This page is for administrators who need to integrate PhixFlow authentication with a SAML system.
Overview
Security Assertion Markup Language (SAML) is a standard for providing secure single sign-on for users. On Microsoft Windows Servers, the single sign-on identity for users is provided by the Active Directory Federation Services (ADFS) component.
On Windows Server systems that are running ADFS, you can configure PhixFlow to be a SAML Service Provider. This involves mapping PhixFlow user groups to the Active Directory groups. When a user attempts to log into PhixFlow, they are redirected to the authentication page of your system's identity provider, where they enter their username and password. If they are successfully authenticated they will then be redirected to PhixFlow and logged in.
Step 1 Configure phixflow-login.xml
To set up SAML integration, you need to add details to the configuration file phixflow-login.xml, which is in the directory <tomcat root>/webapps/phixflow/WEB-INF/classes. This file is created during installation by copying the example file phixflow-login.xml.example and setting any essential options; see Install PhixFlow Webapp.
1.1. Specify the Authentication Manager
Edit the authenticationManager section of phixflow-login.xml to add a samlAuthProvider.
Find this section of the file:
```xml
<security:authentication-manager alias="authenticationManager">
    <!-- test authentication provider, leave commented out -->
    <!-- <security:authentication-provider ref="testAuthProvider" /> -->
    <!-- local authentication provider - provide access for CenterView database users. Don't change it -->
    <security:authentication-provider ref="localAuthProvider" />
    <!-- Add an Active Directory Authentication Provider below this line; uncomment if using active directory integration -->
    <!-- <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" /> -->
    <!-- Add SAML Authentication Provider; uncomment if using saml / single sign-on -->
    <!-- <security:authentication-provider ref="samlAuthProvider"/> -->
</security:authentication-manager>
```
Edit it to look like this (omitting comments):
```xml
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="localAuthProvider" />
    <security:authentication-provider ref="samlAuthProvider" />
</security:authentication-manager>
```
Tip: We recommend that you keep the
1.2. Configure Login Forms
Edit the loginConfiguration section of phixflow-login.xml to define the login form options (local, single sign-on, active directory). These specify what the user sees on their PhixFlow login screen. This mechanism allows you to define a default form tailored to regular users and one or more forms for advanced users; see Configure Login Forms for details.
1.3. Enable SAML Beans
Edit the beans profile section of phixflow-login.xml. Edit the two blocks that disable the phixflow-login.xml options that are only required when PhixFlow is managing user authentication.
Find these lines:
```xml
<!-- comment out to enable saml / single sign-on -->
<beans profile="saml">
```
Remove them or comment them out:
```xml
<!-- comment out to enable saml / single sign-on -->
<!--
<beans profile="saml">
-->
```
Find these lines, near the end of the file:
```xml
<!-- comment out to enable saml -->
</beans>
```
and remove them or comment them out:
```xml
<!-- comment out to enable saml -->
<!--
</beans>
-->
```
1.4. Configure the keyManager
Edit the keyManager section of phixflow-login.xml to specify the keystore.
The keyManager bean configuration sets the keyStorePassword, keyAlias, keyPassword and defaultKeyAlias properties.
1.5. SAMLContextProviderImpl
The context provider bean sets the server port (443, the HTTPS port) and ends with these properties:
```xml
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/phixflow"/>
</bean>
```
1.6. Configure the identity provider
How you do this is specific to the identity provider. The following steps are for ADFS.
Mapping LDAP attributes
The mapping of LDAP attributes to outgoing claim types determines which of the user fields held on the Active Directory server are transmitted to the service provider. The name of the field on the right does not matter, but it should be semantically close to the LDAP attribute.
You must include the Name ID as an Outgoing Claim Type, and it should be mapped to the User-Principal-Name (that is, the user name) LDAP attribute. The mapping for user groups is mandatory for the SAML login request; map it as in the screenshot below. For the remaining LDAP attributes, you choose which to send.
On the Service Provider (PhixFlow) side, the attribute mapping bean in phixflow-login.xml names each incoming SAML attribute (by its urn:oid name) that fills a PhixFlow user field. The example bean ends with these properties:
```xml
<property name="username" value="urn:oid:0.9.2342.19200300.100.1.1" />
<property name="firstname" value="urn:oid:2.5.4.42" />
<property name="lastname" value="urn:oid:2.5.4.4" />
<property name="phonenumber" value="urn:oid:2.5.4.20" />
<property name="company" value="urn:oid:2.5.4.10" />
<property name="department" value="urn:oid:2.5.4.11" />
<property name="email" value="urn:oid:0.9.2342.19200300.100.1.3" />
<property name="groups" value="1.2.840.113556.1.2.613" />
</bean>
```
Create a new map by copying the example and changing its id.
Change the domain to the value you want to be displayed as the domain for any users who log in using SAML (it is hard-coded).
Change the property values to match the attributes supplied by the identity provider. For a user to log in, he must be a member of a PhixFlow User Group.
More Details in Logs
To generate more detail, add the following logging options to phixflow-login.xml: log information about the SAML login framework at debug level, and set centerview.util to debug. The log files generated will be very large; for diagnostic information see Log Files. You could also consider applying a more limited set of debugging options, e.g. just these lines:
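Returning to the attribute mapping bean above: as an added example that is not PhixFlow's own code, the following Python applies that mapping to a constructed assertion and checks the two items the page calls mandatory, the Name ID and the group attribute. The user, group names and the `map_assertion` function are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# PhixFlow user field -> SAML attribute Name, as in the mapping bean on this page.
ATTRIBUTE_MAP = {
    "username": "urn:oid:0.9.2342.19200300.100.1.1",
    "firstname": "urn:oid:2.5.4.42",
    "lastname": "urn:oid:2.5.4.4",
    "phonenumber": "urn:oid:2.5.4.20",
    "company": "urn:oid:2.5.4.10",
    "department": "urn:oid:2.5.4.11",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "groups": "1.2.840.113556.1.2.613",
}
# Constructed sample assertion for a hypothetical user (signature omitted; only the
# Subject and AttributeStatement are read here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jsmith@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="1.2.840.113556.1.2.613">
      <saml:AttributeValue>PhixFlow Users</saml:AttributeValue><saml:AttributeValue>Analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def map_assertion(assertion_xml, attribute_map=ATTRIBUTE_MAP):
    """Return the PhixFlow user fields an assertion would populate; raise ValueError
    when the mandatory Name ID or group attribute is absent."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Name ID; the identity provider must send one")
    # Collect every attribute's values, keyed by the SAML attribute Name.
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    user = {"name_id": name_id.text.strip()}
    for field, name in attribute_map.items():
        vals = values.get(name, [])
        # groups is multi-valued; every other field takes the first value, or None if unsent
        user[field] = vals if field == "groups" else (vals[0] if vals else None)
    if not user["groups"]:
        raise ValueError("no group attribute; user cannot be mapped to a PhixFlow User Group")
    return user
```

If the identity provider sends the group claim under a different attribute name than the one in the bean, the mapping yields no groups and the login fails, which is the first thing to compare when a SAML user is rejected.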