
SAML - Configuring Siths Eid as an authentication method

The purpose of this document is to describe how to configure PhenixID Authentication Services for federation with SAML2 using Siths Eid as an authentication method.

Simplified Overview

Prerequisites

  • PAS version 4.0 or higher
  • PAS configured according to this instruction: "Federation - Username and password"
  • Inera Siths EID relying party certificate ("förlitande part - certifikat")
  • Inera Siths EID endpoint URL
  • Access to Inera's infrastructure from PhenixID Authentication Services (make sure the calling IP is whitelisted)

Add the Relying Party keystore to the configuration

  1. Follow this guide to import the Inera relying party certificate (in p12 or pfx format) as a keystore
  2. Note the ID of the keystore as the ID will be referred to later in this instruction

Convert the Federation - Username and Password scenario to SAML2SithsEID

1. Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

2. Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAML2SithsEID"

3. Append new parameters (and patch the PAS installation if using version 4.0) according to this instruction.

Keep these values unchanged:

  • pipeID
  • idpID
  • id
  • alias

Use the keystore ID noted in the previous step as the keyStore value.

4. Click Stage changes and commit changes.

Configure the execution flow used for the SAML assertion to suit your needs

  1. Open the Execution flow tab and expand the flow.
  2. Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve).
  3. Expand (Show) the LDAPSearchValve and modify the search filter so that it fetches the user whose serialNumber equals the personal identification number returned by the Siths Eid authentication: filter_template = serialNumber={{request.userPersonalNumber}}
  4. Add a parameter listing the attributes to fetch for the matched LDAP entry: attributes = serialNumber,sAMAccountName
  5. Expand (Show) the AssertionProvider and modify the nameIDAttribute parameter: nameIDAttribute = serialNumber
  6. Click Save

NB! The logic above can be configured differently according to your needs.
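As an added illustration (not PAS code and not its template engine), the Python below renders the filter_template from step 3 the way a defender would want it rendered: the value taken from the Siths Eid authentication is checked against an assumed 12-digit YYYYMMDDNNNN personal number format with a valid Luhn check digit, and RFC 4515-escaped before substitution, so a malformed or wildcard value can never widen the LDAP search. The sample personal number is a constructed test value.

```python
import re

# Stand-in for the filter_template configured on the LDAPSearchValve (assumption: PAS's
# own engine is not reproduced here, only the substitution it performs).
FILTER_TEMPLATE = "serialNumber={{request.userPersonalNumber}}"
PLACEHOLDER = "{{request.userPersonalNumber}}"

# RFC 4515 escaping for values embedded in an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def luhn_ok(ten_digits: str) -> bool:
    """Luhn check over the 10-digit form of a Swedish personal number (YYMMDDNNNC).

    Digits at even positions (0, 2, 4, 6, 8) are doubled, digits of products >9 are
    summed, and the total including the check digit must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(ten_digits):
        n = int(ch)
        if i % 2 == 0:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def validate_personal_number(value: str) -> str:
    """Accept only a 12-digit personal number whose check digit is valid (assumed format).

    Date plausibility is deliberately not checked: coordination numbers add 60 to the
    day and would be rejected by a naive date parse.
    """
    if not re.fullmatch(r"\d{12}", value):
        raise ValueError("personal number must be exactly 12 digits")
    if not luhn_ok(value[2:]):
        raise ValueError("personal number fails the Luhn check")
    return value


def render_filter(user_personal_number: str) -> str:
    """Render the page's filter_template with a validated, escaped personal number."""
    pnr = validate_personal_number(user_personal_number)
    return FILTER_TEMPLATE.replace(PLACEHOLDER, ldap_escape(pnr))


if __name__ == "__main__":
    print(render_filter("198112189876"))  # constructed test personal number
```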

Add trust to Inera Siths Eid SSL certificate for https

1. Check which CA(s) issued the HTTPS (SSL/TLS) certificate presented by the Siths Eid backend URL.

2. Download the CA certificate(s) from Inera

3. Add the CA certificate(s) to the cacerts truststore in PAS using keytool (instructions here)

4. Restart PAS.