Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Reverted from v. 68

You can set up access to PhixFlow either through PhixFlow Users, by integrating with your Active Directory infrastructure, or with SAML. If you integrate with SAML, Access Control is maintained by mapping Active Directory Groups to PhixFlow User Groups, as described below. By using the SAML integration users will be redirected to a chosen identity provider page where they will enter their username and password. If they are successfully authenticated they will then be redirected to PhixFlow and logged in.

This page describes how to integrate PhixFlow with SAML:

Table of Contents
maxLevel1

Configure phixflow-login.xml

Configuration details for SAML are configured in the file phixflow-SAML.xml, under [tomcat root]/webapps/phixflow/WEB-INF/classes. When you first install PhixFlow, you probably created a copy of this file by simply copying the example file phixflow-login.xml.example (see Install PhixFlow Webapp).

Create SAML reference

To create a reference to SAML, update the section in the example file to:

Code Block
languagexml
		<!-- example of a SAML authentication provider
		-->
		<security:authentication-provider ref="samlAuthenticationProvider"/>

Add key store details

In order to SAML A keystore must be included at  [tomcat root]/webapps/phixflow/WEB-INF/classes/keystore/<<youtkeystorename.jks>>. Instructions for creating a keystore can be seen at Configure Tomcat For HTTPS. The configuration files included assume that the alias of the key is  "PhixflowSAML", if you wish to use another alias you will have to replace all instances of "PhixflowSAML" with your alias. Below is an example of a keystore:

Code Block
languagexml
   	<!-- An Example of a KeyStore File -->
	
	<bean id="keyManager"
		class="org.springframework.security.saml.key.JKSKeyManager">
		<constructor-arg
			value="classpath:keystore/samlKeystore.jks" />
		<constructor-arg type="java.lang.String"
			value="<<KeyStorePassword>>" />
		<constructor-arg>
			<map>
				<entry key="PhixflowSAML" value="<<KeyPassword>>" />
			</map>
		</constructor-arg>
		<constructor-arg type="java.lang.String"
			value="PhixflowSAML" />
	</bean>

For the most basic configuration just replace the "/samlKeystore.jks" with your keystore, "<<KeyStorePassword>>" with the password to the keystore and then "<<KeyPassword>>" with the password for the key.

Metadata generator

In order to connect to your identity provider PhixFlow must be configured to contain service provider metadata. The configuration file contains all the tools needed in order to generate a metadata file. It is recommended to follow this procedure to generate your metadata then save the resulting xml in a file called "sp-metadata.xml" in the folder at  [tomcat root]/webapps/phixflow/WEB-INF/classes/metadata.  In order to configure the metadata generator two things need to be customised.

Firstly replace the value of the entityId with something unique so that the service provider will correctly be associated with only you.

Code Block
languagexml
  <property name="entityId"	
			value="urn:test:phixflow:phixflow" />

Secondly replace the values under entityBaseURL to point at your tomcat configuration.

Code Block
languagexml
<property name="entityBaseURL"
					value="http(s)://<<hostname>>:<<port>>/Phixflow" />

For example if you are using the default tomcat configuration :

Code Block
languagexml
<property name="entityBaseURL"
					value="http://localhost:8081/Phixflow" />

or alternatively using a tomcat configured for HTTPS:

Code Block
languagexml
<property name="entityBaseURL"
					value="https://localhost:8443/Phixflow" />

Metadata configuration

The next step is to configure PhixFlow so that it knows where to look for both identity provider and service provider metadata. First we look at identity provider metadata:

With the default configuration the identity provider metadata is saved as a file under the metadata folder named "idp-metadata.xml". If you wish to use a different file name just change it here.

Code Block
languagexml
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
	<constructor-arg>
		<value type="java.io.File">classpath:metadata/idp-metadata.xml</value>
	</constructor-arg>
	<property name="parserPool" ref="parserPool" />
</bean>

Next comes the service provider metadata. If you are using the metadata generator leave this next section commented out as if you do not PhixFlow will not start as it will be looking for a file that does not exist. Below is a completed service provider bean which will be broken down in more detail lower down.

