How to set up the HTTP API for NetID Access (SITHS/EFOS/Own CA) authentication

Prerequisites

- Access to NetID Access Server infrastructure (URL) from PhenixID Server

- Access to NetID Access Server infrastructure (URL) from NetID Access device (mobile, computer, tablet)

- If NetID Access Server is protected with client certificate authentication, a client certificate is necessary

- PAS 2.7 installed

Authentication

It is recommended to add authentication to the API. Without it, anyone who can reach the endpoint can start NetID authentication requests for any personal number. These authentication methods are supported:

- Client certificate (recommended).
Use a reverse proxy to add client certificate authentication. Add valves to the pipe(s) to verify the certificate.

- Basic authentication
Add valves to the pipes to verify the basic authentication credentials.

Add NetID Access certificate [Not always mandatory, please consult your NIAS administrator]

- Access the PhenixID Server root folder

- Create a folder called NIAS_CERT

- Add the certificate (.p12 file) to the folder NIAS_CERT

Add local http-api module

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Add this module (if the module is already added, only add the tenant and/or allowedOperation):

{
    "module": "com.phenixidentity~phenix-api-authenticate",
    "enabled": "true",
    "config": {
        "tenant": [
            {
                "id": "t1",
                "displayName": "Tenant1",
                "allowedOperation": [
                    "netid_start_auth",
                    "netid_check_auth"
                ]
            }
        ]
    },
    "id": "authapi_module"
}

- Click Stage Changes and Commit Changes

- Open NODE_GROUPS (click on the pen)

- Add the id of the newly added module to module_refs. Example below. (You can skip this step if the module was already added.)

{
    "name": "WIN-DHB3ICNDG4E",
    "description": "Default node (created automatically)",
    "config": {
        "module_refs": "authapi_module,sealapp,signapp_1,......"
    },
    "created": "2017-07-03T11:38:03.135Z",
    "id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
    "modified": "2017-07-03T14:39:43.257Z"
}

- Click Stage Changes and Commit Changes


Add pipes to trigger NetID authentication and collect authentication status

In this example, no client certificate is used. See the Valves documentation for how to configure a client certificate for the NetID valves.

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add these pipes. Change these properties to suit your environment:

- wsdlLocation -> the WSDL endpoint of your NetID Access Server (the value below points at a lab environment and must be replaced).

- user_visible_data -> the text shown on the user's NetID Access device ("Logga in" is Swedish for "Log in").

{
    "id": "netid_start_auth",
    "description": "Start auth with netid",
    "valves": [
        {
            "name": "NIASSignValve",
            "config": {
                "wsdlLocation": "https://showroom.lab.secmaker.com/nias/ServiceServer.asmx?WSDL",
                "pnr": "{{request.pnr}}",
                "user_visible_data": "Logga in"
            }
        }
    ]
},
{
    "id": "netid_check_auth",
    "description": "Check auth",
    "valves": [
        {
            "name": "NIASCollectSignatureValve",
            "config": {
                "wsdlLocation": "https://showroom.lab.secmaker.com/nias/ServiceServer.asmx?WSDL",
                "transactionID": "{{request.transactionID}}"
            }
        }
    ]
}

- Click Stage Changes and Commit Changes
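The module, NODE_GROUPS and pipe steps above are easy to get subtly wrong when the authenticate module already exists: the module must not be added twice, the tenant's allowedOperation list must be extended rather than replaced, the module id must appear in module_refs exactly once, and every operation listed must have a pipe with the same id (the two lists on this page match). The following is an added example, not PhenixID code, that applies those rules to the exported JSON structures and reports operations that have no pipe. The sample module and node group data are constructed; the second module's name is a placeholder.

```python
import copy
import json

AUTHAPI_MODULE = "com.phenixidentity~phenix-api-authenticate"
NETID_OPERATIONS = ["netid_start_auth", "netid_check_auth"]


def ensure_authapi_module(modules, tenant_id="t1", display_name="Tenant1",
                          operations=NETID_OPERATIONS, module_id="authapi_module"):
    """Return (modules, module id) with the authenticate module present exactly once.

    If the module already exists only the tenant and/or its allowedOperation
    list is extended, as the procedure above requires; nothing is duplicated
    and the input list is left untouched.
    """
    modules = copy.deepcopy(modules)
    for mod in modules:
        if mod.get("module") == AUTHAPI_MODULE:
            tenants = mod.setdefault("config", {}).setdefault("tenant", [])
            for tenant in tenants:
                if tenant.get("id") == tenant_id:
                    allowed = tenant.setdefault("allowedOperation", [])
                    allowed.extend(op for op in operations if op not in allowed)
                    break
            else:  # module exists but this tenant does not
                tenants.append({"id": tenant_id, "displayName": display_name,
                                "allowedOperation": list(operations)})
            return modules, mod["id"]
    modules.append({
        "module": AUTHAPI_MODULE,
        "enabled": "true",
        "config": {"tenant": [{"id": tenant_id, "displayName": display_name,
                               "allowedOperation": list(operations)}]},
        "id": module_id,
    })
    return modules, module_id


def ensure_module_ref(node_group, module_id):
    """Add module_id to the node group's comma-separated module_refs if missing."""
    node_group = copy.deepcopy(node_group)
    raw = node_group.setdefault("config", {}).get("module_refs", "")
    refs = [r.strip() for r in raw.split(",") if r.strip()]
    if module_id not in refs:
        refs.insert(0, module_id)
    node_group["config"]["module_refs"] = ",".join(refs)
    return node_group


def missing_pipes(modules, pipes):
    """Return allowedOperation names for which no pipe with that id exists.

    The API invokes the pipe whose id equals the operation name, so an
    operation without a pipe is exposed but can never complete.
    """
    pipe_ids = {p["id"] for p in pipes}
    missing = []
    for mod in modules:
        if mod.get("module") != AUTHAPI_MODULE:
            continue
        for tenant in mod.get("config", {}).get("tenant", []):
            for op in tenant.get("allowedOperation", []):
                if op not in pipe_ids and op not in missing:
                    missing.append(op)
    return missing


# Constructed sample: the module already exists with only the start operation
# allowed, and the node group references two unrelated modules.
EXISTING_MODULES = [
    {"module": AUTHAPI_MODULE, "enabled": "true",
     "config": {"tenant": [{"id": "t1", "displayName": "Tenant1",
                            "allowedOperation": ["netid_start_auth"]}]},
     "id": "authapi_module"},
    {"module": "com.example~placeholder-module", "enabled": "true",
     "config": {}, "id": "sealapp"},
]
EXISTING_NODE_GROUP = {"name": "node1", "config": {"module_refs": "sealapp,signapp_1"},
                       "id": "node1"}
PIPES = [{"id": "netid_start_auth", "valves": []},
         {"id": "netid_check_auth", "valves": []}]

if __name__ == "__main__":
    modules, module_id = ensure_authapi_module(EXISTING_MODULES)
    node_group = ensure_module_ref(EXISTING_NODE_GROUP, module_id)
    print(json.dumps(modules, indent=2))
    print("module_refs:", node_group["config"]["module_refs"])
    print("operations without a pipe:", missing_pipes(modules, PIPES))
```

Run the script against the Modules, NODE_GROUPS and Pipes JSON exported from the Advanced tab before committing; an empty "operations without a pipe" list and a module_refs value containing authapi_module once is the expected state.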

Test

Use an HTTP REST client for testing and debugging. Follow the document Using PhenixID HTTP API for NetID Access (SITHS/EFOS/Own CA) authentication to structure the HTTP requests properly.
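The two pipes form a start-then-poll flow: the start call takes the pnr, the check call takes the transactionID returned by the start call and is repeated until the user has completed the request on the device. The following is an added example of a test client for that flow, not PhenixID code. It assumes an endpoint path of /api/authentication/<operation>, a request header named tenant carrying the tenant id, a transactionID key in the start response and a caller-supplied completion check; take the real request and response structure from the Using PhenixID HTTP API document and adjust these assumptions. Basic authentication credentials and an optional client certificate (PEM, for a reverse proxy in front of the API) are sent the way that section describes, and server certificate verification is never disabled.

```python
import base64
import json
import ssl
import time
import urllib.request


class NetIdApiClient:
    """Test client for the netid_start_auth / netid_check_auth pipes.

    Endpoint path, tenant header and response keys are assumptions
    documented in the lead-in, not confirmed PhenixID behaviour.
    """

    def __init__(self, base_url, tenant, username=None, password=None,
                 client_cert=None, client_key=None, transport=None):
        self.base_url = base_url.rstrip("/")
        self.tenant = tenant
        self.username = username
        self.password = password
        # Default context verifies the server certificate against the system trust store.
        self.ctx = ssl.create_default_context()
        if client_cert:  # client certificate for a reverse proxy requiring TLS client auth
            self.ctx.load_cert_chain(client_cert, client_key)
        self.transport = transport or self._http_post  # injectable for offline tests

    def build_request(self, operation, body):
        url = f"{self.base_url}/api/authentication/{operation}"  # assumed path
        headers = {"Content-Type": "application/json", "tenant": self.tenant}  # assumed header
        if self.username is not None:
            token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
            headers["Authorization"] = f"Basic {token}"
        return url, headers, json.dumps(body).encode()

    def _http_post(self, url, headers, data):
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            return json.loads(resp.read().decode())

    def call(self, operation, body):
        return self.transport(*self.build_request(operation, body))

    def start_auth(self, pnr):
        # The pnr is personal data: send it in the body, never in the URL or logs.
        return self.call("netid_start_auth", {"pnr": pnr})

    def check_auth(self, transaction_id):
        return self.call("netid_check_auth", {"transactionID": transaction_id})

    def authenticate(self, pnr, is_done, interval=2.0, timeout=120.0,
                     sleep=time.sleep, clock=time.monotonic):
        """Start a transaction and poll until is_done(result) or the timeout expires."""
        started = self.start_auth(pnr)
        tid = started["transactionID"]  # assumed response key, mirrors {{request.transactionID}}
        deadline = clock() + timeout
        while True:
            result = self.check_auth(tid)
            if is_done(result):
                return result
            if clock() >= deadline:
                raise TimeoutError(f"NetID transaction {tid} not completed within {timeout}s")
            sleep(interval)


if __name__ == "__main__":
    # Placeholder host, credentials and completion rule; replace with your environment's.
    client = NetIdApiClient("https://pas.example.test:8443", "t1", "apiuser", "secret")
    outcome = client.authenticate("199001011234",
                                  is_done=lambda r: r.get("status") != "pending")
    print(json.dumps(outcome, indent=2))
```

The poll loop has a hard deadline so a transaction the user never answers does not leave the test client hammering the API, and the transport is a plain callable so the flow can be exercised against recorded responses before pointing it at a real server.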