Add a Federation or SAML SP
Add a Federation to Fortified ID Integrity Web
Add an SAML Service Provider (SP) to your Fortified ID SAML IdP
This use case assumes that you have good knowledge of the product in question.
Fortified ID Integrity WEB installed
Exchanging metadata with a Federation or a SAML SP is done in a similar fashion.
Add metadata for the connecting party; this can be done in one of two ways:
You receive the metadata from the administrator in a file that Integrity WEB will read during start up. Note: This is an example where Fortified ID Web acts as a SAML IdP to sp_portal, which acts as a SAML SP.
{
"path": "${globals.file_paths.base_dir}/config/../sp_portal.xml"
}
You receive the metadata from the administrator as a URL that Integrity WEB will connect to and read during start up. Because the metadata is fetched at start up, the URL should be an HTTPS endpoint that you trust, as in the example below. Note: This is an example where Fortified ID Web acts as a SAML Broker; in this case it acts as a SAML SP towards the eIDAS SAML IdP/Federation.
{
"url": "https://eid.svelegtest.se/metadata/mdx/role/idp.xml"
}
Some examples: The first two additions are for two of the Fortified ID apps, Fortified ID Portal and Fortified ID Password Reset. Both provide their SAML SP data through a metadata file in this example.
The last two additions are for eIDAS and Microsoft Entra. Both of them provide a URL for their signed metadata that Fortified ID WEB connects to.
{
"path": "${globals.file_paths.base_dir}/config/../sp_portal.xml"
},
{
"path": "${globals.file_paths.base_dir}/config/../sp_pwdreset.xml"
},
{
"url": "https://eid.svelegtest.se/metadata/mdx/role/idp.xml"
},
{
"url": "https://login.microsoftonline.com/../federationmetadata/2007-06/federationmetadata.xml?appid=.."
}
Regardless of whether Fortified ID Web acts as IdP or SP (e.g., in the SAML broker scenario), Fortified ID WEB needs to provide metadata about itself to the connecting party. Fortified ID WEB can provide this metadata either in a file or via a URL.
Two parts together make up the URL from which the connecting party can read the metadata of Fortified ID Web.
In the metadata section of the config.json file you can add one or several metadata configurations. If you have several connecting services that need different configurations, the metadata section is where you add them.
Configuration in config.json: In config.json you add the entity ID and signing data for a specific configuration. You also add the file path to the metadata template of this configuration.
Metadata template file: This is where, for example, the URL to the IdP is configured. Below is an example of a metadata file where Fortified ID WEB acts as a SAML IdP.
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://fortifiedid.se/test_idp_1">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev.fortifiedid.se/saml/authn/chain" />
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Under the assertion_config section you add all the assertion configurations. You can configure one per connecting party, or use a wildcard for all parties that do not have a specific configuration. In the example below there is one assertion for Fortified ID Portal and one for any other connecting party. Note: Configuring a pre_assertion_pipe is optional.
"assertion_config": [
{
"target_sp": [
"FortifiedID_Portal"
],
"nameid_parameter": "mail",
"auth_context_parameter": "AuthnContextClassRef",
"additional_attribute_parameter": [
"givenName",
"sn",
"mail",
"roles",
"display_name",
"distinguishedName"
],
"pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_Portal"
},
{
"target_sp": [
"*"
],
"nameid_parameter": "mail",
"auth_context_parameter": "AuthnContextClassRef",
"additional_attribute_parameter": [
"email",
"display_name"
],
"pre_assertion_pipe": "Generic_assertion_pipe"
}
]
Note: The configuration below is incomplete; it is an example intended to explain this use case. Review any security-relevant settings in it (for example, http_csrf is disabled under the AuthN module) before reusing it in your own configuration.
{
"globals": "@include:globals.json",
"modules": [
{
"name": "HttpClient",
"config": {
"name": "default",
"idle_timeout_ms": 5000,
"connect_timeout_ms": 5000
}
},
{
"name": "SAML",
"config": {
"metadata_cache": "${globals.saml.idp1.metadata_cache}",
"http_port": "${globals.http.port}",
"enable_http": true,
"metadata_template": [
{
"id": "${globals.saml.idp1.metadata_id}",
"metadata_file_path": "${globals.saml.idp1.metadata_file_path}",
"sign_ref": [
{
"keystore": {
"alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
"key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
"password": "${globals.keystore.saml.sign_ref_keystore_password}",
"path": "${globals.keystore.saml.sign_ref_keystore_path}"
}
}
],
"metadata": [
{
"path": "${globals.file_paths.base_dir}/config/../sp_portal.xml"
},
{
"path": "${globals.file_paths.base_dir}/config/../sp_pwdreset.xml"
},
{
"url": "https://eid.svelegtest.se/metadata/mdx/role/idp.xml"
},
{
"url": "https://login.microsoftonline.com/../federationmetadata/2007-06/federationmetadata.xml?appid=.."
