Versions Compared

Old Version 4

changes.mady.by.user Gary Parden

Saved on

compared with

New Version 5

changes.mady.by.user Gary Parden

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

You can set up access to PhixFlow either through PhixFlow Users, by integrating with your Active Directory infrastructure, or with SAML. If you integrate with SAML, Access Control is maintained by mapping Active Directory Groups to PhixFlow User Groups, as described below. By using the SAML integration users will be redirected to a chosen identity provider page where they will enter their username and password. If they are successfully authenticated they will then be redirected to PhixFlow and logged in.

This page describes how to integrate PhixFlow with SAML:

Table of Contents
maxLevel1

Configure phixflow-login.xml

Configuration details for SAML are configured in the file phixflow-SAML.xml, under [tomcat root]/webapps/phixflow/WEB-INF/classes. When you first install PhixFlow, you probably created a copy of this file by simply copying the example file phixflow-login.xml.example (see Install PhixFlow Webapp).

Create SAML reference

To create a reference to SAML, update the section in the example file to:

Code Block
languagexml
		<!-- example of a SAML authentication provider
		-->
		<security:authentication-provider ref="samlAuthenticationProvider"/>


Add key store details

In order to SAML A keystore must be included at  [tomcat root]/webapps/phixflow/WEB-INF/classes/keystore/<<youtkeystorename.jks>>. Instructions for creating a keystore can be seen at Configure Tomcat For HTTPS. The configuration files included assume that the alias of the key is  "PhixflowSAML", if you wish to use another alias you will have to replace all instances of "PhixflowSAML" with your alias. Below is an example of a keystore:

Code Block
languagexml
   	<!-- An Example of a KeyStore File -->
	
	<bean id="keyManager"
		class="org.springframework.security.saml.key.JKSKeyManager">
		<constructor-arg
			value="classpath:keystore/samlKeystore.jks" />
		<constructor-arg type="java.lang.String"
			value="<<KeyStorePassword>>" />
		<constructor-arg>
			<map>
				<entry key="PhixflowSAML" value="<<KeyPassword>>" />
			</map>
		</constructor-arg>
		<constructor-arg type="java.lang.String"
			value="PhixflowSAML" />
	</bean>

For the most basic configuration just replace the "/samlKeystore.jks" with your keystore, "<<KeyStorePassword>>" with the password to the keystore and then "<<KeyPassword>>" with the password for the key.


Metadata generator

In order to connect to your identity provider PhixFlow must be configured to contain service provider metadata. The configuration file contains all the tools needed in order to generate a metadata file. It is recommended to follow this procedure to generate your metadata then save the resulting xml in a file called "sp-metadata.xml" in the folder at  [tomcat root]/webapps/phixflow/WEB-INF/classes/metadata.  In order to configure the metadata generator two things need to be customised.

...

Code Block
languagexml
<property name="entityBaseURL"
					value="https://localhost:8443/Phixflow" />


Metadata configuration

The next step is to configure PhixFlow so that it knows where to look for both identity provider and service provider metadata. First we look at identity provider metadata:

...

Code Block
languagexml
 	<!-- with the exception of the metageneratorfilter line the following must be uncommented to enable SAML login -->
	<security:http entry-point-ref="samlEntryPoint"
		pattern="/SAMLLogin" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />
		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />
	<!--  uncomment the line below to generate your service provider metadata -->		
	<!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->
	</security:http>


Other configuration

After this in order to enable SAML all that is required is to uncomment the following sections with a few exceptions. First uncomment all of the text listed below:

Code Block
languagexml
		<!--

	<security:http entry-point-ref="samlEntryPoint"
		pattern="/saml/**" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />

		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />

	</security:http>
	
		<import resource="phixflow-SAML.xml/>
	-->


Metadata Generation

After completing this initial setup. It's time to generate the metadata. To do this setup the login configuration form to have a log in with SAML button and click it. You should be redirected to your identity provider and rejected, but your metadata will be generated by this step. Next log in as a local user then go to <<yourhost>>/Phixflow/saml/metdata in order to download an XML file of your metadata.This will need to be given to your identity provider to log in. In order to simplify configuration it is recommended to save this as metadata/sp-metadata.xml

...

At this point please refer to  the Phixflow Active Directory Setup section for more information on how to connect your identity provider provided groups to PhixFlow groups. The "default domain" section is not needed.

Logging in as a SAML user


To log in, users simply have to select a login option with SAML and click on the login button where they will be redirected to the identity provider to enter their credentials. If the login form configuration has been set to automatically log in with SAML, then they will see this screen and will instead be redirected straight to the identity provider.

Troubleshooting

Enhanced diagnostics can be generated by adding the lines

...