SAML - Configuring Swedish BankID as an authentication method for PhenixID server
This document describes how to configure PhenixID Server for SAML2 federation with Swedish BankID as the authentication method.
Simplified Overview
Prerequisites
- PhenixID Server configured according to this instruction: "Federation - Username and password"
- BankID test client certificate (FPTestcert2_20150818_102329.pfx will be used for test environments)
- BankID customer client certificate (for production environments)
- Access to BankID's infrastructure from the PhenixID Server
Add the BankID certificate to the configuration
- Rename the BankID certificate from *.pfx to *.p12 (both are PKCS#12 files; only the extension changes)
- Follow this guide to import the BankID certificate as a keystore
- Note the ID of this keystore, as it will be referred to later in this instruction
Convert the Federation - Username and Password scenario to SAML2BankID
Open the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.
Change the value of the name parameter from "PostUidAndPasswordSAML" to "SAML2BankID".
Click the pen icon next to "configuration" and add the following configuration:
"keyStore": "<reference to the previously uploaded BankID Keystore>",
"mode": "test",
"templateVariables": {
    "methods": [
        {
            "image": "/authenticate/res/images/bankid/bankid.png",
            "data-toggle-action": "OD",
            "title": "bankid.messages.option_label_od"
        },
        {
            "image": "/authenticate/res/images/bankid/bankid.png",
            "data-toggle-action": "SD",
            "title": "bankid.messages.option_label_sd"
        },
        {
            "image": "/authenticate/res/images/bankid/bankid-qrc.png",
            "data-toggle-action": "QR",
            "title": "bankid.messages.option_label_qr"
        }
    ]
},
"enableHoneypot": "false",
"translation": [
    "bankid.messages.title_starting",
    "bankid.messages.title_current_device",
    "bankid.messages.title_mobile_device",
    "bankid.messages.title_qrcode",
    "bankid.messages.text_starting",
    "bankid.messages.text_current_device",
    "bankid.messages.text_mobile_device",
    "bankid.messages.text_qrcode",
    "bankid.messages.input_personal_number",
    "bankid.messages.button_submit",
    "bankid.messages.button_start_over",
    "bankid.messages.button_start_manually",
    "bankid.messages.info_bankid_link_creation_app",
    "bankid.messages.info_bankid_url_link_redirection_success_app",
    "bankid.messages.info_open_app",
    "bankid.messages.info_rediection_app",
    "bankid.messages.info_verified_app",
    "bankid.messages.info_qrcode_scanned_app",
    "bankid.messages.error_bad_personal_number",
    "bankid.messages.error_cancellation",
    "bankid.messages.error_request",
    "bankid.messages.changeLanguage"
],
"loginTemplate": "bankid.template"
Set "mode" to "test" for test environments. Remove this parameter entirely in a production environment, otherwise the server keeps talking to BankID's test infrastructure with the test client certificate.
Click Stage changes.
Example of how this could look once completed:
Configure the execution flow used for the SAML assertion to suit your needs
- Open the Execution flow tab and expand the flow.
- Delete valve #1 (InputParameterExistsValidatorValve) and valve #3 (LDAPBindValve). Neither is needed, since the user's identity is now established by BankID rather than by a posted username and password.
- Expand (Show) the LDAPSearchValve and modify the search filter to fetch the user whose serialNumber equals the personal identification number returned by BankID: filter_template = serialNumber={{request.userPersonalNumber}}
- Add a parameter listing the attributes to fetch for the matched LDAP entry: attributes = serialNumber,sAMAccountName
- Expand (Show) the AssertionProvider and modify the nameIDAttribute parameter: nameIDAttribute = serialNumber
- Click Save
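Two places in this guide deserve a check before the configuration goes live: the filter_template above inserts the BankID personal number into an LDAP search filter, and the configuration fragment earlier carries a "mode" value that must not reach production. The script below is an added example, not PhenixID's own code, written to show both checks. It assumes the {{request.<attribute>}} placeholders are substituted textually (generalised here to any request attribute, not only userPersonalNumber), that the fragment is pasted without outer braces, and that the personal number arrives in the 12-digit YYYYMMDDNNNN form; 198112189876 is a sample number, not a real person.

```python
# Added example (not part of the PhenixID documentation or product):
#  - render_filter(): substitutes {{request.<name>}} placeholders with
#    RFC 4515-escaped values and validates the personal number format
#  - production_config_issues(): flags the guide's fragment if "mode" or the
#    keystore placeholder is still present
import json
import re

PLACEHOLDER = re.compile(r"\{\{request\.(\w+)\}\}")   # assumed placeholder syntax
# RFC 4515: characters that would change the structure of a search filter.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters so a value can only ever be compared, not parsed."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def luhn_ok(ten_digits: str) -> bool:
    """Luhn check over the 10-digit (YYMMDDNNNC) form of a Swedish personal number."""
    total = 0
    for i, ch in enumerate(ten_digits):
        n = int(ch) * (2 if i % 2 == 0 else 1)   # weights 2,1,2,1,... from the left
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def valid_personal_number(pnr: str) -> bool:
    """12 digits as BankID returns them (YYYYMMDDNNNN) with a correct check digit."""
    return bool(re.fullmatch(r"\d{12}", pnr)) and luhn_ok(pnr[2:])


def render_filter(template: str, request: dict) -> str:
    """Fill a filter_template from request attributes.

    Every substituted value is LDAP-escaped; the personal number is also
    format-checked so only a well-formed BankID identity reaches the directory.
    """
    def substitute(match):
        name = match.group(1)
        value = request[name]
        if name == "userPersonalNumber" and not valid_personal_number(value):
            raise ValueError("malformed personal number in request")
        return ldap_escape(value)
    return PLACEHOLDER.sub(substitute, template)


def production_config_issues(config_text: str) -> list:
    """Return findings for the SAML2BankID fragment before it is promoted to production."""
    cfg = json.loads("{" + config_text + "}")   # the guide's fragment has no outer braces
    issues = []
    if "mode" in cfg:
        issues.append('remove "mode" (test mode) in production')
    keystore = cfg.get("keyStore", "")
    if not keystore or keystore.startswith("<"):
        issues.append('"keyStore" still holds the placeholder, not a keystore ID')
    if cfg.get("loginTemplate") != "bankid.template":
        issues.append('"loginTemplate" should be bankid.template')
    return issues


# Constructed sample: a shortened copy of the guide's fragment with the
# keystore placeholder and test mode left in, as a freshly pasted config would be.
SAMPLE_CONFIG = '''
  "keyStore": "<reference to the previously uploaded BankID Keystore>",
  "mode": "test",
  "templateVariables": {"methods": []},
  "enableHoneypot": "false",
  "translation": ["bankid.messages.title_starting"],
  "loginTemplate": "bankid.template"
'''

if __name__ == "__main__":
    for issue in production_config_issues(SAMPLE_CONFIG):
        print("config:", issue)
    print(render_filter("serialNumber={{request.userPersonalNumber}}",
                        {"userPersonalNumber": "198112189876"}))
```

Run it as-is and it reports the two leftovers in the sample fragment, then prints the rendered filter serialNumber=198112189876. The escaping is deliberately applied to every substituted attribute, not just the personal number, so the same function stays safe if the template is later extended with other request fields.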