This page is for PhixFlow administrators who need to integrate PhixFlow with Azure AD to support Single Sign-on (SSO). This uses the SAML protocol.
Security Assertion Markup Language (SAML) is a standard for providing secure single-sign on for users.
This page describes integrating with Azure Active Directory to support SSO. If you would like to use ADFS (Active Directory Federation Services) to support SSO, please contact support@phixflow.com.
This page describes two modes:
mixed - in mixed mode, AAD performs the authentication for the users, and PhixFlow the authorisation.
mapped groups - in mapped groups mode, the groups that the user has been assigned to in AAD are mapped to PhixFlow groups; in other words, AAD is responsible for both authentication and authorisation.
Before configuring SAML integration you must set Tomcat: See Install Tomcat. |
Image AddedClick on New application
Image AddedSelect Create your own application and then radio button Integrate any other application you don't find in the gallery (Non-gallery)Image Added
Enter a suitable name to represent the application, e.g. example-phixflow-prod
, then click Create
The application Overview page will then appear
Image AddedUnder the Manage section on the left hand side menu, click Properties and ensure the following settings apply:
Enabled for users to sign-in? is set to Yes - this determines whether users assigned to the application can sign in
User assignment required? is set to Yes - this determines whether users who aren't assigned to the application can sign in
Visible to users? is set to Yes - this determines whether users assigned to an app can see it in the access panel and M365 launcher
Image AddedImage AddedImage AddedClick the pencil icon in the top left corner of the first step and enter the following:
Click Save and close this configuration box to return to the main Set up Single Sign-On with SAML page above.
Click the pencil icon in the top left corner of the second step to edit the user attributes and claims. The default attributes and claims should look similar to the following list:
Image AddedClick the Unique User Identifier (Name ID) attribute and set Source to Transformation on the claim page. A configuration window will open up:
Image AddedImage AddedClick Add a group claim
In the configuration window which opens up, select All groups
Select the source attribute - in the example it shows Group ID
Note |
---|
Source attribute Group ID is fine to use when using mixed mode - that is, authentication is performed by AAD and authorisation is performed by PhixFlow. When using mapped groups mode, this option works, but you will have to put GUIDs (e.g. 6f674ed0-bc19-4150-8af0-09100a33b6a2 ) into the external group fields in PhixFlow, which is less user friendly for PhixFlow administrators. Other than Group ID, most options are only available if you are syncing with an on-premise Active Directory. However, if you select Groups assigned to the application you can select Cloud-only group display names. If you choose this option, make sure you add groups as needed to the Enterprise Applcation (see https://phixflow.atlassian.net/wiki/spaces/HELP100/pages/9106732489/Configure+AAD+Integration+via+SAML#Add-users%2Fgroups-to-the-enterprise-application) |
Image AddedPress Save. This can be updated in future to harden the groups that are emitted
The resulting list of attributes and claims should look similar to the following:
Image AddedIn the third step (SAML Certificates), there is an option to download the Federation Metadata XML. Click Download:
Image AddedUpload the downloaded XML file to the server that is hosting the PhixFlow application
In the fourth step (Set up <enterprise application name>), copy the value for Azure AD Identifier (it is of the form https://sts.windows.net/[id_string]/) - this will be needed later in the configuration of PhixFlow
Image AddedImage AddedTo set up SAML integration, you need to add details to the configuration file, phixflow-login.xml, which is in the directory <tomcat root>/webapps/phixflow/WEB-INF/classes
. This file is created during installation, by copying the example file phixflow-login.xml.example, and setting any essential options; see Install the PhixFlow Webapp.
Edit the authenticationManager
section of phixflow-login.xml to add a samlAuthProvider
.
