SAML2SithsEID
Warning
This authenticator is a legacy authenticator. It is recommended to plan for migrating the authenticator to the new protocol agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
Authenticate using Siths EID (card or app).
Siths EID authenticator allows for two different scenarios:
- Starting Siths EID on the same device.
- Starting Siths EID using a QR code.
Every method needs to be activated through configuration.
On successful authentication, these parameters will be added to the request sent to the connected pipe:
- userPersonalNumber - The end user's personal number (SSID)
- userCertificate - The full user certificate (PEM formatted)
Properties
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| idpID | The internal identifier of the idp used | N/A | Yes |
| pipeID | ID of the pipe to be executed on successful authentication | N/A | Yes |
| samlAuthMethod | The value to be set in the AuthnContextClassRef of the SAML assertion | urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig | No |
| keyStore | ID of the key store used to communicate with Siths eid backend | N/A | Yes |
| sithseidURL | The root URL of the Siths EID Backend. | N/A | Yes |
| rfc2253Issuers | List of trusted SITHS eID issuers. | [ "CN=TEST SITHS e-id Person HSA-id 3 CA v1,O=Inera AB,C=SE", "CN=TEST SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE", "CN=TEST SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE", "CN=CGI Test Root CA,OU=Test,O=CGI,ST=Jamtland,C=SE", "CN=SITHS Type 1 CA v1,O=Inera AB,C=SE", "CN=SITHS Type 1 CA v1 PP,O=Inera AB,C=SE" ] | No |
| loginTemplate | Template used for rendering the user facing UI | sithseid.template | No |
| templateVariables | Parameters to control the GUI rendering. Methods define the user options to present (sd=same device, qr=qr code) | N/A | Yes |
| organizationName | The header text to be displayed in the Siths Eid client during authentication. | N/A | Yes |
| personalIdentifier | Which personalIdentifier should be used. | N/A | No |
| sendSAMLResponseOnError | Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. | false | No |
| strictValidation | Whether or not additional validation checks should be made on the SAMLRequest. | false | No |
| resolveSAMLRequestProperties | Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. | false | No |
Example Configuration
```json
{
  "id": "c48b7a22-21c9-44f2-b606-6bd000db60fe",
  "alias": "siths-eid-test",
  "name": "SAML2SithsEID",
  "displayName": "siths-eid-test",
  "configuration": {
    "keyStore": "5ca8fb2f-bb98-48eb-a1fd-f1e89879fd50",
    "pipeID": "e9acc237-0357-4d8e-b68d-c487b2b987d4",
    "idpID": "2a9b1517-c8ef-47cc-a2f2-783076e124dc",
    "sithseidURL": "https://secure-authservice.idp.ineratest.org",
    "samlAuthMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig",
    "organizationName": "PhenixID Authentication Services",
    "templateVariables": {
      "methods": [
        {
          "image": "/authenticate/res/images/sithseid/sithseid.png",
          "data-toggle-action": "SD",
          "title": "sithseid.messages.option_label_sd"
        },
        {
          "image": "/authenticate/res/images/sithseid/sithseid-qrc.png",
          "data-toggle-action": "QR",
          "title": "sithseid.messages.option_label_qr"
        }
      ]
    },
    "translation": [
      "sithseid.messages.title_starting",
      "sithseid.messages.title_current_device",
      "sithseid.messages.title_mobile_device",
      "sithseid.messages.title_qrcode",
      "sithseid.messages.text_starting",
      "sithseid.messages.text_current_device",
      "sithseid.messages.text_mobile_device",
      "sithseid.messages.text_qrcode",
      "sithseid.messages.input_personal_number",
      "sithseid.messages.button_submit",
      "sithseid.messages.button_start_over",
      "sithseid.messages.button_start_manually",
      "sithseid.messages.info_bankid_link_creation_app",
      "sithseid.messages.info_bankid_url_link_redirection_success_app",
      "sithseid.messages.info_open_app",
      "sithseid.messages.info_rediection_app",
      "sithseid.messages.info_verified_app",
      "sithseid.messages.info_qrcode_scanned_app",
      "sithseid.messages.error_bad_personal_number",
      "sithseid.messages.error_cancellation",
      "sithseid.messages.error_request",
      "sithseid.messages.changeLanguage"
    ],
    "loginTemplate": "sithseid.template"
  },
  "created": "2021-01-04 11:02:13.461"
}
```
Requirements
- A Siths eID key store issued by an authorized issuer
- The PAS IP address whitelisted so that it can communicate with the Siths eID backend URL
- A Siths eID client with an enrolled user certificate
- The CA certificates of the Siths eID backend URL's TLS (HTTPS) server certificate added to the cacerts trust store
Adding trust to production SITHS CAs
Configure the rfc2253Issuers parameter to trust production SITHS CAs:
```json
"rfc2253Issuers": [
  "CN=SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
  "CN=SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE"
]
```
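The issuer allowlist above works by matching the issuer DN of the userCertificate, rendered as an RFC 2253 string, against the configured rfc2253Issuers entries. The following Go program is an added illustration of that check, not PhenixID's own code: it mints throwaway certificates from a constructed in-memory CA (a single key plays both CA and user, and "Test Testsson" is sample data) and shows that a certificate issued by one of the shipped TEST CAs is refused once the production list is configured, while malformed input is rejected with an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ProductionIssuers mirrors the rfc2253Issuers value recommended for production use.
var ProductionIssuers = []string{"CN=SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE", "CN=SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE"}

// IssuerTrusted parses a PEM userCertificate and returns its issuer DN in RFC 2253 form plus whether that exact string is in rfc2253Issuers.
func IssuerTrusted(certPEM []byte, issuers []string) (string, bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" { return "", false, fmt.Errorf("userCertificate is not a PEM CERTIFICATE block") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return "", false, err }
	dn := cert.Issuer.String() // RFC 2253 order, most specific RDN first: "CN=...,O=...,C=SE"
	for _, trusted := range issuers {
		if dn == trusted {
			return dn, true, nil
		}
	}
	return dn, false, nil
}

// MintUserCert signs a throwaway user certificate with a constructed in-memory CA named caCN (sample data, not a real SITHS chain); the CA template is only the signing parent, so its Subject becomes the issuer DN.
func MintUserCert(caCN string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo only: one key serves as both CA and user key
	if err != nil { return nil, err }
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caCN, Organization: []string{"Inera AB"}, Country: []string{"SE"}}}
	user := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test Testsson"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, user, ca, &key.PublicKey, key)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
func main() {
	for _, cn := range []string{"SITHS e-id Person ID 3 CA v1", "TEST SITHS e-id Person ID 3 CA v1"} {
		certPEM, _ := MintUserCert(cn) // the second CA is one of the shipped TEST defaults and must be refused
		dn, ok, err := IssuerTrusted(certPEM, ProductionIssuers)
		fmt.Printf("issuer=%q trusted=%v err=%v\n", dn, ok, err)
	}
}
```

Note that the comparison is an exact string match, so the configured entries must use the same attribute order and spacing that the RFC 2253 rendering of the real issuer DN produces.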