SAML - NetID Access Server (NIAS) authentication

This document describes how to configure PhenixID Server for SAML2 federation using NetID Access Server (NIAS) as the authentication method.

NB! This authenticator IS NOT shipped with the product. Please contact PhenixID support for more information on how to download and install this authenticator.

Overview

https://www.secmaker.com/net-id/software/net-id-access/

NetID Access is a client/server solution with the exact same flow as BankID to serve use cases such as out-of-band SITHS/EFOS authentication and signing, based on a smartcard or a mobile certificate.

Prerequisites

  • PhenixID Server configured according to this instruction: "Federation - Username and password"
  • Commercial agreement with NetID Access Server
  • Access to NetID Access Server infrastructure from the PhenixID Server
  • For authentication using NetID Access on the same device, this patch must be applied (needed for version 3.0; included in later versions).

Convert the Federation - Username and Password scenario to SAMLNias

Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAMLNias"

Click the plus sign next to "configuration" to add new parameters

SAMLNias authenticator configuration reference.

Name | Description | Default value | Mandatory
wsdlLocation | The URL to the NetID Access Server WSDL. | - | Yes
loginTemplate | Template file to use for the authenticator. | nias.template | No
nias_keystore_path | Full path to the p12 keystore; used when the NIAS endpoint is protected with SSL client certificate authentication. | - | No
nias_keystore_password | Password for the p12 keystore and its private key; used when the NIAS endpoint is protected with SSL client certificate authentication. | - | No
userMapPipe | Pipe that maps the entered username to the certificate userID. Used in the "NetID on other device" flow. | - | No
mappingProperty | The property returned by userMapPipe that contains the certificate userID. Used in the "NetID on other device" flow. | - | No

Configuration example

Configure the execution flow used for the SAML assertion to suit your needs.

  1. Open the Execution flow tab and expand the flow.
  2. Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve).
  3. Expand (Show) the LDAPSearchValve and modify the search filter so that it fetches the user whose serialNumber equals the personal identification number returned by NetID Access Server: filter_template = serialNumber={{request.username}}
  4. Add a parameter listing the attributes to fetch for the matched LDAP entry: attributes = serialNumber,sAMAccountName
  5. Expand (Show) the AssertionProvider and modify the nameIDAttribute parameter: nameIDAttribute = serialNumber
  6. Click Save.
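The following is an added example, not PhenixID or SecMaker code: it checks a SAMLNias parameter set against the dependencies implied by the reference table above and renders the filter_template from step 3 with RFC 4515 escaping of the substituted value, so that a serialNumber lookup stays an exact match even if the substituted string contains filter metacharacters. The {{request.username}} placeholder syntax and the https requirement for wsdlLocation are assumptions; the sample values are constructed.

```python
import re

# RFC 4515 escape sequences for characters that have meaning inside an LDAP filter value
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape a string so it can be used as a literal assertion value in an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, request: dict) -> str:
    """Render a filter_template such as 'serialNumber={{request.username}}'.

    Assumed placeholder syntax: {{request.<name>}} is replaced by request[<name>],
    escaped so the result is always an equality match on one value.
    """
    def substitute(match):
        key = match.group(1)
        if key not in request:
            raise KeyError(f"missing request parameter: {key}")
        return escape_ldap_value(request[key])

    return re.sub(r"\{\{request\.(\w+)\}\}", substitute, template)


def check_samlnias_config(cfg: dict) -> list:
    """Return a list of problems found in a SAMLNias parameter dict (keys as in the reference table)."""
    problems = []
    wsdl = cfg.get("wsdlLocation")
    if not wsdl:
        problems.append("wsdlLocation is mandatory")
    elif not wsdl.lower().startswith("https://"):
        problems.append("wsdlLocation should be an https URL")  # assumption: plain http is not acceptable
    # Keystore path and password only make sense together (TLS client certificate towards NIAS)
    if bool(cfg.get("nias_keystore_path")) != bool(cfg.get("nias_keystore_password")):
        problems.append("nias_keystore_path and nias_keystore_password must be set together")
    # mappingProperty names the property that userMapPipe returns, so one without the other is incomplete
    if bool(cfg.get("userMapPipe")) != bool(cfg.get("mappingProperty")):
        problems.append("userMapPipe and mappingProperty must be set together")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 12-digit identification number and a wildcard value that must not widen the search
    tmpl = "serialNumber={{request.username}}"
    print(render_filter(tmpl, {"username": "199001011234"}))
    print(render_filter(tmpl, {"username": "1990*"}))
    print(check_samlnias_config({"wsdlLocation": "https://nias.example.invalid/NIAS?wsdl", "userMapPipe": "mapUser"}))
```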