eIDAS Authentication
This document describes how to protect services with eIDAS authentication using PhenixID Authentication Services.
The reader of this document should have some basic knowledge about PhenixID Server.
We will make changes to phenix-store.json, so make sure to have a recent copy/backup of this file.
System requirements
- PhenixID Server v2.7 or higher installed.
Other prerequisites
eIDAS provides three different environments:
1. Sandbox
2. QA
3. Production
To connect to the Sandbox environment, no agreement is needed.
To connect to the QA and Production environments, the customer must enter into an agreement with their country's eIDAS node.
In Sweden, this is handled by Sweden Connect (https://elegnamnden.se/juridikochteknik/avtal.4.4498694515fe27cdbcf1265.html).
Overview
PhenixID Authentication Services (PAS) will act as a SAML Service Provider against the eIDAS federation. By doing this, PhenixID Authentication Services can protect any service (internal application such as self service or signing, SAML SPs, OpenID Connect RPs) with eIDAS authentication methods.
The PAS SAML Service Provider connects to the eIDAS node in the customer's country. The examples in this documentation show how to connect to the Swedish eIDAS node.
Please consult PhenixID for other countries.
Configure your authenticator
Depending on the service you protect, you need to create an authenticator:
- Protecting an internal web application (for example myapps, self service, signing) -> SAMLServiceProviderAuthN. See the instructions in Authenticators - HTTP -> PhenixID web apps authentication – SAML SP to set this up.
- Protecting an external service (SAML SP, OIDC RP) -> SAMLSPBroker. See the instructions in Authenticators - HTTP -> SAML - Federation Broker to set this up.
Make sure to set these parameters on the authenticator:
- "targetIDP": "<eidas_node_connector_idp_entity_id>"
For Sweden, the targetIDP value should be:
PRODUCTION: https://connector.eidas.swedenconnect.se/eidas
QA: https://qa.connector.eidas.swedenconnect.se/eidas
SANDBOX: https://qa.connector.eidas.swedenconnect.se/eidas
- "addsignature": "true"
Example conf:
{
"id": "sp",
"alias": "sp",
"name": "SAMLServiceProviderAuthN",
"displayName": "eIDAS",
"configuration": {
"sp": "https://ubuntu.phenixid.local/saml/sp",
"pipeID": "pipeAssertionConsumer",
"successURL": "/saml/selfservice/",
"acsUrl": "https://ubuntu.phenixid.local:8443/saml/authenticate/sp",
"entityID": "https://ubuntu.phenixid.local/saml/sp",
"targetIDP": "https://dev.connector.swedenconnect.se/eidas",
"addsignature": "true"
}
}
Extract your metadata
1. Fetch your SP metadata by opening the URL:
For a SAMLServiceProviderAuthN authenticator: <acsUrl_in_authenticator_conf>?getSPMeta
For a SAMLSPBroker authenticator: <acsUrl_in_authenticator_conf>?getMeta
2. Save the produced metadata to an XML file.
3. Open the XML file in a text editor.
4. Manually add an Extensions block with entity attributes. This states which LoA (level of assurance) levels this SP will accept. Change the values to suit your environment; consult the eIDAS documentation (or PhenixID staff) for the proper values. This block should be placed inside the EntityDescriptor tag. Example:
<md:EntityDescriptor entityID="https://ubuntu.phenixid.local/saml/sp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:Extensions>
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<ns5:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns5="urn:oasis:names:tc:SAML:2.0:assertion">
<ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/loa3-pnr</ns5:AttributeValue>
<ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/eidas-naturalperson</ns5:AttributeValue>
<ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/st/1.0/public-sector-sp</ns5:AttributeValue>
</ns5:Attribute>
</mdattr:EntityAttributes>
</md:Extensions>
5. Manually add an Extensions block with SP GUI information. This is used when eIDAS presents the list of SPs. Adjust the texts and image to suit your environment. This block should be placed inside the SPSSODescriptor tag. Example:
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
<mdui:DisplayName xml:lang="en">PhenixID AB</mdui:DisplayName>
<mdui:DisplayName xml:lang="sv">PhenixID AB</mdui:DisplayName>
<mdui:Description xml:lang="sv">PhenixID sandbox SP for eIDAS</mdui:Description>
<mdui:Description xml:lang="en">PhenixID sandbox SP for eIDAS</mdui:Description>
<mdui:Logo height="1" width="1">https://www.phenixid.se/wp-content/uploads/2016/06/logo.png</mdui:Logo>
</mdui:UIInfo>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="1"/>
</md:Extensions>
6. Manually change the NameID format tag to persistent:
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
7. Manually add an Organization block. Please change the values to suit your environment. This block should be placed inside the EntityDescriptor tag. Example:
<md:Organization>
<md:OrganizationName xml:lang="en">PhenixID AB</md:OrganizationName>
<md:OrganizationName xml:lang="sv">PhenixID AB</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="sv">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">https://www.phenixid.se</md:OrganizationURL>
<md:OrganizationURL xml:lang="sv">https://www.phenixid.se</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="support">
<md:Company>PhenixID AB</md:Company>
<md:GivenName>Lars</md:GivenName>
<md:SurName>Forsgren</md:SurName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="technical">
<md:Company>PhenixID AB</md:Company>
<md:GivenName>Lars</md:GivenName>
<md:SurName>Forsgren</md:SurName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
8. Save the file.
Example of a complete XML metadata file:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://ubuntu.phenixid.local/saml/sp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:Extensions>
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<ns5:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns5="urn:oasis:names:tc:SAML:2.0:assertion">
<ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/loa3-pnr</ns5:AttributeValue>
<ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/ec/1.0/eidas-naturalperson</ns5:AttributeValue>
<ns5:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://id.elegnamnden.se/st/1.0/public-sector-sp</ns5:AttributeValue>
</ns5:Attribute>
</mdattr:EntityAttributes>
</md:Extensions>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
<mdui:DisplayName xml:lang="en">PhenixID AB</mdui:DisplayName>
<mdui:DisplayName xml:lang="sv">PhenixID AB</mdui:DisplayName>
<mdui:Description xml:lang="sv">PhenixID sandbox SP for eIDAS</mdui:Description>
<mdui:Description xml:lang="en">PhenixID sandbox SP for eIDAS</mdui:Description>
<mdui:Logo height="1" width="1">https://www.phenixid.se/wp-content/uploads/2016/06/logo.png</mdui:Logo>
</mdui:UIInfo>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="1"/>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEV
MBMGA1UEBxMMTmFja2EgU3RyYW5kMQ8wDQYDVQQKEwZNY0FmZWUxFDASBgNVBAsT
C0VuZ2luZWVyaW5nMRowGAYDVQQDExFFQSBERU1PIHVzZXIgQ0EgMTAeFw0xNDA1
MjMxMjA3MDBaFw0xOTA1MjMxMjA3MDBaMEIxDjAMBgNVBAMTBWJodWxsMQ0wCwYD
VQQEEwRIdWxsMQ4wDAYDVQQqEwVCb2JieTERMA8GA1UEBRMIMTk2NTE5NjYwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8yVowqmpfeKptuigqFHjeKC/C
ViAMexnbgCYdbo9atIc08b35lV364uTpkafupgAexTi9X1GOuKEM4KKgAQQ91sSP
Jeuz7r6Y5EN5HO/dEXtuQXb1TwZ2FGvDEEaeFigQyNALxnUrhWyfwSceU3ev4j+Q
bGpRuX7MfYT6BZbmrWyV0+j/mIHq9dfLcp48wfTPh6VXo1iHCYQVtn3ZFHP7oFtb
/xyJi62dvFqrsnEbFkfmRN+sRmgfJtC90jjPvbjMsUHaKmYh99FrK26e1N2T8cxZ
sH/3Xx2hpE1jL9TolrV+YQ5XdFfJRHeAoG0zX7rtt722kMOAJq+eNBpRXXejAgMB
AAGjPDA6MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPOypDuauffXkwjNdeNti0Ik
YSpdMAsGA1UdDwQEAwIEsDANBgkqhkiG9w0BAQUFAAOCAQEAMAxB95G/XCOetwAM
1KXt7qH+tU0mvbXHqgWdyHRFHeayQjmKp3831ciNWEYDSBvGoUz2FI0WQjrBETDX
kwoXRxFf81o8SSFkC2HpitqUW/on+lH4v2u7U2yaO5rUXwFsiU63NrJIPttjDzyJ
cHFVXq1JrnRWDYq8X0JaTh3RU9Pww8eN2dw8MjHLDtgxZg3vPElkSWaDTse/HfQP
Bc0cAc2D7/HOj3qyrEqIDrHHmQBTkC5S9C/O1sEhpJktqi8SMUmmniVhhR5v5MVN
PGlIDzQwJ9nXWzdBz5wmQqLkw2/853OujVK2ZXcKB6e9GklHBw5YtFItbMmVvuxC
n5TfcQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDYDCCAkigAwIBAgIBFjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEV...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ubuntu.phenixid.local:8443/saml/authenticate/sp" index="0" isDefault="true"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">PhenixID AB</md:OrganizationName>
<md:OrganizationName xml:lang="sv">PhenixID AB</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
<md:OrganizationDisplayName xml:lang="sv">PhenixID sandbox SP for eIDAS</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">https://www.phenixid.se</md:OrganizationURL>
<md:OrganizationURL xml:lang="sv">https://www.phenixid.se</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="support">
<md:Company>PhenixID AB</md:Company>
<md:GivenName>Lars</md:GivenName>
<md:SurName>Forsgren</md:SurName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="technical">
<md:Company>PhenixID AB</md:Company>
<md:GivenName>Lars</md:GivenName>
<md:SurName>Forsgren</md:SurName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
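The manual edits of steps 4, 6 and 7 above can also be applied to the raw ?getSPMeta export with a script, followed by a check that catches the things a registration typically rejects (unsigned AuthnRequests, missing entity categories, a NameID format that is not persistent, no Organization block). This is an added example, not PhenixID code; the host sp.example.test and the raw export it parses are constructed, and step 5 (UIInfo) is left to the manual edit described above.

```python
import xml.etree.ElementTree as ET
# Namespace URIs exactly as used in the metadata examples above.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Constructed sample of a bare ?getSPMeta export (hypothetical host) before steps 4-7 are applied.
RAW_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.test/saml/sp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test:8443/saml/authenticate/sp" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>"""

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)

def prepare(xml_text, categories, org_name, org_display, org_url):
    # Steps 4, 6 and 7 of the procedure: entity categories, persistent NameID format, Organization block.
    root = ET.fromstring(xml_text)
    ext = ET.Element(q("md", "Extensions"))  # step 4: Extensions must precede SPSSODescriptor
    ea = ET.SubElement(ext, q("mdattr", "EntityAttributes"), {"xmlns:xs": "http://www.w3.org/2001/XMLSchema"})
    attr = ET.SubElement(ea, q("saml", "Attribute"), Name=ENTITY_CATEGORY,
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
    for cat in categories:
        ET.SubElement(attr, q("saml", "AttributeValue"), {q("xsi", "type"): "xs:string"}).text = cat
    root.insert(0, ext)
    spsso = root.find("md:SPSSODescriptor", NS)
    for nid in spsso.findall("md:NameIDFormat", NS):  # step 6: persistent instead of transient
        nid.text = PERSISTENT
    org = ET.SubElement(root, q("md", "Organization"))  # step 7: placed after the role descriptor
    for tag, text in (("OrganizationName", org_name), ("OrganizationDisplayName", org_display),
                      ("OrganizationURL", org_url)):
        for lang in ("en", "sv"):
            ET.SubElement(org, q("md", tag), {"{http://www.w3.org/XML/1998/namespace}lang": lang}).text = text
    return ET.tostring(root, encoding="unicode")

def check(xml_text):
    # Returns what the eIDAS registration would trip over; an empty list means the file is ready.
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", NS)
    cats = [v.text for a in root.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == ENTITY_CATEGORY for v in a.findall("saml:AttributeValue", NS)]
    checks = [(spsso is not None and spsso.get("AuthnRequestsSigned") == "true", "AuthnRequestsSigned is not true (set addsignature on the authenticator)"),
              (bool(cats), "no entity-category values (step 4)"),
              (spsso is not None and [n.text for n in spsso.findall("md:NameIDFormat", NS)] == [PERSISTENT], "NameIDFormat is not persistent (step 6)"),
              (root.find("md:Organization", NS) is not None, "no Organization block (step 7)")]
    return [message for ok, message in checks if not ok]
```

Run check() on the raw export to see which steps are still missing, then on the output of prepare() before sending the file to eIDAS.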
Add your metadata to eIDAS
Add the metadata produced in the previous step to eIDAS.
- For QA and production, send the metadata to [email protected]
- For the sandbox environment, please follow these steps:
1. Go to https://eid.svelegtest.se/mdreg/login and apply for an account
2. Login to https://eid.svelegtest.se/mdreg/login
3. Click Manage metadata
4. Add a display name and your metadata
5. Done. The metadata will be added to the eIDAS sandbox aggregated metadata (this process might take a while, so be patient).
Add eIDAS federation metadata to PAS
- Login to Configuration Manager
- Navigate to Scenarios -> Federation
- Click the plus to add SAML Metadata
- Set the metadata URL:
PRODUCTION: https://md.swedenconnect.se/role/idp.xml
QA: https://qa.md.swedenconnect.se/role/idp.xml
SANDBOX: http://eid.svelegtest.se/metadata/mdx/role/idp.xml
- Click Save.
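Before testing, it is worth cross-checking that the authenticator's targetIDP and addsignature values match the environment chosen above and that the targetIDP really is an IdP entity in the federation metadata just loaded. This is an added example, not PhenixID code: the authenticator entry follows the shape of the example conf above with a hypothetical host, and the aggregated metadata excerpt is constructed (real role/idp.xml files are signed and far larger).

```python
import json
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Connector entityIDs and federation metadata URLs per environment, as listed above.
CONNECTOR_IDP = {"production": "https://connector.eidas.swedenconnect.se/eidas",
                 "qa": "https://qa.connector.eidas.swedenconnect.se/eidas",
                 "sandbox": "https://qa.connector.eidas.swedenconnect.se/eidas"}
FEDERATION_MD_URL = {"production": "https://md.swedenconnect.se/role/idp.xml",
                     "qa": "https://qa.md.swedenconnect.se/role/idp.xml",
                     "sandbox": "http://eid.svelegtest.se/metadata/mdx/role/idp.xml"}

# Constructed authenticator entry in the shape of the example conf above (hypothetical host).
AUTHENTICATOR = json.loads("""{
  "id": "sp", "alias": "sp", "name": "SAMLServiceProviderAuthN", "displayName": "eIDAS",
  "configuration": {
    "sp": "https://sp.example.test/saml/sp", "pipeID": "pipeAssertionConsumer",
    "successURL": "/saml/selfservice/",
    "acsUrl": "https://sp.example.test:8443/saml/authenticate/sp",
    "entityID": "https://sp.example.test/saml/sp",
    "targetIDP": "https://qa.connector.eidas.swedenconnect.se/eidas",
    "addsignature": "true"}}""")

# Constructed excerpt of an aggregated role/idp.xml: the QA connector plus an unrelated IdP.
FEDERATION_IDP_MD = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:EntityDescriptor entityID="https://qa.connector.eidas.swedenconnect.se/eidas">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.example.test/saml/idp">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def idp_entity_ids(metadata_xml):
    """EntityIDs in the aggregate that carry an IDPSSODescriptor, i.e. usable targetIDP values."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter(MD + "EntityDescriptor")
            if e.find(MD + "IDPSSODescriptor") is not None}

def preflight(authenticator, environment, metadata_xml):
    """Cross-check the authenticator against the chosen environment and its federation metadata."""
    conf = authenticator["configuration"]
    target = conf.get("targetIDP")
    problems = []
    if conf.get("addsignature") != "true":
        problems.append('"addsignature" must be "true" (see the authenticator parameters above)')
    if target != CONNECTOR_IDP[environment]:
        problems.append("targetIDP %r is not the %s connector %r" % (target, environment, CONNECTOR_IDP[environment]))
    if target not in idp_entity_ids(metadata_xml):
        problems.append("targetIDP not found as an IdP in metadata from %s" % FEDERATION_MD_URL[environment])
    return problems
```

For a real run, load the authenticator from phenix-store.json and pass the downloaded role/idp.xml text instead of the constructed excerpt.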
Test
Test it out by browsing to the service you protect.