SAML2SithsEID

Authenticate using Siths EID (card or app).

The Siths EID authenticator supports two different scenarios:

  • Starting Siths EID on the same device.
  • Starting Siths EID using a QR code.

Each method must be enabled through configuration (the methods listed under templateVariables).


On successful authentication, these parameters will be added to the request sent to the connected pipe:

  • userPersonalNumber - The end user personal number (SSID)
  • userCertificate - The full user certificate (PEM formatted)

Properties

Name: idpID
  Description: The internal identifier of the IdP used
  Default value: N/A
  Mandatory: Yes

Name: pipeID
  Description: ID of the pipe to be executed on successful authentication
  Default value: N/A
  Mandatory: Yes

Name: samlAuthMethod
  Description: The value to be set in the AuthnContextClassRef of the SAML assertion
  Default value: urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
  Mandatory: No

Name: keyStore
  Description: ID of the key store used to communicate with the Siths eID backend
  Default value: N/A
  Mandatory: Yes

Name: sithseidURL
  Description: The root URL of the Siths EID backend
  Default value: N/A
  Mandatory: Yes

Name: rfc2253Issuers
  Description: List of trusted SITHS eID issuers (issuer DNs in RFC 2253 string form)
  Default value:
    [
      "CN=TEST SITHS e-id Person HSA-id 3 CA v1,O=Inera AB,C=SE",
      "CN=TEST SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
      "CN=TEST SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE",
      "CN=CGI Test Root CA,OU=Test,O=CGI,ST=Jamtland,C=SE",
      "CN=SITHS Type 1 CA v1,O=Inera AB,C=SE",
      "CN=SITHS Type 1 CA v1 PP,O=Inera AB,C=SE"
    ]
  Mandatory: No

Name: loginTemplate
  Description: Template used for rendering the user facing UI
  Default value: sithseid.template
  Mandatory: No

Name: templateVariables
  Description: Parameters that control the GUI rendering. "methods" defines the user options to present (sd = same device, qr = QR code)
  Default value: N/A
  Mandatory: Yes

Name: organizationName
  Description: The header text displayed in the Siths EID client during authentication
  Default value: N/A
  Mandatory: Yes

Example Configuration

	{
		"id": "c48b7a22-21c9-44f2-b606-6bd000db60fe",
		"alias": "siths-eid-test",
		"name": "SAML2SithsEID",
		"displayName": "siths-eid-test",
		"configuration": {
			"keyStore": "5ca8fb2f-bb98-48eb-a1fd-f1e89879fd50",
			"pipeID": "e9acc237-0357-4d8e-b68d-c487b2b987d4",
			"idpID": "2a9b1517-c8ef-47cc-a2f2-783076e124dc",
			"sithseidURL": "https://secure-authservice.idp.ineratest.org",
			"samlAuthMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig",
			"organizationName": "PhenixID Authentication Services",
			"templateVariables": {
				"methods": [
					{
						"image": "/authenticate/res/images/sithseid/sithseid.png",
						"data-toggle-action": "SD",
						"title": "sithseid.messages.option_label_sd"
					},
					{
						"image": "/authenticate/res/images/sithseid/sithseid-qrc.png",
						"data-toggle-action": "QR",
						"title": "sithseid.messages.option_label_qr"
					}
				]
			},
			"translation": [
				"sithseid.messages.title_starting",
				"sithseid.messages.title_current_device",
				"sithseid.messages.title_mobile_device",
				"sithseid.messages.title_qrcode",
				"sithseid.messages.text_starting",
				"sithseid.messages.text_current_device",
				"sithseid.messages.text_mobile_device",
				"sithseid.messages.text_qrcode",
				"sithseid.messages.input_personal_number",
				"sithseid.messages.button_submit",
				"sithseid.messages.button_start_over",
				"sithseid.messages.button_start_manually",
				"sithseid.messages.info_bankid_link_creation_app",
				"sithseid.messages.info_bankid_url_link_redirection_success_app",
				"sithseid.messages.info_open_app",
				"sithseid.messages.info_rediection_app",
				"sithseid.messages.info_verified_app",
				"sithseid.messages.info_qrcode_scanned_app",
				"sithseid.messages.error_bad_personal_number",
				"sithseid.messages.error_cancellation",
				"sithseid.messages.error_request",
				"sithseid.messages.changeLanguage"
			],
			"loginTemplate": "sithseid.template"
		},
		"created": "2021-01-04 11:02:13.461"
	}
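The property table and the example configuration above together define what a valid authenticator configuration looks like. The following Python check is an added example, not code from PhenixID Authentication Services; it applies the documented defaults, rejects a configuration that lacks a mandatory property or enables an undocumented method, and flags the fact that the default rfc2253Issuers list trusts TEST CAs, which a production deployment must override. The sample configuration is constructed here, mirroring the example on the page, and the warning texts are this example's own.

```python
import json

# Default trusted issuers from the property table above (TEST CAs only).
DEFAULT_ISSUERS = [
    "CN=TEST SITHS e-id Person HSA-id 3 CA v1,O=Inera AB,C=SE",
    "CN=TEST SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
    "CN=TEST SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE",
    "CN=CGI Test Root CA,OU=Test,O=CGI,ST=Jamtland,C=SE",
    "CN=SITHS Type 1 CA v1,O=Inera AB,C=SE",
    "CN=SITHS Type 1 CA v1 PP,O=Inera AB,C=SE",
]

# name -> (mandatory, default value), taken from the property table.
PROPERTIES = {
    "idpID": (True, None),
    "pipeID": (True, None),
    "samlAuthMethod": (False, "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"),
    "keyStore": (True, None),
    "sithseidURL": (True, None),
    "rfc2253Issuers": (False, DEFAULT_ISSUERS),
    "loginTemplate": (False, "sithseid.template"),
    "templateVariables": (True, None),
    "organizationName": (True, None),
}

# The two documented scenarios: same device (SD) and QR code (QR).
ALLOWED_METHODS = {"SD", "QR"}


def check_configuration(authenticator):
    """Return (effective configuration, warnings).

    Raises ValueError when a mandatory property is missing or a method is unknown.
    """
    conf = dict(authenticator.get("configuration", {}))
    warnings = []

    for name, (mandatory, default) in PROPERTIES.items():
        if name not in conf:
            if mandatory:
                raise ValueError(f"missing mandatory property: {name}")
            conf[name] = default

    # The backend URL carries the authentication session; require https.
    if not str(conf["sithseidURL"]).startswith("https://"):
        warnings.append("sithseidURL is not https")

    methods = conf["templateVariables"].get("methods", [])
    if not methods:
        raise ValueError("templateVariables.methods must list at least one method")
    for method in methods:
        action = method.get("data-toggle-action")
        if action not in ALLOWED_METHODS:
            raise ValueError(f"unknown method {action!r}; expected one of {sorted(ALLOWED_METHODS)}")

    # Any TEST issuer left in the trust list means test-issued cards/apps are accepted.
    if any("TEST" in dn.upper() for dn in conf["rfc2253Issuers"]):
        warnings.append("rfc2253Issuers trusts TEST CAs; configure production issuers")

    return conf, warnings


# Constructed sample mirroring the example configuration on the page
# (rfc2253Issuers deliberately omitted so the default applies).
SAMPLE = json.loads("""
{
  "name": "SAML2SithsEID",
  "configuration": {
    "keyStore": "5ca8fb2f-bb98-48eb-a1fd-f1e89879fd50",
    "pipeID": "e9acc237-0357-4d8e-b68d-c487b2b987d4",
    "idpID": "2a9b1517-c8ef-47cc-a2f2-783076e124dc",
    "sithseidURL": "https://secure-authservice.idp.ineratest.org",
    "organizationName": "PhenixID Authentication Services",
    "templateVariables": {
      "methods": [
        {"data-toggle-action": "SD", "title": "sithseid.messages.option_label_sd"},
        {"data-toggle-action": "QR", "title": "sithseid.messages.option_label_qr"}
      ]
    }
  }
}
""")

if __name__ == "__main__":
    effective, warns = check_configuration(SAMPLE)
    print("loginTemplate:", effective["loginTemplate"])
    for w in warns:
        print("WARNING:", w)
```

Run it against an exported authenticator definition before deploying; a clean run prints the resolved loginTemplate and no warnings, while the sample above warns because it relies on the default TEST issuer list.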

Requirements

  • A Siths eID key store issued by an authorized issuer
  • The PAS IP address whitelisted so that it can communicate with the Siths eID backend URL
  • A Siths eID client with an enrolled user certificate
  • The CA certificates of the Siths eID backend URL's TLS (https) certificate added to the cacerts trust store

Adding trust to production SITHS CAs

Configure the rfc2253Issuers parameter to trust the production SITHS CAs:

	"rfc2253Issuers": [
		"CN=SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
		"CN=SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE"
	]
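Whether a user certificate is accepted comes down to whether its issuer DN matches an entry in rfc2253Issuers, so the trust list above is the boundary between test-issued and production-issued SITHS credentials. The following Python matcher is an added example, not PhenixID's own comparison logic (the page does not describe how the product compares DNs); it assumes the comparison is a whole-DN match against the configured list and normalises RFC 2253 strings the way a practitioner would expect (backslash escapes honoured, attribute types and values compared case-insensitively, whitespace around separators ignored, RDN order significant). The issuer DNs passed in are constructed samples; multi-valued RDNs joined with "+" are not handled.

```python
def parse_rfc2253(dn):
    """Split an RFC 2253 string into an ordered list of (type, value) pairs.

    Backslash escapes (e.g. "\\," inside a value) are resolved so that an escaped
    comma is not mistaken for an RDN separator. Types are upper-cased and values
    are whitespace-collapsed and case-folded for comparison.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr_type.strip().upper(), " ".join(value.split()).casefold()))
    return rdns


def issuer_is_trusted(issuer_dn, rfc2253_issuers):
    """True if issuer_dn matches one configured issuer exactly (after normalisation)."""
    trusted = {tuple(parse_rfc2253(t)) for t in rfc2253_issuers}
    return tuple(parse_rfc2253(issuer_dn)) in trusted


# Production trust list from the page.
PRODUCTION_ISSUERS = [
    "CN=SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
    "CN=SITHS e-id Person ID Mobile CA v1,O=Inera AB,C=SE",
]

# Constructed issuer DNs as a certificate parser might render them.
SAMPLE_ISSUERS = {
    "prod card, spaces after separators": "CN=SITHS e-id Person ID 3 CA v1, O=Inera AB, C=SE",
    "prod mobile, lower-case country": "cn=SITHS e-id Person ID Mobile CA v1,o=Inera AB,c=se",
    "test card": "CN=TEST SITHS e-id Person ID 3 CA v1,O=Inera AB,C=SE",
    "escaped comma in CN": "CN=SITHS e-id Person ID 3 CA v1\\, Inera AB,C=SE",
    "same RDNs, different order": "O=Inera AB,CN=SITHS e-id Person ID 3 CA v1,C=SE",
}

if __name__ == "__main__":
    for label, dn in SAMPLE_ISSUERS.items():
        print(f"{label:35s} -> trusted={issuer_is_trusted(dn, PRODUCTION_ISSUERS)}")
```

With the production list configured, the two production issuers match regardless of spacing or case, while the TEST issuer from the default list, a DN whose escaped comma changes its structure, and a re-ordered DN are all rejected.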