Code Block
languagexml
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
	<constructor-arg>
		<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
			<constructor-arg>
				<bean class="java.util.Timer" />
			</constructor-arg>
			<constructor-arg>
				<bean class="org.opensaml.util.resource.ClasspathResource">
					<constructor-arg value="/metadata/sp-metadata.xml" />
				</bean>
			</constructor-arg>
			<property name="parserPool" ref="parserPool" />
		</bean>
	</constructor-arg>
	<constructor-arg>
		<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
			<property name="local" value="true" />
			<property name="alias" value="urn:test:phixflow:phixflow" />
			<property name="signingKey" value="PhixflowSAML" />
			<property name="encryptionKey" value="PhixflowSAML" />
		</bean>
	</constructor-arg>
</bean>

The first configurable part of the service provider metadata is the file name. By default this is expecting a file named "sp-metadata.xml" under the metadata folder. If you wish to use another file name change it here :

Code Block
languagexml
		<constructor-arg value="/metadata/sp-metadata.xml" />

Next we have the Extended metadata configuration. For the simplest setup all that needs changing here is the alias needs to be updated to the entity ID that you specified earlier. If you are using the recommended Key name of "PhixflowSAML" then no further configuration is required. If you are not using this key name then you will have to replace the PhixflowSAML with your keyname under the "signingKey" and "encryptionKey" sections.

Code Block
languagexml
	<!-- The following sections must be uncommented to enable SAML Login -->
	<!--

	<security:http entry-point-ref="samlEntryPoint"
		pattern="/saml/**" use-expressions="false">
		<security:intercept-url pattern="/**" access="ROLE_USER" />
		<security:custom-filter	after="BASIC_AUTH_FILTER" ref="samlFilter" />
	</security:http>
	
	<import resource="phixflow-SAML.xml/>
	-->

After this there is only one remaining section which contains a line that needs to be included when you wish to generate your metadata, but commented out if you do not wish to generate your own metadata. This line is as follows :

Code Block
languagexml
<!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->

so to generate your metadata the configuration should look like 

Code Block
languagexml
 	<!-- with the exception of the metageneratorfilter line the following must be uncommented to enable SAML login -->
	<security:http entry-point-ref="samlEntryPoint"
		pattern="/SAMLLogin" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />
		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />
	<!--  uncomment the line below to generate your service provider metadata -->		
	<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
	</security:http>

and if you do not need to generate your metadata the configuration should look like 

Code Block
languagexml
 	<!-- with the exception of the metageneratorfilter line the following must be uncommented to enable SAML login -->
	<security:http entry-point-ref="samlEntryPoint"
		pattern="/SAMLLogin" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />
		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />
	<!--  uncomment the line below to generate your service provider metadata -->		
	<!--<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>-->
	</security:http>

Other configuration

After this in order to enable SAML all that is required is to uncomment the following sections with a few exceptions. First uncomment all of the text listed below:

Code Block
languagexml
		<!--

	<security:http entry-point-ref="samlEntryPoint"
		pattern="/saml/**" use-expressions="false">
		<security:intercept-url pattern="/**"
			access="ROLE_USER" />

		<security:custom-filter
			after="BASIC_AUTH_FILTER" ref="samlFilter" />

	</security:http>
	
		<import resource="phixflow-SAML.xml/>
	-->

Metadata Generation

After completing this initial setup. It's time to generate the metadata. To do this setup the login configuration form to have a log in with SAML button and click it. You should be redirected to your identity provider and rejected, but your metadata will be generated by this step. Next log in as a local user then go to <<yourhost>>/Phixflow/saml/metdata in order to download an XML file of your metadata.This will need to be given to your identity provider to log in. In order to simplify configuration it is recommended to save this as metadata/sp-metadata.xml

At this point please refer to  the Phixflow Active Directory Setup section for more information on how to connect your identity provider provided groups to PhixFlow groups. The "default domain" section is not needed.

Logging in as a SAML user

Image Removed

To log in, users simply have to select a login option with SAML and click on the login button where they will be redirected to the identity provider to enter their credentials. If the login form configuration has been set to automatically log in with SAML, then they will see this screen and will instead be redirected straight to the identity provider.

Troubleshooting

...

Insert excerpt
_Banners
_Banners
nameadministration
nopaneltrue

This page is for PhixFlow administrators who need to integrate PhixFlow with Azure AD to support Single Sign-on (SSO). This uses the SAML protocol.

