FrejaEIDAuthenticator
This document describes how to configure FrejaEIDAuthenticator.
A keystore should have been received from Freja eID and imported into PhenixID Server before configuration of the authenticator. The keystore contains a certificate that allows the Freja eID server to verify requests from the PAS authenticator.
Please follow this document to import the keystore.
In the example below, a Freja eID authentication is used to protect the /mfaadmin resource.
This authenticator is deprecated and will be removed.
Properties
General description
When a user client sends an authentication request to this authenticator, the authenticator will in turn send an authentication request to the Freja eID server for the specified username. If the user has enrolled a device at the Freja eID server, that device will receive a request from the Freja eID server to allow or deny the authentication. The authenticator will regularly check the server for a response from the user, until a response is received or a timeout limit is reached. If the authentication request is allowed by the user, the authenticator will execute a pipe. If the pipe request is successful, the user will be allowed to the requested resource.
In the following, we will look specifically at an example where a Freja eID authenticator is used to protect the /mfaadmin resource on the PAS server, using a database lookup in addition to the authentication to ensure that the user is valid. To try the example, make sure that the MFA Admin application is activated.
Database configuration
The system is typically configured to check a database for the existence of the requesting user before allowing the user client to the requested resource. The database connection can be configured from the PhenixID Configuration Portal under Scenarios/Connections, or by using the Advanced view. An example configuration of a database connection, as seen in the Advanced view, is provided below.
<p>{
"id": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
"type": "ldap",
"description": "Connection to local OpenDJ",
"config": {
"host": "localhost",
"port": "389",
"bind_dn": "cn=Directory Manager",
"password": "mypassword",
"use_ssl": "true",
"ssl_trust_all": "true",
"follow_referrals": "false",
"auto_reconnect": "true",
"use_keep_alive": "true",
"response_timeout_ms": "30000",
"pool_initial_size": "1",
"pool_max_size": "2"
}
}</p>
The pipe that checks the database for the existence of the requesting user is in this case most easily configured using the Advanced view in the PhenixID Configuration Portal. After logging in and navigating to the advanced view, click the pencil next to the header "Pipes". Add the configuration below to the list of pipe configurations in the opened window, then click "Stage changes" and "Commit changes".
<p>{
"id": "68731314-eeb2-4d59-9aaa-79cd9913a320",
"valves": [{
"name": "LDAPSearchValve",
"enabled": "true",
"config": {
"connection_ref": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
"base_dn": "dc=example,dc=org",
"scope": "SUB",
"size_limit": "0",
"filter_template": "mail={{request.username}}"
}
}]
}</p>
Note that the value of the field "connection_ref" corresponds to the value of the field "id" of the database configuration above.
The keystore
In order for the authenticator to act as a client to the Freja eID server, triggering authentication requests and polling the server for user responses, a keystore with a certificate is necessary. The certificate is provided by Freja eID and must be kept secure. For instructions of how to upload the keystore to the PAS server, see here. The resulting configuration, as seen in the Advanced view, can be seen below.
<p>{
"id" : "a9bdfe2c-9a0b-4165-8d6d-0ae3f2ec7d9e",
"type" : "pkcs12",
"password" : "keystore password",
"certificateAlias" : "xxxx",
"privateKeyPassword" : "keystore password",
"resource" : "c9be2a3b-f3c0-471a-9f87-15ede5d55498",
"name" : "freja"
}</p>
The truststore
In order for the PAS server to ensure that it is connecting to the correct Freja eID server, it is necessary to provide a truststore with public certificates
You have to add the add the certificate chain that the above client cert is created from.
This part has to be added manually in the Advanced view.
Open the Keystores part with the pen and add following code at the end.
<p>{
"id": "frejaeid-truststore",
"resource": "frejaeid-resource",
"name": "Verisec Certificate Chain",
"certificateAlias": "0",
"type": "pkcs12"
}</p>
Stage and Commit and then open the Resources part with it´s pen.
Add the following code, Stage and Commit.
