FrejaEIDAuthenticator

This document describes how to configure FrejaEIDAuthenticator.

A keystore should have been received from Freja eID and imported into PhenixID Server before configuration of the authenticator. The keystore contains a certificate that allows the Freja eID server to verify requests from the PAS authenticator.

Please follow this document to import the keystore.

In the example below, a Freja eID authentication is used to protect the /mfaadmin resource.

Properties

Name Description Default value Mandatory
pipeID Id of pipe used by Freja eID Authenticator. Yes
successURL The URL to redirect the browser to after successful authentication. Yes
keyStore ID of the keyStore created in PhenixID Server. Yes

General description

When a user client sends an authentication request to this authenticator, the authenticator will in turn send an authentication request to the Freja eID server for the specified username. If the user has enrolled a device at the Freja eID server, that device will receive a request from the Freja eID server to allow or deny the authentication. The authenticator will regularly check the server for a response from the user, until a response is received or a timeout limit is reached.  If the authentication request is allowed by the user, the authenticator will execute a pipe. If the pipe request is successful, the user will be allowed to the requested resource.


In the following, we will look specifically at an example where a Freja eID authenticator is used to protect the /mfaadmin resource on the PAS server, using a database lookup in addition to the authentication to ensure that the user is valid. To try the example, make sure that the MFA Admin application is activated.

Database configuration

The system is typically configured to check a database for the existence of the requesting user before allowing the user client to the requested resource. The database connection can be configured from the PhenixID Configuration Portal under Scenarios/Connections, or by using the Advanced view. An example configuration of a database connection, as seen in the Advanced view, is provided below.

{
  "id": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
  "type": "ldap",
  "description": "Connection to local OpenDJ",
  "config": {
    "host": "localhost",
    "port": "389",
    "bind_dn": "cn=Directory Manager",
    "password": "mypassword",
    "use_ssl": "true",
    "ssl_trust_all": "true",
    "follow_referrals": "false",
    "auto_reconnect": "true",
    "use_keep_alive": "true",
    "response_timeout_ms": "30000",
    "pool_initial_size": "1",
    "pool_max_size": "2"
  }
}

The pipe that checks the database for the existence of the requesting user is in this case most easily configured using the Advanced view in the PhenixID Configuration Portal. After logging in and navigating to the advanced view, click the pencil next to the header "Pipes". Add the configuration below to the list of pipe configurations in the opened window, then click "Stage changes" and "Commit changes".

{
  "id": "68731314-eeb2-4d59-9aaa-79cd9913a320",
  "valves": [{
    "name": "LDAPSearchValve",
    "enabled": "true",
    "config": {
      "connection_ref": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
      "base_dn": "dc=example,dc=org",
      "scope": "SUB",
      "size_limit": "0",
      "filter_template": "mail={{request.username}}"
    }
  }]
}

Note that the value of the field "connection_ref" corresponds to the value of the field "id" of the database configuration above.

The keystore

In order for the authenticator to act as a client to the Freja eID server, triggering authentication requests and polling the server for user responses, a keystore with a certificate is necessary. The certificate is provided by Freja eID and must be kept secure. For instructions of how to upload the keystore to the PAS server, see here. The resulting configuration, as seen in the Advanced view, can be seen below.

{
    "id" : "a9bdfe2c-9a0b-4165-8d6d-0ae3f2ec7d9e",
    "type" : "pkcs12",
    "password" : "keystore password",
    "certificateAlias" : "xxxx",
    "privateKeyPassword" : "keystore password",
    "resource" : "c9be2a3b-f3c0-471a-9f87-15ede5d55498",
    "name" : "freja"
  }

Configuring the authenticator

To protect the MFA Admin application with a Freja eID authentication and a database lookup, use the Advanced view in the Configuration Portal to enter the configuration below. After logging in and navigating to the Advanced view, click the pencil next to the header "Authentication - HTTP". Add the configuration below to the list of authenticator configurations in the opened window, then click "Stage changes" and "Commit changes".

{
  "id": "0c18a73e-612a-4ce2-a353-40f60dd4bbf9",
  "alias": "freja",
  "name": "FrejaEIDAuthenticator",
  "displayName": "Freja",
  "configuration": {
    "pipeID": "68731314-eeb2-4d59-9aaa-79cd9913a320",
    "successURL": "/mfaadmin/",
    "keyStore": "a9bdfe2c-9a0b-4165-8d6d-0ae3f2ec7d9e"
  }
}

Note that the value of the field "pipeID" corresponds to the value of the field "id" of the pipe configuration above, and that the value of the field "keyStore" corresponds to the value of the field "id" of the keystore configuration above.

Configuring the protected resource

To configure the MFA Admin application to be protected by the Freja eID authenticator, use the Advanced view in the Configuration Portal. After logging in and navigating to the Advanced view, locate the MFA Admin module and change the field "auth_redirect_url" to point to the authenticator alias, see below for example configuration.

{
  "name" : "com.phenixidentity~phenix-prism",
  "enabled" : "true",
  "config" : {
    "base_url" : "/mfaadmin",
    "auth_redirect_url" : "/mfaadmin/authenticate/freja",
    "http_configuration_ref" : "bb8aed96-6b34-4850-9741-5c8960094e0f",
    "module_refs" : "a2103942-92ce-4259-ba4a-acbe4de209f8,97f3537e-a754-4cc5-b7f2-fce7eec38f33",
    "enable_roles" : "true"
  }
}

If all the instructions above are carried out correctly, the user will be presented with a login screen for Freja eID when trying to access the /mfaadmin resource on the PAS server.

Requirements

A keystore with a valid certificate is uploaded to the PAS server.

User enrolled for freja e-id.