Freja eID enrollment - Self service
Warning
Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators, you need to apply the relevant modifications to the configuration examples outlined in this article.
This guide gives a rough outline of how to configure Freja eID enrollment.
The use case is a user performing a self-service enrollment.
Add FrejaEIDSAML
Create a FrejaEIDSAML authenticator to protect the enrollment application.
Configuration
Download and unzip the templates from this zip-file, then place them in PAS-FOLDER\overlay\auth-http\files\templates\Freja-enrollment.
The alias of the authenticator must be "frejaeidpersonal" for the rest of this guide to apply; the enrollment SP's targetIDP URL further down ends with that alias.
Start by following these instructions.
Configure the keystoreId parameter with a reference to YOUR Freja keystore.
Configure the loginTemplate parameter with a reference to the login template.
Configure the mode parameter with production_personal.
Configure the attributesToGet parameter with EMAIL_ADDRESS,SSN,BASIC_USER_INFO.
Example:
{
  "id": "6491086b-4a36-4803-9a71-887c70d32547",
  "alias": "frejaeidpersonal",
  "name": "FrejaEIDSAML",
  "displayName": "Freja eID personal",
  "configuration": {
    "pipeID": "ccb06eb0-464a-4bef-95a1-1ee4ce586383",
    "idpID": "2a3f19f1-2c0d-45b8-a254-54d1cba107dd",
    "keystoreId": "Replace-Value-with-ID-of-Freja-Keystore",
    "loginTemplate": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\frejaeid_v2-enrollment.template",
    "mode": "production_personal",
    "attributesToGet": "EMAIL_ADDRESS,SSN,BASIC_USER_INFO"
  },
  "created": "2022-05-03T06:43:08.137Z"
}
Configure execution flow
The SAML assertion created by the flow must use uid as NameID and carry these additional attributes: adminuser, sn, mail, givenname, pnr, uid.
Please look at the following screenshots for an example configuration:
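When debugging the execution flow it helps to check the assertion it actually produces against the shape the enrollment SP expects. The Python below is an added example, not PhenixID code: it parses a SAML 2.0 assertion (or a Response wrapping one), verifies that NameID equals the uid attribute and that the six required attributes are present and non-empty. It checks shape only; signature, audience and validity checks are left to the AssertionConsumer in PAS. The two sample assertions and the user data in them are constructed inline.

```python
"""Check a SAML 2.0 assertion against what the frejaenrollsp SP expects:
NameID = uid and the attributes adminuser, sn, mail, givenname, pnr, uid.
Added example, not PhenixID code; shape check only, no signature validation."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
# Attribute set required by the execution flow described above.
REQUIRED_ATTRIBUTES = ("adminuser", "sn", "mail", "givenname", "pnr", "uid")


def extract(xml_text: str) -> dict:
    """Return NameID and a {Name: [values]} map from an Assertion or a Response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": None if name_id is None else (name_id.text or ""),
        "attributes": attributes,
    }


def check_enrollment_assertion(xml_text: str) -> list:
    """List of problems; an empty list means the assertion fits the SP."""
    parsed = extract(xml_text)
    attributes = parsed["attributes"]
    problems = []
    # Present but empty values count as missing too.
    missing = [n for n in REQUIRED_ATTRIBUTES if not any(attributes.get(n, []))]
    if missing:
        problems.append("missing or empty attributes: " + ", ".join(missing))
    if not parsed["name_id"]:
        problems.append("NameID missing")
    elif attributes.get("uid") and parsed["name_id"] not in attributes["uid"]:
        problems.append(
            f"NameID {parsed['name_id']!r} does not equal uid {attributes['uid']!r}"
        )
    return problems


def _assertion(name_id: str, attrs: dict) -> str:
    """Build a constructed, unsigned sample assertion (values are not XML-escaped;
    constructed test data only)."""
    statements = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{statements}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample data, not a real person.
GOOD_ATTRS = {"adminuser": "false", "sn": "Andersson", "mail": "anna@example.org",
              "givenname": "Anna", "pnr": "199001011234", "uid": "anna.andersson"}
GOOD_ASSERTION = _assertion("anna.andersson", GOOD_ATTRS)
# pnr left out and NameID set to the mail address instead of uid.
BAD_ASSERTION = _assertion("anna@example.org",
                           {k: v for k, v in GOOD_ATTRS.items() if k != "pnr"})

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_enrollment_assertion(doc) or "OK")
```

Paste the decoded assertion from a browser SAML trace into check_enrollment_assertion to see exactly which of the six attributes the IdP flow forgot to release, before the FrejaEnrollSPPipe turns it into a generic failure.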
Enrollment App
Add the block below to the Authentication - HTTP bucket. It contains two authenticators: the "frejaenroll" Registration authenticator that drives the two enrollment stages, and the "frejaenrollsp" SAML service provider that sends the user to the frejaeidpersonal IdP and, on success, returns to the enrollment flow.
Replace these strings before committing:
Value to replace | Comment
---|---
Replace-Value-with-DNS-For-Your-Server | The DNS name of your server, e.g. pas.company.org
{
  "alias": "frejaenroll",
  "name": "Registration",
  "id": "frejaenroll",
  "configuration": {
    "stages": [
      {
        "pipeid": "FrejaOrgIdEnroll",
        "template": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\freja-enroll",
        "sessionValues": [
          "givenname",
          "sn",
          "mobile",
          "username",
          "mail",
          "roles",
          "adminuser",
          "pnrsub",
          "pnr",
          "uid"
        ],
        "translation": [
          "phxverify.messages.information.title",
          "phxverify.messages.information.searchuser",
          "phxverify.messages.username",
          "phxverify.messages.querybox",
          "phxverify.messages.or",
          "phxverify.messages.logout",
          "phxverify.messages.information.title",
          "phxverify.messages.givenname",
          "phxverify.messages.snname",
          "phxverify.messages.mobile",
          "phxverify.messages.mail",
          "phxverify.messages.information.choose_method",
          "phxverify.messages.cancel",
          "phxverify.messages.bid"
        ],
        "templateVariables": {
          "searchmethods": [
            {
              "type": "username",
              "title": "phxverify.messages.username"
            },
            {
              "type": "mail",
              "title": "phxverify.messages.mail"
            },
            {
              "type": "mobile",
              "title": "phxverify.messages.mobile"
            }
          ],
          "settings": {
            "sp_url": "/frejaenroll/authenticate/frejaenrollsp/"
          }
        },
        "errorTranslation": []
      },
      {
        "pipeid": "phxverify-complete",
        "template": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\freja-enroll-complete",
        "templateVariables": {
          "useBid": ""
        },
        "translation": [
          "phxverify.messages.information.title",
          "phxverify.messages.username",
          "phxverify.messages.enterotp",
          "phxverify.messages.givenname",
          "phxverify.messages.snname",
          "phxverify.messages.mobile",
          "phxverify.messages.mail",
          "phxverify.messages.ot",
          "phxverify.messages.otstatus",
          "phxverify.messages.sms",
          "phxverify.messages.mail",
          "phxverify.messages.pp",
          "phxverify.messages.cancel",
          "phxverify.messages.userverified",
          "phxverify.messages.logout",
          "phxverify.messages.bid"
        ],
        "sessionValues": [
          "givenname",
          "sn",
          "mobile",
          "username",
          "mail",
          "roles",
          "adminuser",
          "pnrsub",
          "pnr",
          "uid"
        ],
        "errorTranslation": []
      }
    ]
  }
},
{
  "id": "frejaenrollsp",
  "alias": "frejaenrollsp",
  "name": "SAMLServiceProviderAuthN",
  "displayName": "frejaenrollsp IdP",
  "configuration": {
    "successURL": "/frejaenroll/authenticate/frejaenroll/",
    "sp": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll",
    "pipeID": "FrejaEnrollSPPipe",
    "targetIDP": "https://Replace-Value-with-DNS-For-Your-Server/saml/authenticate/frejaeidpersonal",
    "acsUrl": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll/authenticate/frejaenrollsp",
    "entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
  }
}
SAML SP
Add the block below to the SAML 2 Service providers bucket.
Replace these strings before committing:
Value to replace | Comment
---|---
Replace-Value-with-DNS-For-Your-Server | The DNS name of your server, e.g. pas.company.org
Replace-Value-with-ID-of-SAML-Signing-Keystore | The ID of the keystore used to sign SAML tokens (the example uses the same keystore for keystoreEncrypt)
{
  "id": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll",
  "keystoreSign": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
  "keystoreEncrypt": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
  "entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
}
Pipes
Add the block below to the Pipes bucket. The FrejaOrgIdEnroll pipe builds the Freja initAdd request from the session's pnr and uid (two rounds of base64 encoding) and posts it to the Freja backend using the Freja keystore. Note that its HttpPostRequestValve sets trust_all_certs to true, which disables validation of the Freja server certificate; in production, prefer validating it. The FrejaEnrollSPPipe consumes the SAML assertion and fails the flow with "User does not exist" if no item results.
Replace these strings before committing:
Value to replace | Comment
---|---
Replace-Value-With-Organizaion-Name | Your organization name. This value is displayed to the user when authenticating, e.g. Our Company.
Replace-With-Friendly-Name-Of-UserID | The friendly name of the user ID. This value is displayed to the user when authenticating, e.g. AnvändarID.
Replace-Value-with-ID-of-Freja-Keystore | The ID of the keystore previously uploaded to PAS for communication with the Freja backend
{
  "id": "FrejaOrgIdEnroll",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "user"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "userInfo",
        "value": "{\"country\":\"SE\",\"ssn\":\"{{session.pnr}}\"}",
        "splitter": "@"
      }
    },
    {
      "name": "PropertyStringBase64EncoderValve",
      "config": {
        "source": "userInfo",
        "dest": "userInfob64"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "initAddOrganisationIdRequest",
        "value": "{ \"userInfoType\": \"SSN\", \"userInfo\": \"{{item.userInfob64}}\", \"organisationId\": { \"title\": \"Replace-Value-With-Organizaion-Name\", \"identifierName\": \"Replace-With-Friendly-Name-Of-UserID\", \"identifier\": \"{{session.uid}}\" } }",
        "splitter": "@"
      }
    },
    {
      "name": "PropertyStringBase64EncoderValve",
      "config": {
        "source": "initAddOrganisationIdRequest",
        "dest": "initAddOrganisationIdRequestb64"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "body",
        "value": "initAddOrganisationIdRequest={{item.initAddOrganisationIdRequestb64}}",
        "splitter": "@"
      }
    },
    {
      "name": "HttpPostRequestValve",
      "config": {
        "url": "https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd",
        "body": "{{item.body}}",
        "http_crypto_protocol": "TLS",
        "trust_all_certs": "true",
        "keystore": "Replace-Value-with-ID-of-Freja-Keystore"
      }
    }
  ]
},
{
  "id": "FrejaEnrollSPPipe",
  "valves": [
    {
      "name": "AssertionConsumer",
      "config": {}
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "User does not exist",
        "exec_if_expr": "flow.items().isEmpty()"
      }
    }
  ]
}
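The FrejaOrgIdEnroll pipe builds the initAdd request by string templating and two rounds of base64 encoding, which is hard to inspect from the valve configuration alone. The Python below is an added example, not PhenixID or Freja code: it builds the same form body step by step, mirroring each PropertyAddValve and PropertyStringBase64EncoderValve, and decodes it back so the result can be compared with what the pipe sends. The personal number, user id and organisation name are constructed sample values; post_init_add is a hypothetical sender (an assumption, not part of the pipe) that uses a validating TLS context with the client certificate, in contrast to trust_all_certs set to true in the valve.

```python
"""Build the Freja Organisation ID initAdd body the way the FrejaOrgIdEnroll
pipe does.  Added example, not PhenixID or Freja code."""
import base64
import json
import ssl
import urllib.request

# Endpoint used by the HttpPostRequestValve in the pipe.
FREJA_INIT_ADD_URL = (
    "https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd"
)


def b64(text: str) -> str:
    """PropertyStringBase64EncoderValve equivalent: UTF-8 text -> standard base64."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_user_info(pnr: str, country: str = "SE") -> str:
    """First PropertyAddValve: {"country":"SE","ssn":"<session.pnr>"}.
    json.dumps escapes the value; the valve inlines session.pnr into a string
    template, so a pnr containing a quote would break the JSON there."""
    return json.dumps({"country": country, "ssn": pnr}, separators=(",", ":"))


def build_init_add_request(pnr: str, uid: str, org_title: str,
                           identifier_name: str) -> dict:
    """Second PropertyAddValve: userInfo carries the base64 of build_user_info."""
    return {
        "userInfoType": "SSN",
        "userInfo": b64(build_user_info(pnr)),
        "organisationId": {
            "title": org_title,                 # Replace-Value-With-Organizaion-Name
            "identifierName": identifier_name,  # Replace-With-Friendly-Name-Of-UserID
            "identifier": uid,                  # {{session.uid}}
        },
    }


def build_body(pnr: str, uid: str, org_title: str, identifier_name: str) -> str:
    """Third PropertyAddValve: initAddOrganisationIdRequest=<base64 of the JSON>."""
    request_json = json.dumps(
        build_init_add_request(pnr, uid, org_title, identifier_name),
        separators=(",", ":"),
    )
    return "initAddOrganisationIdRequest=" + b64(request_json)


def decode_body(body: str) -> dict:
    """Inverse of build_body: unwrap both base64 layers to see what is sent."""
    key, sep, value = body.partition("=")   # first '=' only; base64 padding follows
    if not sep or key != "initAddOrganisationIdRequest":
        raise ValueError("not an initAdd form body")
    request = json.loads(base64.b64decode(value))
    request["userInfo"] = json.loads(base64.b64decode(request["userInfo"]))
    return request


def post_init_add(body: str, client_cert_pem: str, client_key_pem: str,
                  url: str = FREJA_INIT_ADD_URL) -> dict:
    """Hypothetical sender (assumption, not the pipe).  The default context
    validates the Freja server certificate, which trust_all_certs=true in the
    valve does not; the client certificate plays the role of the 'keystore'."""
    context = ssl.create_default_context()
    context.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    request = urllib.request.Request(
        url,
        data=body.encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(request, context=context) as response:
        return json.loads(response.read())


if __name__ == "__main__":
    # Constructed sample values, not real data.
    body = build_body("199001011234", "anna.andersson", "Our Company", "AnvändarID")
    print(body)
    print(json.dumps(decode_body(body), ensure_ascii=False, indent=2))
```

Running build_body with the values you would put in the session and feeding the output to decode_body shows the exact JSON Freja will see, including how the title and identifierName placeholders end up next to the user's identifier.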