SAML - Freja eID

This document describes how to configure FrejaEIDAuthenticatorSAML.

A keystore should have been received from Freja eID and imported into PhenixID Server before configuring the authenticator.

Please follow this document to import the keystore.

Configure Authenticator

Start by configuring the scenario Federation - Username and password according to this instruction.
The values to use in the scenario are listed under Configuration Properties below.

When done, go to the Advanced tab and locate the Authentication - HTTP entry that was configured in the previous "Federation - Username and password" scenario.

Change the value of the name parameter from "PostUidAndPasswordSAML" to "FrejaEIDAuthenticatorSAML".

Click Commit changes.

See the example authenticator below.

Configuration Properties

Name              Description                                                  Default value   Mandatory
success_template  Template to use for user interface (username and password    login.template  No
                  prompt).
pipeID            Id of pipe used by Freja eID SAMLAuthenticator.                              Yes
idpID             Id of idp configured for Freja eID.                                          Yes
keyStore          ID of the keyStore created in PhenixID Server.                               Yes

Example Freja eID SAMLAuthenticator

In the PhenixID configuration portal, go to the Advanced tab and click on the pencil next to "Authentication - HTTP".

The authenticator should look similar to this:

{
    "id": "13d61f3d-3b41-49d9-ba7c-24a3b3b8911e",
    "alias": "Freja2018",
    "name": "FrejaEIDAuthenticatorSAML",
    "displayName": "SAMLUidPwd",
    "configuration": {
        "success_template": "samlconsent",
        "pipeID": "ff6cb2b4-101c-4734-b1bf-eb61526257c9",
        "idpID": "459256d5-fb72-4bf6-8628-229a2f091c2f",
        "keyStore": "b3d10a11-e325-4c6b-89e9-66bc2b240b81"
    }
}

Add the keyStore parameter and its value to the configuration. The value for keyStore can be found in the PhenixID configuration portal under Scenarios, Federation, Keystore. Use the ID of the keystore created/imported earlier.

When done, click Stage changes and then Commit changes.

Configure the execution flow

Open the Execution flow tab and expand the flow.

Delete valve #1 (InputParameterExistValidatorValve), valve #2 (LDAPSearchValve) and valve #3 (LDAPBindValve).

On the valve AssertionProvider, make sure that the value for "NAME ID ATTRIBUTE" is set to "userIdentifier" and that the value for "ADDITIONAL ATTRIBUTES" is set to "userGivenName,userSurName".

Add the valve ItemCreateFromRequestValve with the value {{request.uid}} for the parameter "DESTINATION ITEM ID".
Place this valve before AssertionProvider, like this:

When done, press Save.

Example Pipes (from the section "Pipe valves")

{
    "id": "85808f6d-8228-41b4-a8b5-afb2a1cebc16",
    "name": "ItemCreateFromRequestValve",
    "enabled": "true",
    "config": {
        "proceed_on_error": "false",
        "dest_id": "{{request.uid}}"
    },
    "pipe_ref": "ff6cb2b4-101c-4734-b1bf-eb61526257c9"
}

----

{
    "id": "356c244c-daee-425e-9488-24f876d84751",
    "name": "AssertionProvider",
    "enabled": "true",
    "config": {
        "targetEntityID": "459256d5-fb72-4bf6-8628-229a2f091c2f",
        "sourceID": "https://external_sp/sp",
        "nameIDAttribute": "userIdentifier",
        "guide_ref": "e691e6e8-f519-4458-b389-8ed3a6b14f3d",
        "additionalAttributes": "userGivenName,userSurName"
    }
}
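The authenticator properties and the execution-flow steps above depend on each other: the pipeID must match the valves' pipe_ref, the idpID must match the AssertionProvider's targetEntityID, the three password/LDAP valves must be gone, and ItemCreateFromRequestValve must run before AssertionProvider with {{request.uid}} as its destination item ID. The following script is an added example, not a PhenixID tool, that checks an exported authenticator and valve list against those requirements. It uses the example objects from this document as sample input, and it assumes that the order of the valve list reflects the execution-flow order; the field names are the ones visible in the examples above.

```python
import copy

# Authenticator and pipe valves copied from the examples in this document.
# Assumption: the order of this list models the execution-flow order.
AUTHENTICATOR = {
    "id": "13d61f3d-3b41-49d9-ba7c-24a3b3b8911e",
    "alias": "Freja2018",
    "name": "FrejaEIDAuthenticatorSAML",
    "displayName": "SAMLUidPwd",
    "configuration": {
        "success_template": "samlconsent",
        "pipeID": "ff6cb2b4-101c-4734-b1bf-eb61526257c9",
        "idpID": "459256d5-fb72-4bf6-8628-229a2f091c2f",
        "keyStore": "b3d10a11-e325-4c6b-89e9-66bc2b240b81",
    },
}

PIPE_VALVES = [
    {
        "id": "85808f6d-8228-41b4-a8b5-afb2a1cebc16",
        "name": "ItemCreateFromRequestValve",
        "enabled": "true",
        "config": {"proceed_on_error": "false", "dest_id": "{{request.uid}}"},
        "pipe_ref": "ff6cb2b4-101c-4734-b1bf-eb61526257c9",
    },
    {
        "id": "356c244c-daee-425e-9488-24f876d84751",
        "name": "AssertionProvider",
        "enabled": "true",
        "config": {
            "targetEntityID": "459256d5-fb72-4bf6-8628-229a2f091c2f",
            "sourceID": "https://external_sp/sp",
            "nameIDAttribute": "userIdentifier",
            "guide_ref": "e691e6e8-f519-4458-b389-8ed3a6b14f3d",
            "additionalAttributes": "userGivenName,userSurName",
        },
    },
]

# Requirements taken from the Configuration Properties table and the
# "Configure the execution flow" steps of this document.
MANDATORY_PROPERTIES = ("pipeID", "idpID", "keyStore")
REMOVED_VALVES = ("InputParameterExistValidatorValve", "LDAPSearchValve", "LDAPBindValve")
EXPECTED_NAME_ID_ATTRIBUTE = "userIdentifier"
EXPECTED_ADDITIONAL_ATTRIBUTES = "userGivenName,userSurName"
EXPECTED_DEST_ID = "{{request.uid}}"


def load_examples():
    """Return fresh copies of the example objects so callers may modify them."""
    return copy.deepcopy(AUTHENTICATOR), copy.deepcopy(PIPE_VALVES)


def check_config(authenticator, valves):
    """Return a list of findings; an empty list means the authenticator and the
    execution flow match every step described in this document."""
    findings = []
    cfg = authenticator.get("configuration", {})

    # Configure Authenticator: name changed and mandatory properties present.
    if authenticator.get("name") != "FrejaEIDAuthenticatorSAML":
        findings.append("authenticator name is not FrejaEIDAuthenticatorSAML")
    for prop in MANDATORY_PROPERTIES:
        if not cfg.get(prop):
            findings.append(f"mandatory property '{prop}' is missing or empty")

    # Configure the execution flow: the password/LDAP valves must be deleted.
    names = [valve.get("name") for valve in valves]
    for removed in REMOVED_VALVES:
        if removed in names:
            findings.append(f"valve {removed} should have been deleted")

    # Any valve that references a pipe must reference the authenticator's pipe.
    for valve in valves:
        if "pipe_ref" in valve and valve["pipe_ref"] != cfg.get("pipeID"):
            findings.append(f"valve {valve.get('name')} references a different pipe")

    if "AssertionProvider" not in names:
        findings.append("AssertionProvider valve is missing")
        return findings
    ap_index = names.index("AssertionProvider")
    ap_cfg = valves[ap_index].get("config", {})
    if ap_cfg.get("nameIDAttribute") != EXPECTED_NAME_ID_ATTRIBUTE:
        findings.append("AssertionProvider NAME ID ATTRIBUTE is not userIdentifier")
    if ap_cfg.get("additionalAttributes") != EXPECTED_ADDITIONAL_ATTRIBUTES:
        findings.append("AssertionProvider ADDITIONAL ATTRIBUTES differ from the document")
    if ap_cfg.get("targetEntityID") != cfg.get("idpID"):
        findings.append("AssertionProvider targetEntityID does not match idpID")

    if "ItemCreateFromRequestValve" not in names:
        findings.append("ItemCreateFromRequestValve is missing")
        return findings
    ic_index = names.index("ItemCreateFromRequestValve")
    if ic_index > ap_index:
        findings.append("ItemCreateFromRequestValve must run before AssertionProvider")
    if valves[ic_index].get("config", {}).get("dest_id") != EXPECTED_DEST_ID:
        findings.append("ItemCreateFromRequestValve DESTINATION ITEM ID is not {{request.uid}}")
    return findings


if __name__ == "__main__":
    result = check_config(*load_examples())
    print("OK: configuration matches the document" if not result else "\n".join(result))
```

Run against the examples in this document the script reports no findings; replace the two constants at the top with the objects exported from your own portal to check a real configuration before committing changes.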