loginConfiguration section of phixflow-login.xml

1.3. Configure the SAML Beans
Edit the beans profile section of phixflow-login.xml. Edit the 2 blocks that disable the options that are only required when PhixFlow is managing user authentication.
Find these lines:
```xml
<!-- comment out to enable saml / single sign-on -->
<beans profile="saml">
```
Remove them or comment them out:
```xml
<!-- comment out to enable saml / single sign-on -->
<!--
<beans profile="saml">
-->
```
1.4. Configure the keyManager
Edit the keyManager section of phixflow-login.xml to specify the keystore.
Tip: SAML integration requires one or more public/private keys. Keys are stored in a Java keystore file. For information about configuring a keystore, see Configure Tomcat For HTTPS.
The minimum updates required are to set:
- "file:/.../keystore.jks" to your keystore
- "KeyStorePassword" to your keystore password
- "keyPassword" to your key password
- "keyAlias" to a key entry name that exists in the keystore
- "defaultKeyAlias" to a key that exists. If the key does not exist PhixFlow will report an error when a user attempts to log in.
Both passwords are held in clear text in phixflow-login.xml, so restrict read access to that file as well as to the keystore.
Example of a keyManager bean configuration:
```xml
<!-- The KeyStore stores encryption keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <!-- the keystore file -->
    <constructor-arg value="file:/opt/tomcat/secure/keystore.jks" />
    <!-- password protecting the keystore -->
    <constructor-arg type="java.lang.String" value="keyStorePassword" />
    <constructor-arg>
        <map>
            <!-- key alias and key-specific password; add one entry for each key in the keystore -->
            <entry key="keyAlias" value="keyPassword" />
        </map>
    </constructor-arg>
    <!-- default key alias -->
    <constructor-arg type="java.lang.String" value="defaultKeyAlias" />
</bean>
```
Warning: For security reasons, access to
1.5. Configure the Context Provider
The context provider communicates the external view of the PhixFlow server to other parts of the configuration.
If the server does not run behind a reverse proxy, you can skip this section.
If the server runs behind a reverse proxy, a different context provider must be configured to reflect the public view of the service. The identity provider addresses its responses to the public URLs published in the service provider metadata, and Spring Security SAML rejects a response whose Destination does not match the URL the context provider reports, so an internal-only view causes every login to fail. SAMLContextProviderLB uses the fixed values configured here rather than trusting forwarding headers from the request.
Edit the Context Provider section of phixflow-login.xml.
- Delete the original contextProvider
- Uncomment the reverse proxy version
- Change the serverName, serverPort and contextPath to match the public view.
Find these lines:
```xml
<!-- Context Provider -->
<!-- context provider when behind reverse proxy -->
<!-- see https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/configuration-advanced.html -->
<!--
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="www.myserver.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/spring-security-saml2-sample"/>
</bean>
-->
<!-- context provider when not behind reverse proxy -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />
```
Example of Context Provider configuration (comments omitted):
```xml
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="myserver.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/phixflow"/>
</bean>
```
1.6. Configure the Metadata Generator
SAML communication is via an exchange of metadata between:
- the SAML identity provider, such as Active Directory Federation Services (ADFS)
- and a SAML Service Provider, in this case PhixFlow
Each party generates metadata to describe how to connect to it. That metadata must be installed into the other party before any connection can be made.
The metadata generator generates the PhixFlow server's metadata based on configuration parameters and data available when a user tries to connect to it.
Edit the metadataGeneratorFilter section of phixflow-login.xml and set:
- entityId to a value that globally identifies the PhixFlow instance
- entityBaseURL to the URL normally used to start PhixFlow. If PhixFlow is running behind a reverse proxy, this should be the public URL, not the internal URL which only the proxy sees.
This is the metadataGeneratorFilter section before configuration:
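The following script is an added example written for this page; it is not PhixFlow's code and not the metadataGeneratorFilter section or any other part of phixflow-login.xml. It parses the keyManager, contextProvider and metadataGeneratorFilter beans from a constructed copy of the fragments in 1.4 to 1.6 and reports the mistakes those sections warn about: a defaultKeyAlias that is not in the key map, the documentation's placeholder passwords left in place, and an entityBaseURL that does not match the public view the context provider reports. It also rebuilds the assertion-consumer URL that the identity provider must put in each response's Destination. Two things are assumptions rather than taken from the page: the layout of the metadataGeneratorFilter bean (a MetadataGenerator with an entityBaseURL property, as in Spring Security SAML) and the /saml/SSO processing path (Spring SAML's default). The script cannot open the keystore itself; confirm that the alias really exists with keytool -list -keystore keystore.jks.

```python
# Added example (not PhixFlow's code): lint the SAML beans in phixflow-login.xml
# for the mistakes sections 1.4 to 1.6 warn about, using only the standard library.
import xml.etree.ElementTree as ET

# Constructed sample of the three beans with deliberate faults: documentation
# placeholder passwords left in place, a defaultKeyAlias that is not in the
# keystore map, and an entityBaseURL that still points at the internal address.
# The metadataGeneratorFilter layout is an assumption (the page does not show it).
SAMPLE_XML = """<beans>
  <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="file:/opt/tomcat/secure/keystore.jks" />
    <constructor-arg type="java.lang.String" value="keyStorePassword" />
    <constructor-arg>
      <map>
        <entry key="phixflow" value="keyPassword" />
      </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="defaultKeyAlias" />
  </bean>
  <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="myserver.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/phixflow"/>
  </bean>
  <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
      <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
        <property name="entityId" value="phixflow-prod"/>
        <property name="entityBaseURL" value="http://10.0.0.5:8080/phixflow"/>
      </bean>
    </constructor-arg>
  </bean>
</beans>"""

# The same file with the faults corrected (the passwords are made up).
FIXED_XML = (SAMPLE_XML
             .replace('value="defaultKeyAlias"', 'value="phixflow"')
             .replace('value="keyStorePassword"', 'value="store-pass-1"')
             .replace('value="keyPassword"', 'value="key-pass-1"')
             .replace("http://10.0.0.5:8080/phixflow", "https://myserver.com/phixflow"))

# Literal values from the documentation example that must not survive into production.
PLACEHOLDERS = {"keyStorePassword", "keyPassword", "keyAlias", "defaultKeyAlias"}


def local(tag):
    """Tag name without namespace, so the checks work with or without xmlns on <beans>."""
    return tag.rsplit("}", 1)[-1]


def find_bean(root, bean_id):
    for el in root.iter():
        if local(el.tag) == "bean" and el.get("id") == bean_id:
            return el
    raise KeyError(f"no bean with id {bean_id!r}")


def properties(bean):
    return {p.get("name"): p.get("value") for p in bean if local(p.tag) == "property"}


def check_key_manager(bean):
    """Problems in the four JKSKeyManager constructor arguments: file, password, map, default alias."""
    args = [a for a in bean if local(a.tag) == "constructor-arg"]
    if len(args) != 4:
        return [f"expected 4 constructor-arg elements, found {len(args)}"]
    store, store_pass, key_map, default_alias = args
    entries = {e.get("key"): e.get("value")
               for m in key_map if local(m.tag) == "map"
               for e in m if local(e.tag) == "entry"}
    problems = []
    if not (store.get("value") or "").startswith("file:"):
        problems.append("keystore location should be a file: URL")
    if not entries:
        problems.append("key map has no entries")
    alias = default_alias.get("value")
    if alias not in entries:
        problems.append(f"defaultKeyAlias {alias!r} is not in the key map {sorted(entries)}; "
                        "PhixFlow will report an error when a user logs in")
    secrets = {"keystore password": store_pass.get("value"), "default key alias": alias}
    secrets.update({f"password for key {k}": v for k, v in entries.items()})
    for label, value in secrets.items():
        if value in PLACEHOLDERS:
            problems.append(f"{label} still holds the documentation placeholder {value!r}")
    return problems


def public_base_url(context_bean):
    """Rebuild the public URL that SAMLContextProviderLB advertises from its properties."""
    p = properties(context_bean)
    netloc = p["serverName"]
    if p.get("includeServerPortInRequestURL", "false").lower() == "true" and p.get("serverPort"):
        netloc += ":" + p["serverPort"]
    return f"{p['scheme']}://{netloc}{p.get('contextPath', '')}"


def expected_acs_url(xml_text, acs_path="/saml/SSO"):
    """URL a SAML Response's Destination must carry. /saml/SSO is Spring SAML's
    default assertion-consumer path; that PhixFlow keeps it is an assumption."""
    root = ET.fromstring(xml_text)
    return public_base_url(find_bean(root, "contextProvider")) + acs_path


def check_entity_base_url(root, expected):
    for el in root.iter():
        if local(el.tag) == "property" and el.get("name") == "entityBaseURL":
            actual = (el.get("value") or "").rstrip("/")
            return [] if actual == expected else [f"entityBaseURL {actual!r} should be the public URL {expected!r}"]
    return ["entityBaseURL is not set"]


def lint(xml_text):
    """Map each checked bean to its list of problems; empty lists mean the file is consistent."""
    root = ET.fromstring(xml_text)
    base = public_base_url(find_bean(root, "contextProvider"))
    return {"keyManager": check_key_manager(find_bean(root, "keyManager")),
            "metadataGenerator": check_entity_base_url(root, base)}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_XML).items():
        print(name, problems or ["ok"])
    print("responses must be addressed to", expected_acs_url(FIXED_XML))
```

To run it against a real installation, pass the contents of phixflow-login.xml to lint() instead of the constructed sample; the namespace on the real <beans> element is stripped by local(), so the checks behave the same.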
1.7. Configure the Identity-Provider Metadata Provider
The identity provider metadata provider defines how PhixFlow installs and handles the identity-provider's metadata. For example, PhixFlow can either enable or disable additional security checks.
Save the identity provider's metadata file in a convenient folder. How you obtain this file is specific to the identity provider. The following steps are for ADFS.

Mapping LDAP attributes
The mapping of LDAP attributes to outgoing claim types determines which of the user fields held on the Active Directory server are transmitted to the service provider. The name of the field on the right does not matter, but it should be semantically close to the LDAP Attribute.
You must include the Name ID as an Outgoing Claim Type, and it should be mapped to the User-Principal-Name (that is, the user name) LDAP Attribute. The mapping for user groups is mandatory for the SAML login request.
For the remaining LDAP Attributes, the values are referred to on the Service Provider (PhixFlow) side by their urn:oid names, for example:
```xml
...
<property name="department" value="urn:oid:2.5.4.11" />
<property name="email" value="urn:oid:0.9.2342.19200300.100.1.3" />
<property name="groups" value="1.2.840.113556.1.2.613" />
</bean>
```
Create a new map by copying the example and changing its id.
Change the domain to the value you want to be displayed as the domain for any users who log in using SAML (it is hard-coded).
Change the property values to match the attributes supplied by the identity provider.
For a user to log in, at least one of the groups supplied by the identity provider must appear in a User Group's External Login Groups. External group names may contain references to the current instance name as '{instance}', e.g. 'ADMIN_{instance}'. This allows groups to be moved from one instance to another and each instance to use its own set of external group names.
See Configure Groups for External Login for how to configure External Login groups.
Troubleshooting
Enhanced diagnostics can be generated by adding the following lines to your logback.xml file; see Log Files for details on controlling logging options with this file, and where to find the results.
```xml
<logger name="com.accipia.centerview.util.security" level="debug" />
<logger name="org.springframework.security.saml" level="debug" />
<logger name="org.opensaml" level="debug" />
```
Note that with this logging applied, the log files generated will be very large, and at debug level the SAML loggers record the decoded assertions, including the user attributes sent by the identity provider. Protect the log files accordingly, and switch this logging off as soon as you have completed your tests.
You could also consider applying a more limited set of debugging options, e.g. just these lines: