SAML - NetID Access Server (NIAS) authentication

The purpose of this document is to describe how to configure PhenixID server for federation with SAML2 using NetID Access Server as an authentication method for PhenixID server.

Overview

https://www.secmaker.com/net-id/software/net-id-access/

NetID Access is a client/server solution with the exact same flow as BankID to serve use cases such as out-of-band SITHS/EFOS authentication and signing, based on a smartcard or a mobile certificate.

Prerequisites

  • PhenixID Server configured according to this instruction: "Federation - Username and password"
  • Commercial agreement with NetID Access Server
  • Access to NetID Access Server infrastructure from the PhenixID Server
  • For authentication using NetID Access on same device, this patch must be applied (for version 3.0, included in later versions).

Convert the Federation - Username and Password scenario to SAMLNias

Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAMLNias".

Click the plus sign next to "Configuration" to add new parameters.

SAMLNias authenticator configuration reference.

Please view this article for SAMLNias configuration assistance and examples.

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve).
  3. Expand (Show) the LDAPSearchValve and modify the search filter to fetch users where serialNumber=<PersonalIdentificationNumber From NetID Access Server>: filter_template = serialNumber={{request.username}}
  4. Add a parameter for attributes to fetch for the matched LDAP entry: attributes = serialNumber,sAMAccountName
  5. Expand (Show) the AssertionProvider and modify nameIDAttribute parameter: nameIDAttribute = serialNumber
  6. Click Save


The above example requires a user database, such as Active Directory, to perform an additional lookup to fetch additional attributes needed for the SAML attribute statement.
In some scenarios no user database is present, and the only information to act on comes from the certificate used for the authentication. The following execution flow example uses the certificate attributes only:

{
  "id": "SAMLNIAS_Pipe",
  "valves": [
    {
      "name": "ItemCreateValve",
      "config": { "dest_id": "result" }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "certToParse",
        "value": "-----BEGIN CERTIFICATE-----\n{{request.certificate}}\n-----END CERTIFICATE-----"
      }
    },
    {
      "name": "CertificateExtractorValve",
      "config": { "cert": "{{item.certToParse}}" }
    },
    {
      "name": "DNSplitterValve",
      "enabled": "true",
      "config": { "source": "{{item.cert_subject}}", "dest_scope": "item" }
    },
    {
      "name": "AssertionProvider",
      "config": {
        "targetEntityID": "PhenixID_IdP",
        "nameIDAttribute": "dn_serialNumber",
        "additionalAttributes": "dn_commonName,dn_organizationName"
      }
    }
  ]
}
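To see what the certificate-only flow produces, here is an added stand-alone emulation (not PhenixID code) of the DNSplitterValve and AssertionProvider steps: it splits a constructed subject DN into dn_* attributes, honouring RFC 4514 escaped commas, and then picks the NameID and attribute statement exactly as the configuration above names them. The dn_* mapping table and the refusal on a missing serialNumber are assumptions of this emulation.

```python
import re

# Constructed sample subject DN in the shape a SITHS/EFOS card certificate
# carries (all values are made up). Note the escaped comma inside the O value.
SAMPLE_SUBJECT = "SERIALNUMBER=199001011234,CN=Anna Andersson,O=Region Exempel\\, AB,C=SE"

# Attribute type -> dn_* name. The names match those referenced by the page's
# AssertionProvider; the table itself is an assumption of this emulation.
TYPE_TO_ATTR = {
    "SERIALNUMBER": "dn_serialNumber",
    "CN": "dn_commonName",
    "O": "dn_organizationName",
    "C": "dn_countryName",
}

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(subject):
    """Return {dn_*: value} for a string subject DN, like the DNSplitterValve step."""
    attrs = {}
    for rdn in _RDN_SPLIT.split(subject):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, value = rdn.split("=", 1)
        key = TYPE_TO_ATTR.get(typ.strip().upper())
        if key is None:
            continue  # attribute types the flow does not use are dropped
        attrs[key] = value.replace("\\,", ",").strip()
    return attrs


def build_assertion_attributes(subject, name_id_attribute="dn_serialNumber",
                               additional_attributes="dn_commonName,dn_organizationName"):
    """Mirror the AssertionProvider config: choose the NameID and the attribute statement."""
    attrs = split_dn(subject)
    if name_id_attribute not in attrs:
        # A certificate without a serialNumber must not produce an assertion with an empty NameID.
        raise ValueError(f"certificate subject lacks {name_id_attribute}; refusing to assert")
    statement = {a: attrs[a] for a in additional_attributes.split(",") if a in attrs}
    return {"nameID": attrs[name_id_attribute], "attributes": statement}


if __name__ == "__main__":
    print(build_assertion_attributes(SAMPLE_SUBJECT))
```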