FrejaAuthenticator
Note
Used when authenticating or signing against Freja eID.
Read more about Freja eID and integration here:
https://frejaeid.com/rest-api/Authentication%20Service.html
and here regarding authentication:
https://frejaeid.com/rest-api/Authentication%20Service.html#AuthenticationService-Methods.
Authentication mode is always the default. To use signature mode, the authentication must be for SAML and the AuthnRequest must contain a SignMessage. The "signText" for this Freja eID transaction will be set to the value of the SignMessage. You can disable signatures completely by setting the configuration parameter "allowSignTransactions" to "false".
Warning
The authenticator only handles Swedish and English localisation.
Properties
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| pipeID | Pipe to be executed after a successful authentication using Freja eID. | | Yes |
| keystoreId | Id of the keystore to use when communicating with the Freja eID backend server. | | Yes |
| mode | Whether to communicate with the test or the production Freja eID backend. Allowed values are 'test_personal', 'test_organisation', 'production_organisation' or 'production_personal'. | production | No |
| attributesToGet | The list of attributes to return from Freja eID, i.e. the user data. Allowed values are BASIC_USER_INFO, EMAIL_ADDRESS, DATE_OF_BIRTH, ADDRESSES, SSN, ORGANISATION_ID_IDENTIFIER, DOCUMENT, PHOTO, REGISTRATION_LEVEL, UNIQUE_PERSONAL_IDENTIFIER, LOA_LEVEL. When adding or changing this value, enter the attributes as a single comma-separated string. | SSN | No |
| requiredRegistrationLevel | Allowed values are BASIC, EXTENDED or PLUS. This is a single-value string. | PLUS | No |
| allowSignTransactions | Whether or not to allow Freja eID sign transactions to be started if an incoming request contains a SignMessage. | true | No |
| signTitle | The title of the sign transaction as it appears in the app. Only relevant when a sign transaction has been triggered. | | |
| customReturnUrls | Custom return URLs to be used, read more here. | | No |
| relyingPartyId | Identifier of the relying party. | | No |
| allowedModes | Which authenticator modes are allowed to be used. Possible values are 'deviceApp' and 'qrCode'; the recommendation is to allow both. | deviceApp, qrCode | No |
| timeoutMinutes | Number of minutes before the transaction expires and a manual restart is needed. Recommended to be at least 5 for accessibility. | 10 | No |
| userInfoType | The userInfoType as defined by Freja. Default is INFERRED, which is QR Code / Same Device. Possible values are INFERRED, EMAIL, PHONE, SSN. | INFERRED | No |
| userInfo | The userInfo to start the transaction for; pairs with userInfoType. Default is N/A, which pairs with userInfoType INFERRED. If userInfoType is e.g. PHONE, then userInfo should be a phone number registered in the user's Freja eID. This attribute is EXPANDABLE, so you may fill this value with attributes from the current authentication flow. Example below. | N/A | No |
Example configuration
```json
{
  "id": "freja",
  "alias": "freja",
  "name": "FrejaAuthenticator",
  "displayName": "Freja",
  "configuration": {
    "pipeID": "64452300-d25d-45ae-bd7a-a6cfb7f0e5e0",
    "keystoreId": "c5e0b707-a297-420e-a741-08d3e25df1be",
    "mode": "test_personal",
    "attributesToGet": "EMAIL_ADDRESS,SSN,ORG_ID",
    "allowedModes": ["qrCode", "deviceApp"]
  }
}
```
Example with non-default userInfoType
In this example, userInfo is set to {{item.ssn}}, meaning the userInfo depends on the current item in the authentication flow.
You may want to use a SequenceAuthenticator to set up a user input via a DynamicAuthenticator in a previous step, so that
the current item has an attribute "ssn" containing the personal number you want to start a Freja authentication for.
```json
{
  "id": "freja",
  "alias": "freja",
  "name": "FrejaAuthenticator",
  "displayName": "Freja",
  "configuration": {
    "pipeID": "64452300-d25d-45ae-bd7a-a6cfb7f0e5e0",
    "keystoreId": "c5e0b707-a297-420e-a741-08d3e25df1be",
    "mode": "test_personal",
    "userInfoType": "SSN",
    "userInfo": "{{item.ssn}}",
    "attributesToGet": "EMAIL_ADDRESS,SSN,ORG_ID",
    "allowedModes": ["qrCode", "deviceApp"]
  }
}
```
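A pre-deployment sanity check of a "configuration" block against the allowed values, defaults and userInfo/userInfoType pairing listed in the Properties table above. This validator is an added example, not part of the product; the rule that a non-INFERRED userInfoType needs a userInfo value, and that INFERRED expects N/A, is inferred from the table.

```python
# Allowed values and defaults, taken from the Properties table of this page.
ALLOWED_BACKEND_MODES = {"test_personal", "test_organisation",
                         "production_organisation", "production_personal"}
ALLOWED_ATTRIBUTES = {"BASIC_USER_INFO", "EMAIL_ADDRESS", "DATE_OF_BIRTH", "ADDRESSES",
                      "SSN", "ORGANISATION_ID_IDENTIFIER", "DOCUMENT", "PHOTO",
                      "REGISTRATION_LEVEL", "UNIQUE_PERSONAL_IDENTIFIER", "LOA_LEVEL"}
REGISTRATION_LEVELS = {"BASIC", "EXTENDED", "PLUS"}
AUTHENTICATOR_MODES = {"deviceApp", "qrCode"}
USER_INFO_TYPES = {"INFERRED", "EMAIL", "PHONE", "SSN"}


def check_freja_config(conf: dict) -> list[str]:
    """Return a list of findings for a FrejaAuthenticator 'configuration' block.
    An empty list means every documented rule passed."""
    findings = []
    for key in ("pipeID", "keystoreId"):            # the two mandatory properties
        if not conf.get(key):
            findings.append(f"{key} is mandatory")
    if "mode" in conf and conf["mode"] not in ALLOWED_BACKEND_MODES:
        findings.append(f"mode {conf['mode']!r} is not an allowed value")
    # attributesToGet is a comma-separated string, not a JSON array
    raw = conf.get("attributesToGet", "SSN")
    if not isinstance(raw, str):
        findings.append("attributesToGet must be a comma-separated string")
    else:
        for attr in (a.strip() for a in raw.split(",")):
            if attr not in ALLOWED_ATTRIBUTES:
                findings.append(f"attributesToGet contains unknown attribute {attr!r}")
    level = conf.get("requiredRegistrationLevel", "PLUS")
    if level not in REGISTRATION_LEVELS:
        findings.append(f"requiredRegistrationLevel {level!r} is not allowed")
    modes = conf.get("allowedModes", ["deviceApp", "qrCode"])
    if isinstance(modes, str):                       # accept "deviceApp, qrCode" as well
        modes = [m.strip() for m in modes.split(",")]
    unknown = sorted(set(modes) - AUTHENTICATOR_MODES)
    if unknown:
        findings.append(f"allowedModes contains unknown mode(s) {unknown}")
    timeout = conf.get("timeoutMinutes", 10)
    if not isinstance(timeout, int) or timeout < 5:  # table recommends at least 5
        findings.append("timeoutMinutes should be an integer of at least 5")
    # userInfoType and userInfo pair up (assumption drawn from the table):
    # INFERRED goes with N/A, any other type needs an actual userInfo value.
    info_type = conf.get("userInfoType", "INFERRED")
    info = conf.get("userInfo", "N/A")
    if info_type not in USER_INFO_TYPES:
        findings.append(f"userInfoType {info_type!r} is not allowed")
    elif info_type == "INFERRED" and info != "N/A":
        findings.append("userInfo is set although userInfoType is INFERRED (N/A expected)")
    elif info_type != "INFERRED" and info in ("", "N/A"):
        findings.append(f"userInfoType {info_type} requires a userInfo value")
    return findings
```

Run it on the "configuration" object of each authenticator before uploading; the EXPANDABLE value "{{item.ssn}}" passes as long as userInfoType is not INFERRED.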
Additional information
Only some of the information returned from Freja eID is available to the pipe when executing.
If returned from Freja eID, the attributes are:
- userPersonalNumber
- userGivenName
- userSurName
- primaryMail
- relyingPartyUserId
- integratorSpecificUserId
- documentType
- documentExpirationDate
- documentCountry
- documentSerialNumber
- registrationLevel
- uniquePersonalIdentifier
- loaLevel
The executing PIPE MUST return an item property named userName. It is used as the user identifier for the current session and may NOT be empty.
Requirements
- A keystore with a valid certificate is uploaded to the PAS server.
- The user is enrolled for Freja eID.
- The Freja backend HTTPS/TLS certificate is trusted. This is not done by default; see: Add new certificates to the trust store