Freja eID enrollment - Self service

This guide gives a rough outline of how to configure Freja eID enrollment in PhenixID Authentication Services (PAS).

The use case is a user performing a self-service enrollment: after authenticating with their personal Freja eID, the user registers their own Freja eID Organisation ID through the enrollment application described below.


Add FrejaEIDSAML

Create a FrejaEIDSAML authenticator that protects the enrollment application.

Configuration

Download and unzip the templates from this zip file and place them in PAS-FOLDER\overlay\auth-http\files\templates\Freja-enrollment.

The alias of the authenticator must be "frejaeidpersonal" for the configuration in this guide to work: the SAML service provider added below targets /saml/authenticate/frejaeidpersonal.

Start by following the general FrejaEIDSAML configuration instructions, then set the parameters below.

Configure the keystoreId parameter with a reference to YOUR Freja keystore (the keystore uploaded to PAS for communication with the Freja backend).

Configure the loginTemplate parameter with the path to the enrollment login template (frejaeid_v2-enrollment.template in the folder above).

Configure the mode parameter with production_personal.

Configure the attributesToGet parameter with EMAIL_ADDRESS,SSN,BASIC_USER_INFO. The SSN attribute is what the enrollment pipe later sends to Freja as the user's identity, so it must be requested here.

Example:

{
	"id": "6491086b-4a36-4803-9a71-887c70d32547",
	"alias": "frejaeidpersonal",
	"name": "FrejaEIDSAML",
	"displayName": "Freja eID personal",
	"configuration": {
		"pipeID": "ccb06eb0-464a-4bef-95a1-1ee4ce586383",
		"idpID": "2a3f19f1-2c0d-45b8-a254-54d1cba107dd",
		"keystoreId": "Replace-Value-with-ID-of-Freja-Keystore",
		"loginTemplate": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\frejaeid_v2-enrollment.template",
		"mode": "production_personal",
		"attributesToGet": "EMAIL_ADDRESS,SSN,BASIC_USER_INFO"
	},
	"created": "2022-05-03T06:43:08.137Z"
}

Configure execution flow

The SAML assertion created by the execution flow has to use uid as NameID and carry these additional attributes: adminuser, sn, mail, givenname, pnr, uid. The enrollment pipe reads pnr (the SSN) and uid from the session, so both must be present in the assertion.

Please look at the following screenshots for an example configuration:

Enrollment App

Authenticators

Add the block below to the Authentication - HTTP bucket.

Replace these strings before committing:

Value to replace                          Comment
Replace-Value-with-DNS-For-Your-Server    The DNS name of your server, e.g. pas.company.org
{
	"alias": "frejaenroll",
	"name": "Registration",
	"id": "frejaenroll",
	"configuration": {
		"stages": [
			{
				"pipeid": "FrejaOrgIdEnroll",
				"template": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\freja-enroll",
				"sessionValues": [
					"givenname",
					"sn",
					"mobile",
					"username",
					"mail",
					"roles",
					"adminuser",
					"pnrsub",
					"pnr",
					"uid"
				],
				"translation": [
					"phxverify.messages.information.title",
					"phxverify.messages.information.searchuser",
					"phxverify.messages.username",
					"phxverify.messages.querybox",
					"phxverify.messages.or",
					"phxverify.messages.logout",
					"phxverify.messages.information.title",
					"phxverify.messages.givenname",
					"phxverify.messages.snname",
					"phxverify.messages.mobile",
					"phxverify.messages.mail",
					"phxverify.messages.information.choose_method",
					"phxverify.messages.cancel",
					"phxverify.messages.bid"
				],
				"templateVariables": {
					"searchmethods": [
						{
							"type": "username",
							"title": "phxverify.messages.username"
						},
						{
							"type": "mail",
							"title": "phxverify.messages.mail"
						},
						{
							"type": "mobile",
							"title": "phxverify.messages.mobile"
						}
					],
					"settings": {
						"sp_url": "/frejaenroll/authenticate/frejaenrollsp/"
					}
				},
				"errorTranslation": []
			},
			{
				"pipeid": "phxverify-complete",
				"template": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\freja-enroll-complete",
				"templateVariables": {
					"useBid": ""
				},
				"translation": [
					"phxverify.messages.information.title",
					"phxverify.messages.username",
					"phxverify.messages.enterotp",
					"phxverify.messages.givenname",
					"phxverify.messages.snname",
					"phxverify.messages.mobile",
					"phxverify.messages.mail",
					"phxverify.messages.ot",
					"phxverify.messages.otstatus",
					"phxverify.messages.sms",
					"phxverify.messages.mail",
					"phxverify.messages.pp",
					"phxverify.messages.cancel",
					"phxverify.messages.userverified",
					"phxverify.messages.logout",
					"phxverify.messages.bid"
				],
				"sessionValues": [
					"givenname",
					"sn",
					"mobile",
					"username",
					"mail",
					"roles",
					"adminuser",
					"pnrsub",
					"pnr",
					"uid"
				],
				"errorTranslation": []
			}
		]
	}
},
{
	"id": "frejaenrollsp",
	"alias": "frejaenrollsp",
	"name": "SAMLServiceProviderAuthN",
	"displayName": "frejaenrollsp IdP",
	"configuration": {
		"successURL": "/frejaenroll/authenticate/frejaenroll/",
		"sp": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll",
		"pipeID": "FrejaEnrollSPPipe",
		"targetIDP": "https://Replace-Value-with-DNS-For-Your-Server/saml/authenticate/frejaeidpersonal",
		"acsUrl": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll/authenticate/frejaenrollsp",
		"entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
	}
},

SAML SP

Add the block below to the SAML 2 Service Providers bucket.

Replace these strings before committing:

Value to replace                                  Comment
Replace-Value-with-DNS-For-Your-Server            The DNS name of your server, e.g. pas.company.org
Replace-Value-with-ID-of-SAML-Signing-Keystore    The ID of the keystore used to sign SAML tokens
{
	"id": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll",
	"keystoreSign": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
	"keystoreEncrypt": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
	"entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
}

Pipes

Add the block below to the Pipes bucket.

Note that the HttpPostRequestValve in the example sets trust_all_certs to true, which disables validation of the Freja server certificate for the initAdd call. That may be convenient in a lab, but in production set it to false so the TLS certificate of services.prod.frejaeid.com is verified; otherwise the request, which carries the user's SSN, can be intercepted by anyone who can redirect the connection.

Replace these strings before committing:

Value to replace                           Comment
Replace-Value-With-Organizaion-Name        Your organization name. This value is displayed to the user when authenticating, e.g. Our Company.
Replace-With-Friendly-Name-Of-UserID       The friendly name of the user ID. This value is displayed to the user when authenticating, e.g. AnvändarID.
Replace-Value-with-ID-of-Freja-Keystore    The ID of the keystore previously uploaded to PAS for communication with the Freja backend
{
	"id": "FrejaOrgIdEnroll",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "user"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "userInfo",
				"value": "{\"country\":\"SE\",\"ssn\":\"{{session.pnr}}\"}",
				"splitter": "@"
			}
		},
		{
			"name": "PropertyStringBase64EncoderValve",
			"config": {
				"source": "userInfo",
				"dest": "userInfob64"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "initAddOrganisationIdRequest",
				"value": "{ \"userInfoType\": \"SSN\", \"userInfo\": \"{{item.userInfob64}}\", \"organisationId\": { \"title\": \"Replace-Value-With-Organizaion-Name\", \"identifierName\": \"Replace-With-Friendly-Name-Of-UserID\", \"identifier\": \"{{session.uid}}\" } }",
				"splitter": "@"
			}
		},
		{
			"name": "PropertyStringBase64EncoderValve",
			"config": {
				"source": "initAddOrganisationIdRequest",
				"dest": "initAddOrganisationIdRequestb64"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "body",
				"value": "initAddOrganisationIdRequest={{item.initAddOrganisationIdRequestb64}}",
				"splitter": "@"
			}
		},
		{
			"name": "HttpPostRequestValve",
			"config": {
				"url": "https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd",
				"body": "{{item.body}}",
				"http_crypto_protocol": "TLS",
				"trust_all_certs": "true",
				"keystore": "Replace-Value-with-ID-of-Freja-Keystore"
			}
		}
	]
},
{
	"id": "FrejaEnrollSPPipe",
	"valves": [
		{
			"name": "AssertionConsumer",
			"config": {}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		}
	]
}
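The FrejaOrgIdEnroll pipe above builds the Freja request in three string steps: a userInfo JSON that is base64 encoded, an initAddOrganisationIdRequest JSON that embeds that base64 and is itself base64 encoded, and finally the form body initAddOrganisationIdRequest=<base64>. The Python below reproduces that valve chain so you can see, and decode, exactly what the pipe posts. It is an added example and is not PhenixID or Freja code; the session values, the organisation title and the identifier name are constructed placeholders, and the 12-digit check on pnr is an assumption about the SSN format that the valves themselves do not make.

```python
import base64
import json
import re

# Freja Organisation ID endpoint used by the FrejaOrgIdEnroll pipe on this page.
INIT_ADD_URL = "https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd"

# Constructed sample session values (no real person). These are the two session
# keys the pipe reads: pnr from the SSN attribute and uid from the NameID.
SAMPLE_SESSION = {"pnr": "199001011234", "uid": "jdoe"}

# Hypothetical replacements for the two placeholders in the pipe configuration.
ORG_TITLE = "Our Company"
IDENTIFIER_NAME = "AnvändarID"

# Assumption: the SSN Freja expects is a 12-digit personal number (YYYYMMDDNNNN).
SSN_RE = re.compile(r"^\d{12}$")


def b64(text: str) -> str:
    """Equivalent of PropertyStringBase64EncoderValve: UTF-8 string -> base64 string."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_user_info(pnr: str, country: str = "SE") -> str:
    """First PropertyAddValve: the userInfo JSON, with the SSN validated before it is embedded."""
    if not SSN_RE.fullmatch(pnr):
        raise ValueError("pnr must be a 12-digit personal number")
    return json.dumps({"country": country, "ssn": pnr}, separators=(",", ":"))


def build_init_add_request(pnr: str, uid: str, title: str, identifier_name: str) -> str:
    """Second PropertyAddValve: the initAddOrganisationIdRequest JSON with base64 userInfo."""
    request = {
        "userInfoType": "SSN",
        "userInfo": b64(build_user_info(pnr)),
        "organisationId": {
            "title": title,
            "identifierName": identifier_name,
            "identifier": uid,
        },
    }
    # ensure_ascii=False keeps characters such as "ä" as UTF-8, like the valve's string concatenation.
    return json.dumps(request, ensure_ascii=False, separators=(",", ":"))


def build_body(session: dict, title: str, identifier_name: str) -> str:
    """Third PropertyAddValve: the form body that HttpPostRequestValve posts to INIT_ADD_URL."""
    request_json = build_init_add_request(session["pnr"], session["uid"], title, identifier_name)
    return "initAddOrganisationIdRequest=" + b64(request_json)


def decode_body(body: str) -> dict:
    """Reverse both base64 layers, useful when checking what the pipe actually sent."""
    key, sep, value = body.partition("=")
    if not sep or key != "initAddOrganisationIdRequest":
        raise ValueError("unexpected form field")
    request = json.loads(base64.b64decode(value).decode("utf-8"))
    user_info = json.loads(base64.b64decode(request["userInfo"]).decode("utf-8"))
    return {"request": request, "userInfo": user_info}


if __name__ == "__main__":
    body = build_body(SAMPLE_SESSION, ORG_TITLE, IDENTIFIER_NAME)
    print("POST", INIT_ADD_URL)
    print(body)
    print(json.dumps(decode_body(body), ensure_ascii=False, indent=2))
```

The body is concatenated without percent-encoding, exactly as the pipe does, even though base64 output can contain + and / characters; if Freja rejects a request, comparing the decoded output of decode_body with the expected shape is the quickest way to see whether the problem is the encoding or the content (for example a missing pnr in the session).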