PhenixID

Step by step – PhenixID Server as IdP for VMware Identity Manager / Horizon

Summary

This document will guide you through the steps to enable PhenixID Server as an IdP in combination with VMware Identity Manager/Horizon.

System Requirements

  • PhenixID Authentication Server 2.7 or higher
  • VMware IAM

Instruction

Configure PhenixID IDP

  1. Configure an IdP in the PhenixID server.
    See the document Scenarios – Federation for how to do this.
    Select the authentication method of your choice and set userPrincipalName as the NameID attribute.
  2. Under Identity Provider, deselect “Require signed requests”.
  3. Save.
  4. Click “View SAML Metadata”
  5. Save the SAML Idp metadata as an xml file
  6. Open the XML file and remove:
    – the XML declaration (the <?xml …?> header)
    – the md:EntitiesDescriptor start and end tags
    – the ds:Signature element, including all of its content

Example before removal:

<?xml version="1.0" encoding="UTF-8"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="SAML IDP"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>pozXLH2eeq8FXpVDPcrrp61RTMU=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nIS9shJDOwpILBIoe0EsF5EUCwqU0eapSANCBBD/NmOQRcTq4z8MYqPgK2zw9dcwsKUY+PcQmKYN
nD5RHXcx51t9ZS0sBGlsZQ+FTzm3DwQSLae6bBEPvdJ3kmqMrAqelhHjYDGlNcKJUd/42i/c2wI8
c02uE4fwFf/KqxEG55BlOw5g7DtGKyOYXAv/YSi5w2jdm76y96ZM1uErOzbtlu8Q/LPL6FX1ij0f
k5DM014yzxdR31HiCo7TURbsKmeMxP8OjPyRQ96DMPgXHRlfDw8ryoEQJp1vSRXUKgP/vA7AM+Po
mU1KcJ1gjx7BhX3KtsF9Teha+dfJK//YC74P4A==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEVMBMGA1UEBxMM…</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:EntityDescriptor ID="_0cb6c543-bba4-4ce1-a74a-ae23a2e1f0b6" entityID="https://demo.phenixid.net/saml/idp/vm" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEVMBMGA1UEBxMM…</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.phenixid.net/saml/authenticate/vm"/></md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>

Example after removal:

<md:EntityDescriptor ID="_0cb6c543-bba4-4ce1-a74a-ae23a2e1f0b6" entityID="https://demo.phenixid.net/saml/idp/vm" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEVMBMGA1UEBxMM…</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.phenixid.net/saml/authenticate/vm"/></md:IDPSSODescriptor></md:EntityDescriptor>

  7. Copy the metadata (after removal) above.
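Step 6 is a manual edit of the saved metadata file. As an added example (not PhenixID's or VMware's code), the Python script below performs the same reduction with the standard library: it drops the XML declaration and the md:EntitiesDescriptor wrapper together with its enveloped ds:Signature, keeps only the md:EntityDescriptor, and then summarizes the values VMware IAM will process (entityID, SSO location, whether signed requests are wanted, and the signing certificate fingerprint). The embedded metadata is a constructed sample modelled on the "before removal" example above; the hostname idp.example.test, the certificate and signature values, and the function names are assumptions.

```python
"""Reduce PhenixID IdP metadata to its md:EntityDescriptor (added example).

Automates step 6 above: remove the XML declaration, the md:EntitiesDescriptor
start/end tags and the enveloped ds:Signature, keeping the md:EntityDescriptor.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Keep the md:/ds: prefixes on output instead of ElementTree's ns0:/ns1: defaults.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample modelled on the "before removal" metadata above. The hostname,
# certificate and signature values are placeholders, not real key material.
SAMPLE_METADATA = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="SAML IDP">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>'
    '</ds:Signature>'
    '<md:EntityDescriptor ID="_example-id" entityID="https://idp.example.test/saml/idp/vm">'
    '<md:IDPSSODescriptor WantAuthnRequestsSigned="false" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:X509Data><ds:X509Certificate>AAECAwQF</ds:X509Certificate></ds:X509Data>'
    '</ds:KeyInfo></md:KeyDescriptor>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://idp.example.test/saml/authenticate/vm"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>'
)


def extract_entity_descriptor(metadata_xml: str) -> str:
    """Return the single md:EntityDescriptor as a standalone XML string (no declaration)."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    entity_tag = f"{{{MD_NS}}}EntityDescriptor"
    if root.tag == entity_tag:
        entity = root  # already reduced: handled idempotently
    elif root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        entities = root.findall(entity_tag)
        if len(entities) != 1:
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
        entity = entities[0]
    else:
        raise ValueError(f"not SAML metadata: root element is {root.tag}")
    # Remove any enveloped signature placed on the descriptor itself; the signature
    # on the md:EntitiesDescriptor wrapper disappears together with the wrapper.
    for sig in entity.findall(f"{{{DS_NS}}}Signature"):
        entity.remove(sig)
    return ET.tostring(entity, encoding="unicode")


def cert_fingerprint_sha256(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated uppercase hex) of a base64 DER certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_idp_metadata(entity_xml: str) -> dict:
    """Collect the values VMware IAM relies on after processing the pasted metadata."""
    entity = ET.fromstring(entity_xml.encode("utf-8"))
    idp = entity.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    cert = idp.find(
        f"{{{MD_NS}}}KeyDescriptor[@use='signing']/{{{DS_NS}}}KeyInfo/"
        f"{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate"
    )
    sso = idp.find(f"{{{MD_NS}}}SingleSignOnService[@Binding='{POST_BINDING}']")
    return {
        "entityID": entity.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_post_location": sso.get("Location") if sso is not None else None,
        "signing_cert_sha256": cert_fingerprint_sha256(cert.text) if cert is not None and cert.text else None,
    }


if __name__ == "__main__":
    # Usage: python3 reduce_metadata.py [saved-idp-metadata.xml]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    reduced = extract_entity_descriptor(text)
    print(reduced)
    for key, value in summarize_idp_metadata(reduced).items():
        print(f"# {key}: {value}", file=sys.stderr)
```

The reduced descriptor is printed to stdout so it can be redirected into the file you paste into VMware IAM, while the summary goes to stderr. Because the wrapper's signature is discarded, VMware IAM cannot verify the pasted metadata by itself; the signing-certificate fingerprint in the summary is a convenient value to compare out of band with the certificate configured on the PhenixID server.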

Add PhenixID IdP to VMware IAM

  • Login to VMware IAM
  • Select “Identity & Access Management”
  • Click on “Add Identity Provider”

Enter the IdP settings

  1. Enter a name for the IdP in the Identity Provider Name field
  2. Paste the IdP SAML metadata and click Process IdP Metadata
  3. Select Name ID Format:
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    and Name ID Value: userPrincipalName
  4. Select all the network ranges applicable for this IdP
  5. Select the authentication method for the IdP.
    Set Authentication Methods, enter a friendly name and the SAML Context.
    In this example OTP by SMS is used: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
  6. Enable Single Sign-out configuration and add the IdP Sign-out
    URL: https://<PhenixID server host>/saml/authenticate/logout/?nextTarget=<VMware IAM URL>
    Example: https://demo.phenixid.net/saml/authenticate/logout/?nextTarget=https://aw-test.vmwareidentity.eu
  7. SAML Signing certificate: Copy the Service Provider (SP) metadata URL
    This metadata URL will be used on the IdP
  8. Click Add to create the new IdP configuration
  9. Apply the new SAML IdP to the policy.

Import SP metadata to the PhenixID server

  1. Login to the PhenixID server
  2. Go to Scenarios – Federation
  3. Select SAML Metadata upload.
  4. Create a new SP configuration
  5. Enter a name for the SP and a description (optional)
  6. Enter the SP metadata URL (copied from the SAML Signing certificate step in the previous section)
  7. Click on “Verify and show”
  8. Click on “Create” to save the new SP configuration

Verify the configuration

Login to VMware IAM from one of the network ranges selected for the IdP; you should be redirected to the authentication method you have configured.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se