eIDAS Authentication

Overview

This guide provides a comprehensive walkthrough for setting up eIDAS Authentication with PhenixID Authentication Services (PAS) to secure services with eIDAS-based identity verification. By acting as a SAML Service Provider, PAS enables users to authenticate through eIDAS, allowing for secure access to internal applications, SAML Service Providers (SPs), and OpenID Connect (OIDC) Relying Parties.

Once configured, test the setup by accessing the protected service and verifying that authentication is successfully routed through the eIDAS federation. This configuration enables secure and compliant access to services using trusted eIDAS authentication standards.

Requirements

eIDAS offers three distinct environments:

  • Sandbox
  • QA
  • Production

Connecting to the Sandbox environment requires no agreements. However, to access the QA and Production environments, customers must establish an agreement with their country's eIDAS node. In Sweden, this process is managed by Sweden Connect.

Configure your authenticator

Depending on the service you protect, you need to create an authenticator.

Make sure to set these parameters on the SPBroker authenticator:

  • "targetIDP": "<eidas_node_connector_idp_entity_id>"

    For Sweden, the targetIDP value should be:

    • PRODUCTION: https://connector.eidas.swedenconnect.se/eidas

    • QA: https://qa.connector.eidas.swedenconnect.se/eidas

    • SANDBOX: https://dev.connector.swedenconnect.se/eidas

  • "addsignature": "true"

SPBroker example conf:

{
    "id": "spbroker",
    "alias": "spbroker",
    "name": "SPBroker",
    "displayName": "eIDAS",
    "configuration": {
        "sp": "spbroker",
        "pipeID": "pipeAssertionConsumer",
        "targetIDP": "https://dev.connector.swedenconnect.se/eidas",
        "addsignature": "true"
    }
}

SP example configuration:

{
  "id": "spbroker",
  "name": "SAML Service provider",
  "keystoreSign": "<your keystore>",
  "keystoreEncrypt": "<your keystore>",
  "entityID": "https://yourbaseurl/samlsp/spbroker",
  "baseURL": "https://yourbaseurl",
  "wantsAuthnRequestsSigned": "true",
  "assertionConsumerServiceUrls": [
    "https://yourbaseurl/authentication/saml/idp/login"
  ]
}

More information on how to configure the federation broker scenario can be found here.

Extract your metadata

  1. Fetch your SP metadata by opening the URL:
    https://yourbaseurl/samlsp/spbroker/meta

  2. Save the produced metadata to an XML file.

  3. Open the XML file in a text editor.

  4. Manually add an Extensions block with entity attributes. This declares which LoA levels this SP accepts. Change the values to suit your environment, and consult the eIDAS documentation (or PhenixID staff) for the proper values. This block should be added directly inside the EntityDescriptor tag. Example:

   <md:EntityDescriptor entityID="https://yourbaseurl/samlsp/spbroker" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

    <md:Extensions>
        <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
            <ns5:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns5="urn:oasis:names:tc:SAML:2.0:assertion">
                <ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/loa3-pnr</ns5:AttributeValue>
                <ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/eidas-naturalperson</ns5:AttributeValue>
                <ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/st/1.0/public-sector-sp</ns5:AttributeValue>
            </ns5:Attribute>
        </mdattr:EntityAttributes>
    </md:Extensions>
  5. Manually add an Extensions block with SP GUI information. This is used when presenting the list of SPs in eIDAS. Adjust the texts and the image to suit your environment. This should be placed inside the SPSSODescriptor tag. Example:
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:Extensions>
            <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
                <mdui:DisplayName xml:lang="en">PhenixID AB</mdui:DisplayName>
                <mdui:DisplayName xml:lang="sv">PhenixID AB</mdui:DisplayName>
                <mdui:Description xml:lang="sv">PhenixID sandbox SP for eIDAS</mdui:Description>
                <mdui:Description xml:lang="en">PhenixID sandbox SP for eIDAS</mdui:Description>
                <mdui:Logo height="1" width="1">https://www.phenixid.se/wp-content/uploads/2016/06/logo.png</mdui:Logo>
            </mdui:UIInfo>
            <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="1"/>
        </md:Extensions>
  6. Manually replace the NameIDFormat tag so that the format is persistent:
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  7. Manually add an Organization block and the ContactPerson blocks. Change the values to suit your environment. These should be placed inside the EntityDescriptor tag. Example:
    <md:Organization>
        <md:OrganizationName xml:lang="en">PhenixID AB</md:OrganizationName>
        <md:OrganizationName xml:lang="sv">PhenixID AB</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
        <md:OrganizationDisplayName xml:lang="sv">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://www.phenixid.se</md:OrganizationURL>
        <md:OrganizationURL xml:lang="sv">https://www.phenixid.se</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="support">
        <md:Company>PhenixID AB</md:Company>
        <md:GivenName>Foo</md:GivenName>
        <md:SurName>Bar</md:SurName>
        <md:EmailAddress>foo.bar@phenixid.se</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="technical">
        <md:Company>PhenixID AB</md:Company>
        <md:GivenName>Foo</md:GivenName>
        <md:SurName>Bar</md:SurName>
        <md:EmailAddress>foo.bar@phenixid.se</md:EmailAddress>
    </md:ContactPerson>
  8. Save the file.

    Example of a complete XML metadata file:

   <?xml version="1.0" encoding="UTF-8"?>
   <md:EntityDescriptor entityID="https://ubuntu.phenixid.local/saml/sp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:Extensions>
     <mdattr:EntityAttributes
      xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <ns5:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       xmlns:ns5="urn:oasis:names:tc:SAML:2.0:assertion">
       <ns5:AttributeValue xsi:type="xs:string"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/loa3-pnr</ns5:AttributeValue>
       <ns5:AttributeValue xsi:type="xs:string"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/eidas-naturalperson</ns5:AttributeValue>
       <ns5:AttributeValue xsi:type="xs:string"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/st/1.0/public-sector-sp</ns5:AttributeValue>
      </ns5:Attribute>
     </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
      <mdui:UIInfo
       xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
       <mdui:DisplayName xml:lang="en">PhenixID AB</mdui:DisplayName>
       <mdui:DisplayName xml:lang="sv">PhenixID AB</mdui:DisplayName>
       <mdui:Description xml:lang="sv">PhenixID sandbox SP for eIDAS</mdui:Description>
       <mdui:Description xml:lang="en">PhenixID sandbox SP for eIDAS</mdui:Description>
       <mdui:Logo height="1" width="1">https://www.phenixid.se/wp-content/uploads/2016/06/logo.png</mdui:Logo>
      </mdui:UIInfo>
      <idpdisc:DiscoveryResponse
       xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="1"/>
      </md:Extensions>
      <md:KeyDescriptor use="signing">
       <ds:KeyInfo
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
         <ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEV
   MBMGA1UEBxMMTmFja2EgU3RyYW5kMQ8wDQYDVQQKEwZNY0FmZWUxFDASBgNVBAsT
   C0VuZ2luZWVyaW5nMRowGAYDVQQDExFFQSBERU1PIHVzZXIgQ0EgMTAeFw0xNDA1
   MjMxMjA3MDBaFw0xOTA1MjMxMjA3MDBaMEIxDjAMBgNVBAMTBWJodWxsMQ0wCwYD
   VQQEEwRIdWxsMQ4wDAYDVQQqEwVCb2JieTERMA8GA1UEBRMIMTk2NTE5NjYwggEi
   MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8yVowqmpfeKptuigqFHjeKC/C
   ViAMexnbgCYdbo9atIc08b35lV364uTpkafupgAexTi9X1GOuKEM4KKgAQQ91sSP
   Jeuz7r6Y5EN5HO/dEXtuQXb1TwZ2FGvDEEaeFigQyNALxnUrhWyfwSceU3ev4j+Q
   bGpRuX7MfYT6BZbmrWyV0+j/mIHq9dfLcp48wfTPh6VXo1iHCYQVtn3ZFHP7oFtb
   /xyJi62dvFqrsnEbFkfmRN+sRmgfJtC90jjPvbjMsUHaKmYh99FrK26e1N2T8cxZ
   sH/3Xx2hpE1jL9TolrV+YQ5XdFfJRHeAoG0zX7rtt722kMOAJq+eNBpRXXejAgMB
   AAGjPDA6MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPOypDuauffXkwjNdeNti0Ik
   YSpdMAsGA1UdDwQEAwIEsDANBgkqhkiG9w0BAQUFAAOCAQEAMAxB95G/XCOetwAM
   1KXt7qH+tU0mvbXHqgWdyHRFHeayQjmKp3831ciNWEYDSBvGoUz2FI0WQjrBETDX
   kwoXRxFf81o8SSFkC2HpitqUW/on+lH4v2u7U2yaO5rUXwFsiU63NrJIPttjDzyJ
   cHFVXq1JrnRWDYq8X0JaTh3RU9Pww8eN2dw8MjHLDtgxZg3vPElkSWaDTse/HfQP
   Bc0cAc2D7/HOj3qyrEqIDrHHmQBTkC5S9C/O1sEhpJktqi8SMUmmniVhhR5v5MVN
   PGlIDzQwJ9nXWzdBz5wmQqLkw2/853OujVK2ZXcKB6e9GklHBw5YtFItbMmVvuxC
   n5TfcQ==</ds:X509Certificate>
        </ds:X509Data>
       </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
       <ds:KeyInfo
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
         <ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEV
   MBMGA1UEBxMMTmFja2EgU3RyYW5kMQ8wDQYDVQQKEwZNY0FmZWUxFDASBgNVBAsT
   C0VuZ2luZWVyaW5nMRowGAYDVQQDExFFQSBERU1PIHVzZXIgQ0EgMTAeFw0xNDA1
   MjMxMjA3MDBaFw0xOTA1MjMxMjA3MDBaMEIxDjAMBgNVBAMTBWJodWxsMQ0wCwYD
   VQQEEwRIdWxsMQ4wDAYDVQQqEwVCb2JieTERMA8GA1UEBRMIMTk2NTE5NjYwggEi
   MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8yVowqmpfeKptuigqFHjeKC/C
   ViAMexnbgCYdbo9atIc08b35lV364uTpkafupgAexTi9X1GOuKEM4KKgAQQ91sSP
   Jeuz7r6Y5EN5HO/dEXtuQXb1TwZ2FGvDEEaeFigQyNALxnUrhWyfwSceU3ev4j+Q
   bGpRuX7MfYT6BZbmrWyV0+j/mIHq9dfLcp48wfTPh6VXo1iHCYQVtn3ZFHP7oFtb
   /xyJi62dvFqrsnEbFkfmRN+sRmgfJtC90jjPvbjMsUHaKmYh99FrK26e1N2T8cxZ
   sH/3Xx2hpE1jL9TolrV+YQ5XdFfJRHeAoG0zX7rtt722kMOAJq+eNBpRXXejAgMB
   AAGjPDA6MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPOypDuauffXkwjNdeNti0Ik
   YSpdMAsGA1UdDwQEAwIEsDANBgkqhkiG9w0BAQUFAAOCAQEAMAxB95G/XCOetwAM
   1KXt7qH+tU0mvbXHqgWdyHRFHeayQjmKp3831ciNWEYDSBvGoUz2FI0WQjrBETDX
   kwoXRxFf81o8SSFkC2HpitqUW/on+lH4v2u7U2yaO5rUXwFsiU63NrJIPttjDzyJ
   cHFVXq1JrnRWDYq8X0JaTh3RU9Pww8eN2dw8MjHLDtgxZg3vPElkSWaDTse/HfQP
   Bc0cAc2D7/HOj3qyrEqIDrHHmQBTkC5S9C/O1sEhpJktqi8SMUmmniVhhR5v5MVN
   PGlIDzQwJ9nXWzdBz5wmQqLkw2/853OujVK2ZXcKB6e9GklHBw5YtFItbMmVvuxC
   n5TfcQ==</ds:X509Certificate>
        </ds:X509Data>
       </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="0" isDefault="true"/>
     </md:SPSSODescriptor>
     <md:Organization>
      <md:OrganizationName xml:lang="en">PhenixID AB</md:OrganizationName>
      <md:OrganizationName xml:lang="sv">PhenixID AB</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
      <md:OrganizationDisplayName xml:lang="sv">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.phenixid.se</md:OrganizationURL>
      <md:OrganizationURL xml:lang="sv">https://www.phenixid.se</md:OrganizationURL>
     </md:Organization>
     <md:ContactPerson contactType="support">
      <md:Company>PhenixID AB</md:Company>
      <md:GivenName>Foo</md:GivenName>
      <md:SurName>Bar</md:SurName>
      <md:EmailAddress>foo.bar@phenixid.se</md:EmailAddress>
     </md:ContactPerson>
     <md:ContactPerson contactType="technical">
      <md:Company>PhenixID AB</md:Company>
      <md:GivenName>Foo</md:GivenName>
      <md:SurName>Bar</md:SurName>
      <md:EmailAddress>foo.bar@phenixid.se</md:EmailAddress>
     </md:ContactPerson>
    </md:EntityDescriptor>

Add your metadata to eIDAS

Add the metadata created in the previous step to eIDAS.

  • For QA and production, send the metadata to operations@swedenconnect.se

  • For the sandbox environment, please follow these steps:

    1. Go to Sandbox MD-registry - Welcome page and apply for an account

    2. Login to Sandbox MD-registry - Login page

    3. Click Manage metadata

    4. Add a display name and your metadata

    5. Done. The metadata will be added to the eIDAS sandbox aggregated metadata (this process might take a while, so be patient).

Add eIDAS federation metadata to PAS

In PAS Configuration Manager, add the eIDAS federation metadata URL for your environment (Production, QA or Sandbox) under Scenarios -> SAML.

Verification Steps for eIDAS Authentication Setup with PhenixID

Validate Environment Access:

  • Ensure you can connect to the appropriate eIDAS environment based on your setup:
    • Sandbox: No agreement needed.
    • QA/Production: Verify any agreements with the respective eIDAS node if required, such as through Sweden Connect.

Verify Authenticator Configuration in PAS:

  • Confirm that the SPBroker authenticator is configured with the correct targetIDP URL for the chosen eIDAS environment (e.g., Sandbox, QA, Production).
  • Ensure the addsignature parameter is set to "true" to sign requests as required by eIDAS.

Check Metadata Generation and Customization:

  • Access the generated metadata URL (e.g., https://yourbaseurl/samlsp/spbroker/meta) and download the XML file.
  • Open the metadata XML and confirm that the required custom blocks are added:
    • Entity Attributes: Verify the LoA levels in the <mdattr:EntityAttributes> section.
    • UI Information: Ensure <mdui:UIInfo> is configured correctly, with proper display name, description, and logo.
    • Persistent NameID Format: Confirm that <md:NameIDFormat> is set to "persistent".
    • Organization and Contact Details: Check that organization and contact details are accurately filled.
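As an added check (example code, not PhenixID's own tooling), the following Python script parses a downloaded SP metadata file and reports which of the hand-edited blocks from the "Extract your metadata" steps are missing or malformed, including the easily missed case where a pretty-printer has wrapped an entity-category URI onto its own line and left whitespace inside the value. The SAMPLE metadata and the entityID in it are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_eidas_metadata(xml_text, required_categories):
    """Return a list of problems found in the SP metadata; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    problems, found = [], set()
    # Entity categories (LoA, SP type) sit in Extensions directly under EntityDescriptor.
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != "http://macedir.org/entity-category":
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            text = val.text or ""
            if text != text.strip():  # a wrapped URI no longer matches the federation's list
                problems.append(f"entity category has surrounding whitespace: {text!r}")
            found.add(text.strip())
    problems += [f"missing entity category: {c}" for c in required_categories if c not in found]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["missing SPSSODescriptor"]
    if sp.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned must be true (matches addsignature on the SPBroker)")
    if sp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS) is None:
        problems.append("missing mdui:UIInfo DisplayName")
    formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    if formats != [PERSISTENT]:
        problems.append(f"NameIDFormat must be exactly persistent, got {formats}")
    for block in ("md:Organization", "md:ContactPerson"):
        if root.find(block, NS) is None:
            problems.append(f"missing {block} block")
    return problems

# Constructed sample (hypothetical entityID): the second category value was wrapped onto
# its own line, NameIDFormat is still unspecified, UIInfo/Organization/ContactPerson are absent.
SAMPLE = """<md:EntityDescriptor entityID="https://yourbaseurl/samlsp/spbroker"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://id.elegnamnden.se/ec/1.0/loa3-pnr</saml:AttributeValue>
   <saml:AttributeValue>http://id.elegnamnden.se/ec/1.0/eidas-naturalperson
   </saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
```

Run it against the file you downloaded in step 1, passing the entity-category URIs your environment requires; every returned line maps to one item in the checklist above.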

Submit Metadata to eIDAS:

  • For Sandbox: Upload the metadata through the Sandbox MD-registry and confirm it appears in the eIDAS sandbox aggregated metadata.
  • For QA/Production: Email the metadata to operations@swedenconnect.se and verify receipt and processing.

Confirm Federation Metadata in PAS:

  • In PAS Configuration Manager, check that the correct eIDAS federation metadata URL is added under Scenarios -> SAML, using the appropriate link for your environment (e.g., Production, QA, Sandbox).

Perform an End-to-End Authentication Test:

  • Access the protected service and ensure that users are directed to authenticate via eIDAS.
  • Confirm that the authentication flow completes successfully, granting the user access to the service through eIDAS-based verification.

These steps confirm that eIDAS authentication with PAS is correctly configured, with metadata and federation settings aligned for secure SAML-based access.