Find this section of the file:
Code Block |
---|
<security:authentication-manager alias="authenticationManager">
<!-- test authentication provider, leave commented out -->
<!-- <security:authentication-provider ref="testAuthProvider" /> -->
<!-- local authentication provider - provide access for CenterView database users. Don't change it -->
<security:authentication-provider ref="localAuthProvider" />
<!-- Add an Active Directory Authentication Provider below this line; uncomment if using active directory integration -->
<!-- <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" /> -->
<!-- Add SAML Authentication Provider; uncomment if using saml / single sign-on -->
<!-- <security:authentication-provider ref="samlAuthProvider"/> -->
</security:authentication-manager> |
Edit it to look like this (omitting comments):
Code Block |
---|
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="localAuthProvider" />
<security:authentication-provider ref="samlAuthProvider" />
</security:authentication-manager> |
Note |
---|
We recommend that you keep the localAuthProvider and a local administrator user. This means you can still login if there is problem with the SAML integration. |
If you are using mixed mode, create PhixFlow user accounts. Mixed users are authenticated by SAML but their access privileges are managed using User Groups in PhixFlow; see User.
Edit the loginConfiguration
section of phixflow-login.xml to define the login form options (local, single sign-on, active directory). These specify what the user sees on their PhixFlow login screen. This mechanism allows you to define a default form tailored to regular users and one or more forms for advanced users; see Configure Login Forms for details.
Edit the sameSiteCookieFilter
section of phixflow-login.xml to set the SameSite
property on the session cookie. This is required to initiate login from the PhixFlow login form.
Edit it to look like this:
Code Block |
---|
|
<bean id="sameSiteCookieFilter"
class="com.accipia.centerview.web.filter.SameSiteCookieFilter">
<property name="cookies">
<props>
<prop key="JSESSIONID">None</prop>
</props>
</property>
</bean> |
Edit the beans profile section section of phixflow-login.xml. Edit the 2 blocks that disable the options that are only required when PhixFlow is managing user authentication.
Find these lines:
Code Block |
---|
<!-- comment out to enable saml / single sign-on -->
<beans profile="saml"> |
Remove them or comment them out:
Code Block |
---|
<!-- comment out to enable saml / single sign-on -->
<!--
<beans profile="saml">
--> |
Find these lines, near the end of the file:
Code Block |
---|
<!-- comment out to enable saml -->
</beans> |
and remove them or comment them out:
Code Block |
---|
<!-- comment out to enable saml -->
<!--
</beans>
--> |
In this section we will generate a self-signed certificate, store associated private and public keys in a keystore, and edit the keyManager
section of phixflow-login.xml to specify the keystore. A self-signed certificate is acceptable in this case because this is used to protect the SAML exchange, a private exchange between two systems. This certificate is not used to identity the service provider to general users over the public internet.
These steps involve the use of the Java program keytool
, which should already be installed on your server if it has been prepared for PhixFlow by a standard installation of Java.
Windows
Code Block |
---|
|
keytool -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile |
E.g.
Code Block |
---|
|
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\saml\keystore.jks |
Linux
Code Block |
---|
|
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/phixflow/secure/saml/keystore.jks |
Recommended: select the default option not to set a separate password for the private key. You can set separate passwords if you wish; if you do, take a note of these and set as needed in the configuration of phixflow-login.xml (see below). The security advantages of setting separate passwords are limited in this case.
E.g.
