Use Cases
HomeIntegrityControlManagement CenterSolutions
  • Get Started
  • Integrity | Access
    • Auth. methods
      • LDAP (Username/Password)
      • LDAP (Username/Password) + OTP (SMTP)
      • LDAP (Username/Password) + OTP (SMS)
      • Swedish BankID
      • Microsoft Entra ID (SAMLSPBroker)
      • Certificate-Based Authentication
      • Foregin eID (SAMLSPBroker)
    • Auth. methods (SAML)
      • One-Time Password (OATH)
      • Inera IdP (SITHS) (SAMLSPBroker)
      • ID-porten (Norway) (SAML IdP with OIDC RP)
      • Multiple SAML IdP's configured
        • Multiple JSON files
    • Auth. methods (OIDC)
      • Static values (OIDC) - Test only
      • Swedish BankID (OIDC)
      • UID/PWD (OIDC)
    • Auth. methods (MISC)
      • Selector filtering
      • AuthZ control
      • External links and Cancel location
    • Add a Federation or SAML SP
    • Add Fortified ID app to Access
    • Use Access as logout
  • Integrity | Portal
    • Portal
  • Integrity | Enrollment
    • Software token (OATH)
    • Best practice configuration
  • Integrity | Radius
    • UID/OATH token
    • UID/Password/OATH token
    • UID/Password/SMTP
  • Integrity | API
    • Swedish Siths eID
    • Oath Token
    • OIDC M2M Authentication & Token Service
  • Control | Password Reset
    • Active Directory
    • Password Reset for Entra ID
    • Password Reset for Google Workspace
  • OPERATION
    • Rolling upgrade - cluster
  • TROUBLESHOOTING
    • Wrong relaystate
  • Misc
    • Address configuration externally
    • ADFS
      • Protect Fortified ID apps
      • Install and configure Fortified ID ADFS adapter for Siths eID
      • Install and configure Fortified ID ADFS adapter for Oath
    • AWS
      • Protect AWS Cognito with eID MFA
      • Protect AWS IAM Identity Center with eID MFA
    • Change look and feel
    • Dependency-Track - protect with eID MFA and SSO
    • Digitala Nationella Prov (DNP) / Skolfederation
      • Active Directory Federation Services (ADFS) with BankID as step-up-method
      • Active Directory / LDAP with BankID as step-up-method
      • Entra ID (Azure AD) with BankID as step-up-method
      • Google with BankID as step-up-method
      • Generate eduPersonPrincipalName (eppn) and store in Google
      • Generate eduPersonPrincipalName (eppn) and store in Entra ID
      • Common configuration
    • Encrypt configuration secrets
    • Microsoft Entra
      • Protect Entra ID (Azure AD) with eID MFA
      • Entra External - Support for eID (SAML)
      • Entra External - Support for eID (OIDC)
    • Expressions
    • Google
      • Common configuration for Google Workspace - Directory API
      • Common configuration for Google Workspace - authentication for Fortified ID products
      • Delegated administration for Google Workspace - teacher updates student guardians
      • Delegated administration for Google Workspace - teacher updates student password
      • Protect Google Workspace with eID MFA
    • HTTPS
    • Protect sensitive data, such as social security numbers, through obfuscation
    • Reverse proxy
      • Install Apache Web Server on Windows
      • Add SSL certificate and enable https
      • Add a Fortified ID virtual host
      • mTLS in Apache HTTPD using a Self-Signed CA and Client Certificates
    • Set AuthnContextClassRef
    • Wiki.js - OpenID Connect (OIDC)
    • Add roles based on memberOf
    • ScriptEval Examples
Powered by GitBook
On this page
  • Scenario
  • Prerequisite
  • Configuration
  • Download and modify configuration
  • Update the configuration to map to your environment
  • Test the use case
  • OIDC well-known information
  • Use Postman to test the OIDC flow
  • Complete config.json file
  1. Integrity | Access
  2. Auth. methods (OIDC)

Swedish BankID (OIDC)

PreviousStatic values (OIDC) - Test onlyNextUID/PWD (OIDC)

Last updated 3 months ago

Scenario

In this scenario, we will use Postman acting as a OIDC Relying Party (RP) and Integrity Web as an OpenID Connect Provider (OP). The guide is done for a Windows installation but can be changed for Docker and Linux installations as well. In production environments, it is common to use an LDAP directory to obtain additional user attributes for the OIDC claim, but this scenario does not include it. Authentication will be done with Swedish BankID test environment.

Prerequisite

There are some prerequisite for this use case. You will need the following:

  • A Swedish BankID test account setup either on a computer or mobile device. See the following link to setup test BankID: https://www.bankid.com/utvecklare/test/skaffa-testbankid/test-bankid-get

  • Server platform. Docker, Windows or Linux. In this use case we have used a Windows server.