<p>{
"description": "Verisec Certificate Chain",
"id": "frejaeid-resource",
"content_type": "application/x-pkcs12",
"content_encoding": "base64",
"content": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVjVENDQTFtZ0F3SUJBZ0lVQy90NG0zcXM3YU4yWHdlMTlzSUVLSDE4ZXd3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZTXhDekFKQmdOVkJBWVRBbE5GTVJJd0VBWURWUVFIRXdsVGRHOWphMmh2YkcweEZEQVNCZ05WQkdFVApDelUxT1RFeE1DMDBPREEyTVIwd0d3WURWUVFLRXhSV1pYSnBjMlZqSUVaeVpXcGhJR1ZKUkNCQlFqRU5NQXNHCkExVUVDeE1FVkdWemRERWNNQm9HQTFVRUF4TVRVbE5CSUZSRlUxUWdTWE56ZFdsdVp5QkRRVEFlRncweE9EQXgKTVRFeE1URTFNakphRncweU16QXhNVEV4TVRFMU1qSmFNSUdLTVFzd0NRWURWUVFHRXdKVFJURVNNQkFHQTFVRQpCeE1KVTNSdlkydG9iMnh0TVJRd0VnWURWUVJoRXdzMU5Ua3hNVEF0TkRnd05qRWRNQnNHQTFVRUNoTVVWbVZ5CmFYTmxZeUJHY21WcVlTQmxTVVFnUVVJeERUQUxCZ05WQkFzVEJGUmxjM1F4SXpBaEJnTlZCQU1UR25ObGNuWnAKWTJWekxuUmxjM1F1Wm5KbGFtRmxhV1F1WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQgpDZ0tDQVFFQWc4RTVDaUZlb3QxTUpQYjZ0RHdTT2dmdWRGMjlTZUNsQkdESzB4UG9ueDRXczh1VVFrRlpCeHh6CnJpbGVtNUhQZjF2ZytlamVjTUd0dFgybXpRK2pXY3dEVXpmSjYvM0tONWtBaWF0U04xVFdiWU1NTEt2cGZxTW0KWWNsTEd5NFBFcDJZdkx6YjN3OUY4VTAyU1dSS2ZOTjFXQk1vRnlsNUhEYURkVnhveTV5UWNlUG15QjFMTW52bwptNXhPVHR1QjBIZ283ZWpFeFNNUnlVSzhtRTJmMGszVDZ2N2RRMWJzS09mTW14U25GKzFJNWJwY2JFdGJCVDRpCkFrc2dxVWtPcWN6V21MZlFKczVZRkUvYk1jQklwRGNmU0xtU2VWRU9UbFBiTmY3ZTk4TnhVVmIzVHk3YitCbmQKZS96ZkIrRi9UQUlmVlpzM3YwR3p0b2t0Z25oR1NRSURBUUFCbzRIVE1JSFFNQTRHQTFVZER3RUIvd1FFQXdJRgo0REFNQmdOVkhSTUJBZjhFQWpBQU1COEdBMVVkSXdRWU1CYUFGR3A4aWcrZGNBNGMybDh0b0R3bVg0am9GYitjCk1CSUdBMVVkSUFRTE1Ba3dCd1lGS2dNRUJRZ3dQUVlEVlIwUkJEWXdOSUlhYzJWeWRtbGpaWE11ZEdWemRDNW0KY21WcVlXVnBaQzVqYjIyQ0ZtRjFkR2d1ZEdWemRDNW1jbVZxWVdWcFpDNWpiMjB3SFFZRFZSME9CQllFRkVkNwpoNXlra3dyblV1ekp5bk9JbkN2M0dVenlNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01DQmdnckJnRUZCUWNECkFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUF3cFJhSUM3c2k1MzNZWU5MM3dPZnV0SjR0d0YxcjhPajVwakgKUkpUTjhKcXdDeUl0d3NnZ2ZGYjk5YklJMEpMYzFDNWh6ZEQrVlNja3ltamY1bVNCQVBLNHV3cWxzWmdtblhvNApxbTJGUkdiZThDRnU1d3ZDWk1xTU43YTJOZytIeStZUWNEVmNueGs0UWZCNSszYTZ0R253OTFrMzYvVldDNGZ5Ck5ZSFJYbWhXWXJxNFNrUFZpc2c2dE8wRHpTRnNleVNQQWc4aTY5TmduMU54V2pWVU9uSkduZUZnNy9WV3RkMXMKYWU5Mlg0eDdoY2UyYmRJYm81MHlSSGZxeVVuU3hpdlRIL216VXVpT2daSFlDbzh4c3V2cDlCWTdPVVI5bzJKagpMbjlSWnpaOVVmRVBmQWI0amJWblR3MG83L1E0dFBvU1ZscGJId1E1ZWVlSUxyR0hYQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdNekNDQkJ1Z0F3SUJBZ0lVUEI0clVxRkZpRzZnNjdhK2NMQ0JDdVRreEdRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VURUxNQWtHQTFVRUJoTUNVMFV4RXpBUkJnTlZCQW9UQ2xabGNtbHpaV01nUVVJeEVqQVFCZ05WQkFzVApDVVp5WldwaElHVkpSREVaTUJjR0ExVUVBeE1RVWxOQklGUmxjM1FnVW05dmRDQkRRVEFlRncweE56QTFNVEF4Ck5ESTJNREJhRncwME56QTFNVEF4TkRJMk1EQmFNRkV4Q3pBSkJnTlZCQVlUQWxORk1STXdFUVlEVlFRS0V3cFcKWlhKcGMyVmpJRUZDTVJJd0VBWURWUVFMRXdsR2NtVnFZU0JsU1VReEdUQVhCZ05WQkFNVEVGSlRRU0JVWlhOMApJRkp2YjNRZ1EwRXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDNm42SXZKY09JCnk5eTR4NFlabGNEWVdHQU5abi81OGFRcS8rcS8ySU9oZXFIN3BmcWYwMEZyWm1URnpYUVRJNGtvUFVPcGFnWU0KRVNHNk1MbGdXN2FrQ25BM1Y1ZHVFdkdCSmdBUjZGbGRhaXdkSE1xV0JLTGI1cHZvQzIvdWN6U05pZStwRWlkUQp1aitPaDVNd1VDSld4NG4yZkxvSk1UUDRMYjFueEZRWHpDalJNV0oxdzNwTSszbURZSnp2TEZoVjJVcjdRQkFkCkpqR0dQQ3ByRGRSRWZ6YW5tN0pnNW1GdGR0Yk1QUG9iTVZES1JpQ3ZmWExhdkU0VWV1cEpGMlJkZzUzMHRwYUoKTWI2bSsrT3NGTU40c0hxMEhVWWlZSXdldGRteFkzVzJkcEtKam1MN3BQUHByY3BuSHFjaTlhM04zMmFqY2xwVgpaN2MwamZ1d0N3ays2RUZZUk5tQ2tLRWtNclNlOHdyOHR1SDRGWXdoVFFDc0ZRZUFXVWFXelNsMjlJZWxteDM4Ck90K2czYVV3OExabHRaek1ZaGFrMjU3Yng0THFmcjIzZWRqejJnNDUvREVrNUgyL3pzdkVHbndxNzN4dHBBSloKclpIU3FndWd3UHFMaEN4S3M5M2FidVNoTWFzOTJDTDdqdUFwNEZqWXpqQlM4NXFRbkhoeFZGemlHb3l2dFVVMwpZUzZaTmFlOTZLYmdXN0tqZDcyaS93ZlVOSktkRjJRQUtXSUpZTDgwYlE5bTJ3K3NMNlROZC90UkczT1hXSkhECnByS1JUWUtpVzJuWnhEb1g0Q2xzTk1XajJpS1BhR3RibDZ0bVpwUkxadGpzOHM5bEFpTkJRZDBYcXRUc3l5ci8KMys4QWZuaHMrREc1NUE0LzkxRGRhWGxEQTRVYnBqWnBEUUlEQVFBQm80SUJBVENCL2pBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkF6Q0J1QVlEVlIwZ0JJR3dNSUd0TUlHcUJnVXFBd1FGCkJqQ0JvREE0QmdnckJnRUZCUWNDQVJZc2FIUjBjSE02THk5amNITXVkR1Z6ZEM1bWNtVnFZV1ZwWkM1amIyMHYKWTNCekwybHVaR1Y0TG1oMGJXd3daQVlJS3dZQkJRVUhBZ0l3V0F4V1ZHaHBjeUJqWlhKMGFXWnBZMkYwWlNCbwpZWE1nWW1WbGJpQnBjM04xWldRZ0lHbHVJR0ZqWTI5eVpHRnVZMlVnZDJsMGFDQjBhR1VnUm5KbGFtRWdaVWxFCklGUkZVMVFnVUc5c2FXTjVJRU52Ym5SeWIyd3dIUVlEVlIwT0JCWUVGTXF3N0xsWHc1dzlyVG1LRS9yd05icnMKREhlS01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk9HSTJZNHVYUWVBTVNzd0VTc0lzYkY0UmxrdklRaUdDZAprd3Q3T3pwZmlSY09Rbmt4bTlybHBkUHRDN01halZJNm93dFp3VDZCU0cwam15VUZMaWhwNFZCMDJWTTAyeGtjCllzU0QvNThWK0dmLzFpRWpnUWduTmp6OVo1YlVSR1VpUEs5VFdyY2hpN0UyTUxseVNlSEFFSlVVMXU1aHdVMFYKKzBoUTRTK0VFWkJZZk9WNVdhb0ZtYTJZWEZUU1NDSHR6bUcrT01oSXRnZXZKRnQrT0x5bU9UZXd1Rjd2NHZjUApQVnlVQjlpRWdhd0V3cGpKRUJ0YXhrbUlhSnY0Si9jOTJLS0hjVEt4cjhFYVBmT2w0dDNVQ0htUUxnbkNFRy8zCkhuNktnTnNINlJDT21ab2pkVGY1dndRWjJCN0FjYlZvelUvbm9KWjFvNkM0b1J0NVBrVEVkU25BbVg4cGY0TW4KTlhZbXhQcFhFN0tsRWF6THg5cG9CR1ZvYkNuMFgzRisxQTVwRUhmWThPeS9FT0tjMytac3dXMjk0QXVXQ3MvbgpIbGFtV1BTK2pxTktXM3Fqak5LNkZaczcySUVDdWY5T1NONUJ2RHJVc1c0NGIwWTZvR0lVZXZPdGV4QVhpQldWClNLVDlHc29qcmxZMzZYME8zK2xra3F0VzRhZWExMXFpM29Heis5aVhjUFFlZUQ3a2dma3N6U1lLa245V0IxWVQKai9scFpUbGY5RGx4QTUrK3V1M0dycHg3cVJkQ2xFYkRmNVEySExJU1dWd2lyb2N5U0d6aDR3QUNGSGk2aVFqbgpzcm56SHU5NjhNdE9uTjZGUXQ5elBaeGFSWXJ6THBWLzl5eWFoOWpZWXVMRklHamUreXpBbjVNOE9SVjVwMUF0CkZ2alRSZkg1b0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlHT0RDQ0JDQ2dBd0lCQWdJVWR4T0NNMFNoWUdTUkg2dUhSTVhqOWJLa2dWNHdEUVlKS29aSWh2Y05BUUVMCkJRQXdVVEVMTUFrR0ExVUVCaE1DVTBVeEV6QVJCZ05WQkFvVENsWmxjbWx6WldNZ1FVSXhFakFRQmdOVkJBc1QKQ1VaeVpXcGhJR1ZKUkRFWk1CY0dBMVVFQXhNUVVsTkJJRlJsYzNRZ1VtOXZkQ0JEUVRBZUZ3MHhOekExTVRjeApORFF5TlRKYUZ3MHlOekExTVRjeE5EUXlOVEphTUlHRE1Rc3dDUVlEVlFRR0V3SlRSVEVTTUJBR0ExVUVCeE1KClUzUnZZMnRvYjJ4dE1SUXdFZ1lEVlFSaEV3czFOVGt4TVRBdE5EZ3dOakVkTUJzR0ExVUVDaE1VVm1WeWFYTmwKWXlCR2NtVnFZU0JsU1VRZ1FVSXhEVEFMQmdOVkJBc1RCRlJsYzNReEhEQWFCZ05WQkFNVEUxSlRRU0JVUlZOVQpJRWx6YzNWcGJtY2dRMEV3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFNVaEdECkhIcHFocDlPbUEyZjhIaktIZCtKSkR0ZXhyVlFldHladWpaZmlnOFVWNnk4NW5FY0F3N0ZoMWtFRzlJM0pIZS8KUE5tQkwveTlOYVJicXl3Z1I4ZXZVMGw1d1NCbGV2R2VsejlIK25lR1ZFRnZLa0htRk92cjdmN2M1YlZXYS9VUgp6VG1DZldBb2xLdlkrQXdLbElrZFRFMWVwdG44TTk0MFlGdlVVTEJoTGFEU1pYTmh2djZFWlQ5dzJ4VFQ0WnlICndkOGZhTGZFdnRHcysxM0tyQWh1dGFKSllZNlhxMEZuOVE3MXNYL3g1VDdkRzVJblNpRVBZTmdnVzlwUlZreDYKMW1kYnBpejZ3YUdzTnJNbzB3T3lYOC93ZnB0Z1E4MUI0QlVuS1Q4OUYzTk9oOU03WkpOOStzUnRYMGtXTExSWgpTTitSZzFZeTczRDY4QjB4QWdNQkFBR2pnZ0hUTUlJQnp6QU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUCkFRSC9CQWd3QmdFQi93SUJBREJQQmdnckJnRUZCUWNCQVFSRE1FRXdQd1lJS3dZQkJRVUhNQUdHTTJoMGRIQTYKTHk5eWIyOTBZMkZzWVdJek1TNTBaWE4wTG1aeVpXcGhaV2xrTG1OdmJUbzROemMzTDJGa2MzTXZiMk56Y0RBZgpCZ05WSFNNRUdEQVdnQlRLc095NVY4T2NQYTA1aWhQNjhEVzY3QXgzaWpDQnVBWURWUjBnQklHd01JR3RNSUdxCkJnVXFBd1FGQmpDQm9EQTRCZ2dyQmdFRkJRY0NBUllzYUhSMGNITTZMeTlqY0hNdWRHVnpkQzVtY21WcVlXVnAKWkM1amIyMHZZM0J6TDJsdVpHVjRMbWgwYld3d1pBWUlLd1lCQlFVSEFnSXdXQXhXVkdocGN5QmpaWEowYVdacApZMkYwWlNCb1lYTWdZbVZsYmlCcGMzTjFaV1FnSUdsdUlHRmpZMjl5WkdGdVkyVWdkMmwwYUNCMGFHVWdSbkpsCmFtRWdaVWxFSUZSRlUxUWdVRzlzYVdONUlFTnZiblJ5YjJ3d1hRWURWUjBmQkZZd1ZEQlNvRkNnVG9aTWFIUjAKY0RvdkwzSnZiM1JqWVd4aFlqTXhMblJsYzNRdVpuSmxhbUZsYVdRdVkyOXRPamczTnpjdllXUnpjeTlqY214egpMMlp5WldwaFpXbGtYM0p6WVY5eWIyOTBYMk5oTG1OeWJEQWRCZ05WSFE0RUZnUVVhbnlLRDUxd0RoemFYeTJnClBDWmZpT2dWdjV3d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFHekhrRWtWRE1xY0ErR1JUQXZXMk9XMXREWm8KRmxqTSt3MUF1UXozODBrbU1hbUFsNGYrSW13M1VzVDNKaFhQWmFKTlZvZnFQQk8vRmlvb085bVBJZjhqTXhyeApMZm0vcC8ybjlLNDlSWXdnUk5Ed1Z5VzU5YzFIMGp2SGVQcGZhUnRQUzJvdjBlSStRU012azE0L3BoSXYvYmtOCmQrME9WcDBxZ1RWVFR3d0F2VVFKMlA5Y0RLM09JajdIMHZKaGh3N3V4NjZnTk1IZitJbkVScmJ1MFNpNXJRZW0KU2FmYVFUUzZOMFFOdEpWQWFmUllETS9GVE9kUHVsYnhrYmt0eWJqTWlEVHVKM012aHFLdjV6Q1I4bm9Zd0VCUApWcmVQQXZnNmJ3YjBLMWFDQVFtNElzV0JDS0Y0dDZzcWpydmFxLzNqVW8rTTY1VHAwQUtUS240QjhubVR2R3Y5CmxUNFBnc0NUd3dYYklVY1c1cmZzbUU5d1ZwUmZpZUc3R3g2MnlkSFBsSVBrVENoVXpzL2pvanU4c3lrVm5zc0YKMVlEcVFsZ01hMlNwK2t4NWk3ZWlqWDFlamNKaCtwbXVRVFFuWGo2c0RKcnk4MU90cURPN0Q3RGhhVUhmR0xpbAptWHVyQW9sdWptbGw1TWFiZEJFcTNFNFRUZWJ2djZXU05wRVl3UTFTKzhlRSs5c2xMbm1oUjJSU05wV0dEUS9sCld3Rm9Bc1RDakcrZTlmNTdtR1VsbVNlVTZ6RVJJeGllRVI3d01NN0VhcVdhWW82SmJlT2h1c2JkVFUvTG1zeUEKOGZaWXArZ24vRk04V2w4ZWgxcWovR0ljQWREQUlPM2s4bXFBOThzV1I3TXg1dmdkUk5jbXBDdE9ReHhpaWpDNwpNUmJZS2VCazRIT3RYdzllCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdNekNDQkJ1Z0F3SUJBZ0lVUEI0clVxRkZpRzZnNjdhK2NMQ0JDdVRreEdRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VURUxNQWtHQTFVRUJoTUNVMFV4RXpBUkJnTlZCQW9UQ2xabGNtbHpaV01nUVVJeEVqQVFCZ05WQkFzVApDVVp5WldwaElHVkpSREVaTUJjR0ExVUVBeE1RVWxOQklGUmxjM1FnVW05dmRDQkRRVEFlRncweE56QTFNVEF4Ck5ESTJNREJhRncwME56QTFNVEF4TkRJMk1EQmFNRkV4Q3pBSkJnTlZCQVlUQWxORk1STXdFUVlEVlFRS0V3cFcKWlhKcGMyVmpJRUZDTVJJd0VBWURWUVFMRXdsR2NtVnFZU0JsU1VReEdUQVhCZ05WQkFNVEVGSlRRU0JVWlhOMApJRkp2YjNRZ1EwRXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDNm42SXZKY09JCnk5eTR4NFlabGNEWVdHQU5abi81OGFRcS8rcS8ySU9oZXFIN3BmcWYwMEZyWm1URnpYUVRJNGtvUFVPcGFnWU0KRVNHNk1MbGdXN2FrQ25BM1Y1ZHVFdkdCSmdBUjZGbGRhaXdkSE1xV0JLTGI1cHZvQzIvdWN6U05pZStwRWlkUQp1aitPaDVNd1VDSld4NG4yZkxvSk1UUDRMYjFueEZRWHpDalJNV0oxdzNwTSszbURZSnp2TEZoVjJVcjdRQkFkCkpqR0dQQ3ByRGRSRWZ6YW5tN0pnNW1GdGR0Yk1QUG9iTVZES1JpQ3ZmWExhdkU0VWV1cEpGMlJkZzUzMHRwYUoKTWI2bSsrT3NGTU40c0hxMEhVWWlZSXdldGRteFkzVzJkcEtKam1MN3BQUHByY3BuSHFjaTlhM04zMmFqY2xwVgpaN2MwamZ1d0N3ays2RUZZUk5tQ2tLRWtNclNlOHdyOHR1SDRGWXdoVFFDc0ZRZUFXVWFXelNsMjlJZWxteDM4Ck90K2czYVV3OExabHRaek1ZaGFrMjU3Yng0THFmcjIzZWRqejJnNDUvREVrNUgyL3pzdkVHbndxNzN4dHBBSloKclpIU3FndWd3UHFMaEN4S3M5M2FidVNoTWFzOTJDTDdqdUFwNEZqWXpqQlM4NXFRbkhoeFZGemlHb3l2dFVVMwpZUzZaTmFlOTZLYmdXN0tqZDcyaS93ZlVOSktkRjJRQUtXSUpZTDgwYlE5bTJ3K3NMNlROZC90UkczT1hXSkhECnByS1JUWUtpVzJuWnhEb1g0Q2xzTk1XajJpS1BhR3RibDZ0bVpwUkxadGpzOHM5bEFpTkJRZDBYcXRUc3l5ci8KMys4QWZuaHMrREc1NUE0LzkxRGRhWGxEQTRVYnBqWnBEUUlEQVFBQm80SUJBVENCL2pBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkF6Q0J1QVlEVlIwZ0JJR3dNSUd0TUlHcUJnVXFBd1FGCkJqQ0JvREE0QmdnckJnRUZCUWNDQVJZc2FIUjBjSE02THk5amNITXVkR1Z6ZEM1bWNtVnFZV1ZwWkM1amIyMHYKWTNCekwybHVaR1Y0TG1oMGJXd3daQVlJS3dZQkJRVUhBZ0l3V0F4V1ZHaHBjeUJqWlhKMGFXWnBZMkYwWlNCbwpZWE1nWW1WbGJpQnBjM04xWldRZ0lHbHVJR0ZqWTI5eVpHRnVZMlVnZDJsMGFDQjBhR1VnUm5KbGFtRWdaVWxFCklGUkZVMVFnVUc5c2FXTjVJRU52Ym5SeWIyd3dIUVlEVlIwT0JCWUVGTXF3N0xsWHc1dzlyVG1LRS9yd05icnMKREhlS01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk9HSTJZNHVYUWVBTVNzd0VTc0lzYkY0UmxrdklRaUdDZAprd3Q3T3pwZmlSY09Rbmt4bTlybHBkUHRDN01halZJNm93dFp3VDZCU0cwam15VUZMaWhwNFZCMDJWTTAyeGtjCllzU0QvNThWK0dmLzFpRWpnUWduTmp6OVo1YlVSR1VpUEs5VFdyY2hpN0UyTUxseVNlSEFFSlVVMXU1aHdVMFYKKzBoUTRTK0VFWkJZZk9WNVdhb0ZtYTJZWEZUU1NDSHR6bUcrT01oSXRnZXZKRnQrT0x5bU9UZXd1Rjd2NHZjUApQVnlVQjlpRWdhd0V3cGpKRUJ0YXhrbUlhSnY0Si9jOTJLS0hjVEt4cjhFYVBmT2w0dDNVQ0htUUxnbkNFRy8zCkhuNktnTnNINlJDT21ab2pkVGY1dndRWjJCN0FjYlZvelUvbm9KWjFvNkM0b1J0NVBrVEVkU25BbVg4cGY0TW4KTlhZbXhQcFhFN0tsRWF6THg5cG9CR1ZvYkNuMFgzRisxQTVwRUhmWThPeS9FT0tjMytac3dXMjk0QXVXQ3MvbgpIbGFtV1BTK2pxTktXM3Fqak5LNkZaczcySUVDdWY5T1NONUJ2RHJVc1c0NGIwWTZvR0lVZXZPdGV4QVhpQldWClNLVDlHc29qcmxZMzZYME8zK2xra3F0VzRhZWExMXFpM29Heis5aVhjUFFlZUQ3a2dma3N6U1lLa245V0IxWVQKai9scFpUbGY5RGx4QTUrK3V1M0dycHg3cVJkQ2xFYkRmNVEySExJU1dWd2lyb2N5U0d6aDR3QUNGSGk2aVFqbgpzcm56SHU5NjhNdE9uTjZGUXQ5elBaeGFSWXJ6THBWLzl5eWFoOWpZWXVMRklHamUreXpBbjVNOE9SVjVwMUF0CkZ2alRSZkg1b0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
}</p>