Code Block |
---|
|
sudo mkdir /opt/phixflow/secure/saml
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/phixflow/secure/saml/keystore.jks
sudo chown -R tomcat:tomcat /opt/phixflow/secure
sudo chmod 500 /opt/phixflow/secure
sudo chmod 400 /opt/phixflow/secure/saml/keystore.jks |
Warning |
---|
Ensure that you create your keystore in a location that is only accessible to privileged users |
Now update the section of phixflow-login.xml that describes the keystore:
Code Block |
---|
<!-- The KeyStore stores encryption keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<!-- the keystore file -->
<constructor-arg value="file:/opt/phixflow/secure/saml/keystore.jks" />
<!-- password protecting the keystore -->
<constructor-arg type="java.lang.String" value="keyStorePassword" />
<constructor-arg>
<map>
<!-- key alias and key-specific password; add one entry for each key in the keystore -->
<entry key="keyAlias" value="keyPassword" />
</map>
</constructor-arg>
<!-- default key alias -->
<constructor-arg type="java.lang.String" value="defaultKeyAlias" />
</bean> |
The minimum updates required are to set:
"file:/.../keystore.jks"
to your keystore
"KeyStorePassword"
to your keystore password
"keyPassword"
to your key password; if you took the recommended option above when creating the keystore, this will be the same as the previous password
"keyAlias"
to the key you created in the keystore above; if you followed the example, this will be tomcat
"defaultKeyAlias"
to a key that exists. If the key does not exist PhixFlow will report an error when a user attempts to log in. If you followed the example, this will also be tomcat
.
For example:
Code Block |
---|
|
<!-- The KeyStore stores encryption keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<!-- the keystore file -->
<constructor-arg value="file:/opt/tomcat/secure/keystore.jks" />
<!-- password protecting the keystore -->
<constructor-arg type="java.lang.String" value="83dSKFnck130xSLDjzjd9Y" />
<constructor-arg>
<map>
<!-- key alias and key-specific password; add one entry for each key in the keystore -->
<entry key="tomcat" value="83dSKFnck130xSLDjzjd9Y" />
</map>
</constructor-arg>
<!-- default key alias -->
<constructor-arg type="java.lang.String" value="tomcat" />
</bean> |
Warning |
---|
For security reasons, access to phixflow-login.xml and to keystore.jks should be read-only to the Tomcat user or user account. It must be unreadable by all other users. |
1.7. Configure the Context Provider
The context provider communicates the external view of the PhixFlow server to other parts of the configuration.
If the server does not run behind a reverse proxy, you can skip this section.
If the server runs behind a reverse proxy, a different context provider must be configured to reflect the public view of the service.
Edit the Context Provider
section of phixflow-login.xml.
Comment out the original contextProvider
Uncomment the reverse proxy version
Change the serverName
, serverPort
and contextPath
to match the public view.
Find these lines:
Code Block |
---|
<!-- Context Provider -->
<!-- context provider when behind reverse proxy -->
<!-- see https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/configuration-advanced.html -->
<!--
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="https"/>
<property name="serverName" value="www.myserver.com"/>
<property name="serverPort" value="443"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/spring-security-saml2-sample"/>
</bean>
-->
<!-- context provider when not behind reverse proxy -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" /> |
Example of Context Provider
configuration (preceding comments omitted):
Code Block |
---|
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="https"/>
<property name="serverName" value="phixflow.example.com"/>
<property name="serverPort" value="443"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/phixflow"/>
</bean>
<!-- context provider when not behind reverse proxy -->
<!-- <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" /> --> |
To support a SAML exchange, each party generates metadata to describe how to connect to it. That metadata must be installed into the other party before any connection can be made.
The metadata generator generates the PhixFlow server's metadata based on configuration parameters and data available when a user tries to connect to it.
Edit the metadataGeneratorFilter
section of phixflow-login.xml and set:
Note |
---|
If PhixFlow is running behind a reverse proxy, this should be the public URL, not the internal URL which only the proxy sees. |
This is the metadataGeneratorFilter
section before configuration:
Code Block |
---|
<!-- filter that generates metadata based on configured properties -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="urn:test:phixflow:phixflow" />
<property name="entityBaseURL" value="https://myhostname:myport/phixflow" />
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="false" />
</bean>
</property>
</bean>
</constructor-arg>
</bean> |
The identity provider metadata provider defines how PhixFlow installs and handles the identity-provider's metadata - in our case, the Federation Metadata XML downloaded from AAD in a previous section on this page.
This is the metadata provider
section of phixflow-login.xml.
