PhenixID

Step by Step – ILT Inläsningstjänst – MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to configure PhenixID Authentication Services to deliver multi-factor authentication and Single Sign-on (SSO) to ILT – Inläsningstjänst (https://www.inlasningstjanst.se/).

System Requirements

  • PhenixID Authentication Services 2.7 or higher
  • PhenixID Authentication Services configured with a SAML Identity Provider connected to Skolfederation. Follow this step-by-step to add PhenixID Authentication Services to Skolfederation.

Instruction

Configure Execution flow for ILT

  • Log in to Configuration Manager
  • Click Scenarios, Federation.
  • Select your previously configured IdP for Skolfederationen.
  • Click Execution Flow
  • Prepare SAML<->User Store attribute mapping for ILT using this guide. The SAML attributes to be sent to ILT:
    • urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    • urn:oid:0.9.2342.19200300.100.1.3
    • urn:oid:1.2.752.194.10.2.4
    • urn:oid:2.16.840.1.113730.3.1.241
    • urn:oid:2.5.4.42
    • urn:oid:2.5.4.4
    • urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  • Expand the last execution flow and look for an existing AssertionProvider
  • Expand the AssertionProvider
  • Copy the Target Entity ID Value
  • Add new valve to the last execution flow (where the SAML Assertion is produced)
    • Type=AssertionProvider
    • Set Target Entity ID to the previously copied value
    • Set NameID attribute = none
    • Set Additional attributes = urn:oid:1.3.6.1.4.1.5923.1.1.1.6,urn:oid:0.9.2342.19200300.100.1.3,urn:oid:1.2.752.194.10.2.4,urn:oid:2.16.840.1.113730.3.1.241,urn:oid:2.5.4.42,urn:oid:2.5.4.4,urn:oid:1.3.6.1.4.1.5923.1.1.1.9
    • Set Source ID = https://skolfederation.grandid.com/simplesaml/module.php/saml/sp/metadata.php/inlasningstjanst_prod
    • Add a Miscellaneous value: nameIdFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • On the Advanced tab of the valve you should limit the AssertionProvider to only be executed when authentication to ILT is requested. Add this to Execute if expression:
    flow.property('issuer').equals('https://skolfederation.grandid.com/simplesaml/module.php/saml/sp/metadata.php/inlasningstjanst_prod')
  • Save. Make sure the new AssertionProvider added is placed last in the Execution flow list.

Test

  • Find out the EntityID of your previously created IdP.
    It can be found on the page:
    Scenarios, Federation, "your IdP authenticator", Identity Provider.
  • Open a browser and go to http://auth.inlasningstjanst.se/skolfederation/idp?id=<Your IDP EntityID>
  • Your browser should be redirected to the PhenixID IdP
  • Authenticate
  • Verify that you are redirected to the ILT application after login with a valid SAML Assertion. Please consult PhenixID for additional debugging if needed.
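To make the last test step concrete, the following added example (not PhenixID's or ILT's own code) checks a SAML Response against what the ILT AssertionProvider above was configured to send: a transient NameID, an Audience equal to the ILT SP entity ID, and the seven attributes listed in the guide. The response XML is built by a helper so the reader can try both a compliant and a deficient assertion; the IdP issuer URL and the attribute values are constructed placeholders, and the friendly names in the comments are the standard OID names, not something the guide states.

```python
"""Added example: verify that an assertion produced for ILT carries the
attributes, NameID format and audience configured in the guide.
The SAML Response is a constructed, unsigned sample for demonstration."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Target/Source ID of the ILT SP, as given in the guide.
ILT_SP_ENTITY_ID = (
    "https://skolfederation.grandid.com/simplesaml/module.php/saml/sp/"
    "metadata.php/inlasningstjanst_prod"
)
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The "Additional attributes" list from the AssertionProvider valve.
REQUIRED_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",   # eduPersonPrincipalName
    "urn:oid:0.9.2342.19200300.100.1.3",   # mail
    "urn:oid:1.2.752.194.10.2.4",          # Skolfederation attribute (not expanded here)
    "urn:oid:2.16.840.1.113730.3.1.241",   # displayName
    "urn:oid:2.5.4.42",                    # givenName
    "urn:oid:2.5.4.4",                     # sn
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",   # eduPersonScopedAffiliation
}


def build_sample_response(attributes, nameid_format=TRANSIENT, audience=ILT_SP_ENTITY_ID):
    """Build a constructed SAML Response (no signature) for testing the checker.
    The issuer https://idp.example.org/idp is a placeholder, not a real IdP."""
    attr_xml = "".join(
        f'<saml2:Attribute Name="{name}"><saml2:AttributeValue>{value}'
        f"</saml2:AttributeValue></saml2:Attribute>"
        for name, value in attributes.items()
    )
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
    <saml2:Subject><saml2:NameID Format="{nameid_format}">_7f3a</saml2:NameID></saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>{attr_xml}</saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def check_ilt_assertion(xml_text):
    """Return a report dict: ok flag, list of problems, sorted missing attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no Assertion element"],
                "missing_attributes": sorted(REQUIRED_ATTRIBUTES)}
    problems = []

    # The valve sets nameIdFormat = transient; anything else means the
    # Miscellaneous value was not applied to this AssertionProvider.
    nameid = assertion.find("saml2:Subject/saml2:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != TRANSIENT:
        problems.append(f"NameID Format is {fmt!r}, expected transient")

    # Target Entity ID should surface as the Audience of the assertion.
    audiences = {a.text for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)}
    if ILT_SP_ENTITY_ID not in audiences:
        problems.append("Audience does not include the ILT SP entity ID")

    # Every attribute in the configured list must be present.
    sent = {a.get("Name") for a in assertion.findall(
        "saml2:AttributeStatement/saml2:Attribute", NS)}
    missing = sorted(REQUIRED_ATTRIBUTES - sent)
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))

    return {"ok": not problems, "problems": problems, "missing_attributes": missing}


if __name__ == "__main__":
    sample = build_sample_response({name: "value" for name in REQUIRED_ATTRIBUTES})
    print(check_ilt_assertion(sample))
```

Paste the Response captured from the browser (for example via a SAML tracer extension, base64-decoded) into check_ilt_assertion to see which of the three configured items is off. The checker deliberately does not validate the XML signature, encryption or validity window; the ILT SP enforces those, so a missing attribute or wrong NameID format is what this test isolates.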

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se