The information in the content property is the .cer version of the root and intermediate certificates "Freja eID Production Root", "Freja eID Production Issuing CA" and the corresponding test certificates concatenated into one file. That file has has then been base64 encoded to fit in the content property above
Configuring the authenticator
To protect the MFA Admin application with a Freja eID authentication and a database lookup, use the Advanced view in the Configuration Portal to enter the configuration below. After logging in and navigating to the Advanced view, click the pencil next to the header "Authentication - HTTP". Add the configuration below to the list of authenticator configurations in the opened window, then click "Stage changes" and "Commit changes".
<p>{
"id": "0c18a73e-612a-4ce2-a353-40f60dd4bbf9",
"alias": "freja",
"name": "FrejaEIDAuthenticator",
"displayName": "Freja",
"configuration": {
"pipeID": "68731314-eeb2-4d59-9aaa-79cd9913a320",
"successURL": "/mfaadmin/",
"keyStore": "a9bdfe2c-9a0b-4165-8d6d-0ae3f2ec7d9e"
}
}</p>
Note that the value of the field "pipeID" corresponds to the value of the field "id" of the pipe configuration above, and that the value of the field "keyStore" corresponds to the value of the field "id" of the keystore configuration above.
Configuring the protected resource
To configure the MFA Admin application to be protected by the Freja eID authenticator, use the Advanced view in the Configuration Portal. After logging in and navigating to the Advanced view, locate the MFA Admin module and change the field "auth_redirect_url" to point to the authenticator alias, see below for example configuration.
<p>{
"name" : "com.phenixidentity~phenix-prism",
"enabled" : "true",
"config" : {
"base_url" : "/mfaadmin",
"auth_redirect_url" : "/mfaadmin/authenticate/freja",
"http_configuration_ref" : "bb8aed96-6b34-4850-9741-5c8960094e0f",
"module_refs" : "a2103942-92ce-4259-ba4a-acbe4de209f8,97f3537e-a754-4cc5-b7f2-fce7eec38f33",
"enable_roles" : "true"
}
}</p>
If all the instructions above are carried out correctly, the user will be presented with a login screen for Freja eID when trying to access the /mfaadmin resource on the PAS server.
Requirements
A keystore with a valid certificate is uploaded to the PAS server.
User enrolled for freja e-id.