Local signing - API - Transaction (text) signing using Telia

Prerequisites

- PAS 2.7 or higher installed

- The reader of this document should have some basic knowledge about PhenixID Server.

- Changes will be made to the file phenix-store.json, so please make sure to have a backup of this file.

- Telia signing requires additional end user client software and browser settings. Read more about it at https://www.telia.se/privat/bredband/tjanster/produkt/e-legitimation

Add module for file upload via API

- Login to PhenixID Authentication Services - Configuration manager

- Click on the tab Advanced

- Click on the pen to the right of Modules

- Append the files module to the list:

{
  "name": "com.phenixidentity~phenix-files",
  "enabled": "true",
  "id": "files_api",
  "config": {
    "read_only": "false",
    "name": "integration_dev_telia",
    "auth_method": "pipe",
    "auth_pipe": "files_auth_01",
    "http_configuration_ref": "441b0aad-534e-4cad-8151-130955913c08",
    "store_impl": "com.phenixidentity.files.internal.SessionFilesStore"
  }
}

NOTE: Valid values for auth_method are pipe and basic_auth.

- Change the name value to suit your environment. The name value becomes part of the URL that receives file uploads. (Example: https://demo.phenixid.net/files/integration_dev_telia)

- Change the http_configuration_ref (reference to an HTTP connection) to a value that matches your configuration.

- Click Stage Changes and Commit Changes


- Click on the pen to the right of NODE_GROUPS

- Add the module "files_api" to module_refs.

- Click Stage Changes and Commit Changes

Add pipe for API client authentication (to file upload)

- Logon to Configuration Manager

- Click Advanced

- Click pipes

- Add a pipe for authentication of the API client:

{
  "id": "files_auth_01",
  "valves": [
    {
      "name": "HttpBasicAuthValve",
      "enabled": "true",
      "config": {
        "username_dest": "uid",
        "password_dest": "pwd"
      }
    },
    {
      "name": "InternalUserStoreValidatorValve",
      "enabled": "true",
      "config": {
        "username": "{{attributes.uid}}",
        "password_param_name": "{{attributes.pwd}}"
      }
    }
  ]
}

- Click Stage Changes and Commit Changes

Add API username and password

- Logon to Configuration Manager

- Click Advanced

- Click Internal users

- Copy an object

- Paste object

- Set id (username) and password in the object:

{
  "id": "sign_api_client",
  "password": "secret",
  "description": "Sign api client caller"
}

- Change the id and password to suit your needs.

- Click Stage Changes and Commit Changes. The password will be encrypted once the config is saved.

Add prism module

- Login to configuration manager

- Click Advanced

- Click Modules

Add these modules:

{
  "id": "prism_telia",
  "name": "com.phenixidentity~phenix-prism-teliasigning",
  "enabled": "false",
  "prism_enabled": "true",
  "config": {
    "display_name": "Demo - Telia local sign",
    "base_uri": "sign",
    "sign_pipe": "sign_pipe_telia",
    "http_configuration_ref": "https"
  }
},
{
  "id": "prism_telia_root",
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/telia",
    "auth_redirect_url": "/telia/authenticate/auth_prism_01_jwt",
    "module_refs": "prism_telia",
    "http_configuration_ref": "https"
  }
}

- Change http_configuration_ref to point to an HTTP connection id in your configuration

- Change the URI values to suit your needs (for example /telia)

- Click Stage Changes and Commit Changes


- Click on the pen to the right of NODE_GROUPS

- Add the module "prism_telia_root" to module_refs.

- Click Stage Changes and Commit Changes

Add primary authenticator

Add a primary authenticator. This authenticator parses the incoming JWT token and adds its values to the session.

- Login to configuration manager

- Click Advanced

- Click HTTP Authenticator

Add this authenticator:

{
  "id": "auth_prism_01_jwt",
  "alias": "auth_prism_01_jwt",
  "name": "PipeAuthenticator",
  "configuration": {
    "pipeID": "pipe_prism_jwt",
    "successURL": "/telia/"
  }
}

- Click Stage Changes and Commit Changes

Add pipe

- Click Advanced

- Click Pipes

Add this pipe:

{
  "name": "Sign for telia",
  "enabled": "true",
  "id": "pipe_prism_jwt",
  "valves": [
    {
      "name": "ItemCreateValve",
      "enabled": "true",
      "config": {
        "dest_id": "_"
      }
    },
    {
      "name": "JWTTokenParserValve",
      "enabled": "true",
      "config": {
        "token_parameter": "Authorization",
        "additional_attributes": [ "id", "failure_url", "cancel_url", "success_url", "sub" ]
      }
    },
    {
      "name": "ItemRenameValve",
      "enabled": "true",
      "config": {
        "dest_id": "{{item.jwt_sub}}"
      }
    },
    {
      "name": "SessionLoadValve",
      "enabled": "true",
      "config": {
        "id": "{{item.jwt_id}}",
        "require_session": "true",
        "require_auth_session": "false"
      }
    },
    {
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
        "name": "file_id",
        "value": "{{item.jwt_id}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
        "name": "contentb64",
        "value": "{{session.content}}"
      }
    },
    {
      "name": "PropertyStringBase64DecoderValve",
      "enabled": "true",
      "config": {
        "source": "contentb64",
        "dest": "content"
      }
    },
    {
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
        "name": "success_url",
        "value": "{{item.jwt_success_url}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
        "name": "failure_url",
        "value": "{{item.jwt_failure_url}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
        "name": "cancel_url",
        "value": "{{item.jwt_cancel_url}}"
      }
    },
    {
      "name": "SessionLoadValve",
      "enabled": "true",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "SessionPropertyReplaceValve",
      "enabled": "true",
      "config": {
        "name": "file_id",
        "value": "{{item.jwt_id}}"
      }
    },
    {
      "name": "SessionPersistValve",
      "enabled": "true",
      "config": {}
    }
  ]
}
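To see what the pipe above does step by step, here is an added Python walkthrough of the valve chain over an in-memory session store. It is example code written for this guide, not PhenixID's code or the valves' real implementation. The page does not show how JWTTokenParserValve is keyed, so the example verifies an HS256 signature with a constructed shared secret (HYPOTHETICAL_SECRET); the file ids, session ids and return URLs are likewise constructed. The second function shows the failure mode of SessionLoadValve with require_session set to true: a token whose id claim points at a file that was never uploaded makes the pipe abort instead of continuing with empty content.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret; stands in for whatever key material the real valve uses.
HYPOTHETICAL_SECRET = b"demo-shared-secret-change-me"

# Claims the pipe copies into the item (the valve's additional_attributes list).
ADDITIONAL_ATTRIBUTES = ["id", "failure_url", "cancel_url", "success_url", "sub"]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT, i.e. the token a caller sends in the Authorization parameter."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def parse_jwt(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the claims; a tampered token is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def run_pipe_prism_jwt(request: dict, sessions: dict, secret: bytes) -> dict:
    """Walk the valves of pipe_prism_jwt.

    request:  {"Authorization": <jwt>, "session_id": <caller's own session id>}
    sessions: session id -> dict of session properties (uploaded files live here)
    Returns the item the pipe builds; raises where the real pipe would abort.
    """
    claims = parse_jwt(request["Authorization"], secret)
    # JWTTokenParserValve: listed claims land on the item with a jwt_ prefix
    item = {f"jwt_{k}": claims[k] for k in ADDITIONAL_ATTRIBUTES if k in claims}
    if "jwt_sub" not in item or "jwt_id" not in item:
        raise ValueError("token lacks the sub or id claim")
    # ItemRenameValve: the item id becomes the token subject
    item["id"] = item["jwt_sub"]
    # SessionLoadValve with require_session=true: the uploaded file must exist
    file_session = sessions.get(item["jwt_id"])
    if file_session is None:
        raise LookupError(f"no file session with id {item['jwt_id']!r}")
    # PropertyAddValves: file id and the base64 content from the file session
    item["file_id"] = item["jwt_id"]
    item["contentb64"] = file_session["content"]
    # PropertyStringBase64DecoderValve: decode into "content"
    item["content"] = base64.b64decode(item["contentb64"]).decode()
    # PropertyAddValves: the three return URLs from the token
    for name in ("success_url", "failure_url", "cancel_url"):
        item[name] = item.get(f"jwt_{name}")
    # SessionLoadValve on the caller's session, then SessionPropertyReplaceValve
    # and SessionPersistValve record which file this flow is going to sign
    sessions.setdefault(request["session_id"], {})["file_id"] = item["jwt_id"]
    return item


def demo() -> tuple:
    """Constructed walkthrough: one uploaded file and one valid token."""
    sessions = {
        "file-0001": {"content": base64.b64encode(b"text to sign").decode()},
        "browser-session": {},
    }
    token = make_jwt({
        "id": "file-0001", "sub": "demo-user",
        "success_url": "https://example.invalid/ok",
        "failure_url": "https://example.invalid/fail",
        "cancel_url": "https://example.invalid/cancel",
    }, HYPOTHETICAL_SECRET)
    item = run_pipe_prism_jwt(
        {"Authorization": token, "session_id": "browser-session"}, sessions, HYPOTHETICAL_SECRET)
    return item, sessions


def demo_missing_file() -> str:
    """The token's id claim names a file that was never uploaded: the pipe must abort."""
    token = make_jwt({"id": "no-such-file", "sub": "demo-user"}, HYPOTHETICAL_SECRET)
    try:
        run_pipe_prism_jwt({"Authorization": token, "session_id": "s"}, {}, HYPOTHETICAL_SECRET)
    except LookupError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    built_item, _ = demo()
    print(json.dumps(built_item, indent=2))
    print("missing file:", demo_missing_file())
```

The order of the two SessionLoadValve steps matters: the first loads the file session by the token's id claim so its content can be read, the second loads the caller's own session so file_id can be stored there for the signing pipe to pick up later.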

Add execution flow (pipe) to sign data

- Click on the pen to the right of Pipes

- Add this pipe. The configuration in this pipe reads the signature from the request parameter data and saves it to the file stored in the session.

Please note that this might not suit your environment. Valves can be replaced, removed or added based on your needs. Please view the documentation for a list of available valves.


{
  "name": "Telia sign - Save Signature",
  "description": "Get signature from request parameter=data and save this to the file in session associated with the current flow",
  "enabled": "true",
  "id": "sign_pipe_telia",
  "valves": [
    {
      "name": "ItemCreateValve",
      "enabled": "true",
      "config": {
        "dest_id": "dummyContainer"
      }
    },
    {
      "name": "SessionLoadValve",
      "enabled": "true",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
        "name": "file_id",
        "value": "{{session.file_id}}"
      }
    },
    {
      "name": "SessionLoadValve",
      "enabled": "true",
      "config": {
        "id": "{{item.file_id}}"
      }
    },
    {
      "name": "SessionPropertyReplaceValve",
      "enabled": "true",
      "config": {
        "name": "content",
        "value": "{{request.data}}"
      }
    },
    {
      "name": "SessionPropertyReplaceValve",
      "enabled": "true",
      "config": {
        "name": "modified",
        "value": "{{now}}"
      }
    },
    {
      "name": "SessionPersistValve",
      "enabled": "true",
      "config": {}
    }
  ]
}


- Click Stage Changes and Commit Changes
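The steps above wire several objects together by id: the files module points at its auth pipe and an HTTP connection, the Prism root module points at the Telia sub-module and at the authenticator named in auth_redirect_url, the authenticator points at pipe_prism_jwt, and NODE_GROUPS must list both top-level modules. A typo in any one of these only shows up at runtime. The following Python script, an added example for this guide and not a PhenixID tool, checks those references after you have edited phenix-store.json. The top-level layout of the constructed config below (keys modules, pipes, authenticators, http_connections, node_group_module_refs) is a stand-in for the real file's sections; only the ids and config keys come from this page, so adapt the loader to the actual file structure.

```python
import json


def _as_list(value) -> list:
    """module_refs appears as a comma-separated string or a JSON list; accept both."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def check_references(config: dict) -> list:
    """Return one message per dangling reference; an empty list means consistent."""
    modules = {m["id"]: m for m in config.get("modules", [])}
    pipes = {p["id"] for p in config.get("pipes", [])}
    auth_aliases = {a.get("alias", a["id"]) for a in config.get("authenticators", [])}
    http_ids = set(config.get("http_connections", []))
    problems = []
    for mid, mod in modules.items():
        cfg = mod.get("config", {})
        ref = cfg.get("http_configuration_ref")
        if ref is not None and ref not in http_ids:
            problems.append(f"module {mid}: http_configuration_ref {ref!r} is not an HTTP connection id")
        # files module: auth_pipe; Telia prism module: sign_pipe
        for key in ("auth_pipe", "sign_pipe"):
            if key in cfg and cfg[key] not in pipes:
                problems.append(f"module {mid}: {key} {cfg[key]!r} is not a pipe id")
        for sub in _as_list(cfg.get("module_refs")):
            if sub not in modules:
                problems.append(f"module {mid}: module_refs entry {sub!r} is not a module id")
        # prism root: the last path segment of auth_redirect_url must be an authenticator alias
        url = cfg.get("auth_redirect_url")
        if url is not None and url.rstrip("/").rsplit("/", 1)[-1] not in auth_aliases:
            problems.append(f"module {mid}: auth_redirect_url {url!r} does not end in an authenticator alias")
    for auth in config.get("authenticators", []):
        pid = auth.get("configuration", {}).get("pipeID")
        if pid is not None and pid not in pipes:
            problems.append(f"authenticator {auth['id']}: pipeID {pid!r} is not a pipe id")
    for ref in _as_list(config.get("node_group_module_refs")):
        if ref not in modules:
            problems.append(f"NODE_GROUPS: module_refs entry {ref!r} is not a module id")
    return problems


def page_config() -> dict:
    """Constructed subset of the configuration, using the ids from this guide."""
    return {
        "http_connections": ["https", "441b0aad-534e-4cad-8151-130955913c08"],
        "modules": [
            {"id": "files_api", "name": "com.phenixidentity~phenix-files",
             "config": {"auth_method": "pipe", "auth_pipe": "files_auth_01",
                        "http_configuration_ref": "441b0aad-534e-4cad-8151-130955913c08"}},
            {"id": "prism_telia", "name": "com.phenixidentity~phenix-prism-teliasigning",
             "config": {"sign_pipe": "sign_pipe_telia", "http_configuration_ref": "https"}},
            {"id": "prism_telia_root", "name": "com.phenixidentity~phenix-prism",
             "config": {"auth_redirect_url": "/telia/authenticate/auth_prism_01_jwt",
                        "module_refs": "prism_telia", "http_configuration_ref": "https"}},
        ],
        "pipes": [{"id": "files_auth_01"}, {"id": "pipe_prism_jwt"}, {"id": "sign_pipe_telia"}],
        "authenticators": [{"id": "auth_prism_01_jwt", "alias": "auth_prism_01_jwt",
                            "configuration": {"pipeID": "pipe_prism_jwt"}}],
        "node_group_module_refs": ["files_api", "prism_telia_root"],
    }


def broken_config_problems() -> list:
    """Same config with the signing pipe left out, as when a step was skipped."""
    cfg = page_config()
    cfg["pipes"] = [p for p in cfg["pipes"] if p["id"] != "sign_pipe_telia"]
    return check_references(cfg)


if __name__ == "__main__":
    print("guide config:", check_references(page_config()) or "OK")
    print("without sign pipe:", json.dumps(broken_config_problems(), indent=2))
```

Run it against your own export by replacing page_config() with a loader for your phenix-store.json; any non-empty result is a reference that Stage Changes will accept but that fails when the module or pipe is first used.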

Test

Follow the document found in the chapter Developer integration guide to test your setup.


Troubleshooting

Check the server.log file.