Overview

Security Assertion Markup Language (SAML) is a standard for providing secure single-sign on for users.

This page describes integrating with Azure Active Directory to support SSO. If you would like to use ADFS (Active Directory Federation Services) to support SSO, please contact support@phixflow.com.

This page describes two modes:

  • mixed - in mixed mode, AAD performs the authentication for the users, and PhixFlow the authorisation.

  • mapped groups - in mapped groups mode, the groups that the user has been assigned to in AAD are mapped to PhixFlow groups; in other words, AAD is responsible for both authentication and authorisation.

Prerequisites

Before configuring SAML integration you must set Tomcat:

  • to use HTTPS

  • to have the secure flag on session cookies.

See Install Tomcat.

Adding an Unlisted (Non-Gallery) Application in Azure

  • Log into the Azure portal and navigate to the Enterprise Applications blade

Image Added
  • Click on New application

    Image Added
  • Select Create your own application and then radio button Integrate any other application you don't find in the gallery (Non-gallery)Image Added

  • Enter a suitable name to represent the application, e.g. example-phixflow-prod, then click Create

  • The application Overview page will then appear

    Image Added
  • Under the Manage section on the left hand side menu, click Properties and ensure the following settings apply:

    1. Enabled for users to sign-in? is set to Yes - this determines whether users assigned to the application can sign in

    2. User assignment required? is set to Yes - this determines whether users who aren't assigned to the application can sign in

    3. Visible to users? is set to Yes - this determines whether users assigned to an app can see it in the access panel and M365 launcher

Image Added

Configuring SAML-Based Single Sign-On to Non-Gallery Applications via Azure AD (Identity Provider)

  • Under the Manage section for the above application in Azure, select Single sign-on

  • Select SAML

Image Added
  • The Set up Single Sign-On with SAML page will appear. The only changes required are in step 1 and 2 as shown in the following screenshot:

Image Added
  • Click the pencil icon in the top left corner of the first step and enter the following:

  • Click Save and close this configuration box to return to the main Set up Single Sign-On with SAML page above.

  • Click the pencil icon in the top left corner of the second step to edit the user attributes and claims. The default attributes and claims should look similar to the following list:

    Image Added
  • Click the Unique User Identifier (Name ID) attribute and set Source to Transformation on the claim page. A configuration window will open up:

Image Added
  • Set Transformation to ExtractMailPrefix() and Parameter to user.userprincipalname. Press Add, then press Save:

Image Added
  • Click Add a group claim

  • In the configuration window which opens up, select All groups

  • Select the source attribute - in the example it shows Group ID

Note

Source attribute

Group ID is fine to use when using mixed mode - that is, authentication is performed by AAD and authorisation is performed by PhixFlow.

When using mapped groups mode, this option works, but you will have to put GUIDs (e.g. 6f674ed0-bc19-4150-8af0-09100a33b6a2) into the external group fields in PhixFlow, which is less user friendly for PhixFlow administrators.

Other than Group ID, most options are only available if you are syncing with an on-premise Active Directory.

However, if you select Groups assigned to the application you can select Cloud-only group display names. If you choose this option, make sure you add groups as needed to the Enterprise Applcation (see https://phixflow.atlassian.net/wiki/spaces/HELP100/pages/9106732489/Configure+AAD+Integration+via+SAML#Add-users%2Fgroups-to-the-enterprise-application)

Image Added
  • Press Save. This can be updated in future to harden the groups that are emitted

  • The resulting list of attributes and claims should look similar to the following:

    Image Added

  • In the third step (SAML Certificates), there is an option to download the Federation Metadata XML. Click Download:

Image Added
  • Upload the downloaded XML file to the server that is hosting the PhixFlow application

  • In the fourth step (Set up <enterprise application name>), copy the value for Azure AD Identifier (it is of the form https://sts.windows.net/[id_string]/) - this will be needed later in the configuration of PhixFlow

Image Added

Add users/groups to the enterprise application

  • Navigate to the Users and groups section of the Enterprise Application:

Image Added
  • Assign users or groups to the application as needed by following the on-screen prompts.

  • There is functionality to bulk select users from the list and search for specific users.

Configuring PhixFlow (Service Provider)

Configure phixflow-login.xml

To set up SAML integration, you need to add details to the configuration file, phixflow-login.xml, which is in the directory <tomcat root>/webapps/phixflow/WEB-INF/classes. This file is created during installation, by copying the example file phixflow-login.xml.example, and setting any essential options; see Install the PhixFlow Webapp.

Specify the Authentication Manager

Edit the authenticationManager section of phixflow-login.xml to add a samlAuthProvider.

Find this section of the file:

Code Block
	<security:authentication-manager alias="authenticationManager">
		<!-- test authentication provider, leave commented out -->
		<!-- <security:authentication-provider ref="testAuthProvider" /> -->

		<!-- local authentication provider - provide access for CenterView database users. Don't change it -->
		<security:authentication-provider ref="localAuthProvider" />

		<!-- Add an Active Directory Authentication Provider below this line; uncomment if using active directory integration -->
		<!-- <security:authentication-provider ref="exampleActiveDirectoryAuthProvider" /> -->

		<!-- Add SAML Authentication Provider; uncomment if using saml / single sign-on -->
		<!-- <security:authentication-provider ref="samlAuthProvider"/> -->
	</security:authentication-manager>

Edit it to look like this (omitting comments):

Code Block
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider ref="localAuthProvider" />
		<security:authentication-provider ref="samlAuthProvider" />
	</security:authentication-manager>
Note

We recommend that you keep the localAuthProvider and a local administrator user. This means you can still login if there is problem with the SAML integration.

Set up User Accounts

If you are using mixed mode, create PhixFlow user accounts. Mixed users are authenticated by SAML but their access privileges are managed using User Groups in PhixFlow; see User.

Configure Login Forms

Edit the loginConfiguration section of phixflow-login.xml to define the login form options (local, single sign-on, active directory). These specify what the user sees on their PhixFlow login screen. This mechanism allows you to define a default form tailored to regular users and one or more forms for advanced users; see Configure Login Forms for details.

Enable a Cookie Filter

Edit the sameSiteCookieFilter section of phixflow-login.xml to set the SameSite property on the session cookie. This is required to initiate login from the PhixFlow login form.

Edit it to look like this:

Code Block
languagexml
<bean id="sameSiteCookieFilter"
	class="com.accipia.centerview.web.filter.SameSiteCookieFilter">
	<property name="cookies">
		<props>
			<prop key="JSESSIONID">None</prop>
		</props>
	</property>
</bean>	

Enable SAML Beans

Edit the beans profile section section of phixflow-login.xml. Edit the 2 blocks that disable the options that are only required when PhixFlow is managing user authentication.

Find these lines:

Code Block
	<!-- comment out to enable saml / single sign-on -->
	<beans profile="saml">

Remove them or comment them out:

Code Block
	<!-- comment out to enable saml / single sign-on -->
	<!--
	<beans profile="saml">
	-->

Find these lines, near the end of the file:

Code Block
	<!-- comment out to enable saml -->
	</beans>

and remove them or comment them out:

Code Block
	<!-- comment out to enable saml -->
	<!--
	</beans>
	-->

Create a certificate and configure the keyManager

In this section we will generate a self-signed certificate, store associated private and public keys in a keystore, and edit the keyManager section of phixflow-login.xml to specify the keystore. A self-signed certificate is acceptable in this case because this is used to protect the SAML exchange, a private exchange between two systems. This certificate is not used to identity the service provider to general users over the public internet.

These steps involve the use of the Java program keytool, which should already be installed on your server if it has been prepared for PhixFlow by a standard installation of Java.

Windows

Code Block
languagepowershell
keytool -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile

E.g.

Code Block
languagepowershell
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\saml\keystore.jks

Linux

Code Block
languagebash
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/phixflow/secure/saml/keystore.jks

Recommended: select the default option not to set a separate password for the private key. You can set separate passwords if you wish; if you do, take a note of these and set as needed in the configuration of phixflow-login.xml (see below). The security advantages of setting separate passwords are limited in this case.

E.g.

