You can set up access to PhixFlow either through PhixFlow Users, by integrating with your Active Directory infrastructure, or with SAML. If you integrate with SAML, Access Control is maintained by mapping Active Directory Groups to PhixFlow User Groups, as described below. By using the SAML integration users will be redirected to a chosen identity provider page where they will enter their username and password. If they are successfully authenticated they will then be redirected to PhixFlow and logged in.
This page describes how to integrate PhixFlow with SAML:
Table of Contents | ||
---|---|---|
|
Configure phixflow-login.xml
Configuration details for SAML are configured in the file phixflow-SAML.xml, under [tomcat root]/webapps/phixflow/WEB-INF/classes. When you first install PhixFlow, you probably created a copy of this file by simply copying the example file phixflow-login.xml.example (see Install PhixFlow Webapp).
Create SAML reference
To create a reference to SAML, update the section in the example file to:
language | xml |
---|
Configure the authentication manager
Add the SAML auth provider (which is already defined) to the authenticationProvider.
Find this section of the file:
Code Block |
---|
<security:authentication-manager alias="authenticationManager"> <!-- test authentication provider, leave commented out --> <!-- example of a SAML<security:authentication-provider ref="testAuthProvider" /> --> <!-- local authentication provider - provide access for CenterView database users. Don't change it --> <security:authentication-provider ref="localAuthProvider" /> <!-- Add an Active Directory Authentication Provider below this line; uncomment if using active directory integration --> <!-- <security:authentication-provider ref="samlAuthenticationProviderexampleActiveDirectoryAuthProvider" /> |
Add key store details
In order to SAML A keystore must be included at [tomcat root]/webapps/phixflow/WEB-INF/classes/keystore/<<youtkeystorename.jks>>.> -->
<!-- Add SAML Authentication Provider; uncomment if using saml / single sign-on -->
<!-- <security:authentication-provider ref="samlAuthProvider"/> -->
</security:authentication-manager> |
... and edit it to look like this (omitting comments):
Code Block | ||
---|---|---|
| ||
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="localAuthProvider" />
<security:authentication-provider ref="samlAuthProvider" />
</security:authentication-manager> |
We recommend that you do not remove the localAuthProvider, and that you retain a local administrator user so that you can still login in the event of a problem with the active directory integration.
Enable SAML beans
These 2 blocks serve to disable the bulk of the file for the normal case where SAML is not required.
Find these lines and remove them or comment them out:
Code Block |
---|
<!-- comment out to enable saml / single sign-on -->
<beans profile="saml"> |
Find these lines, near the end of the file, and remove them or comment them out:
Code Block |
---|
<!-- comment out to enable saml -->
</beans> |
Configure the keyManager
The SAML integration requires one or more public/private keys. These are stored in a Java keystore file, and the information needed to access that file is configured in the keyManager.
Instructions for creating a keystore can be seen at found here: Configure Tomcat For HTTPS. The configuration files included assume that the alias of the key is "PhixflowSAML", if you wish to use another alias you will have to replace all instances of "PhixflowSAML" with your alias.
Below is an example of a keystore:
Code Block | ||
---|---|---|
| ||
<!-- AnThe ExampleKeyStore ofstores aencryption KeyStore Filekeys --> <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> <!-- the keystore file --> <constructor-arg value="classpath:keystore/samlKeystorefile:/opt/tomcat/secure/keystore.jks" /> <!-- password protecting the keystore --> <constructor-arg type="java.lang.String" value="<<KeyStorePassword>>keyStorePassword" /> <constructor-arg> <map> <!-- key alias and key-specific password; add one entry for each key in the keystore --> <entry key="PhixflowSAMLkeyAlias" value="<<KeyPassword>>keyPassword" /> </map> </constructor-arg> <!-- default key alias --> <constructor-arg type="java.lang.String" value="PhixflowSAMLdefaultKeyAlias" /> </bean> |
For the most basic configuration just replace the "/samlKeystorefile:/.../keystore.jks" with your keystore, "<<KeyStorePassword>>KeyStorePassword" with the your keystore password to the keystore and then "<<KeyPassword>>keyPassword" with the password for the keyyour key password.
Warning |
---|
For security reasons, access to this file should be restricted so that it is read-only to the tomcat user / account and not readable by regular users. |
Metadata generator
In order to connect to your identity provider PhixFlow must be configured to contain service provider metadata. The configuration file contains all the tools needed in order to generate a metadata file. It is recommended to follow this procedure to generate your metadata then save the resulting xml in a file called "sp-metadata.xml" in the folder at [tomcat root]/webapps/phixflow/WEB-INF/classes/metadata. In order to configure the metadata generator two things need to be customised.
...