PhenixID DocumentationPhenixID Authentication ServicesSolutionsAuthentication flowsSAML - Configuring Swedish BankID as an authentication method for PhenixID server

SAML - Configuring Swedish BankID as an authentication method for PhenixID server

The purpose of this document is to describe how to configure PhenixID server for federation with SAML2 using Swedish BankID as an authentication method for PhenixID server.

Simplified Overview

Simplified Overview

Prerequisites

  • PhenixID Server configured according to this instruction: "Federation - Username and password"
  • BankID test client certificate (FPTestcert2_20150818_102329.pfx will be used for test environments)
  • BankID customer client certificate (for production environments)
  • Access to BankIDs infrastructure from the PhenixID Server
  • Add Trust for the CA of BankID SSL Root CA v1 "Trusting BankID CA"

Add the BankID certificate to the configuration

  1. Rename the BankID certificate from *.pfx to *.p12
  2. Follow this guide to import the BankID certificate as a keystore
  3. Note the ID of this keystore as this will be referred later in this instruction

Convert the Federation - Username and Password scenario to SAML2BankID

Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAML2BankID"

 

Click the pen sign next to "configuration" and add the following configuration

"keyStore": "<reference to the prevously uploaded BankID Keystore>",
"mode": "test",
"userVisibleData" : "",
"templateVariables": {
	"methods": [
		{
			"image": "/authenticate/res/images/bankid/bankid.png",
			"data-toggle-action": "OD",
			"title": "bankid.messages.option_label_od"
		},
		{
			"image": "/authenticate/res/images/bankid/bankid.png",
			"data-toggle-action": "SD",
			"title": "bankid.messages.option_label_sd"
		},
		{
			"image": "/authenticate/res/images/bankid/bankid-qrc.png",
			"data-toggle-action": "QR",
			"title": "bankid.messages.option_label_qr"
		}
	]
},
"enableHoneypot": "false",
"translation": [
	"bankid.messages.title_starting",
	"bankid.messages.title_current_device",
	"bankid.messages.title_mobile_device",
	"bankid.messages.title_qrcode",
	"bankid.messages.text_starting",
	"bankid.messages.text_current_device",
	"bankid.messages.text_mobile_device",
	"bankid.messages.text_qrcode",
	"bankid.messages.input_personal_number",
	"bankid.messages.button_submit",
	"bankid.messages.button_start_over",
	"bankid.messages.button_start_manually",
	"bankid.messages.info_bankid_link_creation_app",
	"bankid.messages.info_bankid_url_link_redirection_success_app",
	"bankid.messages.info_open_app",
	"bankid.messages.info_rediection_app",
	"bankid.messages.info_verified_app",
	"bankid.messages.info_qrcode_scanned_app",
	"bankid.messages.error_bad_personal_number",
	"bankid.messages.error_cancellation",
	"bankid.messages.error_request",
	"bankid.messages.changeLanguage"
],
"loginTemplate": "bankid.template"

Set "mode" = "test" (This parameter should be removed if production environment)

Add userVisibleData or leave empty. Text displayed in the bankId application during authentication.

Click Stage changes

Click Commit changes

Example how this could look once completed

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete the valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve)
  3. Expand (Show) the LDAPSearchValve and modify the search filter to fetch users where serialNumber=<PersonalIdentificationNumber From BankID>: filter_template = serialNumber={{request.userPersonalNumber}}
  4. Add a parameter for attributes to fetch for the matched LDAP entry: attributes = serialNumber,sAMAccountName
  5. Expand (Show) the AssertionProvider and modify nameIDAttribute parameter: nameIDAttribute = serialNumber
  6. Click Save