  • The current version of FortifiedID Integrity Web is installed.

  • Basic knowledge about Postman and Postman installed on the local computer with access to the Integrity server. You will also need the following preconfigured Postman Collection https://download.fortifiedid.se/FID.postman_collection.zip

Note. All configuration and testing is done on the scenario server.

Configuration

Download and modify configuration

  1. To download the ZIP file containing the configuration and all other necessary files for Integrity Web, click USE_CASE_LINK to download the customer folders for the web..

  2. Copy the customer_WEB folder to you \..\fortifiedid\web\ folder. Rename the existing customer folder to customer_ORG and rename customer_Web to customer.

Update the configuration to map to your environment

The downloaded folders contains all needed files. For example, test certificates files are included and configured to work with the example application. However, some data needs to be changed to map your environment. Since this example was done on a Windows server you might need to update file paths if you run something else. Also the http ports might need to be changed if they are not available in your environment. To make it easy the application folder have a file called globals.json that contains the data you need to change. Config.json uses the variables in globals.json.

  1. Open globals.json for \..\fortifiedid\enrollment\customer\config and \..\fortifiedid\web\customer\config folder and update:

    1. File path

    2. HTTP port if needed

  2. When updated, start the Integrity Web service.

    1. Wait until Integrity Web service has started before continuing.

Test the use case

OIDC well-known information

  1. Open a browser on the Integrity Web server

  2. Browse to https://localhost:8443/oidc/tenant1/.well-known/openid-configuration

  3. Verify that the well-known page opens

Use Postman to test the OIDC flow

  1. Download the file https://download.fortifiedid.se/FID.postman_collection.zip

  2. Unzip the file and import the collection to Postman. The collection will be called "FID-OIDC-UseCases" in Postman

  3. Open the Request "OIDC Case 4" in the "FID-OIDC-UseCases" collection

  4. Select the Authorization tab of the request

  5. Click on the button "Get New Access Token"

  6. Scan the QR-code with the BankID app to login with your test BankID account

  7. Copy the content of the ID-token and verify the content by pasting the content in the Encoded form of the web page https://jwt.io/

Complete config.json file

The config.json for Integrity Web can be found in the included ZIP file associated with this use case.