Code Block |
---|
|
<!-- file-base identity-provider (idp) metadata provider - this defines the metadata for a single identity provider -->
<bean id="idpFileMetadataProvider" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/idp-metadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<!-- add properties to extend the metadata -->
<!-- see https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html for values -->
<property name="local" value="false" />
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="true" />
</bean> |
A resulting example configuration:
Code Block |
---|
<!-- file-base identity-provider (idp) metadata provider - this defines the metadata for a single identity provider -->
<bean id="idpFileMetadataProvider" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">file:/opt/phixflow/secure/saml/idp-metadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<!-- add properties to extend the metadata -->
<!-- see https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html for values -->
<property name="local" value="false" />
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false" />
</bean> |
Mixed mode is when AAD performs the authentication, and PhixFlow performs the authorisation.
For this step you will need the Azure AD Identifier, this was captured earlier during the Azure AD set up
In phixflow-login.xml
, find the samlUserDetailsService
bean:
Code Block |
---|
<!-- The following beans are for configuring SAML login -->
<bean id="samlUserDetailsService"
class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
<property name="externalUserLoader" ref="externalUserLoader" />
<property name="mappers">
<util:map>
<!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
<!--
<entry key="exampleEntityId">
<ref bean="example1SamlAttributeMap" />
</entry>
-->
</util:map>
</property>
</bean> |
Uncomment the entry key
section
Update exampleEntityId
to the value of Azure AD Identifier
Ensure the entry is pointing to exampleAuthenticationOnlySamlAttributeMap
A resulting example samlUserDetailsService
bean:
Code Block |
---|
<!-- The following beans are for configuring SAML login -->
<bean id="samlUserDetailsService"
class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
<property name="externalUserLoader" ref="externalUserLoader" />
<property name="mappers">
<util:map>
<!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
<entry key="https://sts.windows.net/0597bXXXXXXXXXXXXXXXXXXXXXXXX/">
<ref bean="exampleAuthenticationOnlySamlAttributeMap" />
</entry>
</util:map>
</property>
</bean> |
Code Block |
---|
<bean id="exampleAuthenticationOnlySamlAttributeMap" class="com.accipia.centerview.util.security.UserDetailsMapper" >
<property name="domain" value="example.com" />
<property name="username" value="nameid" />
<property name="authenticationOnly" value="true" />
<property name="globalLogout" value="true" />
</bean> |
In mapped group mode, you rely on the groups a user is assigned to in AAD to allow them access to certain PhixFlow apps and features. I.e. AAD is responsible for both authentication and authorisation of users.
See Configure Groups for External Login. To complete this you will need the names or IDs of groups that are being supplied by AAD via the SAML exchange. These can be obtained directly from AAD but see also https://phixflow.atlassian.net/wiki/spaces/HELP100/pages/9106732489/Configure+AAD+Integration+via+SAML#Discovering-details---claims-values-and-group-names%2F-IDs for a handy way of discovering these.
For this step you will need the Azure AD Identifier, this was captured earlier during the Azure AD set up
In phixflow-login.xml
, find the samlUserDetailsService
bean:
Code Block |
---|
<!-- The following beans are for configuring SAML login -->
<bean id="samlUserDetailsService"
class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
<property name="externalUserLoader" ref="externalUserLoader" />
<property name="mappers">
<util:map>
<!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
<!--
<entry key="exampleEntityId">
<ref bean="example1SamlAttributeMap" />
</entry>
-->
</util:map>
</property>
</bean> |
Uncomment the entry key
section
Update exampleEntityId
to the value of Azure AD Identifier
(Note that you can update the value example1SamlAttributeMap
or use this section as a template to create a new mapping with a different name, and rename the reference to this bean in the step below to match this, but in these instructions we have assumed that you will use the default names)
Find the example1SamlAttributeMap
bean:
Code Block |
---|
<!-- map external user attribute names to saml response attribute names -->
<bean id="example1SamlAttributeMap" class="com.accipia.centerview.util.security.UserDetailsMapper" >
<!-- this will be used to mark external users in the database as from this login provider / domain -->
<property name="domain" value="mysaml.org" />
<property name="username" value="urn:oid:0.9.2342.19200300.100.1.1" />
<property name="firstname" value="urn:oid:2.5.4.42" />
<property name="lastname" value="urn:oid:2.5.4.4" />
<property name="phonenumber" value="urn:oid:2.5.4.20" />
<property name="company" value="urn:oid:2.5.4.10" />
<property name="department" value="urn:oid:2.5.4.11" />
<property name="email" value="urn:oid:0.9.2342.19200300.100.1.3" />
<property name="groups" value="1.2.840.113556.1.2.613" />
</bean> |
There are a number of ways of updating this attribute map, this is a flexible mechanism for specifying the format of token claims, but for the remainder of this configuration we supply a recommended configuration that should suit the majority of PhixFlow instances.
