• PAS version 4.0 or higher
• PAS configured according to this instruction: "Federation - Username and password"
• Inera Siths EID relying party certificate ("förlitande part - certifikat")
• Inera Siths EID endpoint URL
• Access to Ineras infrastructure from the PhenixID Authentication Services (make sure the calling IP is whitelisted)

1. Follow this guide to import the Inera relying party certificate (in p12 or pfx format) as a keystore
2. Note the ID of the keystore as the ID will be referred to later in this instruction

1. Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

2. Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAML2SithsEID"

3. Append new parameters (and patch the PAS installation if using version 4.0) according to this instruction.

Keep these values unchanged:

- pipeID

- idpID

- id

- alias

Use the keystore ID fetched in previous step as the keyStore value.

4. Click Stage changes and commit changes.

1. Open the Execution flow tab and expand the flow.
2. Delete the valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve)
3. Expand (Show) the LDAPSearchValve and modify the search filter to fetch users where serialNumber=<PersonalIdentificationNumber From the Siths Eid Authentication>: filter_template = serialNumber={{request.userPersonalNumber}}
4. Add a parameter for attributes to fetch for the matched LDAP entry: attributes = serialNumber,sAMAccountName
5. Expand (Show) the AssertionProvider and modify nameIDAttribute parameter: nameIDAttribute = serialNumber
6. Click Save

NB! The logic above can be configured differently according to your needs.

1. Based on the siths eid backend url, control the CA(s) of the https-ssl-certificate.

2. Download the CA certificate(s) from Inera

3. Add the CA certificate(s) to cacerts truststore in PAS using keytools (instructions here)

4. Restart PAS.