Foreign eID (SAMLSPBroker)
eIDAS requires Swedish public authorities to provide their e-service with the option to log in with a foreign e-identification. Fortified ID has a solution for that.
E-services that require electronic identification and that are used in public offices must be connected to the Swedish eIDAS node, Sweden Connect. The purpose of the requirement is to make it easier for EU citizens to use e-services across national borders.
According to the EU regulation eIDAS, each member state needs to provide a so-called country node, a connection point where e-identification traffic is controlled and "translated" to the respective country's identity method. In Sweden, the country node is Sweden Connect. Fortified ID WEB can act as a bridge between your applications and the Swedish eIDAS node so your application will support Foreign ID as a login method.
In this use case:
Fortified ID WEB will act as the bridge between the application and the Swedish eIDAS node
Fortified ID WEB will act as a SAML SP towards the Sweden Connect eIDAS node
Fortified ID WEB will act as a SAML IdP towards the SAML SP application (in our example Fortified ID Portal)
Fortified ID Portal (SAML SP) <-> (SAML IdP) Fortified ID WEB (SAML SP) <-> (SAML IdP) eIDAS
This use case assumes that you have good knowledge of the product in question.
The user will also be authorized against an LDAP directory for additional attributes to be fetched. This step is optional.
There are some prerequisites for this use case. You will need the following environment:
Swedish eIDAS node (SAML IdP) You need an account on the Swedish eIDAS node provided by DIGG and Sweden Connect. In this use case we connect to the development and test environment found on this site, https://eid.svelegtest.se/mdreg/home.
Fortified ID WEB (SAML IdP and SP) Installed
LDAP directory (authorisation data source). The remotely authenticated users are validated against this directory and attributes are fetched from the LDAP object. The example configuration uses an Active Directory, and the mail attribute on the Active Directory user is used to match the authenticated user.
Fortified ID Portal (SAML SP) Installed. Any SAML SP connected to Fortified ID WEB SAML IdP can be used instead of Fortified ID Portal.
Note. All configuration and testing is done on the scenario server.
Download and install Fortified ID Web and Fortified ID Portal
To install Integrity Web and Integrity Portal, see the separate documentation and installation instructions.
Add files and folders from ZIP-file to Fortified ID Web and Fortified ID Portal.
Download the foreign_id_use_case.zip.
Replace the customer folders for your installations with the ones from the zip-file. Note. This use case was initially done on a Windows server; if you run Container/Docker or Linux you might have to change some parameters, e.g. file paths, to work in your environment.
Open the globals.json in both customer folders and update them to match your environment, e.g. file paths, ports and LDAP settings.
In summary, there are a few things to change to make this use case work in your environment:
The SAML metadata for your Fortified ID installation when acting as SAML SP
SAML entityID to match your organisation. It will work with the name used in this use case, but it is recommended to change it to match your solution.
You can have globals.json open as reference.
There are three parts of config.json to mention.
Verify URL to Sweden Connect test environment. This is the site where Fortified ID WEB SAML SP will read eIDAS metadata from.
Go to line 83
This is the URL to the Sweden Connect test environment.
Change the URL above if you are working towards another environment, e.g. production.
Change the SAML SP entityID and verify/change the SAML IdP entityID. This is the configuration for the SAMLSPBroker authenticator.
These are the entityIDs for the IdP and SP respectively.
SAML SP entityID: You must change the SAML SP entityID to something different from the one in this use case or it will not work. Note. Save this value for later; you need to update the metadata template file as well.
SAML IdP entityID: The IdP entityID will be the same, although it differs if you access the eIDAS production environment. Note. Do not change this value unless you are working towards another Sweden Connect environment.
Go to line 151-161
On line 5 you see the entityID of your SAML SP
On line 6 you see the entityID of your Sweden Connect eIDAS instance
Verify configuration for SAML metadata for Fortified ID WEB acting as SAML SP.
Go to line 53-76
This is data you might like to change, or you can use the use case data when testing.
Make sure the entityID name in the metadata template file match the name added in previous step.
In file system, open folder drive:\FortifiedID\web\customer\config\resources_internal\saml\metadata_template
Open the file fortifiedid_samlspbroker_eidas_template.xml
In entityID you will find the value used in the previous step in config.json as the entityID for this Fortified ID WEB SAML SP. We use https://fortifiedid.se/sp_eidas as entityID. If you changed it in the previous step, make sure to update it in this file as well.
In Location you will find the URL the eIDAS IdP uses to reach the Fortified ID SAML SP, https://dev.fortifiedid.se/saml/authn/eidas. Change the host in the Location URI from dev.fortifiedid.se to your address.
Also change under Organization and Contact the value that represents your organisation.
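A quick consistency check for the edited template, covering the entityID match from the previous step and the Location host change from this one. This is an added example, not Fortified ID's own code; the XML below is a constructed sample in the shape of a standard SAML 2.0 SP metadata document, and the expected host is a hypothetical value.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SAML 2.0 metadata namespace (not Fortified ID specific)
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample resembling the template after editing; not the real file
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://fortifiedid.se/sp_eidas">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev.fortifiedid.se/saml/authn/eidas" index="0"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Fortified ID</md:OrganizationName>
  </md:Organization>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_entity_id, expected_host):
    """Return a list of problems; an empty list means the template is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    # entityID must equal the SAML SP entityID configured in config.json
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} differs from config.json value {expected_entity_id!r}")
    acs = root.findall(".//md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService element found")
    for svc in acs:
        loc = svc.get("Location", "")
        parsed = urlparse(loc)
        # The eIDAS IdP posts assertions here, so it must be https on your own host
        if parsed.scheme != "https":
            problems.append(f"Location {loc!r} is not https")
        if parsed.hostname != expected_host:
            problems.append(f"Location host {parsed.hostname!r} should be {expected_host!r}")
    if root.find("md:Organization", NS) is None:
        problems.append("Organization element missing")
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_METADATA, "https://fortifiedid.se/sp_eidas", "sp.example.org"):
        print("-", p)
```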
Open a browser and browse to https://eid.svelegtest.se/mdreg/home
Log in to access your Microsoft Entra tenant
Make sure Fortified ID WEB is started
Open a browser and browse to https://dev.fortifiedid.se/saml/metadata/fortifiedid_sp_eidas (change dev.fortifiedid.se to your http address)
A file named fortifiedid_sp_eidas.xml will be downloaded to your computer
Keep the file for the next step
Click New in the Metadata records
Give the record a name and paste the metadata from the file downloaded in the previous step into the Metadata dialog box
Click Save
It can take up to 10 minutes before your addition is active. Go and grab a cup of coffee.
You can check your addition for warnings and/or errors to fix
Search for the name you gave your metadata in the previous step
Look for any Errors and address them
Start the service and verify the start by looking thru the server.log file.
Open a browser
Browse to https://dev.fortifiedid.se/portal/ (change dev.fortifiedid.se to match your environment)
Click the Foreign eID (eIDAS) link
Click XA Test Country
Pick a user, e.g. Bernt Olof Larsson (193911137077), and click Authenticate
Verify the data of the user you selected and click Submit
You should now be logged in to your application, in this use case Fortified ID Portal
Tip. Use a SAML tracer for your browser to view the data added.