Code Block
languagebash
sudo mkdir /opt/phixflow/secure/saml
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/phixflow/secure/saml/keystore.jks
sudo chown -R tomcat:tomcat /opt/phixflow/secure
sudo chmod 500 /opt/phixflow/secure
sudo chmod 400 /opt/phixflow/secure/saml/keystore.jks
Warning

Ensure that you create your keystore in a location that is only accessible to privileged users

Now update the section of phixflow-login.xml that describes the keystore:

Code Block
	<!-- The KeyStore stores encryption keys -->
	<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
		<!-- the keystore file -->
		<constructor-arg value="file:/opt/phixflow/secure/saml/keystore.jks" />
		<!-- password protecting the keystore -->
		<constructor-arg type="java.lang.String" value="keyStorePassword" />
		<constructor-arg>
			<map>
				<!-- key alias and key-specific password; add one entry for each key in the keystore -->
				<entry key="keyAlias" value="keyPassword" />
			</map>
		</constructor-arg>
		<!-- default key alias -->
		<constructor-arg type="java.lang.String" value="defaultKeyAlias" />
	</bean>

The minimum updates required are to set:

  •  "file:/.../keystore.jks" to your keystore

  • "KeyStorePassword" to your keystore password

  • "keyPassword" to your key password; if you took the recommended option above when creating the keystore, this will be the same as the previous password

  • "keyAlias" to the key you created in the keystore above; if you followed the example, this will be tomcat

  •  "defaultKeyAlias" to a key that exists. If the key does not exist PhixFlow will report an error when a user attempts to log in. If you followed the example, this will also be tomcat.

For example:

Code Block
languagexml
	<!-- The KeyStore stores encryption keys -->
	<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
		<!-- the keystore file -->
		<constructor-arg value="file:/opt/tomcat/secure/keystore.jks" />
		<!-- password protecting the keystore -->
		<constructor-arg type="java.lang.String" value="83dSKFnck130xSLDjzjd9Y" />
		<constructor-arg>
			<map>
				<!-- key alias and key-specific password; add one entry for each key in the keystore -->
				<entry key="tomcat" value="83dSKFnck130xSLDjzjd9Y" />
			</map>
		</constructor-arg>
		<!-- default key alias -->
		<constructor-arg type="java.lang.String" value="tomcat" />
	</bean>
Warning

For security reasons, access to phixflow-login.xml and to keystore.jks should be read-only to the Tomcat user or user account. It must be unreadable by all other users.

1.7.  Configure the Context Provider

The context provider communicates the external view of the PhixFlow server to other parts of the configuration.

If the server does not run behind a reverse proxy, you can skip this section.

If the server runs behind a reverse proxy, a different context provider must be configured to reflect the public view of the service.

Edit the Context Provider section of phixflow-login.xml.

  • Comment out the original contextProvider

  • Uncomment the reverse proxy version

  • Change the serverName, serverPort and contextPath to match the public view.

Find these lines:

Code Block
	<!-- Context Provider -->

	<!-- context provider when behind reverse proxy -->
	<!-- see https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/configuration-advanced.html -->
	<!--  
	<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
		<property name="scheme" value="https"/>
		<property name="serverName" value="www.myserver.com"/>
		<property name="serverPort" value="443"/>
		<property name="includeServerPortInRequestURL" value="false"/>
		<property name="contextPath" value="/spring-security-saml2-sample"/>
	</bean>
	-->

	<!-- context provider when not behind reverse proxy -->
	<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />

Example of Context Provider configuration (preceding comments omitted):

Code Block
	<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
		<property name="scheme" value="https"/>
		<property name="serverName" value="phixflow.example.com"/>
		<property name="serverPort" value="443"/>
		<property name="includeServerPortInRequestURL" value="false"/>
		<property name="contextPath" value="/phixflow"/>
	</bean>

    <!-- context provider when not behind reverse proxy -->
    <!-- <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" /> -->

1.8.  Configure the Metadata Generator

To support a SAML exchange, each party generates metadata to describe how to connect to it. That metadata must be installed into the other party before any connection can be made.

The metadata generator generates the PhixFlow server's metadata based on configuration parameters and data available when a user tries to connect to it.

Edit the metadataGeneratorFilter section of phixflow-login.xml and set:

Note

If PhixFlow is running behind a reverse proxy, this should be the public URL, not the internal URL which only the proxy sees.

