SAML IdP Discovery
Overview
This guide details the integration of an external SAML Identity Provider (IdP) Discovery Service with PhenixID Authentication Services (PAS), configured as a SAML Service Provider (SP) within aggregated federations like SAMBI or Skolfederation. In this setup, PAS directs the user’s browser to an external IdP Discovery Service, allowing the user to select their preferred IdP or organization for authentication. Once an IdP is chosen, the Discovery Service returns this selection to the PAS SP, which then initiates the standard login flow with the selected IdP.
Configure your SPBroker
Set the parameter "discoveryUrl" on the SPBroker authenticator to redirect the user to the IdP Discovery Service URL.
Example conf:
{
  "id": "spb1",
  "alias": "spb1",
  "name": "SPBroker",
  "displayName": "eIDAS",
  "configuration": {
    "pipeID": "pipeAssertionConsumer",
    "targetIDP": "https://yoururl/authentication/saml/idp",
    "discoveryUrl": "https://apache.phenixid.se/discovery/DS",
    "sp": "sp"
  }
}
Extract your metadata
- Fetch your SP metadata by opening the URL. For a SAMLServiceProviderAuthN authenticator: https://yoururl/samlsp/sp/meta
- Save the produced metadata to an XML file.
- Open the XML file in a text editor.
- Manually add an Extensions block containing an idpdisc:DiscoveryResponse element. The IdP Discovery Service uses it as the return URL. The Location value must be the same as the acsUrl value. This block should be added inside the SPSSODescriptor tag. Example:
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions>
    <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://yoururl/authentication/saml/idp/login" index="1"/>
  </md:Extensions>
  <!-- the rest of the existing SPSSODescriptor content (including the AssertionConsumerService with the acsUrl) follows -->
</md:SPSSODescriptor>
- Save the file.
- The metadata for your SP must now be provided to the IdP Discovery Service (or the aggregated federation).
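Added example (not PAS or PhenixID code) showing the SP side of the exchange described in the overview: the check that each DiscoveryResponse Location equals an acsUrl, the redirect to the Discovery Service, and validation of the IdP the service sends back. It assumes the standard query parameters of the OASIS IdP Discovery protocol (entityID, return, returnIDParam), uses this page's placeholder URLs in a constructed metadata fragment, and takes the set of trusted IdPs as input (in practice, the federation metadata).

```python
"""SP-side helpers for the SAML IdP Discovery exchange (added example, not PAS code)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed SP metadata fragment mirroring the block this guide asks you to add.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yoururl/samlsp/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://yoururl/authentication/saml/idp/login" index="1"/>
    </md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yoururl/authentication/saml/idp/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def discovery_return_urls(metadata_xml):
    """DiscoveryResponse Locations from SP metadata; each must equal an ACS Location."""
    root = ET.fromstring(metadata_xml)
    acs = {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}
    locations = [e.get("Location") for e in root.iterfind(".//idpdisc:DiscoveryResponse", NS)]
    bad = [loc for loc in locations if loc not in acs]
    if bad:
        raise ValueError(f"DiscoveryResponse Location is not an acsUrl: {bad}")
    return locations


def build_discovery_request(ds_url, sp_entity_id, return_url):
    """Redirect URL sending the browser to the DS (protocol parameters entityID/return/returnIDParam)."""
    query = {"entityID": sp_entity_id, "return": return_url, "returnIDParam": "entityID"}
    return f"{ds_url}?{urlencode(query)}"


def selected_idp(response_url, trusted_idps):
    """IdP entityID the DS sent back, or None if the user made no selection."""
    # Only IdPs present in the federation metadata are accepted, so a tampered
    # redirect cannot steer the login to an IdP this SP does not trust.
    values = parse_qs(urlparse(response_url).query).get("entityID", [])
    if not values:
        return None
    if len(values) != 1 or values[0] not in trusted_idps:
        raise ValueError("DS returned an IdP that is not in the federation metadata")
    return values[0]
```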
Verification of Discovery Service
Here are steps to test the authentication process after configuring SAML IdP Discovery with PhenixID Authentication Services (PAS):
Initiate Authentication at Protected Service
- Go to the protected service URL where PAS is configured as the SAML Service Provider.
- Ensure that the login process initiates and the browser redirects to the configured IdP Discovery Service.
Select an Identity Provider (IdP)
- On the IdP Discovery Service page, select an available IdP or organization from the list.
- Confirm that, after selection, the browser redirects back to PAS with the chosen IdP’s details.
Verify Redirection to the IdP for Login
- Check that PAS redirects the browser to the selected IdP’s login page.
Authenticate with IdP
- Enter valid user credentials for the selected IdP and proceed with the login.
Access Protected Service
- After successful authentication, verify that the browser redirects back to the protected service, granting access as expected.
- Confirm that the user is logged in and can access the resources they are authorized to see.
These steps help confirm that the authentication flow from PAS to IdP Discovery and back to the selected IdP is functioning as intended.