Foregin eID (SAMLSPBroker)

Scenario

In this scenario, we will append the default installation with Foregin eID.

E-services that require electronic identification and that are used in public offices must be connected to the Swedish eIDAS node, Sweden Connect. The purpose of the requirement is to make it easier for EU citizens to use e-services across national borders.

According to the EU regulation eIDAS, each member state needs to provide a so-called country node, a connection point where e-identification traffic is controlled and "translated" to the respective country's identity method. In Sweden, the country node is Sweden Connect. Fortified ID Access can act as a bridge between your applications and the Swedish eIDAS node so your application will support Foreign ID as a login method.

In this use case:

• Fortified ID Access will act as the bridge/proxy between application and Swedish eIDAS node

  • Fortified ID Access will act as a SAML SP to Sweden Connect eIDAS node

  • Fortified ID Access will act as a SAML IdP to SAML SP application

NOTE: This configuration is an example configuration to be used with the sandbox environment. Please make sure to adjust the configuration to suit your needs, this is extra important for production purposes.

Prerequisite

• This use case assumes that you have good knowledge of the product in question.

• Fortified ID Access installed and configured with the default configuration

• Swedish eIDAS node (SAML IdP) You need an account on the Swedish eIDAS node provided by DIGG and Sweden Connect. In this use case we connect to the development and test environment found on this site, https://eid.svelegtest.se/mdreg/home.

Install and prepare configuration

1. Download this file

2. Add files and folders from ZIP-file to the config-folder, ex: C:\Program Files\FortifiedID\mgmt-center\data\customer\access

3. Append you globals with the following parameters and adjust them according to you needs

{
  "samlspbroker_eidas_metadata_id": "fortifiedid_sp_eidas",
  "samlspbroker_eidas_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_eidas_template.xml",
  "samlspbroker_eidas_spentityid": "${globals.default_saml_entity_id}/eidassp",
  "samlspbroker_encryption_keystore_password": "password",
  "samlspbroker_encryption_keystore_path": "${system.customer_home}/resources/fortifiedid.p12"
}

1. Append the translations file with the following translation

{
  "samlspbroker_label": "Foregin eID (eIDAS)"
}

1. Append the selector with at reference to the new authenticator by appending this block to the default selector

{
    "id": "7",
    "target": "eidas",
    "label": "samlspbroker_label",
    "logo": "assets/svg/eidas.svg"
}

1. Append the SAML Module with the new SAML SP configuration

{
  "id": "${globals.samlspbroker_eidas_metadata_id}",
  "metadata_file_path": "${globals.samlspbroker_eidas_template}",
  "sign_ref": [
    {
      "keystore": {
        "key_password": "${globals.default_keystore_password}",
        "password": "${globals.default_keystore_password}",
        "path": "${globals.default_saml_keystore}"
      }
    }
  ],
  "encryption_ref": [
    {
      "keystore": {
        "key_password": "${globals.samlspbroker_encryption_keystore_password}",
        "password": "${globals.samlspbroker_encryption_keystore_password}",
        "path": "${globals.samlspbroker_encryption_keystore_path}"
      }
    }
  ]
}

1. Restart the Access service

Configure Sweden Connect eIDAS node

Login to Sweden Connect eIDAS node

1. Open a browser and browse to https://eid.svelegtest.se/mdreg/home

2. Login to access your Sweden Connect configuration

Fetch the SAML metadata for your Fortified ID WEB SAML SP

1. Make sure Fortified ID WEB is started

2. Open a browser and browser to https://dev.fortifiedid.se/saml/metadata/fortifiedid_sp_eidas Change dev.fortifiedid.se to your http address

3. A file named fortifiedid_sp_eidas.xml will be downloaded to your computer

4. Keep the file for the next step

Add the metadata of your SAML SP (Fortified ID WEB SAML SP)

1. Click New in the Metadata records

2. Give the record a name, paste your metadata into the Metadata dialog box from the file in the previous step

3. Click Save

4. It can take up to 10 minutes before your addition is active. Go and grab a cup of coffee.

   

Verify your addition

You can check your addition for warnings and/or errors to fix

1. Browse to https://validator.swedenconnect.se/md?federationId=sandbox

2. Search for the name you give your metadata in the previous step

3. Look for any Errors and address them

Test the configuration

1. Browse to a site protected by the Access server. Optionally the default login url https://localhost:8443/access/authn/samllogin might be used.

2. The selector should now be displayed, including the new option for "Foregin eID (eIDAS)".

3. Select "Foregin eID (eIDAS)"

4. You will be redirected to the Sweden Connect authentication

5. After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.