SAML2BankID

Authenticate using BankID. Depending on the method used the user may need to enter the personal number. 

BankID authenticator allows for three different scenarios:

  • Starting BankID on the same device.
  • Starting BankID on another device(only v5.1).
  • Starting BankID using a QR code. 

Every method needs to be activated through configuration.

Translate userVisibleData by adding keyword "bankid.translated.userVisibleData" to this field and update language files with the keyword and translations.  

On successful authentication, these parameters will be added to the request sent to the connected pipe:

  • userPersonalNumber  - The end user personal number (SSID)
  • userGivenName  - The end user given name
  • userSurName - The end user family name
  • bid_signature - The signature created in the bankID client during the authentication

Properties

Name Description Default value Mandatory
idpID The internal identifier of the idp used N/A Yes
pipeID ID of the pipe to be executed on successful authentication N/A Yes
samlAuthMethod What value is set in the AuthnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig No
keyStore ID of the key store used to communicate with BankID backend N/A Yes
mode If connecting to BankID test backend set this value to "test". N/A No
version The version of the bankId-api to use v5.1 No
userVisibleData A text that is displayed to the user during authentication with BankID. No
userVisibleDataFormat If present, and set to “simpleMarkdownV1”, this parameter indicates that userVisibleData holds formatting characters No
userNonVisibleData Data not displayed to the user. String No
requirement Requirements on how the auth order must be performed. Json format. No
loginTemplate Template used for rendering the user facing UI bankid.template No
client_ip_request_param The parameter of the http client request holding the value of the requesting client remoteAddress No
certificatePolicy A comma sepearated string of BankdID policies. If this variable is used all other requirements will be ignored(use requirements attribute below if other settings is required) N/A No
sendSAMLResponseOnError Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. false No
strictValidation Whether or not additional validation checks should be made on the SAMLRequest. false No
resolveSAMLRequestProperties Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. false No
useRedirectUrl Whether or not redirect url should be provided when launching the bankid application for ios users. true No

Requirements

The requirement parameter is used to describe how a signature must be created and verified. Add a json(escaped as String) containing one or more of the attributes below to the authenticators configuration.

Name Description Default value version
pinCode New in v6.0. Users are required to sign the transaction with their PIN code, even if they have biometrics activated. false v6.0
allowFingerprint Removed in v6.0. Users of iOS and Android devices may use fingerprint for authentication and signing if the device supports it and the user configured the device to use it. true for authentication. false for signing. v5.1
mrtd Boolean. If present, and set to "true", the client needs to provide MRTD (Machine readable travel document) information to complete the order. Only Swedish passports and national ID cards are supported. false v6.0
certificatePolicies The oid in certificate policies in the user certificate. List of String. N/A v6.0 and v5.1
issuerCn The cn (common name) of the issuer. List of String. N/A v5.1
cardReader "class1" or "class2 determines that a cardReader must be used and a Pin code must be entered. See BankID documentation for further information. no cardReader is required v6.0 and v5.1

Example Configuration

{
        "id": "bidsaml",
        "alias": "bidsaml",
        "name": "SAML2BankID",
        "configuration": {
            "idpID":"samlidp",
            "pipeID": "pipeBID",
            "keyStore": "bankidkeystore",            
            "mode": "test",
            "version": "v6.0",
            "requirement": "{\"certificatePolicies\":[\"1.2.3.4.5\"], \"mrtd\": false}",             
            "userVisibleData": "*This is visible in the BankID application*",
            "userVisibleDataFormat": "simpleMarkdownV1",
            "enableHoneypot": "true",
            "loginTemplate": "bankid.template",
            "translation": [
                "bankid.messages.title_starting",
                "bankid.messages.title_current_device",
                "bankid.messages.title_mobile_device",
                "bankid.messages.title_qrcode",
                "bankid.messages.text_starting",
                "bankid.messages.text_current_device",
                "bankid.messages.text_mobile_device",
                "bankid.messages.text_qrcode",
                "bankid.messages.input_personal_number",
                "bankid.messages.button_submit",
                "bankid.messages.button_start_over",
                "bankid.messages.button_start_manually",
                "bankid.messages.info_bankid_link_creation_app",
                "bankid.messages.info_bankid_url_link_redirection_success_app",
                "bankid.messages.info_open_app",
                "bankid.messages.info_rediection_app",
                "bankid.messages.info_verified_app",
                "bankid.messages.info_qrcode_scanned_app",
                "bankid.messages.error_bad_personal_number",
                "bankid.messages.error_cancellation",
                "bankid.messages.error_request",
                "bankid.messages.changeLanguage"
            ],
            "templateVariables": {
                "methods": [
                    {
                        "title": "bankid.messages.option_label_od",
                        "image": "/authenticate/res/images/icons/phenixid-bankid.png",
                        "data-toggle-action": "OD"
                    },
                    {
                        "title": "bankid.messages.option_label_sd",
                        "image": "/authenticate/res/images/icons/phenixid-bankid.png",
                        "data-toggle-action": "SD"
                    },
                    {
                        "title": "bankid.messages.option_label_qr",
                        "image": "/authenticate/res/images/icons/phenixid-bankid-qr.png",
                        "data-toggle-action": "QR"
                    }
                ]
            }
        }
    }

Requirements

  • A BankID key store issued by an authorized issuer
  • The user must have activated BankID prior to authenticating