{
    "globals": "@include:globals.json",
    "modules": [
        {
            "name": "HttpClient",
            "config": {
                "name": "bid",
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000,
                "request_timeout_ms": 5000,
                "ssl_keystore_path": "${globals.keystore.bid.ssl_keystore_path}",
                "ssl_keystore_password": "${globals.keystore.bid.ssl_keystore_password}",
                "ssl_key_alias": "${globals.keystore.bid.ssl_key_alias}",
                "ssl_key_password": "${globals.keystore.bid.ssl_key_password}",
                "ssl_truststore_path": "${globals.keystore.bid.ssl_truststore_path}",
                "ssl_truststore_password": "${globals.keystore.bid.ssl_truststore_password}"
            }
        },
        {
            "name": "OIDCModule",
            "enabled": true,
            "config": {
                "providers": [
                    {
                        "http_context": "/oidc",
                        "http_port": "${globals.http.port}",
                        "http_use_ssl": true,
                        "http_keystore_ref": {
                            "type": "${globals.keystore.https.ref.type}",
                            "path": "${globals.keystore.https.ref.path}",
                            "password": "${globals.keystore.https.ref.password}"
                        },
                        "http_keystore_type": "${globals.keystore.https.type}",
                        "http_key_alias": "${globals.keystore.https.http_key_alias}",
                        "http_key_password": "${globals.keystore.https.http_key_password}",
                        "discovery_meta": {
                            "issuer": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1",
                            "authorization_endpoint": "${globals.oidc.op1.oidc_op_address}/test/authn/oidc",
                            "token_endpoint": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1/token-endpoint",
                            "userinfo_endpoint": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1/userinfo-endpoint",
                            "jwks_uri": "${globals.oidc.op1.oidc_op_address}/oidc/tenant1/.well-known/openid-configuration/jwks",
                            "end_session_endpoint": "${globals.oidc.op1.oidc_op_address}/test/authn/oidc/logout",
                            "scopes_supported": [
                                "openid"
                            ],
                            "response_types_supported": [
                                "code"
                            ],
                            "grant_types_supported": [
                                "authorization_code"
                            ],
                            "subject_types_supported": [
                                "public"
                            ],
                            "id_token_signing_alg_values_supported": [
                                "RS256"
                            ],
                            "token_endpoint_auth_methods_supported": [
                                "client_secret_post",
                                "client_secret_basic"
                            ],
                            "claims_supported": [
                                "iss",
                                "ver",
                                "sub",
                                "given_name",
                                "family_name"
                            ],
                            "request_parameter_supported": true
                        },
                        "tenant_op_path": "/tenant1",
                        "keystore": {
                            "path": "${globals.keystore.oidc.path}",
                            "password": "${globals.keystore.oidc.password}",
                            "type": "${globals.keystore.oidc.type}",
                            "alias": "${globals.keystore.oidc.alias}"
                        },
                        "sign_jwt_keystore_password": "${globals.keystore.oidc.password}",
                        "sign_jwt_keystore_alias": "${globals.keystore.oidc.alias}",
                        "rps": [
                            {
                                "client_id": "${globals.oidc.op1.client_id}",
                                "client_secret": "${globals.oidc.op1.client_secret}",
                                "redirect_uri": [
                                    "${globals.oidc.op1.redirect_uri}"
                                ],
                                "post_logout_redirect_uris": [
                                    "${globals.oidc.op1.post_logout_redirect_uris}"
                                ]
                            }
                        ]
                    }
                ]
            }
        },
        {
            "name": "AuthN",
            "enabled": true,
            "config": {
                "context_path": "/authn",
                "webroot_dir": "web",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "authenticators": [
                    {
                        "id": "oidc",
                        "type": "OIDCAuthCodeFlow",
                        "config": {
                            "base_path": "/test/authn",
                            "failure_location": "/authn/failure.html",
                            "simple_logout": true,
                            "_required_request_parameters": [
                                "response_type",
                                "client_id",
                                "redirect_uri",
                                "scope",
                                "nonce"
                            ],
                            "required_request_parameters": [
                                "response_type",
                                "client_id",
                                "redirect_uri",
                                "scope"
                            ],
                            "required_authenticators": [
                                "auth01"
                            ],
                            "jwt_headers": {
                                "kid": ""
                            },
                            "jwt_claims": {
                                "secret_id": "{{{session.id}}}",
                                "aud": "app",
                                "sub": "{{{item.subject}}}",
                                "nonce": "{{{request.nonce}}}",
                                "test_boolean": true,
                                "lastname": "{{{item.surname}}}",
                                "givenName": "{{{item.givenName}}}",
                                "fullname": "{{{item.name}}}",
                                "amr": "{{{item.amr}}}"
                            },
                            "userinfo_claims": {
                                "secret_id": "{{{session.id}}}",
                                "userinfo_claim_test": "static_claim",
                                "email": "test.test@fortifiedid.se",
                                "email_verified": true,
                                "subject": "{{{item.subject}}}"
                            },
                            "token_endpoint_ttl": 60000,
                            "userinfo_endpoint_ttl": 60000,
                            "keystore": {
                                "path": "${globals.keystore.oidc.path}",
                                "password": "${globals.keystore.oidc.password}",
                                "type": "${globals.keystore.oidc.type}",
                                "alias": "${globals.keystore.oidc.alias}"
                            },
                            "sign_jwt_keystore_password": "${globals.keystore.oidc.password}",
                            "sign_jwt_keystore_alias": "${globals.keystore.oidc.alias}",
                            "rps": [
                                {
                                    "client_id": "${globals.oidc.op1.client_id}",
                                    "client_secret": "${globals.oidc.op1.client_secret}",
                                    "redirect_uri": [
                                        "${globals.oidc.op1.redirect_uri}"
                                    ],
                                    "post_logout_redirect_uris": [
                                        "${globals.oidc.op1.post_logout_redirect_uris}"
                                    ]
                                }
                            ]
                        }
                    },
                    {
                        "id": "auth01",
                        "type": "Selector",
                        "config": {
                            "base_path": "/test/authn",
                            "webroot_dir": "web/authenticator/selector",
                            "options": [
                                {
                                    "id": "2",
                                    "target": "bidomd",
                                    "label": "Mobilt bank ID"
                                }
                            ]
                        }
                    },
                    {
                        "id": "bidood",
                        "type": "BidOnOtherDevice",
                        "config": {
                            "base_path": "/test/authn",
                            "mode": "test",
                            "internal_http_destination": "bid",
                            "webroot_dir": "web/authenticator/bankid/osd",
                            "exports": [
                                {
                                    "name": "amr",
                                    "value": "swk"
                                }
                            ]
                        }
                    },
                    {
                        "id": "bidomd",
                        "type": "BidOnMobileDevice",
                        "config": {
                            "base_path": "/test/authn",
                            "mode": "test",
                            "internal_http_destination": "bid",
                            "webroot_dir": "web/authenticator/bankid/omd",
                            "exports": [
                                {
                                    "name": "amr",
                                    "value": "swk"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}

Sammanfattning av användningsfall