FrejaEIDSAML

Used when acting as a SAML IDP in conjunction with Freja eID. 

When authenticating from another device, only the QR-code flow is available, and no input is required from the user. On the same device (mobile client) the "app switching" pattern is used.

Read more about Freja eID and integration here: 

https://frejaeid.com/rest-api/Authentication%20Service.html

and here regarding authentication:

https://frejaeid.com/rest-api/Authentication%20Service.html#AuthenticationService-Methods


The authenticator only handles Swedish and English localisation.

Properties

idpID
  Description: The internal id of the IDP that should issue the assertion.
  Mandatory: Yes

pipeID
  Description: Pipe to be executed after a successful authentication using Freja eID mobile.
  Mandatory: Yes

loginTemplate
  Description: Name of the template used for rendering the frontend UI.
  Default value: frejaeid_v2.template
  Mandatory: No

keystoreId
  Description: Id of the keystore to use when communicating with the Freja eID backend server.
  Mandatory: Yes

mode
  Description: Whether communication should go to the test or the production Freja eID backend. Allowed values are 'test_personal', 'test_organisation', 'production_organisation' or 'production_personal'.
  Default value: production
  Mandatory: No

max_polls
  Description: How many polls should be done before the process is considered timed out.
  Default value: 30
  Mandatory: No

poll_interval
  Description: Time between polls, in milliseconds. Note that a tighter poll interval adds strain to the system.
  Default value: 2000
  Mandatory: No

attributesToGet
  Description: The list of attributes (user data) to return from Freja eID. Allowed values are BASIC_USER_INFO, EMAIL_ADDRESS, DATE_OF_BIRTH, ADDRESSES, SSN and ORGANISATION_ID_IDENTIFIER. When adding or changing values, the data must be entered as a single comma-separated string.
  Default value: SSN
  Mandatory: No

reqiredRegistrationLevel
  Description: Allowed values are BASIC, EXTENDED or PLUS. This is a single-value string.
  Default value: PLUS
  Mandatory: No

samlAuthMethod
  Description: Value to put in the SAML assertion AuthnContextClassRef.
  Default value: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
  Mandatory: No

Example configuration

{
    "id": "freja",
    "alias": "freja",
    "name": "FrejaEIDSAML",
    "displayName": "Freja",
    "configuration": {
        "pipeID": "64452300-d25d-45ae-bd7a-a6cfb7f0e5e0",
        "idpID": "da35b801-9894-45b9-9d97-98c336ead5f0",
        "keystoreId": "c5e0b707-a297-420e-a741-08d3e25df1be",
        "mode": "test_personal",
        "attributesToGet": "EMAIL_ADDRESS,SSN,ORG_ID"
    }
}
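The properties above are easy to get subtly wrong (a missing keystoreId, a mode outside the allowed set, attributesToGet written as a JSON array instead of one comma-separated string). The following is an added example, not PhenixID code: a small pre-deployment check that applies the mandatory flags and allowed values from the properties table to an authenticator block. The function name and the placeholder ids are my own.

```python
"""Checks for a FrejaEIDSAML authenticator block (added example, not PhenixID code)."""

MANDATORY = ("idpID", "pipeID", "keystoreId")
MODES = {"test_personal", "test_organisation",
         "production_organisation", "production_personal"}
ATTRIBUTES = {"BASIC_USER_INFO", "EMAIL_ADDRESS", "DATE_OF_BIRTH",
              "ADDRESSES", "SSN", "ORGANISATION_ID_IDENTIFIER"}
LEVELS = {"BASIC", "EXTENDED", "PLUS"}


def validate(authenticator: dict) -> list:
    """Return the problems found (empty list: acceptable). Optional
    properties are checked only when present; absent ones use the
    defaults from the properties table above."""
    cfg = authenticator.get("configuration", {})
    problems = []
    if authenticator.get("name") != "FrejaEIDSAML":
        problems.append("name must be FrejaEIDSAML")
    for key in MANDATORY:
        if not cfg.get(key):
            problems.append(f"missing mandatory property {key}")
    if "mode" in cfg and cfg["mode"] not in MODES:
        problems.append(f"mode {cfg['mode']!r} is not an allowed value")
    if "attributesToGet" in cfg:
        attrs = cfg["attributesToGet"]
        if not isinstance(attrs, str):  # one comma-separated string, not a JSON array
            problems.append("attributesToGet must be a comma-separated string")
        else:
            for attr in attrs.split(","):
                if attr.strip() not in ATTRIBUTES:
                    problems.append(f"unknown attribute {attr.strip()!r} in attributesToGet")
    if "reqiredRegistrationLevel" in cfg and cfg["reqiredRegistrationLevel"] not in LEVELS:
        problems.append("reqiredRegistrationLevel must be BASIC, EXTENDED or PLUS")
    for key in ("max_polls", "poll_interval"):  # a tight poll_interval adds load
        if key in cfg and (not isinstance(cfg[key], int) or cfg[key] <= 0):
            problems.append(f"{key} must be a positive integer")
    return problems


# Constructed sample blocks; the ids are placeholders, not real identifiers.
GOOD = {"name": "FrejaEIDSAML", "configuration": {
    "pipeID": "PLACEHOLDER-PIPE-ID", "idpID": "PLACEHOLDER-IDP-ID",
    "keystoreId": "PLACEHOLDER-KEYSTORE-ID", "mode": "test_personal",
    "attributesToGet": "EMAIL_ADDRESS,SSN,ORGANISATION_ID_IDENTIFIER",
    "reqiredRegistrationLevel": "PLUS", "poll_interval": 2000}}
BROKEN = {"name": "FrejaEIDSAML", "configuration": {
    "pipeID": "PLACEHOLDER-PIPE-ID", "idpID": "PLACEHOLDER-IDP-ID",
    "mode": "test", "attributesToGet": "EMAIL_ADDRESS,SSN,ORG_ID"}}
```

Running validate(BROKEN) reports the missing keystoreId, the unknown mode and the attribute name that is not in the documented allowed list; validate(GOOD) returns an empty list.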

Additional information

Only some of the information returned from Freja eID is available to the pipe when it executes.

The following attributes are available, provided Freja eID returned them:

  • userPersonalNumber
  • userGivenName
  • userSurName
  • primaryMail
  • relyingPartyUserId
  • integratorSpecificUserId

The executing PIPE MUST return an item property named userName. It is used as the user identifier for the current session and may NOT be empty.

Requirements

A keystore with a valid certificate is uploaded to the PAS server.

The user is enrolled for Freja eID.


The Freja backend's HTTPS/TLS certificate must be trusted. This is not done by default: add the required certificates to the trust store.

Installation

The installation only applies to version 4.0. 

Attached zip includes the required files. The structure inside the zip reflects the folders of the current installation, apart from the name of the base folder.

Extract the zip. Copy the content of the base folder into <root_installation>/mods/com.phenixidentity~auth-http~4.x.x/

The service must be restarted after the files have been copied.