FrejaEIDSAML
Warning
This authenticator is a legacy authenticator. It is recommended to plan for migrating it to the new protocol-agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
Used when acting as a SAML IDP in conjunction with Freja eID.
When authenticating with another device, only the QR code method is available and no input is required from the user. On the same device (mobile client), the "app switching" pattern is used.
Read more about Freja eID and integration here:
https://frejaeid.com/rest-api/Authentication%20Service.html
and here regarding authentication:
https://frejaeid.com/rest-api/Authentication%20Service.html#AuthenticationService-Methods
Warning
The authenticator only handles Swedish and English localisation.
Properties
Name | Description | Default value | Mandatory |
---|---|---|---|
idpID | The internal id of the IDP that should issue the assertion. | | Yes |
pipeID | Pipe to be executed after a successful authentication using Freja eID mobile. | | Yes |
loginTemplate | Name of the template used for rendering the frontend UI. | frejaeid_v2.template | No |
relyingPartyId | Identifier of the relying party. | | No |
keystoreId | Id of the keystore to use when communicating with the Freja eID backend server. | | Yes |
mode | Whether to communicate with the test or the production Freja eID backend. Allowed values are 'test_personal', 'test_organisation', 'production_organisation' or 'production_personal'. | production | No |
max_polls | How many polls are made before the process is considered timed out. | 30 | No |
poll_interval | Time between polls, in milliseconds. Note that a tighter poll interval adds strain to the system. | 2000 | No |
attributesToGet | The list of attributes to return from Freja eID, i.e. the user data. Allowed values are BASIC_USER_INFO, EMAIL_ADDRESS, DATE_OF_BIRTH, ADDRESSES, SSN, ORGANISATION_ID_IDENTIFIER, DOCUMENT, PHOTO, REGISTRATION_LEVEL. When adding or changing values, the data must be entered as a single comma-separated string. | SSN | No |
reqiredRegistrationLevel | Required registration level. Allowed values are BASIC, EXTENDED or PLUS. This is a single-value string. | PLUS | No |
samlAuthMethod | Value to put in the SAML assertion AuthnContextClassRef. | urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract | No |
sendSAMLResponseOnError | Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. | false | No |
strictValidation | Whether or not additional validation checks should be made on the SAMLRequest. | false | No |
resolveSAMLRequestProperties | Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. | false | No |
device_selector | Enables selection of authentication device. | true | No |
method_other_device_enabled | Enables authentication using a QR code with another device. | true | No |
method_same_device_enabled | Enables authentication on the same device. | true | No |
Example configuration
```json
{
  "id": "freja",
  "alias": "freja",
  "name": "FrejaEIDSAML",
  "displayName": "Freja",
  "configuration": {
    "pipeID": "64452300-d25d-45ae-bd7a-a6cfb7f0e5e0",
    "idpID": "da35b801-9894-45b9-9d97-98c336ead5f0",
    "keystoreId": "c5e0b707-a297-420e-a741-08d3e25df1be",
    "mode": "test_personal",
    "attributesToGet": "EMAIL_ADDRESS,SSN,ORG_ID"
  }
}
```
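A configuration entry like the one above is easy to get subtly wrong, since attributesToGet is a comma-separated string rather than a JSON array and several properties accept only a fixed set of values. The checker below is an added example, not PhenixID code: it applies the rules from the properties table (mandatory keys, the allowed values for mode, attributesToGet and reqiredRegistrationLevel, and positive polling numbers) to an authenticator entry and reports every violation. Run against the page's own example it flags ORG_ID, which is not among the listed attribute names. The property names and allowed values come from the table; the message texts and the positive-integer rule for the polling properties are assumptions.

```python
"""Configuration checker for a FrejaEIDSAML authenticator entry.

Added example, not PhenixID code. It applies the rules from the properties
table: mandatory keys, the allowed values for mode, attributesToGet and
reqiredRegistrationLevel, and positive polling numbers.
"""
import json

MANDATORY = ("idpID", "pipeID", "keystoreId")
ALLOWED_MODES = {"test_personal", "test_organisation",
                 "production_organisation", "production_personal"}
ALLOWED_ATTRIBUTES = {"BASIC_USER_INFO", "EMAIL_ADDRESS", "DATE_OF_BIRTH", "ADDRESSES",
                      "SSN", "ORGANISATION_ID_IDENTIFIER", "DOCUMENT", "PHOTO",
                      "REGISTRATION_LEVEL"}
ALLOWED_LEVELS = {"BASIC", "EXTENDED", "PLUS"}


def validate_config(authenticator: dict) -> list:
    """Return the list of problems found; an empty list means the entry passes."""
    problems = []
    if authenticator.get("name") != "FrejaEIDSAML":
        problems.append("name: expected 'FrejaEIDSAML'")
    cfg = authenticator.get("configuration") or {}

    for key in MANDATORY:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{key}: mandatory property is missing or empty")

    # The table lists 'production' as the default but names four allowed
    # values, so only an explicitly configured mode is checked here.
    if "mode" in cfg and cfg["mode"] not in ALLOWED_MODES:
        problems.append(f"mode: '{cfg['mode']}' is not one of {sorted(ALLOWED_MODES)}")

    # attributesToGet is a single comma-separated string, not a JSON array.
    raw = cfg.get("attributesToGet", "SSN")
    if not isinstance(raw, str):
        problems.append("attributesToGet: must be a comma-separated string")
    else:
        for attr in (a.strip() for a in raw.split(",")):
            if attr and attr not in ALLOWED_ATTRIBUTES:
                problems.append(f"attributesToGet: '{attr}' is not an allowed attribute")

    level = cfg.get("reqiredRegistrationLevel", "PLUS")
    if level not in ALLOWED_LEVELS:
        problems.append(f"reqiredRegistrationLevel: '{level}' is not BASIC, EXTENDED or PLUS")

    # Assumed rule: both polling properties must be positive integers.
    for key, default in (("max_polls", 30), ("poll_interval", 2000)):
        value = cfg.get(key, default)
        try:
            number = int(value)
        except (TypeError, ValueError):
            problems.append(f"{key}: '{value}' is not an integer")
            continue
        if number <= 0:
            problems.append(f"{key}: must be a positive integer")
    return problems


# The page's own example configuration, parsed from its JSON text.
PAGE_EXAMPLE = json.loads("""
{
  "id": "freja",
  "alias": "freja",
  "name": "FrejaEIDSAML",
  "displayName": "Freja",
  "configuration": {
    "pipeID": "64452300-d25d-45ae-bd7a-a6cfb7f0e5e0",
    "idpID": "da35b801-9894-45b9-9d97-98c336ead5f0",
    "keystoreId": "c5e0b707-a297-420e-a741-08d3e25df1be",
    "mode": "test_personal",
    "attributesToGet": "EMAIL_ADDRESS,SSN,ORG_ID"
  }
}
""")

# Constructed variant with the attribute name corrected to a listed value.
CORRECTED_EXAMPLE = json.loads(json.dumps(PAGE_EXAMPLE))
CORRECTED_EXAMPLE["configuration"]["attributesToGet"] = "EMAIL_ADDRESS,SSN,ORGANISATION_ID_IDENTIFIER"

if __name__ == "__main__":
    for label, entry in (("page example", PAGE_EXAMPLE), ("corrected", CORRECTED_EXAMPLE)):
        print(label, validate_config(entry) or "OK")
```

The checker deliberately reports all problems instead of stopping at the first one, so a deployment script can print the full list before refusing to load the entry.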
Additional information
Only some of the information returned from Freja eID is available to the pipe when executing.
If returned from Freja eID, the attributes are:
- userPersonalNumber
- userGivenName
- userSurName
- primaryMail
- relyingPartyUserId
- integratorSpecificUserId
- documentType
- documentExpirationDate
- documentCountry
- documentSerialNumber
- registrationLevel
The executing PIPE MUST return an item property named userName. It will be used as user identifier for the current session.
It may NOT be empty.
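The contract above (the pipe must set a non-empty userName item property from whichever Freja eID attributes were returned) is shown below as an added example, not a PhenixID pipe. It takes the attribute names listed above, derives userName from the personal number, copies optional attributes through only when present, and raises instead of returning an empty identifier. The defence-in-depth check that the returned registrationLevel is at least the configured requirement, and the ordering BASIC < EXTENDED < PLUS it relies on, are assumptions made here; the sample attribute values are constructed.

```python
"""Pipe output contract for FrejaEIDSAML: build the mandatory userName item.

Added example, not a PhenixID pipe. The attribute names are the ones the
authenticator exposes to the pipe; the level ordering is an assumption.
"""

LEVEL_RANK = {"BASIC": 0, "EXTENDED": 1, "PLUS": 2}  # assumed ordering


class PipeError(ValueError):
    """Raised when the pipe must stop the authentication instead of issuing a session."""


def build_pipe_item(freja_attrs: dict, required_level: str = "PLUS",
                    identifier_attribute: str = "userPersonalNumber") -> dict:
    """Return the item properties for the session, with a non-empty userName."""
    if required_level not in LEVEL_RANK:
        raise ValueError(f"unknown required level {required_level!r}")
    # Defence in depth: do not trust that a lower level was rejected upstream.
    level = freja_attrs.get("registrationLevel")
    if level not in LEVEL_RANK or LEVEL_RANK[level] < LEVEL_RANK[required_level]:
        raise PipeError(f"registrationLevel {level!r} is below required {required_level}")

    # userName MUST be present and non-empty; whitespace-only counts as empty.
    user_name = str(freja_attrs.get(identifier_attribute) or "").strip()
    if not user_name:
        raise PipeError(f"userName would be empty: {identifier_attribute} missing from Freja eID data")

    item = {"userName": user_name}
    # Copy optional attributes through only when Freja eID actually returned them.
    for source, target in (("userGivenName", "givenName"),
                           ("userSurName", "sn"),
                           ("primaryMail", "mail")):
        value = freja_attrs.get(source)
        if value:
            item[target] = value
    return item


# Constructed sample of what the authenticator hands the pipe (not real data).
SAMPLE_ATTRS = {
    "userPersonalNumber": "19900101XXXX",  # constructed placeholder value
    "userGivenName": "Test",
    "userSurName": "Person",
    "primaryMail": "test.person@example.org",
    "registrationLevel": "PLUS",
}

if __name__ == "__main__":
    print(build_pipe_item(SAMPLE_ATTRS))
```

Raising on an empty identifier matters because a session keyed on an empty userName would not be attributable to any account; failing the authentication is the safe outcome.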
Requirements
- A keystore with a valid certificate is uploaded to the PAS server.
- The user is enrolled for Freja eID.
- The Freja backend HTTPS/TLS certificate is trusted. This is not done by default; see "Add new certificates to the trust store".