FrejaEIDAuthenticator

This document describes how to configure FrejaEIDAuthenticator.

A keystore should have been received from Freja eID and imported into PhenixID Server before configuration of the authenticator. The keystore contains a certificate that allows the Freja eID server to verify requests from the PAS authenticator.

Please follow this document to import the keystore.

In the example below, a Freja eID authentication is used to protect the /mfaadmin resource.

Properties

Name Description Default value Mandatory
pipeID Id of pipe used by Freja eID Authenticator. Yes
successURL The URL to redirect the browser to after successful authentication. Yes
keyStore ID of the keyStore created in PhenixID Server. Yes
trustStore ID of the trustStore based on the public trusted certificates from Verisec. Yes
poll_frequency Poll frequency from the authenticator to Verisec server 1 No
poll_max Max number of polls from the authenticator to Verisec server, before the response is returned to the browser, where a new polling period is initiated. 120 No
test_mode Test mode, connecting to Verisec test environment false No
userNameParameter Username parameter name username No
relyingPartyId Freja eID relying party id No
allowLanguageChange Allow language change No
title Title login.messages.heading No
translationKey Translation key No
headingtranslationKey Heading translation key login.messages.information.header No
openLocalFrejaApp Open local Freja App text key login.messages.openLocalFrejaApp No
failedAuthKey Failed authentication key login.messages.failed_auth No
loginTemplate Login template frejaeid.template No
templates_dir Template directory templates No
includeQueryString Include query string false No
success_template Success template autopost No

General description

When a user client sends an authentication request to this authenticator, the authenticator will in turn send an authentication request to the Freja eID server for the specified username. If the user has enrolled a device at the Freja eID server, that device will receive a request from the Freja eID server to allow or deny the authentication. The authenticator will regularly check the server for a response from the user, until a response is received or a timeout limit is reached.  If the authentication request is allowed by the user, the authenticator will execute a pipe. If the pipe request is successful, the user will be allowed to the requested resource.


In the following, we will look specifically at an example where a Freja eID authenticator is used to protect the /mfaadmin resource on the PAS server, using a database lookup in addition to the authentication to ensure that the user is valid. To try the example, make sure that the MFA Admin application is activated.

Database configuration

The system is typically configured to check a database for the existence of the requesting user before allowing the user client to the requested resource. The database connection can be configured from the PhenixID Configuration Portal under Scenarios/Connections, or by using the Advanced view. An example configuration of a database connection, as seen in the Advanced view, is provided below.

<p>{
  "id": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
  "type": "ldap",
  "description": "Connection to local OpenDJ",
  "config": {
    "host": "localhost",
    "port": "389",
    "bind_dn": "cn=Directory Manager",
    "password": "mypassword",
    "use_ssl": "true",
    "ssl_trust_all": "true",
    "follow_referrals": "false",
    "auto_reconnect": "true",
    "use_keep_alive": "true",
    "response_timeout_ms": "30000",
    "pool_initial_size": "1",
    "pool_max_size": "2"
  }
}</p>
Click to copy

The pipe that checks the database for the existence of the requesting user is in this case most easily configured using the Advanced view in the PhenixID Configuration Portal. After logging in and navigating to the advanced view, click the pencil next to the header "Pipes". Add the configuration below to the list of pipe configurations in the opened window, then click "Stage changes" and "Commit changes".

<p>{
  "id": "68731314-eeb2-4d59-9aaa-79cd9913a320",
  "valves": [{
    "name": "LDAPSearchValve",
    "enabled": "true",
    "config": {
      "connection_ref": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
      "base_dn": "dc=example,dc=org",
      "scope": "SUB",
      "size_limit": "0",
      "filter_template": "mail={{request.username}}"
    }
  }]
}</p>
Click to copy

Note that the value of the field "connection_ref" corresponds to the value of the field "id" of the database configuration above.

The keystore

In order for the authenticator to act as a client to the Freja eID server, triggering authentication requests and polling the server for user responses, a keystore with a certificate is necessary. The certificate is provided by Freja eID and must be kept secure. For instructions of how to upload the keystore to the PAS server, see here. The resulting configuration, as seen in the Advanced view, can be seen below.

<p>{
    "id" : "a9bdfe2c-9a0b-4165-8d6d-0ae3f2ec7d9e",
    "type" : "pkcs12",
    "password" : "keystore password",
    "certificateAlias" : "xxxx",
    "privateKeyPassword" : "keystore password",
    "resource" : "c9be2a3b-f3c0-471a-9f87-15ede5d55498",
    "name" : "freja"
  }</p>
Click to copy

The truststore

In order for the PAS server to ensure that it is connecting to the correct Freja eID server, it is necessary to provide a truststore with public certificates

You have to add the add the certificate chain that the above client cert is created from.
This part has to be added manually in the Advanced view.

Open the Keystores part with the pen and add following code at the end.

<p>{
    "id": "frejaeid-truststore",
    "resource": "frejaeid-resource",
    "name": "Verisec Certificate Chain",
    "certificateAlias": "0",
    "type": "pkcs12"
}</p>
Click to copy

Stage and Commit and then open the Resources part with it´s pen.

Add the following code, Stage and Commit.

<p>{
    "description": "Verisec Certificate Chain",
    "id": "frejaeid-resource",
    "content_type": "application/x-pkcs12",
    "content_encoding": "base64",
    "content": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVjVENDQTFtZ0F3SUJBZ0lVQy90NG0zcXM3YU4yWHdlMTlzSUVLSDE4ZXd3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZTXhDekFKQmdOVkJBWVRBbE5GTVJJd0VBWURWUVFIRXdsVGRHOWphMmh2YkcweEZEQVNCZ05WQkdFVApDelUxT1RFeE1DMDBPREEyTVIwd0d3WURWUVFLRXhSV1pYSnBjMlZqSUVaeVpXcGhJR1ZKUkNCQlFqRU5NQXNHCkExVUVDeE1FVkdWemRERWNNQm9HQTFVRUF4TVRVbE5CSUZSRlUxUWdTWE56ZFdsdVp5QkRRVEFlRncweE9EQXgKTVRFeE1URTFNakphRncweU16QXhNVEV4TVRFMU1qSmFNSUdLTVFzd0NRWURWUVFHRXdKVFJURVNNQkFHQTFVRQpCeE1KVTNSdlkydG9iMnh0TVJRd0VnWURWUVJoRXdzMU5Ua3hNVEF0TkRnd05qRWRNQnNHQTFVRUNoTVVWbVZ5CmFYTmxZeUJHY21WcVlTQmxTVVFnUVVJeERUQUxCZ05WQkFzVEJGUmxjM1F4SXpBaEJnTlZCQU1UR25ObGNuWnAKWTJWekxuUmxjM1F1Wm5KbGFtRmxhV1F1WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQgpDZ0tDQVFFQWc4RTVDaUZlb3QxTUpQYjZ0RHdTT2dmdWRGMjlTZUNsQkdESzB4UG9ueDRXczh1VVFrRlpCeHh6CnJpbGVtNUhQZjF2ZytlamVjTUd0