Code Block |
---|
<!-- map external user attribute names to saml response attribute names -->
<bean id="example1SamlAttributeMap" class="com.accipia.centerview.util.security.UserDetailsMapper" >
<!-- this will be used to mark external users in the database as from this login provider / domain -->
<property name="domain" value="phixflow.org" />
<property name="username" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
<property name="firstname" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
<property name="lastname" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
<property name="email" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
<property name="groups" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
<!-- set below property to true to enable single/global logout -->
<property name="globalLogout" value="false" />
</bean> |
There are various ways of getting details of the claims, and the names/ IDs of groups to be mapped (from AAD), but in many cases it is easiest to see what is being provided via SAML. To do this:
Apply the debug settings Option 1 (as described below)
Attempt a login with a test user that you believe has been set up correctly
Examine the server log file
In the example below, in the groups claim, Group ID has been set as the source attribute.
Code Block |
---|
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.ResolvingSAMLUserDetailsService [ResolvingSAMLUserDetailsService.java:43] resolved entityId 'https://sts.windows.net/ac26b444-992c-45e0-9963-d5640855a490/' to realm 'phixflow.org'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:113] credentials: org.springframework.security.saml.SAMLCredential@5a65288c
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/tenantid': 'ac26b444-992c-45e0-9963-d5640855a490'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/objectidentifier': '061fe582-ed14-4ce6-82e7-f59137d07211'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/displayname': 'Test User'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': '65831f5a-06fa-4245-92f0-ad2252b79c04'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': 'c06755b1-cfd5-4abf-9177-d497a463898f'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': '91f46287-da2d-41b2-a145-1a3f476a969e'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/identityprovider': 'https://sts.windows.net/ac26b444-992c-45e0-9963-d5640855a490/'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/claims/authnmethodsreferences': 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/claims/authnmethodsreferences': 'http://schemas.microsoft.com/claims/multipleauthn'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids': '34f948d8-759b-4f63-9427-79b007402544'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids': '290f8b04-e964-48ac-9063-c4fc669defb1'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'Test'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'User'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'test.user@example.com'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'test.user@example.com' |
You can optionally add property name
attributes to configure:
single (global) logout
By default, PhixFlow uses local logout. When a user logs out the PhixFlow session is terminated but
- the SAML identity provider is not notified
- the user is not logged out of their identity provider session.
Alternatively, single logout terminates the PhixFlow session and logs out of the identity provider. Depending on your identity provider configuration, this may include terminating sessions with other identity providers. To apply single logout to all users in this domain, add the line:
<property name="globalLogout" value="true" />
When troubleshooting the configuration, you can include additional diagnostics information in logs, by adding lines to logback.xml.
Option 1: more debug information
Code Block |
---|
<logger name="org.springframework.security" level="error" />
<logger name="com.accipia.centerview.util.security" level="debug" /> |
Option 2: full debug information
Code Block |
---|
#Log information about the SAML login framework |