You can set up access to PhixFlow either by managing users locally (see Managing the User List), by integrating with your Active Directory infrastructure, or with SAML single sign-on. With the SAML integration, users who open PhixFlow are redirected to the login page of a chosen identity provider, where they enter their username and password; PhixFlow never handles the password itself. If they are successfully authenticated they are redirected back to PhixFlow and logged in. Access control is still maintained in PhixFlow, by mapping Active Directory groups to PhixFlow User Groups, as described below.
...
Configure phixflow-login.xml
Configuration details for SAML are configured in the file phixflow-login.xml, under [tomcat root]/webapps/phixflow/WEB-INF/classes. When you first install PhixFlow, you probably created a copy of this file by simply copying the example file phixflow-login.xml.example (see Install PhixFlow Webapp).
Configure the authentication manager
Enable the SAML authentication provider (the samlAuthProvider bean is already defined elsewhere in the file) in the authentication manager.
Find this section of the file:
```xml
<security:authentication-manager alias="authenticationManager">
<!-- test authentication provider, leave commented out -->
<!-- <security:authentication-provider ref="testAuthProvider" /> -->
<!-- local authentication provider - provide access for CenterView database users. Don't change it -->
<security:authentication-provider ref="localAuthProvider" />
<!-- Add an Active Directory Authentication Provider below this line; uncomment if using active directory integration -->
<!-- <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" /> -->
<!-- Add SAML Authentication Provider; uncomment if using saml / single sign-on -->
<!-- <security:authentication-provider ref="samlAuthProvider"/> -->
</security:authentication-manager>
```
... and edit it to look like this (omitting comments):
```xml
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="localAuthProvider" />
<security:authentication-provider ref="samlAuthProvider" />
</security:authentication-manager>
```
We recommend that you do not remove the localAuthProvider, and that you retain at least one local administrator user with a strong password, so that you can still log in and repair the configuration if the SAML integration breaks (for example when the identity provider's signing certificate is rotated or its metadata changes).
Configure Login Forms
Login forms define the login options (local, single sign-on, active directory) to be presented on the login screen when a user opens the PhixFlow URL. This mechanism allows you to define a default form tailored to regular users and one or more forms for advanced users.
See Configure Login Forms for how to configure and use login forms.
Enable SAML beans
The SAML beans in the file are wrapped in a <beans profile="saml"> element. Spring only registers the beans inside such an element when that profile is active, so in the normal case, where SAML is not required, this wrapper keeps the bulk of the file switched off. Removing or commenting out the opening and closing tags of the wrapper makes the SAML beans load unconditionally.
Find these lines and remove them or comment them out:
```xml
<!-- comment out to enable saml / single sign-on -->
<beans profile="saml">
```
E.g.
```xml
<!-- comment out to enable saml / single sign-on -->
<!--
<beans profile="saml">
-->
```
Find these lines, near the end of the file, and remove them or comment them out:
```xml
<!-- comment out to enable saml -->
</beans>
```
E.g.
```xml
<!-- comment out to enable saml -->
<!--
</beans>
-->
```
Configure the keyManager
The SAML integration requires one or more public/private key pairs: the private key signs the messages PhixFlow sends to the identity provider (and decrypts assertions if the identity provider encrypts them), and the matching certificate is published in the Service Provider metadata so the identity provider can verify those signatures. The keys are stored in a Java keystore file, and the information needed to access that file (its location, the store and key passwords, and the alias of the key to use) is configured in the keyManager. Keep the keystore readable only by the account Tomcat runs as.
Instructions for creating a keystore can be found here: Configure Tomcat For HTTPS.
...
...
...
...
...
...
...
...
...
...
...
Edit this by deleting the original contextProvider, uncommenting the reverse proxy version, and changing the serverName, serverPort and contextPath to match the public view, i.e. the host, port and path that users and the identity provider see, not the internal address that only the proxy connects to. PhixFlow uses these values to build the endpoint URLs in its metadata and to check the Destination of incoming SAML responses, so if they describe the internal address the identity provider will post responses to the wrong URL or PhixFlow will reject them.
...
...
Configure the Metadata Generator
...
...
The metadata generator builds the PhixFlow server's (Service Provider) metadata from these configuration parameters together with the request details available when a user connects to it, so the values set here determine what the identity provider is told about PhixFlow.
...
...
Then
- change the entityId value to something that globally identifies the PhixFlow instance
- change the entityBaseURL value to the URL normally used to start PhixFlow. If PhixFlow is running behind a reverse proxy, this should be the public URL, not the internal URL which only the proxy sees.
...
...
...
...
...
...
Find this section of the file:
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Change metadata/idp-metadata.xml to reflect the actual location of the identity provider's metadata file.
Info: You can refer to a file as classpath:dir/file or as file:dir/file. classpath:dir1/file2 refers to a file in directory dir1 under the webapp's classpath; this can mean $webapp/WEB-INF/classes/dir1, but could also mean $tomcat/lib/dir1. file:/dir1 refers to the top-level directory /dir1; without the leading '/' it refers to dir1 under the current directory of the Tomcat process (which is normally the Tomcat home directory).
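Before pointing PhixFlow at an identity provider's metadata file, and again after generating the Service Provider metadata, it is worth checking what those files actually say. The script below is an added example for this page, not PhixFlow's own code: it parses either kind of SAML metadata with the Python standard library, reports the entityID, the endpoints and the SHA-256 fingerprint of each signing certificate (to compare with the fingerprint the identity provider administrator gives you out of band), and flags any Service Provider endpoint that is not under the public URL, which is the reverse proxy mistake described in the contextProvider and entityBaseURL steps above. Both metadata documents are constructed samples; the hosts are placeholders and PLACEHOLDER_CERT_DER stands in for a real DER-encoded certificate.

```python
"""Inspect SAML metadata (IdP or SP) before trusting it.

Added example, not PhixFlow code. Standard library only. The two
metadata documents are constructed samples with placeholder hosts, and
PLACEHOLDER_CERT_DER stands in for a real DER X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"
CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed IdP metadata in the shape ADFS and other IdPs publish.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.internal/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.internal/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.internal/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata as a server behind a reverse proxy might generate it
# when the contextProvider still describes the internal host: the ACS is wrong.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:phixflow:example">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://phixflow-internal:8080/phixflow/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER bytes, as printed by openssl/keytool (without colons)."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_metadata(xml_text):
    """Return entityID, role, endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    info = {"entityID": root.get("entityID"), "role": None,
            "endpoints": [], "signing_cert_sha256": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        info["role"], desc, endpoint_tag = "IdP", idp, "md:SingleSignOnService"
    elif sp is not None:
        info["role"], desc, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
    else:
        raise ValueError("metadata has neither IDPSSODescriptor nor SPSSODescriptor")
    for ep in desc.findall(endpoint_tag, NS):
        info["endpoints"].append((ep.get("Binding"), ep.get("Location")))
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no "use" = signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip wrapping
            info["signing_cert_sha256"].append(cert_fingerprint(der))
    return info


def fingerprint_matches(info, expected):
    """Compare with a fingerprint obtained out of band; colons and case ignored."""
    return expected.replace(":", "").lower() in info["signing_cert_sha256"]


def endpoints_outside(info, public_base_url):
    """Endpoint Locations that are not under the public base URL.
    For an SP behind a proxy every ACS Location must be under the public URL."""
    base = public_base_url.rstrip("/") + "/"
    return [loc for _, loc in info["endpoints"] if not loc.startswith(base)]


if __name__ == "__main__":
    idp = parse_metadata(SAMPLE_IDP_METADATA)
    print(idp["role"], idp["entityID"], idp["signing_cert_sha256"])
    sp = parse_metadata(SAMPLE_SP_METADATA)
    print("not under public URL:", endpoints_outside(sp, "https://phixflow.example.com/phixflow"))
```

Run it against the real files by replacing the two sample strings with the contents of metadata/idp-metadata.xml and the generated Service Provider metadata. If fingerprint_matches fails, do not proceed: a metadata file with the wrong signing certificate means either you were given the wrong file or it was altered in transit.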
Generate Service Provider metadata
...
Do the following:
...
...
...
...
...
...
...
e.g.
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
The mapping of LDAP attributes to outgoing claim types determines which of the user fields held on the Active Directory server are transmitted to the service provider (PhixFlow). The name chosen on the right-hand side does not matter to the identity provider, but it must match the attribute name you later configure in the PhixFlow map, so pick something semantically close to the LDAP attribute. Send only the attributes PhixFlow needs: every claim you add is user data released to another system.
...
...
...
...
For the remaining LDAP attributes, you can try out different mappings to see what they actually contain when sent down to the PhixFlow application server.
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Create a new map by copying the example and changing its id.
Change the domain to the value you want to be displayed as the domain for any users who log in using SAML (it is hard-coded, not taken from the assertion).
Change the property values to match the attribute names supplied by the identity provider, i.e. the outgoing claim types configured above.
...
...
...
...
...
...
...
...
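The quickest way to see what the identity provider really sends, and whether the map above will find everything it needs, is to decode an assertion and list its attribute statement. The following script is an added example for this page, not PhixFlow's own code. The assertion is a constructed sample (already base64-decoded, with the signature element omitted); the claim names in it and the field names in USER_MAP are assumptions chosen to match the claim-rule example above, not PhixFlow's real property names. Only the hard-coded domain behaviour is taken from the page. A real assertion can be captured with a browser SAML tracing extension or from the debug logging described under Troubleshooting.

```python
"""List the attributes an IdP sends in a SAML assertion and map them to a
PhixFlow-style user record.

Added example, not PhixFlow code. SAMPLE_ASSERTION is constructed (decoded,
signature omitted); the claim names and USER_MAP fields are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://adfs.example.internal/adfs/services/trust</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="name"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>PhixFlow Users</saml2:AttributeValue>
      <saml2:AttributeValue>PhixFlow Admins</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="objectSid"><saml2:AttributeValue/></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Assumed map: PhixFlow field -> outgoing claim type. "domain" is hard-coded,
# as the page says, rather than taken from the assertion.
USER_MAP = {
    "domain": "EXAMPLE",
    "username": "name",
    "email": "email",
    "fullName": "displayName",   # deliberately not sent in the sample
    "groups": "groups",
}


def assertion_attributes(xml_text):
    """Return {attribute Name: [non-empty values]} plus the Subject NameID
    under the key '@NameID', so every claim the IdP released is visible."""
    root = ET.fromstring(xml_text)
    attrs = {}
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is not None:
        attrs["@NameID"] = [name_id.text or ""]
    for attr in root.iterfind(".//saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]  # empty values dropped
    return attrs


def map_user(attrs, user_map):
    """Apply the map; record claims that were absent or empty instead of
    silently producing a half-populated user. 'ok' requires a username and
    at least one group, since groups drive PhixFlow access control."""
    user = {"domain": user_map["domain"], "missing": []}
    for field, claim in user_map.items():
        if field == "domain":
            continue
        values = attrs.get(claim) or []
        if not values:
            user["missing"].append(claim)
        elif field == "groups":
            user[field] = sorted(values)
        else:
            user[field] = values[0]
    user["ok"] = "username" in user and bool(user.get("groups"))
    return user


if __name__ == "__main__":
    attrs = assertion_attributes(SAMPLE_ASSERTION)
    for name, values in attrs.items():
        print(f"{name}: {' | '.join(values) or '<empty>'}")
    print(map_user(attrs, USER_MAP))
```

In the sample the identity provider sends objectSid with an empty value and no displayName at all, so the result reports both as missing while still marking the user as loggable; an attribute that arrives empty is the usual sign of a claim rule pointing at an LDAP attribute the account does not populate.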
Troubleshooting
Enhanced diagnostics can be generated by adding the lines
...
...
...
...
...
...
to your logback.xml file - see Server Logging for details on controlling logging options with this file, and where to find the results.
Note that with this logging applied the log files generated will be very large, and at this level they typically include the decoded SAML messages, so they will contain the user attributes released by the identity provider. You must switch off this logging as soon as you have completed your tests, and treat the logs it produced as sensitive.
You could also consider applying a more limited set of debugging options, e.g. just these lines:
...