Authenticate using Siths EID (card or app).

Siths EID authenticator allows for two different scenarios:

  • Starting Siths EID on the same device.
  • Starting Siths EID using a QR code. 

Every method needs to be activated through configuration.


On successful authentication, these parameters will be added to the request sent to the connected pipe:

  • userPersonalNumber  - The end user personal number (SSID)
  • userCertificate  - The full user certificate (PEM formatted)

Patch instructions

SAML2SithsEID binaries and template files must for now (version 4.0) be added manually to the PAS installation. Please download binaries and instructions to install the patch here.



Name Description Default value Mandatory
idpID The internal identifier of the idp used N/A Yes
pipeID ID of the pipe to be executed on successful authentication N/A Yes
samlAuthMethod The value to be set in the AuthnContextClassRef of the SAML assertion urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig No
keyStore ID of the key store used to communicate with Siths eid backend N/A Yes
sithseidURL The root URL of the Siths EID Backend. N/A Yes
rfc2253Issuers List of trusted SITHS eID issuers. [ "CN=TEST SITHS e-id Person HSA-id 3 CA v1,O=Inera AB,C=SE", "CN=TEST SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE", "CN=TEST SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE", "CN=CGI Test Root CA,OU=Test,O=CGI,ST=Jamtland,C=SE", "CN=SITHS Type 1 CA v1,O=Inera AB,C=SE", "CN=SITHS Type 1 CA v1 PP,O=Inera AB,C=SE" ] No
loginTemplate Template used for rendering the user facing UI sithseid.template No
templateVariables Parameters to control the GUI rendering. Methods define the user options to present (sd=same device, qr=qr code) N/A Yes
organizationName The header text to be displayed in the Siths Eid client during authentication. N/A Yes

Example Configuration

		"id": "c48b7a22-21c9-44f2-b606-6bd000db60fe",
		"alias": "siths-eid-test",
		"name": "SAML2SithsEID",
		"displayName": "siths-eid-test",
		"configuration": {
			"keyStore": "5ca8fb2f-bb98-48eb-a1fd-f1e89879fd50",
			"pipeID": "e9acc237-0357-4d8e-b68d-c487b2b987d4",
			"idpID": "2a9b1517-c8ef-47cc-a2f2-783076e124dc",
			"sithseidURL": "",
			"samlAuthMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig",
			"organizationName": "PhenixID Authentication Services",
			"templateVariables": {
				"methods": [
						"image": "/authenticate/res/images/sithseid/sithseid.png",
						"data-toggle-action": "SD",
						"title": "sithseid.messages.option_label_sd"
						"image": "/authenticate/res/images/sithseid/sithseid-qrc.png",
						"data-toggle-action": "QR",
						"title": "sithseid.messages.option_label_qr"
			"translation": [
			"loginTemplate": "sithseid.template"
		"created": "2021-01-04 11:02:13.461"


  • A Siths Eid key store issued by an authorized issuer
  • PAS IP address whitelisted to be able to communicate with the siths eid backend URL
  • Siths eid client with enrolled user certificate
  • Siths eid backend URL SSL certificate (for https) ca:s added to cacerts trust store.


Make sure to have the proper rfc2253Issuers configured! 

The default value will not work with Ineras production environment.
Use the configuration below instead:

"rfc2253Issuers": [
"CN=SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
"CN=SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE"
Click to copy