This is the metadataGeneratorFilter section before configuration:

Code Block
	<!-- filter that generates metadata based on configured properties -->
	<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
		<constructor-arg>
			<bean class="org.springframework.security.saml.metadata.MetadataGenerator"> 
				<property name="entityId" value="urn:test:phixflow:phixflow" />
				<property name="entityBaseURL" value="https://myhostname:myport/phixflow" />
				<property name="extendedMetadata">
					<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
						<property name="idpDiscoveryEnabled" value="false" />
					</bean>
				</property>
			</bean>
		</constructor-arg> 
	</bean>

Configure the Identity-Provider Metadata Provider

The identity provider metadata provider defines how PhixFlow installs and handles the identity-provider's metadata - in our case, the Federation Metadata XML downloaded from AAD in a previous section on this page.

  •  Save the identity provider's metadata file in a convenient folder. You can specify a path using:

    • either classpath:dir1/file  
        This refers to a file in directory dir1 under the webapp's classpath. This is ambiguous as it can mean webapp/WEB-INF/classes/dir1 and tomcat/lib/dir1.

    • or file:/dir1/file
        This refers to the top-level directory /dir1. Without the forward slash / it refers to dir1 under the current directory, which is normally the Tomcat home directory.

  • Edit the metadata provider section of phixflow-login.xml.

    • Change metadata/idp-metadata.xml to the location of the identity provider's metadata file.

    • Update metadataTrustCheck to false

This is the metadata provider section of phixflow-login.xml.

Code Block
languagexml
	<!-- file-base identity-provider (idp) metadata provider - this defines the metadata for a single identity provider -->
	<bean id="idpFileMetadataProvider" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
		<constructor-arg>
				<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
					<constructor-arg>
						<value type="java.io.File">classpath:metadata/idp-metadata.xml</value>
					</constructor-arg>
					<property name="parserPool" ref="parserPool" />
				</bean>
		</constructor-arg>
		<constructor-arg>
			<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
				<!-- add properties to extend the metadata -->
				<!-- see https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html for values -->
				<property name="local" value="false" />
			</bean>
		</constructor-arg>
		<property name="metadataTrustCheck" value="true" />
	</bean>

A resulting example configuration:

Code Block
	<!-- file-base identity-provider (idp) metadata provider - this defines the metadata for a single identity provider -->
	<bean id="idpFileMetadataProvider" class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
		<constructor-arg>
				<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
					<constructor-arg>
						<value type="java.io.File">file:/opt/phixflow/secure/saml/idp-metadata.xml</value>
					</constructor-arg>
					<property name="parserPool" ref="parserPool" />
				</bean>
		</constructor-arg>
		<constructor-arg>
			<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
				<!-- add properties to extend the metadata -->
				<!-- see https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html for values -->
				<property name="local" value="false" />
			</bean>
		</constructor-arg>
		<property name="metadataTrustCheck" value="false" />
	</bean>

Configure SAML User Details Service

For mixed mode

Mixed mode is when AAD performs the authentication, and PhixFlow performs the authorisation.

  • For this step you will need the Azure AD Identifier, this was captured earlier during the Azure AD set up

  • In phixflow-login.xml, find the samlUserDetailsService bean:

Code Block
        <!-- The following beans are for configuring SAML login -->
        <bean id="samlUserDetailsService"
                class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
                <property name="externalUserLoader" ref="externalUserLoader" />
                <property name="mappers">
                        <util:map>
                                <!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
                                <!--
                                <entry key="exampleEntityId">
                                        <ref bean="example1SamlAttributeMap" />
                                </entry>
                                -->
                        </util:map>
                </property>
        </bean>
  • Uncomment the entry key section

  • Update exampleEntityId to the value of Azure AD Identifier

  • Ensure the entry is pointing to exampleAuthenticationOnlySamlAttributeMap

A resulting example samlUserDetailsService bean:

Code Block
        <!-- The following beans are for configuring SAML login -->
        <bean id="samlUserDetailsService"
                class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
                <property name="externalUserLoader" ref="externalUserLoader" />
                <property name="mappers">
                        <util:map>
                                <!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
                                <entry key="https://sts.windows.net/0597bXXXXXXXXXXXXXXXXXXXXXXXX/">
                                        <ref bean="exampleAuthenticationOnlySamlAttributeMap" />
                                </entry>
                        </util:map>
                </property>
        </bean>
  • Update the exampleAuthenticationOnlySamlAttributeMap bean:

    • Replace the contents of the bean with the contents below

    • Update the property domain to reflect the domain of your identity provider, i.e. of your Microsoft tenant (technically, this is the value that will be displayed as the domain for any users who login using SAML; but you are strongly recommended to make this the domain of your identity provider)

Code Block
        <bean id="exampleAuthenticationOnlySamlAttributeMap"    class="com.accipia.centerview.util.security.UserDetailsMapper" >
                <property name="domain" value="example.com" />
                <property name="username" value="nameid" />
                <property name="authenticationOnly" value="true" />
                <property name="globalLogout" value="true" />
        </bean>

For mapped group mode

In mapped group mode, you rely on the groups a user is assigned to in AAD to allow them access to certain PhixFlow apps and features. I.e. AAD is responsible for both authentication and authorisation of users.

Set up mapped groups in PhixFlow

See Configure Groups for External Login. To complete this you will need the names or IDs of groups that are being supplied by AAD via the SAML exchange. These can be obtained directly from AAD but see also https://phixflow.atlassian.net/wiki/spaces/HELP100/pages/9106732489/Configure+AAD+Integration+via+SAML#Discovering-details---claims-values-and-group-names%2F-IDs for a handy way of discovering these.

Complete configuration of phixflow-login.xml to support mapped groups

  • For this step you will need the Azure AD Identifier, this was captured earlier during the Azure AD set up

  • In phixflow-login.xml, find the samlUserDetailsService bean:

Code Block
        <!-- The following beans are for configuring SAML login -->
        <bean id="samlUserDetailsService"
                class="com.accipia.centerview.util.security.ResolvingSAMLUserDetailsService" >
                <property name="externalUserLoader" ref="externalUserLoader" />
                <property name="mappers">
                        <util:map>
                                <!-- the key is the identity provider's entity id: add an entry for each external identity-provider -->
                                <!--
                                <entry key="exampleEntityId">
                                        <ref bean="example1SamlAttributeMap" />
                                </entry>
                                -->
                        </util:map>
                </property>
        </bean>
  • Uncomment the entry key section

  • Update exampleEntityId to the value of Azure AD Identifier

  • (Note that you can update the value example1SamlAttributeMap or use this section as a template to create a new mapping with a different name, and rename the reference to this bean in the step below to match this, but in these instructions we have assumed that you will use the default names)

Find the example1SamlAttributeMap bean:

Code Block
<!-- map external user attribute names to saml response attribute names -->
<bean id="example1SamlAttributeMap"  class="com.accipia.centerview.util.security.UserDetailsMapper" >
    <!-- this will be used to mark external users in the database as from this login provider / domain -->
    <property name="domain" value="mysaml.org" />
    <property name="username" value="urn:oid:0.9.2342.19200300.100.1.1" />
    <property name="firstname" value="urn:oid:2.5.4.42" />
    <property name="lastname" value="urn:oid:2.5.4.4" />
    <property name="phonenumber" value="urn:oid:2.5.4.20" />
    <property name="company" value="urn:oid:2.5.4.10" />
    <property name="department" value="urn:oid:2.5.4.11" />
    <property name="email" value="urn:oid:0.9.2342.19200300.100.1.3" />
    <property name="groups" value="1.2.840.113556.1.2.613" />
</bean>

There are a number of ways of updating this attribute map, this is a flexible mechanism for specifying the format of token claims, but for the remainder of this configuration we supply a recommended configuration that should suit the majority of PhixFlow instances.

