How to set up the HTTP API for Freja eID authentication

Overview

The HTTP API for Freja eID authentication lets an API client authenticate users with either a Freja personal eID or a Freja Organization ID.

Prerequisites

- Freja eID test client certificate (for test environments)

- Freja eID customer client certificate (for production environments)

- Access to Freja eID infrastructure from PhenixID Server

- Access to Freja eID infrastructure from Mobile device

- PhenixID Authentication Services (PAS) 4.3 or later installed

Authentication

Add authentication to the API so that only the intended API client can call it; without it, anyone who can reach the endpoint can start and check Freja eID authentications. These authentication methods are supported:

- Client certificate (recommended).
Use a reverse proxy in front of PhenixID Server to require and validate a client certificate, and add valves to the pipe(s) that verify the presented certificate.

- Basic authentication
Add valves to the pipes that verify the HTTP Basic credentials.

Add Freja eID certificate

- Login to configuration manager

- Go to Scenarios->Federation->Keystore

- Add new keystore

- Upload the Freja eID certificate (PKCS#12, .p12 or .pfx) and enter its password

- Click create

- Copy the ID value when created - this value will be used in later steps.

Add local http-api module

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Add this module (if the module already exists, only add the tenant and/or the allowedOperation entries):

{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "tenant": [
      {
        "id": "t1",
        "displayName": "Tenant1",
        "allowedOperation": [
          "freja_eid_start_auth",
          "freja_eid_check_auth"
        ]
      }
    ]
  },
  "id": "authapi_module"
}

- Click Stage Changes and Commit Changes

- Open NODE_GROUPS (click on the pen)

- Add the id of the newly added module (authapi_module) to module_refs, as in the example below. (Skip this step if the module was already added.)

{
  "name": "WIN-DHB3ICNDG4E",
  "description": "Default node (created automatically)",
  "config": {
    "module_refs": "authapi_module,sealapp,signapp_1,......"
  },
  "created": "2017-07-03T11:38:03.135Z",
  "id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
  "modified": "2017-07-03T14:39:43.257Z"
}

- Click Stage Changes and Commit Changes


Add pipes to trigger Freja eID authentication and collect authentication status

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add these pipes. The pipe ids must match the allowedOperation values in the module configuration. Change these properties to suit your environment:

keystoreID -> the ID value of the keystore created in the previous step.

mode -> The desired mode. The example below uses production_personal_auth; the value must match the environment (test or production) of the certificate in the keystore. See the FrejaEIDAuthRequestValve documentation for the available values.

{
  "id": "freja_eid_start_auth",
  "description": "Start auth with Freja eID",
  "valves": [
    {
      "name": "FrejaEIDAuthRequestValve",
      "config": {
        "keystoreID": "<ID value copied in previous step>",
        "mode": "production_personal_auth"
      }
    }
  ]
},
{
  "id": "freja_eid_check_auth",
  "description": "Check Freja eID auth status",
  "valves": [
    {
      "name": "FrejaEIDAuthStatusValve",
      "config": {
        "keystoreID": "<ID value copied in previous step>",
        "mode": "production_personal_auth"
      }
    }
  ]
}

- Click Stage Changes and Commit Changes

Test

Use an HTTP REST client for testing and debugging. Follow this document to structure the HTTP requests properly.
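The Test step says to exercise the API with an HTTP client. The script below is an added example, not code from PhenixID or Freja eID, of such a test client: it authenticates to the API with a client certificate (plus optional Basic credentials, the two options from the Authentication section) and runs the two pipes in order, freja_eid_start_auth once and then freja_eid_check_auth repeatedly until a terminal status arrives or a poll budget is spent. The API path, the request body, the authRef and status field names, and the assumption that the valves pass Freja's own status values through are all assumptions to be checked against the PhenixID HTTP API documentation; scripted_poster is a constructed stand-in for the server so the flow can be run offline.

```python
import base64
import http.client
import json
import ssl
import time
from typing import Callable, Dict, List, Optional, Tuple

# ASSUMPTION: the allowed operations are exposed under a path of this shape.
# Check the PhenixID HTTP API documentation for the real path.
API_PATH = "/api/authentication/{tenant}/{operation}"

# Freja eID's documented result statuses. Which of these the PhenixID valves
# pass through, and under which JSON key, is an ASSUMPTION (status_key below).
PENDING = {"STARTED", "DELIVERED_TO_MOBILE"}
TERMINAL = {"APPROVED", "REJECTED", "EXPIRED", "CANCELED", "RP_CANCELED"}

Poster = Callable[[str, Dict], Dict]


def make_tls_poster(host: str, tenant: str, client_cert_pem: str, client_key_pem: str,
                    ca_file: Optional[str] = None, basic_user: Optional[str] = None,
                    basic_password: Optional[str] = None) -> Poster:
    """Return a POST function that presents a client certificate (mutual TLS,
    the page's recommended option) and, if given, HTTP Basic credentials for
    pipes that carry a basic-auth valve. The cert and key are PEM files; export
    them from a .p12 with: openssl pkcs12 -in c.p12 -clcerts -nokeys -out c.crt
    and: openssl pkcs12 -in c.p12 -nocerts -nodes -out c.key"""
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies the server
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if basic_user is not None:
        token = base64.b64encode(f"{basic_user}:{basic_password or ''}".encode()).decode()
        headers["Authorization"] = "Basic " + token

    def post(operation: str, payload: Dict) -> Dict:
        conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
        try:
            conn.request("POST", API_PATH.format(tenant=tenant, operation=operation),
                         body=json.dumps(payload), headers=headers)
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        if resp.status != 200:
            raise RuntimeError(f"{operation}: HTTP {resp.status}: {body[:200]!r}")
        return json.loads(body)

    return post


def authenticate(post: Poster, start_payload: Dict, ref_key: str = "authRef",
                 status_key: str = "status", interval: float = 2.0,
                 max_polls: int = 60) -> Dict:
    """Start the Freja eID authentication via freja_eid_start_auth, then poll
    freja_eid_check_auth until a terminal status or until max_polls is spent.
    ref_key and status_key are the ASSUMED names of the reference field returned
    by the start pipe and the status field returned by the check pipe."""
    started = post("freja_eid_start_auth", start_payload)
    auth_ref = started[ref_key]
    for _ in range(max_polls):
        result = post("freja_eid_check_auth", {ref_key: auth_ref})
        status = result.get(status_key)
        if status in TERMINAL:
            return result          # caller decides: only APPROVED means success
        if status not in PENDING:
            raise RuntimeError(f"freja_eid_check_auth: unexpected status {status!r}")
        time.sleep(interval)
    raise TimeoutError(f"Freja eID authentication {auth_ref} did not finish in time")


def scripted_poster(check_statuses: List[str]) -> Tuple[Poster, List[Tuple[str, Dict]]]:
    """Constructed stand-in for the PhenixID API so the flow runs offline: the
    start pipe returns a fixed reference and the check pipe returns the scripted
    statuses in order. Every call is recorded so the request sequence can be checked."""
    calls: List[Tuple[str, Dict]] = []
    remaining = list(check_statuses)

    def post(operation: str, payload: Dict) -> Dict:
        calls.append((operation, payload))
        if operation == "freja_eid_start_auth":
            return {"authRef": "ref-0001", "status": "STARTED"}
        if operation == "freja_eid_check_auth":
            return {"authRef": payload["authRef"], "status": remaining.pop(0)}
        raise RuntimeError(f"operation {operation!r} is not an allowedOperation")

    return post, calls


if __name__ == "__main__":
    post, calls = scripted_poster(["STARTED", "DELIVERED_TO_MOBILE", "APPROVED"])
    outcome = authenticate(post, {"userInfo": "user@example.com"}, interval=0)
    print(outcome["status"], "after", len(calls) - 1, "status checks")
```

Against a real server, replace scripted_poster with make_tls_poster("pas.example.com", "t1", "client.crt", "client.key", ...) and pass whatever start payload the FrejaEIDAuthRequestValve expects. Two points matter beyond the happy path: the poll loop is bounded, so a user who never opens the Freja app cannot keep the client waiting forever, and every terminal status is returned to the caller rather than collapsed into a boolean, so REJECTED, EXPIRED and CANCELED are never mistaken for success.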