
...

Info: classpath: and file:

You can refer to a file as classpath:dir/file or as file:dir/file.

classpath:dir1/file2 refers to a file in directory dir1 on the webapp's classpath; this can mean $webapp/WEB-INF/classes/dir1, but could also mean $tomcat/lib/dir1.

file:/dir1 refers to the top-level directory /dir1; without the leading '/' it refers to dir1 under the current working directory (which is normally the Tomcat home directory).

...


...

Generate Service Provider metadata

You are now in a position to generate metadata for the PhixFlow server.

Do the following:

Attempt to login using SAML / Single Sign-on.

This will fail as you have not yet installed PhixFlow's metadata in the identity provider, but the attempt will cause the metadata to be generated.

Log in as a local user with admin rights

You need to be logged in in order to download the metadata file.

Download the metadata file

Browse to $phixflow/saml/metadata

e.g.

https://myhost.com/phixflow/saml/metadata

Save the resulting metadata file.

Install the Service Provider Metadata in the Identity Provider

How you do this is specific to the Identity Provider.

Configure Attribute Map

As part of the SAML / Single Sign-on process, the identity provider sends details of the user who is logging in as a set of name/value pairs. An Attribute Map defines how PhixFlow maps the identity provider's attribute names to the names required by PhixFlow.

Find the attribute map section:

Code Block
languagexml
	<!-- map external user attribute names to saml response attribute names -->
	<bean id="example1SamlAttributeMap"	class="com.accipia.centerview.util.security.UserDetailsMapper" >
		<!-- this will be used to mark external users in the database as from this login provider / domain -->
		<property name="domain" value="mysaml.org" />
		<property name="

...

username" value="

...

The first configurable part of the service provider metadata is the file name. By default a file named "sp-metadata.xml" is expected under the metadata folder. If you wish to use another file name, change it here:

Code Block
languagexml
		<constructor-arg value="/metadata/sp-metadata.xml" />

Next we have the Extended Metadata configuration. For the simplest setup, the only change needed here is to update the alias to the entity ID that you specified earlier. If you are using the recommended key name "PhixflowSAML", no further configuration is required. If you are not using that key name, replace PhixflowSAML with your key name under the "signingKey" and "encryptionKey" sections.

Code Block
languagexml
	<!-- The following sections must be uncommented to enable SAML Login -->
	<!--

	<security:http entry-point-ref="samlEntryPoint"
		pattern="/saml/**" use-expressions="false">
		<security:intercept-url pattern="/**" access="ROLE_USER" />
		<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
	</security:http>

	<import resource="phixflow-SAML.xml"/>
	-->

After this there is only one remaining section. It contains a line that must be included when you wish to generate your metadata, but commented out when you do not. This line is as follows:

Code Block
languagexml
<!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->

So, to generate your metadata, the configuration should look like this:

Code Block
languagexml
	<!-- with the exception of the metadataGeneratorFilter line, the following must be uncommented to enable SAML login -->
	<security:http entry-point-ref="samlEntryPoint"
		pattern="/SAMLLogin" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />
		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />
		<!-- this line is uncommented to generate your service provider metadata -->
		<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
	</security:http>

And if you do not need to generate your metadata, the configuration should look like this:

Code Block
languagexml
	<!-- with the exception of the metadataGeneratorFilter line, the following must be uncommented to enable SAML login -->
	<security:http entry-point-ref="samlEntryPoint"
		pattern="/SAMLLogin" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />
		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />
		<!-- uncomment the line below to generate your service provider metadata -->
		<!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->
	</security:http>
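The metadataGeneratorFilter is only meant to be live while you generate metadata, so it is worth checking that it was commented out again afterwards. The following is an added example, not PhixFlow's own code or configuration: it parses a Spring Security fragment like the three shown on this page and reports whether the SAML `<security:http>` block is still fully commented out ("disabled"), has the generator filter active ("generating"), or has it commented out ("production"). It assumes the standard Spring beans and security namespace URIs and that the SAML block is the one whose entry-point-ref is "samlEntryPoint"; the fragments embedded below are constructed samples.

```python
"""Classify the state of the SAML <security:http> block in a Spring Security
XML fragment. Added example, not PhixFlow's code; namespaces and the sample
fragments below are assumptions constructed for this demonstration."""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
SECURITY_NS = "http://www.springframework.org/schema/security"
NS = {"security": SECURITY_NS}


def saml_login_state(xml_text: str) -> str:
    """Return "disabled", "generating" or "production" for the fragment.

    ElementTree's default parser discards XML comments, so a commented-out
    <security:http> block or <security:custom-filter> line simply does not
    appear in the parsed tree; that absence is exactly what we detect.
    """
    root = ET.fromstring(xml_text)
    for http in root.iterfind(".//security:http", NS):
        if http.get("entry-point-ref") != "samlEntryPoint":
            continue  # some other <security:http> block, not the SAML one
        refs = {f.get("ref") for f in http.iterfind("security:custom-filter", NS)}
        return "generating" if "metadataGeneratorFilter" in refs else "production"
    return "disabled"


def _wrap(body: str) -> str:
    """Wrap a fragment in a <beans> root with the namespace declarations."""
    return f'<beans xmlns="{BEANS_NS}" xmlns:security="{SECURITY_NS}">\n{body}\n</beans>'


# Constructed sample: the whole block still commented out (SAML login off).
DISABLED = _wrap("""<!--
<security:http entry-point-ref="samlEntryPoint" pattern="/SAMLLogin" use-expressions="false">
  <security:intercept-url pattern="/**" access="ROLE_USER" />
  <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
</security:http>
-->""")

# Constructed sample: block live and the generator filter active.
GENERATING = _wrap("""<security:http entry-point-ref="samlEntryPoint" pattern="/SAMLLogin" use-expressions="false">
  <security:intercept-url pattern="/**" access="ROLE_USER" />
  <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
  <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
</security:http>""")

# Constructed sample: block live, generator filter commented out again.
PRODUCTION = _wrap("""<security:http entry-point-ref="samlEntryPoint" pattern="/SAMLLogin" use-expressions="false">
  <security:intercept-url pattern="/**" access="ROLE_USER" />
  <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
  <!-- <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/> -->
</security:http>""")


if __name__ == "__main__":
    for name, fragment in [("disabled", DISABLED), ("generating", GENERATING),
                           ("production", PRODUCTION)]:
        print(f"{name:>10}: {saml_login_state(fragment)}")
```

To run it against a real configuration file, pass the file's contents to `saml_login_state` instead of one of the constructed fragments; anything other than "production" on a live server deserves a second look.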

Other configuration

...

urn:oid:0.9.2342.19200300.100.1.1" />
		<property name="firstname" value="urn:oid:2.5.4.42" />
		<property name="lastname" value="urn:oid:2.5.4.4" />
		<property name="phonenumber" value="urn:oid:2.5.4.20" />
		<property name="company" value="urn:oid:2.5.4.10" />
		<property name="department" value="urn:oid:2.5.4.11" />
		<property name="email" value="urn:oid:0.9.2342.19200300.100.1.3" />
		<property name="groups" value="1.2.840.113556.1.2.613" />
	</bean>

Create a new map by copying the example and changing its id.

Change the domain to the value you want to be displayed as the domain for any users who login using SAML.

Change the property values to match the attributes supplied by the identity provider.

Info

Turn on debug logging in log4j.properties for com.accipia.centerview.util.security; the log file will then show the attributes and values that are available.

Configure SAML User Details Service

The user details service is responsible for working out which attribute map to use, based on the identity provider's entity ID.

Find the following section:

Code Block
languagexml
		<!--

	<security:http entry-point-ref="samlEntryPoint"
		pattern="/saml/**" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />

		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />

	</security:http>

		<import resource="phixflow-SAML.xml"/>
	-->
	<bean id="samlUserDetailsService"
		class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
		<property name="externalUserDAO" ref="externalUserDAO" />
		<property name="transactionHelper" ref="transactionHelper" />
		<property name="mappers">
			<util:map>
				<!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
				<entry key="exampleEntityId">
					<ref bean="example1SamlAttributeMap" />
				</entry>
			</util:map>
		</property>
	</bean>

Change exampleEntityId to match the value of entityID sent by the identity provider. This should be in the metadata the identity provider gave you, but you can also see it by turning on logging as described in the previous section.

Change example1SamlAttributeMap to reflect the id of the attribute map created in the previous section.
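To make the two configuration pieces above concrete (the attribute map, and the user details service that picks a map by entity ID), here is an added example in Python; it is not PhixFlow's own code. It takes a SAML assertion, reads the `<saml:Issuer>` as the identity provider's entity ID, looks up the attribute map configured for that ID, and translates the attribute names into the field names from the example1SamlAttributeMap bean, with the property values exactly as they appear on this page. The assertion XML is a constructed sample, and the function and exception names (`map_user_details`, `UnknownIdentityProvider`, ...) and the choice to treat "groups" as multi-valued are this example's own assumptions.

```python
"""Resolve SAML assertion attributes to user details via an attribute map
chosen by the issuer's entity ID. Added example, not PhixFlow's code; the
assertion below and the helper names are constructed for this demonstration."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mirrors the <util:map> in samlUserDetailsService: key = IdP entity ID,
# value = the attribute map bean, with the property values from this page.
ATTRIBUTE_MAPS = {
    "exampleEntityId": {
        "domain": "mysaml.org",
        "username": "urn:oid:0.9.2342.19200300.100.1.1",
        "firstname": "urn:oid:2.5.4.42",
        "lastname": "urn:oid:2.5.4.4",
        "phonenumber": "urn:oid:2.5.4.20",
        "company": "urn:oid:2.5.4.10",
        "department": "urn:oid:2.5.4.11",
        "email": "urn:oid:0.9.2342.19200300.100.1.3",
        "groups": "1.2.840.113556.1.2.613",
    },
}


class UnknownIdentityProvider(Exception):
    """Raised when no attribute map is configured for the assertion's issuer."""


def extract_attributes(assertion_xml: str) -> tuple[str | None, dict[str, list[str]]]:
    """Return (issuer entity ID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip() or None
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return issuer, attrs


def map_user_details(assertion_xml: str, attribute_maps=ATTRIBUTE_MAPS) -> dict:
    """Pick the attribute map for the issuer and translate names to fields."""
    issuer, attrs = extract_attributes(assertion_xml)
    if issuer not in attribute_maps:
        # The ResolvingSAMLUserDetailsService equivalent: no entry for this entity ID.
        raise UnknownIdentityProvider(f"no attribute map for entity ID {issuer!r}")
    amap = attribute_maps[issuer]
    details: dict = {"domain": amap["domain"]}
    for field, saml_name in amap.items():
        if field == "domain":
            continue  # a fixed label, not a SAML attribute
        values = attrs.get(saml_name, [])
        # "groups" is multi-valued; every other field takes the first value, or
        # None when the IdP did not send it (turn on debug logging to see why).
        details[field] = values if field == "groups" else (values[0] if values else None)
    if not details["username"]:
        raise ValueError("identity provider did not send the username attribute")
    return details


# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Issuer>exampleEntityId</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue>jsmith</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>jane.smith@mysaml.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="1.2.840.113556.1.2.613">
      <saml:AttributeValue>analysts</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same assertion from an issuer that has no configured attribute map.
UNKNOWN_ISSUER_ASSERTION = SAMPLE_ASSERTION.replace(
    "exampleEntityId", "https://other-idp.example/metadata")


if __name__ == "__main__":
    print(map_user_details(SAMPLE_ASSERTION))
    try:
        map_user_details(UNKNOWN_ISSUER_ASSERTION)
    except UnknownIdentityProvider as exc:
        print("rejected:", exc)
```

Note that the lookup is an exact string match on both the entity ID and the attribute names, which is why a mismatch between what the identity provider sends and what the map expects leaves a field empty; the debug logging mentioned in the previous section is the quickest way to see the actual names.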

Metadata Generation

After completing this initial setup, it's time to generate the metadata. To do this, set up the login configuration form to have a "log in with SAML" button and click it. You should be redirected to your identity provider and rejected, but your metadata will be generated by this step. Next, log in as a local user and go to <<yourhost>>/Phixflow/saml/metadata to download an XML file of your metadata. This will need to be given to your identity provider to allow logins. To simplify configuration it is recommended to save this as metadata/sp-metadata.xml.

...