Unikum – MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to configure PhenixID Authentication Services to deliver multi-factor authentication and Single Sign-on (SSO) to Unikum ( https://www.unikum.se).

System Requirements

  • PhenixID Authentication Services 2.7 or higher
  • PhenixID Authentication Services configured with a SAML Identity Provider connected to Skolfederation. Follow this step-by-step guide to add PhenixID Authentication Services to Skolfederation.

Instruction

Configure Execution flow for Unikum

  • Login to Configuration Manager

  • Click Scenarios, Federation.

  • Select your previously configured IdP for Skolfederationen.

  • Click Execution Flow

  • Prepare the SAML-to-User Store attribute mapping for Unikum using this guide. The SAML attributes to be sent to Unikum are:

    • urn:oid:1.3.6.1.4.1.2428.90.1.5
    • urn:oid:2.5.4.4
    • urn:oid:2.5.4.42
    • urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    • urn:oid:0.9.2342.19200300.100.1.3
  • Expand the last execution flow and look for an existing AssertionProvider

  • Expand the AssertionProvider

  • Copy the Target Entity ID Value

  • Add new valve to the last execution flow (where the SAML Assertion is produced)

    • Type=AssertionProvider
    • Set Target Entity ID to the previously copied value
    • Set NameID attribute = userPrincipalName
    • Set Additional attributes = urn:oid:1.3.6.1.4.1.2428.90.1.5,urn:oid:2.5.4.4,urn:oid:2.5.4.42,urn:oid:1.3.6.1.4.1.5923.1.1.1.6,urn:oid:0.9.2342.19200300.100.1.3
    • Set Source ID = https://start.unikum.net/sp
    • Add a Miscellaneous value: excludeSubjectNotBefore = true
  • On the Advanced tab of the valve, limit the AssertionProvider so that it executes only when authentication to Unikum is requested. Add this to the Execute if expression:

    flow.property('issuer').equals('https://start.unikum.net/sp')

  • Save. Make sure the new AssertionProvider added is placed last in the Execution flow list.

Test

  • Find out the post_sso_url for your previously created IDP.

    It can be found on the page:

    Scenarios, Federation, “your IDP authenticator”, Identity Provider.

  • Open a browser and open <post_sso_url_from_previous_step>?resolvedSPID=https://start.unikum.net/sp

  • Your browser should be redirected to the PhenixID IdP

  • Authenticate

  • Verify that you are redirected to the Unikum application after login with a valid SAML Assertion. Please consult PhenixID for additional debugging if needed.
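When verifying the assertion in the last step, it helps to check the decoded SAML against the exact settings configured above rather than only confirming that Unikum lets you in. The following checker is an added example and is not PhenixID's or Unikum's code. It assumes you have the assertion as decoded, unencrypted XML (for instance copied from a browser SAML-tracing extension), that the Source ID setting ends up as the saml:Audience value, and that excludeSubjectNotBefore = true means SubjectConfirmationData carries no NotBefore attribute. The sample assertion and all attribute values in it are constructed for illustration.

```python
"""Check a decoded SAML assertion against the Unikum AssertionProvider settings from this guide.

Added example (not PhenixID code). Uses only the standard library.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The "Additional attributes" list from the guide. Comments give the usual LDAP attribute name
# behind each OID; the guide itself only lists the OIDs.
REQUIRED_ATTRIBUTES = [
    "urn:oid:1.3.6.1.4.1.2428.90.1.5",   # norEduPersonNIN
    "urn:oid:2.5.4.4",                   # sn
    "urn:oid:2.5.4.42",                  # givenName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",  # eduPersonPrincipalName
    "urn:oid:0.9.2342.19200300.100.1.3", # mail
]

# "Source ID" from the guide; assumed here to be what the IdP emits as the saml:Audience.
UNIKUM_SP = "https://start.unikum.net/sp"

# Constructed sample assertion (not captured from a real login; signature omitted; issuer hypothetical).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example-school.invalid/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>anna.andersson@example-school.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
          Recipient="https://start.unikum.net/sp/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://start.unikum.net/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.2428.90.1.5"><saml:AttributeValue>19900101-1234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Andersson</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Anna</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>anna.andersson@example-school.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>anna.andersson@example-school.invalid</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_unikum_assertion(xml_text: str) -> list[str]:
    """Return a list of problems found. An empty list means the assertion matches the guide's settings.

    Accepts either a bare saml:Assertion or a samlp:Response wrapping one.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    problems: list[str] = []

    # NameID attribute = userPrincipalName: the NameID must be present and non-empty.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("NameID missing or empty (expected the userPrincipalName value)")

    # Source ID: the assertion must be restricted to the Unikum SP.
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if UNIKUM_SP not in audiences:
        problems.append(f"Audience does not include {UNIKUM_SP}")

    # excludeSubjectNotBefore = true: no NotBefore on SubjectConfirmationData.
    for scd in assertion.findall(".//saml:SubjectConfirmationData", NS):
        if "NotBefore" in scd.attrib:
            problems.append("SubjectConfirmationData carries NotBefore; expected excludeSubjectNotBefore = true")

    # Additional attributes: every required OID must be present with at least one non-empty value.
    present: dict[str, list[str]] = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
        present[attr.get("Name", "")] = values
    for name in REQUIRED_ATTRIBUTES:
        if name not in present:
            problems.append(f"missing attribute {name}")
        elif not present[name]:
            problems.append(f"attribute {name} has no value")

    return problems


if __name__ == "__main__":
    for problem in check_unikum_assertion(SAMPLE_ASSERTION) or ["assertion matches the Unikum settings"]:
        print(problem)
```

Run it against the assertion captured during the Test steps; any line it prints points at a specific setting on the AssertionProvider valve to revisit (attribute mapping, NameID, Source ID, or the Miscellaneous value).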