loginConfiguration section of phixflow-login.xml
1.3. SAML Beans
Edit the beans profile section of phixflow-login.xml. Edit the two blocks that disable the options that are only required when PhixFlow is managing user authentication.
Find these lines:
```xml
<!-- comment out to enable saml / single sign-on -->
<beans profile="saml">
```
Remove them or comment them out:
```xml
<!-- comment out to enable saml / single sign-on -->
<!--
<beans profile="saml">
-->
```
Find these lines, near the end of the file:
```xml
<!-- comment out to enable saml -->
</beans>
```
1.4. Configure the keyManager
Edit the keyManager section of phixflow-login.xml to specify the keystore.
Tip: SAML integration requires one or more public/private keys. Keys are stored in a Java keystore file. For information about configuring a keystore, see Configure Tomcat For HTTPS.
The minimum updates required are to set:
- "file:/.../keystore.jks" to the path of your keystore
- "KeyStorePassword" to your keystore password
- "keyPassword" to your key password
- "keyAlias" to a key entry name that exists in the keystore
- "defaultKeyAlias" to a key that exists. If the key does not exist, PhixFlow will report an error when a user attempts to log in.
Example of a keyManager bean configuration:
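The bean below is an added illustration, not the keyManager definition shipped in PhixFlow's own phixflow-login.xml. It assumes the bean is Spring Security SAML's JKSKeyManager (an assumption, consistent with the placeholder names in the list above and the org.springframework.security log output shown later on this page) and uses those same placeholder values:

```xml
<!-- Added illustration (assumes JKSKeyManager; not the file shipped with PhixFlow).
     Replace every placeholder with your own value. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <!-- Path to the Java keystore holding the SAML signing key -->
    <constructor-arg value="file:/.../keystore.jks"/>
    <!-- Password that opens the keystore itself -->
    <constructor-arg type="java.lang.String" value="KeyStorePassword"/>
    <!-- Map of key entry alias -> password for that entry.
         Every alias listed here must exist in the keystore. -->
    <constructor-arg>
        <map>
            <entry key="keyAlias" value="keyPassword"/>
        </map>
    </constructor-arg>
    <!-- Alias used when no key is named explicitly. It must be one of the
         aliases in the map above; in the simplest setup it is the same alias
         as keyAlias. An alias missing from the keystore fails at login time. -->
    <constructor-arg type="java.lang.String" value="defaultKeyAlias"/>
</bean>
```

Before starting PhixFlow, confirm the alias exists and is a private key entry with `keytool -list -keystore keystore.jks`, which lists each entry as PrivateKeyEntry or trustedCertEntry.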
4.4 For the claim rule template, select Send LDAP Attributes as Claims.
4.5 On the next screen, give the claim rule a name, and select Active Directory as the attribute store.
4.6 Map the LDAP Attributes to Outgoing Claim Types. This mapping determines which user fields are sent from the Active Directory server to PhixFlow.
- You must map the User-Principal-Name, which is the user name. Without this PhixFlow will reject the SAML login request.
- You must map Token-Groups - Unqualified Names to Role, as shown in the screenshot below. The mapping for user groups is mandatory for the SAML login request.
- Map any remaining LDAP attributes that you require. You may need to test different mappings, to identify what information is sent to the PhixFlow server.
When you map an LDAP Attribute to an Outgoing Claim Type, enter a Name ID. You can specify any name for an outgoing claim type. However, for clarity the name should be similar to the LDAP Attribute.
Tip: When you configure the attribute mapping on PhixFlow (the service provider) in Step 5, below, remember to match the domain to the service provider domain.
Step 5 Configure Attribute Map in PhixFlow (Service Provider)
As part of the SAML single sign-on process, the identity provider sends details of the user who is logging in as a set of name/value pairs. An attribute map defines how PhixFlow maps the identity provider's attribute names to the names required by PhixFlow.
Each of the Outgoing Claim Types has a unique URN, which can be found under ADFS → Service → Claim Descriptions. For example, Name ID has a URN claim type of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. Add this claim type to the attribute mapping in phixflow-login.xml.
Alternatively, look in the phixflow.log file to see what attributes are being sent; see Log Files.
Info: Turn on debug logging in logback.xml for com.accipia.centerview.util.security. The log file will show the attributes and values that are available. Even if you choose to use the list of claim types as a guide, this logging can be useful diagnostic information.
As long as you have correctly mapped the username and domain and the rest of the SAML setup is correct, you should see lines like these:
```text
2019-08-21 16:28:38,839 DEBUG [http-nio-8080-exec-3] o.s.s.s.w.WebSSOProfileConsumerImpl [WebSSOProfileConsumerImpl.java:237] Including attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/role from assertion _8c9686b7-9029
```
The URN is the same as the URN given in the list of Claim Descriptions.
Back in phixflow-login.xml, find the attribute map section:
Create a new map by copying the example and changing its id.
Change the domain to the value you want to be displayed as the domain for any users who log in using SAML (it is hard-coded).
Change the property values to match the attributes supplied by the identity provider.
To debug the login framework, set the org.springframework.security logger to debug in logback.xml:
```xml
<logger name="org.springframework.security" level="debug" />
```