Freja eID enrollment - Self service
This guide gives a rough outline of how to configure Freja eID enrollment.
The use case is a user performing a self-service enrollment.
This video will show you how this works.
Add FrejaEIDSAML
Create a FrejaEIDSAML authenticator that will be used to protect the enrollment application.
Configuration
Download and unzip the templates from this zip-file and place them in PAS-FOLDER\overlay\auth-http\files\templates\Freja-enrollment
The alias of the authenticator must be "frejaeidpersonal" for the rest of this guide to apply.
Start by following these instructions.
Configure the keystoreId with a reference to YOUR Freja Keystore.
Configure the loginTemplate parameter with a reference to the login template.
Configure the mode parameter with production_personal.
Configure the attributesToGet parameter with EMAIL_ADDRESS,SSN,BASIC_USER_INFO.
Example:
{
"id": "6491086b-4a36-4803-9a71-887c70d32547",
"alias": "frejaeidpersonal",
"name": "FrejaEIDSAML",
"displayName": "Freja eID personal",
"configuration": {
"pipeID": "ccb06eb0-464a-4bef-95a1-1ee4ce586383",
"idpID": "2a3f19f1-2c0d-45b8-a254-54d1cba107dd",
"keystoreId": "Replace-Value-with-ID-of-Freja-Keystore",
"loginTemplate": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\frejaeid_v2-enrollment.template",
"mode": "production_personal",
"attributesToGet": "EMAIL_ADDRESS,SSN,BASIC_USER_INFO"
},
"created": "2022-05-03T06:43:08.137Z"
}
Configure execution flow
The SAML assertion created by the flow has to use uid as the NameID and carry these additional attributes: adminuser, sn, mail, givenname, pnr, uid
Please look at the following screenshots for an example configuration:
Enrollment App
Authenticators
Add the block below to the Authentication - HTTP bucket.
Replace these strings before committing:

Value to replace | Comment
---|---
Replace-Value-with-DNS-For-Your-Server | The DNS name of your server, e.g. pas.company.org
{
"alias": "frejaenroll",
"name": "Registration",
"id": "frejaenroll",
"configuration": {
"stages": [
{
"pipeid": "FrejaOrgIdEnroll",
"template": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\freja-enroll",
"sessionValues": [
"givenname",
"sn",
"mobile",
"username",
"mail",
"roles",
"adminuser",
"pnrsub",
"pnr",
"uid"
],
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.information.searchuser",
"phxverify.messages.username",
"phxverify.messages.querybox",
"phxverify.messages.or",
"phxverify.messages.logout",
"phxverify.messages.information.title",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.information.choose_method",
"phxverify.messages.cancel",
"phxverify.messages.bid"
],
"templateVariables": {
"searchmethods": [
{
"type": "username",
"title": "phxverify.messages.username"
},
{
"type": "mail",
"title": "phxverify.messages.mail"
},
{
"type": "mobile",
"title": "phxverify.messages.mobile"
}
],
"settings": {
"sp_url": "/frejaenroll/authenticate/frejaenrollsp/"
}
},
"errorTranslation": []
},
{
"pipeid": "phxverify-complete",
"template": "C:\\Program Files\\PhenixID\\Server\\overlay\\auth-http\\files\\templates\\Freja-enrollment\\freja-enroll-complete",
"templateVariables": {
"useBid": ""
},
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.enterotp",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.ot",
"phxverify.messages.otstatus",
"phxverify.messages.sms",
"phxverify.messages.mail",
"phxverify.messages.pp",
"phxverify.messages.cancel",
"phxverify.messages.userverified",
"phxverify.messages.logout",
"phxverify.messages.bid"
],
"sessionValues": [
"givenname",
"sn",
"mobile",
"username",
"mail",
"roles",
"adminuser",
"pnrsub",
"pnr",
"uid"
],
"errorTranslation": []
}
]
}
},
{
"id": "frejaenrollsp",
"alias": "frejaenrollsp",
"name": "SAMLServiceProviderAuthN",
"displayName": "frejaenrollsp IdP",
"configuration": {
"successURL": "/frejaenroll/authenticate/frejaenroll/",
"sp": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll",
"pipeID": "FrejaEnrollSPPipe",
"targetIDP": "https://Replace-Value-with-DNS-For-Your-Server/saml/authenticate/frejaeidpersonal",
"acsUrl": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll/authenticate/frejaenrollsp",
"entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
}
},
SAML SP
Add the block below to the SAML 2 Service Providers bucket.
Replace these strings before committing:

Value to replace | Comment
---|---
Replace-Value-with-DNS-For-Your-Server | The DNS name of your server, e.g. pas.company.org
Replace-Value-with-ID-of-SAML-Signing-Keystore | The ID of the keystore used to sign SAML tokens
{
"id": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll",
"keystoreSign": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
"keystoreEncrypt": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
"entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
}
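Each of the three configuration sections on this page asks you to replace placeholder strings before committing. The check below is an added example written for this page (it is not part of PhenixID or Freja): it walks a parsed configuration fragment and reports, with its JSON path, every string that still carries one of the page's Replace- placeholders. The sample fragment is constructed from the SAML SP block above with the DNS name and signing keystore filled in and two placeholders deliberately left behind.

```python
import json
import re

# Matches the placeholder spellings used on this page:
# Replace-Value-with-..., Replace-Value-With-... and Replace-With-...
PLACEHOLDER = re.compile(r"\bReplace-(?:Value-)?[Ww]ith-")

# Constructed sample (not a working configuration): the SAML SP block with
# the DNS name and signing keystore filled in, two placeholders still present.
SAMPLE_SP_BLOCK = """
{
  "id": "https://pas.example.org/frejaenroll",
  "keystoreSign": "sample-saml-signing-keystore-id",
  "keystoreEncrypt": "Replace-Value-with-ID-of-SAML-Signing-Keystore",
  "entityID": "https://Replace-Value-with-DNS-For-Your-Server/frejaenroll"
}
"""


def find_placeholders(node, path="$"):
    """Walk a parsed JSON value and return (json_path, value) for every
    string that still contains a placeholder, in document order."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_placeholders(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_placeholders(value, f"{path}[{index}]"))
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        hits.append((path, node))
    return hits


def lint_fragment(text):
    """Parse one JSON object, or an array of objects, and report leftovers.
    The blocks on this page are bucket fragments: wrap several comma-separated
    objects in [ ] before passing them here."""
    return find_placeholders(json.loads(text))


if __name__ == "__main__":
    for json_path, value in lint_fragment(SAMPLE_SP_BLOCK):
        print(f"placeholder left at {json_path}: {value}")
```

Run it against each block after editing; an empty result means no placeholder survived. The same walk also reports placeholders nested inside the pipes' string-encoded JSON values, because those values are plain strings to the scanner.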
Pipes
Add the block below to the Pipes bucket.
Replace these strings before committing:

Value to replace | Comment
---|---
Replace-Value-With-Organizaion-Name | Your organization name. This value is displayed to the user when authenticating, e.g. Our Company.
Replace-With-Friendly-Name-Of-UserID | The friendly name of the user ID. This value is displayed to the user when authenticating, e.g. AnvändarID.
Replace-Value-with-ID-of-Freja-Keystore | The ID of the keystore previously uploaded to PAS for communication with the Freja backend
{
"id": "FrejaOrgIdEnroll",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "ItemCreateValve",
"config": {
"dest_id": "user"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "userInfo",
"value": "{\"country\":\"SE\",\"ssn\":\"{{session.pnr}}\"}",
"splitter": "@"
}
},
{
"name": "PropertyStringBase64EncoderValve",
"config": {
"source": "userInfo",
"dest": "userInfob64"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "initAddOrganisationIdRequest",
"value": "{ \"userInfoType\": \"SSN\", \"userInfo\": \"{{item.userInfob64}}\", \"organisationId\": { \"title\": \"Replace-Value-With-Organizaion-Name\", \"identifierName\": \"Replace-With-Friendly-Name-Of-UserID\", \"identifier\": \"{{session.uid}}\" } }",
"splitter": "@"
}
},
{
"name": "PropertyStringBase64EncoderValve",
"config": {
"source": "initAddOrganisationIdRequest",
"dest": "initAddOrganisationIdRequestb64"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "body",
"value": "initAddOrganisationIdRequest={{item.initAddOrganisationIdRequestb64}}",
"splitter": "@"
}
},
{
"name": "HttpPostRequestValve",
"config": {
"url": "https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd",
"body": "{{item.body}}",
"http_crypto_protocol": "TLS",
"trust_all_certs": "true",
"keystore": "Replace-Value-with-ID-of-Freja-Keystore"
}
}
]
},
{
"id": "FrejaEnrollSPPipe",
"valves": [
{
"name": "AssertionConsumer",
"config": {}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"exec_if_expr": "flow.items().isEmpty()"
}
}
]
}
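The FrejaOrgIdEnroll pipe above builds its request in layers: a userInfo JSON document holding the session's pnr, base64-encoded; an initAddOrganisationIdRequest JSON document that embeds that string together with the organisation ID values, base64-encoded again; and finally a form body of the shape initAddOrganisationIdRequest=<base64> posted to the Freja initAdd URL. The script below is an added example written for this page (not PhenixID's valve code or Freja's SDK) that reproduces those steps in Python so the outgoing body can be built and decoded for inspection. The session values are constructed, the numeric check on pnr is an assumption of this example rather than a valve on the page, and the two organisation placeholders are kept exactly as the page spells them.

```python
import base64
import json

# Constructed sample session values (assumed, not from the page): the pipe
# reads {{session.pnr}} and {{session.uid}} from the session that
# SessionLoadValve loads after the user has authenticated with Freja eID.
SAMPLE_SESSION = {"pnr": "199001011234", "uid": "anna.andersson"}

# The two placeholders exactly as they appear in the page's pipe definition.
ORG_NAME = "Replace-Value-With-Organizaion-Name"
ID_NAME = "Replace-With-Friendly-Name-Of-UserID"

# Endpoint used by HttpPostRequestValve on the page.
FREJA_INIT_ADD_URL = "https://services.prod.frejaeid.com/organisation/management/orgId/1.0/initAdd"


def b64(text):
    """Equivalent of PropertyStringBase64EncoderValve: base64 of the UTF-8 bytes."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text):
    return base64.b64decode(text.encode("ascii")).decode("utf-8")


def build_init_add_body(session, org_name, identifier_name):
    """Produce the same form body that the FrejaOrgIdEnroll pipe posts.

    Valve by valve: userInfo JSON -> base64 -> embedded as "userInfo" in the
    initAddOrganisationIdRequest JSON -> base64 -> "initAddOrganisationIdRequest=<b64>".
    """
    pnr = session["pnr"]
    # Added sanity check (an assumption of this example, not a valve on the
    # page): an empty or non-numeric pnr would otherwise be sent to Freja unnoticed.
    if not pnr or not pnr.isdigit():
        raise ValueError(f"session.pnr is not numeric: {pnr!r}")
    user_info = json.dumps({"country": "SE", "ssn": pnr}, separators=(",", ":"))
    request = {
        "userInfoType": "SSN",
        "userInfo": b64(user_info),
        "organisationId": {
            "title": org_name,
            "identifierName": identifier_name,
            "identifier": session["uid"],
        },
    }
    return "initAddOrganisationIdRequest=" + b64(json.dumps(request))


def decode_init_add_body(body):
    """Reverse both base64 layers so the outgoing request can be inspected,
    for example when checking what the pipe actually sends."""
    name, sep, value = body.partition("=")  # base64 padding '=' only appears at the end
    if name != "initAddOrganisationIdRequest" or not sep:
        raise ValueError("not an initAddOrganisationIdRequest body")
    request = json.loads(unb64(value))
    request["userInfo"] = json.loads(unb64(request["userInfo"]))
    return request


if __name__ == "__main__":
    body = build_init_add_body(SAMPLE_SESSION, ORG_NAME, ID_NAME)
    print("POST", FREJA_INIT_ADD_URL)
    print(body)
    print(json.dumps(decode_init_add_body(body), indent=2))
```

The example only builds and decodes the body; it does not send anything. Note that the page's HttpPostRequestValve is configured with trust_all_certs set to "true", which turns off verification of the Freja backend's TLS certificate for that call, while the keystore parameter supplies the client certificate Freja uses to identify your organisation.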