dFgybXpRK2pXY3dEVXpmSjYvM0tONWtBaWF0U04xVFdiWU1NTEt2cGZxTW0KWWNsTEd5NFBFcDJZdkx6YjN3OUY4VTAyU1dSS2ZOTjFXQk1vRnlsNUhEYURkVnhveTV5UWNlUG15QjFMTW52bwptNXhPVHR1QjBIZ283ZWpFeFNNUnlVSzhtRTJmMGszVDZ2N2RRMWJzS09mTW14U25GKzFJNWJwY2JFdGJCVDRpCkFrc2dxVWtPcWN6V21MZlFKczVZRkUvYk1jQklwRGNmU0xtU2VWRU9UbFBiTmY3ZTk4TnhVVmIzVHk3YitCbmQKZS96ZkIrRi9UQUlmVlpzM3YwR3p0b2t0Z25oR1NRSURBUUFCbzRIVE1JSFFNQTRHQTFVZER3RUIvd1FFQXdJRgo0REFNQmdOVkhSTUJBZjhFQWpBQU1COEdBMVVkSXdRWU1CYUFGR3A4aWcrZGNBNGMybDh0b0R3bVg0am9GYitjCk1CSUdBMVVkSUFRTE1Ba3dCd1lGS2dNRUJRZ3dQUVlEVlIwUkJEWXdOSUlhYzJWeWRtbGpaWE11ZEdWemRDNW0KY21WcVlXVnBaQzVqYjIyQ0ZtRjFkR2d1ZEdWemRDNW1jbVZxWVdWcFpDNWpiMjB3SFFZRFZSME9CQllFRkVkNwpoNXlra3dyblV1ekp5bk9JbkN2M0dVenlNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01DQmdnckJnRUZCUWNECkFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUF3cFJhSUM3c2k1MzNZWU5MM3dPZnV0SjR0d0YxcjhPajVwakgKUkpUTjhKcXdDeUl0d3NnZ2ZGYjk5YklJMEpMYzFDNWh6ZEQrVlNja3ltamY1bVNCQVBLNHV3cWxzWmdtblhvNApxbTJGUkdiZThDRnU1d3ZDWk1xTU43YTJOZytIeStZUWNEVmNueGs0UWZCNSszYTZ0R253OTFrMzYvVldDNGZ5Ck5ZSFJYbWhXWXJxNFNrUFZpc2c2dE8wRHpTRnNleVNQQWc4aTY5TmduMU54V2pWVU9uSkduZUZnNy9WV3RkMXMKYWU5Mlg0eDdoY2UyYmRJYm81MHlSSGZxeVVuU3hpdlRIL216VXVpT2daSFlDbzh4c3V2cDlCWTdPVVI5bzJKagpMbjlSWnpaOVVmRVBmQWI0amJWblR3MG83L1E0dFBvU1ZscGJId1E1ZWVlSUxyR0hYQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdNekNDQkJ1Z0F3SUJBZ0lVUEI0clVxRkZpRzZnNjdhK2NMQ0JDdVRreEdRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VURUxNQWtHQTFVRUJoTUNVMFV4RXpBUkJnTlZCQW9UQ2xabGNtbHpaV01nUVVJeEVqQVFCZ05WQkFzVApDVVp5WldwaElHVkpSREVaTUJjR0ExVUVBeE1RVWxOQklGUmxjM1FnVW05dmRDQkRRVEFlRncweE56QTFNVEF4Ck5ESTJNREJhRncwME56QTFNVEF4TkRJMk1EQmFNRkV4Q3pBSkJnTlZCQVlUQWxORk1STXdFUVlEVlFRS0V3cFcKWlhKcGMyVmpJRUZDTVJJd0VBWURWUVFMRXdsR2NtVnFZU0JsU1VReEdUQVhCZ05WQkFNVEVGSlRRU0JVWlhOMApJRkp2YjNRZ1EwRXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDNm42SXZKY09JCnk5eTR4NFlabGNEWVdHQU5abi81OGFRcS8rcS8ySU9oZXFIN3BmcWYwMEZyWm1URnpYUVRJNGtvUFVPcGFnWU0KRVNHNk1MbGdXN2FrQ25BM1Y1ZHVFdkdCSmdBUjZGbGRhaXdkSE1xV0JLTGI1cHZvQzIvdWN6U05pZStwRWlkUQp1aitPaDVNd1VDSld4NG4yZkxvSk1UUDRMYjFueEZRWHpDalJNV0oxdzNwTSszbURZSnp2TEZoVjJVcjdRQkFkCkpqR0dQQ3ByRGRSRWZ6YW5tN0pnNW1GdGR0Yk1QUG9iTVZES1JpQ3ZmWExhdkU0VWV1cEpGMlJkZzUzMHRwYUoKTWI2bSsrT3NGTU40c0hxMEhVWWlZSXdldGRteFkzVzJkcEtKam1MN3BQUHByY3BuSHFjaTlhM04zMmFqY2xwVgpaN2MwamZ1d0N3ays2RUZZUk5tQ2tLRWtNclNlOHdyOHR1SDRGWXdoVFFDc0ZRZUFXVWFXelNsMjlJZWxteDM4Ck90K2czYVV3OExabHRaek1ZaGFrMjU3Yng0THFmcjIzZWRqejJnNDUvREVrNUgyL3pzdkVHbndxNzN4dHBBSloKclpIU3FndWd3UHFMaEN4S3M5M2FidVNoTWFzOTJDTDdqdUFwNEZqWXpqQlM4NXFRbkhoeFZGemlHb3l2dFVVMwpZUzZaTmFlOTZLYmdXN0tqZDcyaS93ZlVOSktkRjJRQUtXSUpZTDgwYlE5bTJ3K3NMNlROZC90UkczT1hXSkhECnByS1JUWUtpVzJuWnhEb1g0Q2xzTk1XajJpS1BhR3RibDZ0bVpwUkxadGpzOHM5bEFpTkJRZDBYcXRUc3l5ci8KMys4QWZuaHMrREc1NUE0LzkxRGRhWGxEQTRVYnBqWnBEUUlEQVFBQm80SUJBVENCL2pBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkF6Q0J1QVlEVlIwZ0JJR3dNSUd0TUlHcUJnVXFBd1FGCkJqQ0JvREE0QmdnckJnRUZCUWNDQVJZc2FIUjBjSE02THk5amNITXVkR1Z6ZEM1bWNtVnFZV1ZwWkM1amIyMHYKWTNCekwybHVaR1Y0TG1oMGJXd3daQVlJS3dZQkJRVUhBZ0l3V0F4V1ZHaHBjeUJqWlhKMGFXWnBZMkYwWlNCbwpZWE1nWW1WbGJpQnBjM04xWldRZ0lHbHVJR0ZqWTI5eVpHRnVZMlVnZDJsMGFDQjBhR1VnUm5KbGFtRWdaVWxFCklGUkZVMVFnVUc5c2FXTjVJRU52Ym5SeWIyd3dIUVlEVlIwT0JCWUVGTXF3N0xsWHc1dzlyVG1LRS9yd05icnMKREhlS01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk9HSTJZNHVYUWVBTVNzd0VTc0lzYkY0UmxrdklRaUdDZAprd3Q3T3pwZmlSY09Rbmt4bTlybHBkUHRDN01halZJNm93dFp3VDZCU0cwam15VUZMaWhwNFZCMDJWTTAyeGtjCllzU0QvNThWK0dmLzFpRWpnUWduTmp6OVo1YlVSR1VpUEs5VFdyY2hpN0UyTUxseVNlSEFFSlVVMXU1aHdVMFYKKzBoUTRTK0VFWkJZZk9WNVdhb0ZtYTJZWEZUU1NDSHR6bUcrT01oSXRnZXZKRnQrT0x5bU9UZXd1Rjd2NHZjUApQVnlVQjlpRWdhd0V3cGpKRUJ0YXhrbUlhSnY0Si9jOTJLS0hjVEt4cjhFYVBmT2w0dDNVQ0htUUxnbkNFRy8zCkhuNktnTnNINlJDT21ab2pkVGY1dndRWjJCN0FjYlZvelUvbm9KWjFvNkM0b1J0NVBrVEVkU25BbVg4cGY0TW4KTlhZbXhQcFhFN0tsRWF6THg5cG9CR1ZvYkNuMFgzRisxQTVwRUhmWThPeS9FT0tjMytac3dXMjk0QXVXQ3MvbgpIbGFtV1BTK2pxTktXM3Fqak5LNkZaczcySUVDdWY5T1NONUJ2RHJVc1c0NGIwWTZvR0lVZXZPdGV4QVhpQldWClNLVDlHc29qcmxZMzZYME8zK2xra3F0VzRhZWExMXFpM29Heis5aVhjUFFlZUQ3a2dma3N6U1lLa245V0IxWVQKai9scFpUbGY5RGx4QTUrK3V1M0dycHg3cVJkQ2xFYkRmNVEySExJU1dWd2lyb2N5U0d6aDR3QUNGSGk2aVFqbgpzcm56SHU5NjhNdE9uTjZGUXQ5elBaeGFSWXJ6THBWLzl5eWFoOWpZWXVMRklHamUreXpBbjVNOE9SVjVwMUF0CkZ2alRSZkg1b0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlHT0RDQ0JDQ2dBd0lCQWdJVWR4T0NNMFNoWUdTUkg2dUhSTVhqOWJLa2dWNHdEUVlKS29aSWh2Y05BUUVMCkJRQXdVVEVMTUFrR0ExVUVCaE1DVTBVeEV6QVJCZ05WQkFvVENsWmxjbWx6WldNZ1FVSXhFakFRQmdOVkJBc1QKQ1VaeVpXcGhJR1ZKUkRFWk1CY0dBMVVFQXhNUVVsTkJJRlJsYzNRZ1VtOXZkQ0JEUVRBZUZ3MHhOekExTVRjeApORFF5TlRKYUZ3MHlOekExTVRjeE5EUXlOVEphTUlHRE1Rc3dDUVlEVlFRR0V3SlRSVEVTTUJBR0ExVUVCeE1KClUzUnZZMnRvYjJ4dE1SUXdFZ1lEVlFSaEV3czFOVGt4TVRBdE5EZ3dOakVkTUJzR0ExVUVDaE1VVm1WeWFYTmwKWXlCR2NtVnFZU0JsU1VRZ1FVSXhEVEFMQmdOVkJBc1RCRlJsYzNReEhEQWFCZ05WQkFNVEUxSlRRU0JVUlZOVQpJRWx6YzNWcGJtY2dRMEV3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFNVaEdECkhIcHFocDlPbUEyZjhIaktIZCtKSkR0ZXhyVlFldHladWpaZmlnOFVWNnk4NW5FY0F3N0ZoMWtFRzlJM0pIZS8KUE5tQkwveTlOYVJicXl3Z1I4ZXZVMGw1d1NCbGV2R2VsejlIK25lR1ZFRnZLa0htRk92cjdmN2M1YlZXYS9VUgp6VG1DZldBb2xLdlkrQXdLbElrZFRFMWVwdG44TTk0MFlGdlVVTEJoTGFEU1pYTmh2djZFWlQ5dzJ4VFQ0WnlICndkOGZhTGZFdnRHcysxM0tyQWh1dGFKSllZNlhxMEZuOVE3MXNYL3g1VDdkRzVJblNpRVBZTmdnVzlwUlZreDYKMW1kYnBpejZ3YUdzTnJNbzB3T3lYOC93ZnB0Z1E4MUI0QlVuS1Q4OUYzTk9oOU03WkpOOStzUnRYMGtXTExSWgpTTitSZzFZeTczRDY4QjB4QWdNQkFBR2pnZ0hUTUlJQnp6QU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUCkFRSC9CQWd3QmdFQi93SUJBREJQQmdnckJnRUZCUWNCQVFSRE1FRXdQd1lJS3dZQkJRVUhNQUdHTTJoMGRIQTYKTHk5eWIyOTBZMkZzWVdJek1TNTBaWE4wTG1aeVpXcGhaV2xrTG1OdmJUbzROemMzTDJGa2MzTXZiMk56Y0RBZgpCZ05WSFNNRUdEQVdnQlRLc095NVY4T2NQYTA1aWhQNjhEVzY3QXgzaWpDQnVBWURWUjBnQklHd01JR3RNSUdxCkJnVXFBd1FGQmpDQm9EQTRCZ2dyQmdFRkJRY0NBUllzYUhSMGNITTZMeTlqY0hNdWRHVnpkQzVtY21WcVlXVnAKWkM1amIyMHZZM0J6TDJsdVpHVjRMbWgwYld3d1pBWUlLd1lCQlFVSEFnSXdXQXhXVkdocGN5QmpaWEowYVdacApZMkYwWlNCb1lYTWdZbVZsYmlCcGMzTjFaV1FnSUdsdUlHRmpZMjl5WkdGdVkyVWdkMmwwYUNCMGFHVWdSbkpsCmFtRWdaVWxFSUZSRlUxUWdVRzlzYVdONUlFTnZiblJ5YjJ3d1hRWURWUjBmQkZZd1ZEQlNvRkNnVG9aTWFIUjAKY0RvdkwzSnZiM1JqWVd4aFlqTXhMblJsYzNRdVpuSmxhbUZsYVdRdVkyOXRPamczTnpjdllXUnpjeTlqY214egpMMlp5WldwaFpXbGtYM0p6WVY5eWIyOTBYMk5oTG1OeWJEQWRCZ05WSFE0RUZnUVVhbnlLRDUxd0RoemFYeTJnClBDWmZpT2dWdjV3d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFHekhrRWtWRE1xY0ErR1JUQXZXMk9XMXREWm8KRmxqTSt3MUF1UXozODBrbU1hbUFsNGYrSW13M1VzVDNKaFhQWmFKTlZvZnFQQk8vRmlvb085bVBJZjhqTXhyeApMZm0vcC8ybjlLNDlSWXdnUk5Ed1Z5VzU5YzFIMGp2SGVQcGZhUnRQUzJvdjBlSStRU012azE0L3BoSXYvYmtOCmQrME9WcDBxZ1RWVFR3d0F2VVFKMlA5Y0RLM09JajdIMHZKaGh3N3V4NjZnTk1IZitJbkVScmJ1MFNpNXJRZW0KU2FmYVFUUzZOMFFOdEpWQWFmUllETS9GVE9kUHVsYnhrYmt0eWJqTWlEVHVKM012aHFLdjV6Q1I4bm9Zd0VCUApWcmVQQXZnNmJ3YjBLMWFDQVFtNElzV0JDS0Y0dDZzcWpydmFxLzNqVW8rTTY1VHAwQUtUS240QjhubVR2R3Y5CmxUNFBnc0NUd3dYYklVY1c1cmZzbUU5d1ZwUmZpZUc3R3g2MnlkSFBsSVBrVENoVXpzL2pvanU4c3lrVm5zc0YKMVlEcVFsZ01hMlNwK2t4NWk3ZWlqWDFlamNKaCtwbXVRVFFuWGo2c0RKcnk4MU90cURPN0Q3RGhhVUhmR0xpbAptWHVyQW9sdWptbGw1TWFiZEJFcTNFNFRUZWJ2djZXU05wRVl3UTFTKzhlRSs5c2xMbm1oUjJSU05wV0dEUS9sCld3Rm9Bc1RDakcrZTlmNTdtR1VsbVNlVTZ6RVJJeGllRVI3d01NN0VhcVdhWW82SmJlT2h1c2JkVFUvTG1zeUEKOGZaWXArZ24vRk04V2w4ZWgxcWovR0ljQWREQUlPM2s4bXFBOThzV1I3TXg1dmdkUk5jbXBDdE9ReHhpaWpDNwpNUmJZS2VCazRIT3RYdzllCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdNekNDQkJ1Z0F3SUJBZ0lVUEI0clVxRkZpRzZnNjdhK2NMQ0JDdVRreEdRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VURUxNQWtHQTFVRUJoTUNVMFV4RXpBUkJnTlZCQW9UQ2xabGNtbHpaV01nUVVJeEVqQVFCZ05WQkFzVApDVVp5WldwaElHVkpSREVaTUJjR0ExVUVBeE1RVWxOQklGUmxjM1FnVW05dmRDQkRRVEFlRncweE56QTFNVEF4Ck5ESTJNREJhRncwME56QTFNVEF4TkRJMk1EQmFNRkV4Q3pBSkJnTlZCQVlUQWxORk1STXdFUVlEVlFRS0V3cFcKWlhKcGMyVmpJRUZDTVJJd0VBWURWUVFMRXdsR2NtVnFZU0JsU1VReEdUQVhCZ05WQkFNVEVGSlRRU0JVWlhOMApJRkp2YjNRZ1EwRXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDNm42SXZKY09JCnk5eTR4NFlabGNEWVdHQU5abi81OGFRcS8rcS8ySU9oZXFIN3BmcWYwMEZyWm1URnpYUVRJNGtvUFVPcGFnWU0KRVNHNk1MbGdXN2FrQ25BM1Y1ZHVFdkdCSmdBUjZGbGRhaXdkSE1xV0JLTGI1cHZvQzIvdWN6U05pZStwRWlkUQp1aitPaDVNd1VDSld4NG4yZkxvSk1UUDRMYjFueEZRWHpDalJNV0oxdzNwTSszbURZSnp2TEZoVjJVcjdRQkFkCkpqR0dQQ3ByRGRSRWZ6YW5tN0pnNW1GdGR0Yk1QUG9iTVZES1JpQ3ZmWExhdkU0VWV1cEpGMlJkZzUzMHRwYUoKTWI2bSsrT3NGTU40c0hxMEhVWWlZSXdldGRteFkzVzJkcEtKam1MN3BQUHByY3BuSHFjaTlhM04zMmFqY2xwVgpaN2MwamZ1d0N3ays2RUZZUk5tQ2tLRWtNclNlOHdyOHR1SDRGWXdoVFFDc0ZRZUFXVWFXelNsMjlJZWxteDM4Ck90K2czYVV3OExabHRaek1ZaGFrMjU3Yng0THFmcjIzZWRqejJnNDUvREVrNUgyL3pzdkVHbndxNzN4dHBBSloKclpIU3FndWd3UHFMaEN4S3M5M2FidVNoTWFzOTJDTDdqdUFwNEZqWXpqQlM4NXFRbkhoeFZGemlHb3l2dFVVMwpZUzZaTmFlOTZLYmdXN0tqZDcyaS93ZlVOSktkRjJRQUtXSUpZTDgwYlE5bTJ3K3NMNlROZC90UkczT1hXSkhECnByS1JUWUtpVzJuWnhEb1g0Q2xzTk1XajJpS1BhR3RibDZ0bVpwUkxadGpzOHM5bEFpTkJRZDBYcXRUc3l5ci8KMys4QWZuaHMrREc1NUE0LzkxRGRhWGxEQTRVYnBqWnBEUUlEQVFBQm80SUJBVENCL2pBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkF6Q0J1QVlEVlIwZ0JJR3dNSUd0TUlHcUJnVXFBd1FGCkJqQ0JvREE0QmdnckJnRUZCUWNDQVJZc2FIUjBjSE02THk5amNITXVkR1Z6ZEM1bWNtVnFZV1ZwWkM1amIyMHYKWTNCekwybHVaR1Y0TG1oMGJXd3daQVlJS3dZQkJRVUhBZ0l3V0F4V1ZHaHBjeUJqWlhKMGFXWnBZMkYwWlNCbwpZWE1nWW1WbGJpQnBjM04xWldRZ0lHbHVJR0ZqWTI5eVpHRnVZMlVnZDJsMGFDQjBhR1VnUm5KbGFtRWdaVWxFCklGUkZVMVFnVUc5c2FXTjVJRU52Ym5SeWIyd3dIUVlEVlIwT0JCWUVGTXF3N0xsWHc1dzlyVG1LRS9yd05icnMKREhlS01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk9HSTJZNHVYUWVBTVNzd0VTc0lzYkY0UmxrdklRaUdDZAprd3Q3T3pwZmlSY09Rbmt4bTlybHBkUHRDN01halZJNm93dFp3VDZCU0cwam15VUZMaWhwNFZCMDJWTTAyeGtjCllzU0QvNThWK0dmLzFpRWpnUWduTmp6OVo1YlVSR1VpUEs5VFdyY2hpN0UyTUxseVNlSEFFSlVVMXU1aHdVMFYKKzBoUTRTK0VFWkJZZk9WNVdhb0ZtYTJZWEZUU1NDSHR6bUcrT01oSXRnZXZKRnQrT0x5bU9UZXd1Rjd2NHZjUApQVnlVQjlpRWdhd0V3cGpKRUJ0YXhrbUlhSnY0Si9jOTJLS0hjVEt4cjhFYVBmT2w0dDNVQ0htUUxnbkNFRy8zCkhuNktnTnNINlJDT21ab2pkVGY1dndRWjJCN0FjYlZvelUvbm9KWjFvNkM0b1J0NVBrVEVkU25BbVg4cGY0TW4KTlhZbXhQcFhFN0tsRWF6THg5cG9CR1ZvYkNuMFgzRisxQTVwRUhmWThPeS9FT0tjMytac3dXMjk0QXVXQ3MvbgpIbGFtV1BTK2pxTktXM3Fqak5LNkZaczcySUVDdWY5T1NONUJ2RHJVc1c0NGIwWTZvR0lVZXZPdGV4QVhpQldWClNLVDlHc29qcmxZMzZYME8zK2xra3F0VzRhZWExMXFpM29Heis5aVhjUFFlZUQ3a2dma3N6U1lLa245V0IxWVQKai9scFpUbGY5RGx4QTUrK3V1M0dycHg3cVJkQ2xFYkRmNVEySExJU1dWd2lyb2N5U0d6aDR3QUNGSGk2aVFqbgpzcm56SHU5NjhNdE9uTjZGUXQ5elBaeGFSWXJ6THBWLzl5eWFoOWpZWXVMRklHamUreXpBbjVNOE9SVjVwMUF0CkZ2alRSZkg1b0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
}</p>
Click to copy