}
]
}
},
{
"name": "AuthN",
"enabled": true,
"config": {
"context_path": "/authn",
"webroot_dir": "web",
"http_csrf": {
"enabled": false
},
"authenticators": [
{
"id": "auth00",
"type": "SAMLIDP",
"config": {
"context_path": "/saml/authn/chain",
"base_path": "/saml/authn",
"expiry": "PT1S",
"force_re_auth": false,
"verbose": false,
"idp": "${globals.saml.idp1.idp_entityid}",
"chain": [
{
"id": "selector_root",
"required": true
}
],
"assertion_config": [
{
"target_sp": [
"FortifiedID_Portal"
],
"nameid_parameter": "mail",
"auth_context_parameter": "AuthnContextClassRef",
"additional_attribute_parameter": [
"givenName",
"sn",
"mail",
"roles",
"display_name",
"distinguishedName"
],
"pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_Portal"
},
{
"target_sp": [
"FortifiedID_PWD_Reset"
],
"nameid_parameter": "mail",
"auth_context_parameter": "AuthnContextClassRef",
"additional_attribute_parameter": [
"email",
"display_name",
"on_behalf_of_display_name",
"on_behalf_of_user_name",
"on_behalf_of_email",
"distinguishedName",
"pwd_last_set",
"pwd_last_set_allowed_days"
],
"pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_PWDReset"
}
]
}
},
{
"id": "selector_root",
"type": "Selector",
"config": {
"base_path": "/saml/authn",
"webroot_dir": "web/authenticator/selector",
"verbose": false,
"overlay_dirs": [
"${globals.file_paths.base_dir}/config/resources_external/overlays/1_selector_root",
"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"options": [
{
"id": "1",
"target": "customer",
"label": "customer_label"
}
]
}
}
},
{
"name": "Pipes",
"config": {
"pipes": [
{
"id": "Retrieve_data_for_SAML_response_for_Portal",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest från DumpData Portal****"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports från DumpData Portal****"
}
},
{
"name": "ExportsPut",
"exec_if_expr": "exports.used_auth == ('BankID')",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "wbemPath={{{exports.personalNumber}}}",
"replace": true
}
},
{
"name": "ExportsPut",
"exec_if_expr": "exports.used_auth == ('Freja')",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "mail={{{exports.mail}}}",
"replace": true
}
},
{
"name": "ExportsPut",
"exec_if_expr": "(exports.used_auth == ('username_password')|| exports.used_auth == ('UID_OATH'))",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "mail={{{exports.username}}}",
"replace": true
}
},
{
"name": "ExportsPut",
"exec_if_expr": "(exports.used_auth == ('webauthn_passkeys')|| exports.used_auth == ('fortifiedid_mobile'))",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "mail={{{exports.username}}}",
"replace": true
}
},
{
"name": "ExportsPut",
"exec_if_expr": "exports.used_auth == ('eidas')",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "url={{{exports.eidasPersonIdentifier}}}",
"replace": true
}
},
{
"name": "ExportsPut",
"exec_if_expr": "exports.used_auth == ('microsoft_entra')",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "mail={{{exports.username_from_entra}}}",
"replace": true
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "{{{exports.LDAP_search_filter}}}",
"attributes": [
{
"name": "givenName",
"multivalue": false
},
{
"name": "sn",
"multivalue": false
},
{
"name": "sAMAccountName",
"multivalue": false
},
{
"name": "mail",
"multivalue": false
},
{
"name": "carLicense",
"multivalue": true
},
{
"name": "memberOf",
"multivalue": true
},
{
"name": "displayName",
"multivalue": false
},
{
"name": "distinguishedName",
"multivalue": false
}
]
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "username",
"value": "{{{item.mail}}}",
"replace": true
}
},
{
"name": "ItemPropertyAdd",
"enabled": true,
"config": {
"name": "display_name",
"value": "{{{item.displayName}}}"
}
},
{
"name": "ItemPropertyRename",
"enabled": true,
"config": {
"old_name": "carLicense",
"new_name": "roles"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports från DumpData Portal****"
}
},
{
"name": "DumpState",
"config": {
"label": "*** DumpState ***"
}
}
]
}
},
{
"id": "Retrieve_data_for_SAML_response_for_PWDReset",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest from PWD RESET ASSERTION****"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports from PWD RESET ASSERTION****"
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "mail={{{exports.username}}}",
"attributes": [
{
"name": "sAMAccountName",
"multivalue": false
},
{
"name": "mail",
"multivalue": false
},
{
"name": "displayName",
"multivalue": false
},
{
"name": "pwdLastSet",
"multivalue": false
}
]
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "username",
"value": "{{{item.mail}}}",
"replace": true
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "user_name",
"old_name": "sAMAccountName"
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "email",
"old_name": "mail"
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "display_name",
"old_name": "displayName"
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "pwd_last_set",
"old_name": "pwdLastSet"
}
},
{
"name": "ItemPropertyAdd",
"config": {
"name": "pwd_last_set_allowed_days",
"value": "0"
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "mail={{{request.object_id}}}",
"attributes": [
{
"name": "sAMAccountName",
"multivalue": false
},
{
"name": "mail",
"multivalue": false
},
{
"name": "displayName",
"multivalue": false
}
]
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "on_behalf_of_user_name",
"old_name": "sAMAccountName"
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "on_behalf_of_display_name",
"old_name": "displayName"
}
},
{
"name": "ItemPropertyRename",
"config": {
"new_name": "on_behalf_of_email",
"old_name": "mail"
}
},
{
"name": "ItemMerge",
"config": {
"id": "ItemMergePWD",
"keep_items": false
}
},
{
"name": "ItemPropertyAdd",
"config": {
"name": "mail",
"value": "{{{exports.username}}}"
}
},
{
"name": "DumpState",
"config": {
"label": "*** DumpState ***"
}
}
]
}
}
]
}
}
]
}