Create SAML metadata for Sweden Connect using PhenixID Authentication Services as IdP

This document describes how to set up PhenixID Authentication Services as an IdP against the Sweden Connect federation. It also describes the manual changes to the exported metadata that are required before the IdP can join the federation.

The reader of this document should have some basic knowledge about PhenixID Server.

System requirements

- PhenixID Server v 4.0 or higher installed.

Setup PhenixID Authentication Services as Identity Provider

  • Login to Configuration Manager
  • Set up a SAML Identity Provider using Scenarios->Federation. Follow the steps in the guide. (NameID and additional attributes can be left at their defaults.)
  • Once created, click on the created IdP and then the tab Identity Provider.
  • Change these settings:


  1. Set the Post SLO URL to https://<your_phenixID_domain>/saml/authenticate/logout/
  2. Set the Redirect SSO URL to the same value as Post SSO URL
  3. Select Require Signed Requests. Set Organization display name, name and URL.
  • Click Save
  • Copy the entityID value of the IdP
  • Click Advanced
  • Click on the pen to the right of SAML Identity Providers
  • Search for the entityID value copied in previous step
  • Add contact person(s) for the IdP by adding the following keys to the IdP object. (Change the values to suit your environment; every address below is a placeholder.)
  "adminContact": [
    {
      "givenName": "admin",
      "sn": "admin",
      "mail": "[email protected]"
    }
  ],
  "supportContact": [
    {
      "givenName": "support",
      "sn": "support",
      "mail": "[email protected]"
    }
  ],
  "billingContact": [
    {
      "givenName": "billing",
      "sn": "billing",
      "mail": "[email protected]"
    }
  ],
  "otherContact": [
    {
      "givenName": "other",
      "sn": "other",
      "mail": "[email protected]"
    }
  ],
  "techContact": [
    {
      "givenName": "tech",
      "sn": "tech",
      "mail": "[email protected]"
    }
  ]

Full example:

  • Click Stage changes and Commit changes

Alter metadata

  • Open the IdP metadata in a browser (log in to Configuration Manager, Scenarios->Federation->your IdP->Identity Provider->View SAML Metadata).
  • Save the IdP metadata to an XML file. All edits below are made to this file; the running IdP configuration is not changed.

Remove signature

  • Open the IdP metadata file in a text editor.
  • Remove the whole ds:Signature element (the first child of md:EntityDescriptor). The enveloped signature covers the entire document, so it would no longer validate after the edits below in any case; the federation operator signs the aggregated metadata it publishes, and that is the signature relying parties verify.
  • Save the file.

Add KeyDescriptor for encryption

  • Open the IdP metadata file in a text editor.
  • Copy the whole md:KeyDescriptor element (the one with use="signing").
  • Paste the copied content directly below the closing </md:KeyDescriptor>.
  • In the newly pasted content, change use="signing" to use="encryption". This declares the same certificate for both uses, so the IdP decrypts with the same private key it signs with.
  • Save the file.

Add swedish organization name

  • Open the IdP metadata file in a text editor.
  • Locate the <md:OrganizationName> element inside <md:Organization>.
  • Copy the element.
  • Paste it directly after the original.
  • In the newly pasted content, change xml:lang="en" to xml:lang="sv" and translate the name.
  • Save the file.

Add NameID format declarations

  • Open the IdP metadata file in a text editor.
  • Between the SingleLogoutService and the SingleSignOnService elements (the position the metadata schema requires for NameIDFormat), add these lines:
<md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  • Save the file.

Add EntityAttributes

  • Open the IdP metadata file in a text editor.
  • Add these lines as the first child of the EntityDescriptor element (where the ds:Signature used to be). Keep only the assurance-certification values your IdP actually holds, and only the entity categories it can serve; loa3-pnr declares LoA 3 with the personal identity number attribute set.
<md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://id.elegnamnden.se/loa/1.0/loa1</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://id.elegnamnden.se/loa/1.0/loa2</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://id.elegnamnden.se/loa/1.0/loa3</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://id.elegnamnden.se/ec/1.0/loa3-pnr</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  • Save the file.

Add mdui:UIInfo

  • Open the IdP metadata file in a text editor.
  • Add these lines as the first child of the IDPSSODescriptor element, before the first KeyDescriptor. UIInfo must be wrapped in md:Extensions; if the IDPSSODescriptor already has an md:Extensions element, put the mdui:UIInfo inside that one instead:
<md:Extensions>
  <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
    <mdui:DisplayName xml:lang="en">PhenixID</mdui:DisplayName>
    <mdui:DisplayName xml:lang="sv">PhenixID</mdui:DisplayName>
    <mdui:Logo width="76" height="66">https://testlab.phenixid.net/authenticate/res/images/default.png</mdui:Logo>
    <mdui:Description xml:lang="sv">PhenixID IdP</mdui:Description>
    <mdui:Description xml:lang="en">PhenixID IdP</mdui:Description>
  </mdui:UIInfo>
</md:Extensions>
  • Change the DisplayName, Description and Logo values to suit your environment.
  • Save the file.
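The six hand edits above are easy to get wrong in a text editor, and the usual failure is not a typo but an element in the wrong place, which the federation's schema validation rejects. The script below is an added example, not PhenixID's or Sweden Connect's code: it applies the same six edits with the Python standard library, inserts each element at the position the SAML 2.0 metadata schema requires, and refuses to emit a file whose children are out of order. The sample metadata, entityID, URLs, certificate and organization names in it are constructed placeholders.

```python
"""Apply the Sweden Connect edits described above to an exported PhenixID IdP
metadata file, keeping the child order the SAML 2.0 metadata schema requires.
Added example, not PhenixID or Sweden Connect code; all sample values are constructed."""
import copy
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for _p, _u in NS.items(): ET.register_namespace(_p, _u)   # keep conventional prefixes on output
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
XS = "http://www.w3.org/2001/XMLSchema"
NAMEID_FORMATS = ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Child order from the metadata schema (Signature is gone, so Extensions comes first).
ENTITY_ORDER = ["Extensions", "IDPSSODescriptor", "Organization", "ContactPerson"]
IDP_ORDER = ["Extensions", "KeyDescriptor", "Organization", "ContactPerson", "ArtifactResolutionService",
             "SingleLogoutService", "ManageNameIDService", "NameIDFormat", "SingleSignOnService"]

# Constructed stand-in for what PhenixID exports (placeholder entityID, URLs, certificate).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
 <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/authenticate/logout/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/authenticate/idp"/>
 </md:IDPSSODescriptor>
 <md:Organization>
  <md:OrganizationName xml:lang="en">Example Organisation</md:OrganizationName>
 </md:Organization>
</md:EntityDescriptor>"""

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def local(el):
    # Local name of an md:* child; None for a foreign element, which is out of place here.
    return el.tag.split("}", 1)[1] if el.tag.startswith("{%s}" % NS["md"]) else None

def extensions_of(el):
    ext = el.find("md:Extensions", NS)
    if ext is None:                                   # Extensions must be the first child
        ext = ET.Element(q("md", "Extensions"))
        el.insert(0, ext)
    return ext

def in_schema_order(el, order):
    ranks = [order.index(local(c)) if local(c) in order else -1 for c in el]
    return -1 not in ranks and ranks == sorted(ranks)

def prepare_for_sweden_connect(xml_text, org_name_sv, loas, categories, ui):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    for sig in root.findall("ds:Signature", NS):      # 1. every edit below breaks it anyway
        root.remove(sig)
    signing = next(k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") == "signing")
    enc = copy.deepcopy(signing)                       # 2. same certificate, use="encryption"
    enc.set("use", "encryption")
    idp.insert(list(idp).index(signing) + 1, enc)
    org = root.find("md:Organization", NS)             # 3. Swedish organization name
    en = org.find("md:OrganizationName", NS)
    sv = copy.deepcopy(en)
    sv.set(XML_LANG, "sv")
    sv.text = org_name_sv
    org.insert(list(org).index(en) + 1, sv)
    pos = list(idp).index(idp.find("md:SingleSignOnService", NS))   # 4. after SLO, before SSO
    for i, fmt in enumerate(NAMEID_FORMATS):
        idp.insert(pos + i, ET.Element(q("md", "NameIDFormat")))
        idp[pos + i].text = fmt
    ea = ET.SubElement(extensions_of(root), q("mdattr", "EntityAttributes"))   # 5. EntityAttributes
    for name, values in ((ASSURANCE, loas), (ENTITY_CATEGORY, categories)):
        attr = ET.SubElement(ea, q("saml", "Attribute"), Name=name,
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
        for value in values:                           # only levels/categories the IdP really holds
            ET.SubElement(attr, q("saml", "AttributeValue"),
                          {q("xsi", "type"): "xs:string", "xmlns:xs": XS}).text = value
    info = ET.SubElement(extensions_of(idp), q("mdui", "UIInfo"))   # 6. inside IDPSSODescriptor/Extensions
    for lang in ("en", "sv"):
        ET.SubElement(info, q("mdui", "DisplayName"), {XML_LANG: lang}).text = ui["display"][lang]
        ET.SubElement(info, q("mdui", "Description"), {XML_LANG: lang}).text = ui["description"][lang]
    url, width, height = ui["logo"]
    ET.SubElement(info, q("mdui", "Logo"), width=str(width), height=str(height)).text = url
    if not (in_schema_order(root, ENTITY_ORDER) and in_schema_order(idp, IDP_ORDER)):
        raise ValueError("edited metadata violates the schema's element order")
    return ET.tostring(root, encoding="unicode")

def describe(xml_text):
    """The facts to check before submitting the file to the federation."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {"signed": root.find("ds:Signature", NS) is not None,
            "key_uses": [k.get("use") for k in idp.findall("md:KeyDescriptor", NS)],
            "org_langs": [o.get(XML_LANG) for o in root.iterfind("md:Organization/md:OrganizationName", NS)],
            "idp_children": [local(c) for c in idp],
            "loas": [v.text for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == ASSURANCE
                     for v in a.findall("saml:AttributeValue", NS)],
            "ui_names": [d.text for d in idp.iterfind("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)]}
```

Run it on the real export by reading the saved XML file into prepare_for_sweden_connect with your organization name, the assurance levels you are certified for and your UI texts; describe() on the result shows the same facts a reviewer at the federation will look at, and in_schema_order is what catches a bare mdui:UIInfo placed directly under IDPSSODescriptor.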

Validate the metadata

Using the IdP metadata