The information in the content property is the .cer version of the root and intermediate certificates "Freja eID Production Root",  "Freja eID Production Issuing CA" and the corresponding test certificates concatenated into one file. That file has has then been base64 encoded to fit in the content property above

Configuring the authenticator

To protect the MFA Admin application with a Freja eID authentication and a database lookup, use the Advanced view in the Configuration Portal to enter the configuration below. After logging in and navigating to the Advanced view, click the pencil next to the header "Authentication - HTTP". Add the configuration below to the list of authenticator configurations in the opened window, then click "Stage changes" and "Commit changes".

<p>{
  "id": "0c18a73e-612a-4ce2-a353-40f60dd4bbf9",
  "alias": "freja",
  "name": "FrejaEIDAuthenticator",
  "displayName": "Freja",
  "configuration": {
    "pipeID": "68731314-eeb2-4d59-9aaa-79cd9913a320",
    "successURL": "/mfaadmin/",
    "keyStore": "a9bdfe2c-9a0b-4165-8d6d-0ae3f2ec7d9e"
  }
}</p>
Click to copy

Note that the value of the field "pipeID" corresponds to the value of the field "id" of the pipe configuration above, and that the value of the field "keyStore" corresponds to the value of the field "id" of the keystore configuration above.

Configuring the protected resource

To configure the MFA Admin application to be protected by the Freja eID authenticator, use the Advanced view in the Configuration Portal. After logging in and navigating to the Advanced view, locate the MFA Admin module and change the field "auth_redirect_url" to point to the authenticator alias, see below for example configuration.

<p>{
  "name" : "com.phenixidentity~phenix-prism",
  "enabled" : "true",
  "config" : {
    "base_url" : "/mfaadmin",
    "auth_redirect_url" : "/mfaadmin/authenticate/freja",
    "http_configuration_ref" : "bb8aed96-6b34-4850-9741-5c8960094e0f",
    "module_refs" : "a2103942-92ce-4259-ba4a-acbe4de209f8,97f3537e-a754-4cc5-b7f2-fce7eec38f33",
    "enable_roles" : "true"
  }
}</p>
Click to copy

If all the instructions above are carried out correctly, the user will be presented with a login screen for Freja eID when trying to access the /mfaadmin resource on the PAS server.

Requirements

A keystore with a valid certificate is uploaded to the PAS server.

User enrolled for freja e-id.