  • Update the example1SamlAttributeMap bean:

    • Replace the contents of the bean with the contents below

    • Update the property domain to reflect the domain of your identity provider, i.e. of your Microsoft tenant (technically, this is the value that will be displayed as the domain for any users who login using SAML; but you are strongly recommended to make this the domain of your identity provider)

Code Block
        <!-- map external user attribute names to saml response attribute names -->
        <bean id="example1SamlAttributeMap"     class="com.accipia.centerview.util.security.UserDetailsMapper" >
                <!-- this will be used to mark external users in the database as from this login provider / domain -->
                <property name="domain" value="phixflow.org" />
                <property name="username" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
                <property name="firstname" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
                <property name="lastname" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
                <property name="email" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
                <property name="groups" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
                <!-- set below property to true to enable single/global logout -->
                <property name="globalLogout" value="false" />
        </bean>

Discovering details - claims values and group names/ IDs

There are various ways of getting details of the claims, and the names/ IDs of groups to be mapped (from AAD), but in many cases it is easiest to see what is being provided via SAML. To do this:

  • Apply the debug settings Option 1 (as described below)

  • Attempt a login with a test user that you believe has been set up correctly

  • Examine the server log file

In the example below, in the groups claim, Group ID has been set as the source attribute.

Code Block
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.ResolvingSAMLUserDetailsService [ResolvingSAMLUserDetailsService.java:43] resolved entityId 'https://sts.windows.net/ac26b444-992c-45e0-9963-d5640855a490/' to realm 'phixflow.org'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:113] credentials: org.springframework.security.saml.SAMLCredential@5a65288c
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/tenantid': 'ac26b444-992c-45e0-9963-d5640855a490'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/objectidentifier': '061fe582-ed14-4ce6-82e7-f59137d07211'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/displayname': 'Test User'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': '65831f5a-06fa-4245-92f0-ad2252b79c04'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': 'c06755b1-cfd5-4abf-9177-d497a463898f'
2023-09-08 10:41:38,163 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': '91f46287-da2d-41b2-a145-1a3f476a969e'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/identity/claims/identityprovider': 'https://sts.windows.net/ac26b444-992c-45e0-9963-d5640855a490/'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/claims/authnmethodsreferences': 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/claims/authnmethodsreferences': 'http://schemas.microsoft.com/claims/multipleauthn'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids': '34f948d8-759b-4f63-9427-79b007402544'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids': '290f8b04-e964-48ac-9063-c4fc669defb1'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'Test'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'User'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'test.user@example.com'
2023-09-08 10:41:38,166 DEBUG [http-nio-8080-exec-1] c.a.c.u.s.SAMLExternalUserSource [SAMLExternalUserSource.java:123] attr 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'test.user@example.com'

Other settings for SAML User Details Service

You can optionally add property name attributes to configure: 

  • single (global) logout
    By default, PhixFlow uses local logout. When a user logs out the PhixFlow session is terminated but
      - the SAML identity provider is not notified
      - the user is not logged out of their identity provider session.
    Alternatively, single logout terminates the PhixFlow session and logs out of the identity provider. Depending on your identity provider configuration, this may include terminating sessions with other identity providers. To apply single logout to all users in this domain, add the line:
       <property name="globalLogout" value="true" />

Troubleshooting

When troubleshooting the configuration, you can include additional diagnostics information in logs, by adding lines to logback.xml.

Option 1: more debug information

Code Block
<logger name="org.springframework.security" level="error" />
<logger name="com.accipia.centerview.util.security" level="debug" />

Option 2: full debug information

Code Block
#Log information about the SAML login framework

...


<logger name="org.springframework.security" level="error" />
<logger name="com.accipia.centerview.util.security" level="debug" />
<logger name="org.springframework.security.saml

...

" level = "debug" />
<logger name="org.opensaml

...

to your log4j.properties file - see Server Logging for details on controlling logging options with this file, and where to find the results.

Note that with all options applied, the log files generated will be very large. You must switch off these options as soon as you have completed your tests. You can comment out the lines in the log4j.properties file, if you want to keep them in the file, by placing a # at the beginning of each line.

You could also consider applying a more limited set of debugging options, e.g.

...

" level="debug" />
Tip

With additional debug information, PhixFlow will generate very large log files. Remember to remove these lines when your configuration is working and you no longer need the debug information. For information about accessing logs, see Server Log Files.

Live Search
spaceKey@self
additionalnone
placeholderSearch all help pages
typepage

Panel
borderColor#00374F
titleColorwhite
titleBGColor#00374F
borderStylesolid
titleSections on this page
Table of Contents
maxLevel3
indent12px
stylenone