Protect Nginx resources – MFA and SSO with PhenixID Authentication Services

Warning

Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators instead, apply the corresponding changes to the configuration examples outlined in this article.

Summary

This document guides you through the steps to enable multi-factor authentication and SSO for web resources hosted on the Nginx web and application server (https://www.nginx.com/).

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • Nginx administrative rights

Overview

  • The integration is based on the open-source Shibboleth Service Provider (SP), which protects the resource on Nginx and acts as a SAML Service Provider against a SAML Identity Provider (PhenixID Authentication Services).
  • If the protected resource needs the user ID of the authenticated user, read it from the username HTTP header on the incoming request. The value is trustworthy only because Nginx is configured (see the more_clear_input_headers directive below) to drop any username header supplied by the client before the Shibboleth authorizer sets its own.

Instruction

Configure PhenixID Authentication Services as Identity Provider

  1. Set up PhenixID Authentication Services as a SAML IdP.

  2. Identify the attribute in your user store that holds the user ID. This differs between environments.

    (For Active Directory this is typically sAMAccountName or userPrincipalName; for other LDAP directories it is typically uid.)

  3. Go to Scenarios->Federation-><YOUR_IDP>->Identity Provider

  4. Add a Post SLO url: https://<your_phenixid_domain>/saml/authenticate/logout/

  5. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow

  6. Make the following adjustments:

    1. Add a PropertyAddValve above the AssertionProvider with the following values. Replace <attribute_containing_username> with the attribute identified in the step above.

      • name = username

      • value = {{item.<attribute_containing_username>}}

      Example: value = {{item.userPrincipalName}}

    2. Click AssertionProvider

    3. Set NameID Attribute = username

    4. Set additional attributes = username

  7. Save.

  8. Go to Scenarios->Federation-><YOUR_IDP> (the scenario set up in step 1)->Identity Provider. Deselect “Require signed requests”. Note that with this setting deselected the IdP accepts authentication requests that are not signed by the SP; trust in the SP then rests on the SP metadata you register later in this guide.

  9. Save.

  10. Export your SAML IdP metadata by browsing to:

    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta

    and save the metadata to an XML file.

Configure Nginx

  1. Install Shibboleth SP for Nginx using this guide.

    In the configuration section, find the location /secure section and change:

    • /secure to the path(s) of the web resource(s) to be protected

    • more_clear_input_headers to:

      more_clear_input_headers 'username';

      This drops any username header sent by the client, so the backend only ever sees the value set by the Shibboleth authorizer.

    • the proxy_pass value to suit your environment.

  2. Configure Shibboleth SP by following this section. Open the IdP metadata file downloaded in the step above to find the entityID of the IdP.

    For the attribute mapping part, add this mapping:

    <Attribute name="username" id="username">
      <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    
  3. Add the IdP as a trusted provider by following this section (this is where the entityID and the downloaded IdP metadata are used).
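The server block below is an added example, not configuration from the PhenixID article or from the Shibboleth or nginx-http-shibboleth projects. It shows how the pieces from the three steps above fit together once Shibboleth SP and its Nginx module are installed: the internal FastCGI authorizer location that shib_request calls, the /Shibboleth.sso responder location that receives the SAML response from PhenixID, and the protected location that clears client-supplied headers before the authorizer injects the username attribute. The hostname sp.example.com, the TLS file paths, the Unix socket paths, the /app prefix and the upstream address http://127.0.0.1:8080 are assumptions; adjust them to your environment.

```nginx
# Added example: Nginx server block protecting /app with Shibboleth SP.
# Hostname, certificate paths, socket paths, /app and the upstream are assumed.
server {
    listen 443 ssl;
    server_name sp.example.com;                               # assumed
    ssl_certificate     /etc/nginx/tls/sp.example.com.crt;    # assumed
    ssl_certificate_key /etc/nginx/tls/sp.example.com.key;    # assumed

    # FastCGI authorizer (shibauthorizer). Only reached via shib_request;
    # "internal" prevents clients from calling it directly.
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;  # assumed path
    }

    # FastCGI responder (shibresponder). Serves /Shibboleth.sso/*, i.e. the
    # SAML assertion consumer, logout, session status and SP metadata.
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/run/shibboleth/shibresponder.sock;   # assumed path
    }

    # Protected resource. Each request is checked by the authorizer first;
    # an unauthenticated user is redirected to PhenixID to log in.
    location /app {
        # Drop the 'username' header (and the standard Shibboleth headers)
        # if a client sends them, so the backend can trust only the values
        # the authorizer injects. Without this a client could spoof the user.
        more_clear_input_headers 'username' 'Shib-*' 'Variable-*';

        shib_request /shibauthorizer;
        # Pass the Shibboleth attributes (including 'username' from
        # attribute-map.xml) to the backend as request headers.
        shib_request_use_headers on;

        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

The more_clear_input_headers directive comes from the headers-more module, which nginx-http-shibboleth relies on; if your build lacks it, the username header is not stripped and the backend must not trust it.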

Add Nginx/Shibboleth SP as a trusted Service Provider in PhenixID Authentication Services

  1. Log in to Configuration Manager.
  2. Follow this guide. The SP metadata to register is served by Shibboleth SP at https://<your_nginx_host>/Shibboleth.sso/Metadata once the responder is running.

Test

Browse to the protected resource.

You should be redirected to PhenixID Authentication Services.

Authenticate.

You should be redirected back to the Shibboleth SP endpoint on Nginx (/Shibboleth.sso/SAML2/POST by default), which consumes the SAML response and creates the session.

You should then be redirected to the protected resource.

To confirm the integration end to end, check that the backend receives the authenticated user in the username request header, and that a username header supplied by the client is dropped rather than passed through to the backend.