1.2.752.194.10.2.4,urn:oid:0.9.2342.19200300.100.1.3",
                "exec_if_expr": "request.get('issuer').equals('https://www.ne.se/samlauth')",
                "misc": {
                    "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                }
            }
        },
        {
            "name": "AssertionProvider",
            "description": "Inläsningtjänst",
            "config": {
                "targetEntityID": "<your IDP ID>",
                "nameIDAttribute": "urn:oid:0.9.2342.19200300.100.1.3",
                "additionalAttributes": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6,urn:oid:0.9.2342.19200300.100.1.3,urn:oid:1.2.752.194.10.2.4,urn:oid:2.16.840.1.113730.3.1.241,urn:oid:2.5.4.42,urn:oid:2.5.4.4,urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
                "exec_if_expr": "flow.property('issuer').equals('https://skolfederation.grandid.com/simplesaml/module.php/saml/sp/metadata.php/inlasningstjanst_prod')"
            }
        },
        {
            "name": "PropertyRemoveValve",
            "config": {
                "name": "source_item_id,pipe"
            }
        }
    ]
}
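Three things decide whether a pipe like the one above releases the right attributes to the right service provider: the template placeholders (<domain>, <your IDP ID>) must have been replaced, every AssertionProvider must carry an exec_if_expr on the issuer so that it is not built for every SP that reaches the pipe, and every name listed in additionalAttributes must actually exist on the item at that point. The Python linter below checks exactly those three points against a pipe definition before it is deployed. It is an example added to this guide, not PhenixID's own tooling: the embedded sample pipe is a constructed, cut-down copy of AddSkolFedConfig with the placeholders left in and one extra AssertionProvider without an exec_if_expr, and SOURCE_ATTRIBUTES is an assumption about which attributes the calling pipe has already placed on the request item.

```python
import json
import re

# Constructed sample pipe: a cut-down copy of the AddSkolFedConfig pipe above
# with its template placeholders left in and one extra AssertionProvider that
# lacks an exec_if_expr, so the linter has something to report.
SAMPLE_PIPE_JSON = '''
{
  "id": "AddSkolFedConfig",
  "valves": [
    {"name": "ItemCreateValve",
     "config": {"dest_id": "{{request.source_item_id}}"}},
    {"name": "PropertyAddValve", "enabled": "true",
     "config": {"name": "urn:oid:0.9.2342.19200300.100.1.3",
                "value": "{{request.mail}}"}},
    {"name": "PropertySubstringValve", "enabled": "true",
     "config": {"proceed_on_error": "true",
                "source": "{{request.personalNumber}}",
                "dest": "urn:oid:1.3.6.1.4.1.2428.90.1.3",
                "begin_index": "0", "end_index": "8"}},
    {"name": "PropertyAddValve", "enabled": "true",
     "config": {"name": "eduPersonScopedAffiliation",
                "value": "student@<domain>,member@<domain>",
                "enable_multi_value": "true", "splitter": ",",
                "exec_if_expr": "request.getOrDefault('memberOf','A').contains('Elev')"}},
    {"name": "AssertionProvider", "description": "NE",
     "config": {"targetEntityID": "<your IDP ID>",
                "nameIDAttribute": "eduPersonPrincipalName",
                "additionalAttributes": "mail,urn:oid:0.9.2342.19200300.100.1.3,urn:oid:2.5.4.4",
                "exec_if_expr": "request.get('issuer').equals('https://www.ne.se/samlauth')",
                "misc": {"nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}}},
    {"name": "AssertionProvider", "description": "unguarded (constructed)",
     "config": {"targetEntityID": "https://idp.example.org/saml",
                "nameIDAttribute": "urn:oid:0.9.2342.19200300.100.1.3",
                "additionalAttributes": "urn:oid:0.9.2342.19200300.100.1.3"}},
    {"name": "PropertyRemoveValve",
     "config": {"name": "source_item_id,pipe"}}
  ]
}
'''

# Assumption: attributes the calling pipe has already placed on the request
# item before AddSkolFedConfig runs. Adjust to what your authenticator produces.
SOURCE_ATTRIBUTES = frozenset({
    "mail", "sn", "givenName", "personalNumber", "sisSchoolUnitCode",
    "memberOf", "eduPersonPrincipalName",
})

# Template placeholders look like <domain> or <your IDP ID>; {{request.x}}
# references contain no angle brackets and are therefore not matched.
PLACEHOLDER_RE = re.compile(r"<[^<>{}]+>")


def string_values(cfg, prefix=""):
    """Yield (dotted key, value) for every string in a valve config,
    recursing into nested objects such as "misc"."""
    for key, val in cfg.items():
        if isinstance(val, dict):
            yield from string_values(val, prefix + key + ".")
        elif isinstance(val, str):
            yield prefix + key, val


def produced_attributes(valves):
    """Attribute names written onto the item by PropertyAddValve (config.name)
    or PropertySubstringValve (config.dest) anywhere in the pipe."""
    names = set()
    for valve in valves:
        cfg = valve.get("config", {})
        if valve.get("name") == "PropertyAddValve" and "name" in cfg:
            names.add(cfg["name"])
        elif valve.get("name") == "PropertySubstringValve" and "dest" in cfg:
            names.add(cfg["dest"])
    return names


def lint_pipe(pipe_json, source_attrs=SOURCE_ATTRIBUTES):
    """Return a list of human-readable findings for a pipe definition."""
    pipe = json.loads(pipe_json)
    valves = pipe.get("valves", [])
    available = set(source_attrs) | produced_attributes(valves)
    findings = []
    for idx, valve in enumerate(valves):
        cfg = valve.get("config", {})
        label = f"valve {idx} ({valve.get('name')})"
        # 1. Placeholders that must be replaced before the pipe goes live.
        for key, val in string_values(cfg):
            for ph in PLACEHOLDER_RE.findall(val):
                findings.append(f"{label}: placeholder {ph} left in '{key}'")
        if valve.get("name") != "AssertionProvider":
            continue
        # 2. Without exec_if_expr the assertion, and its attribute set, is
        #    built for every SP that reaches this pipe, not just the intended one.
        if "exec_if_expr" not in cfg:
            findings.append(f"{label}: no exec_if_expr, would fire for every SP")
        # 3. Each released attribute must exist on the item by this point.
        for attr in cfg.get("additionalAttributes", "").split(","):
            attr = attr.strip()
            if attr and attr not in available:
                findings.append(f"{label}: attribute '{attr}' is never produced")
    return findings


if __name__ == "__main__":
    for finding in lint_pipe(SAMPLE_PIPE_JSON):
        print(finding)
```

Run it against your own exported pipe JSON (lint_pipe(open("pipe.json").read())) and extend SOURCE_ATTRIBUTES to match the attributes your authenticator really puts on the item; an attribute reported as "never produced" is either a typo in additionalAttributes or a PropertyAddValve that was forgotten when the pipe was centralised.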


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se