Foregin eID (SAMLSPBroker)
eIDAS requires Swedish public authorities to provide their e-service with the option to log in with a foreign e-identification. Fortified ID has a solution for that.
Scenario
In this scenario, we will append the default installation with Foregin eID.
E-services that require electronic identification and that are used in public offices must be connected to the Swedish eIDAS node, Sweden Connect. The purpose of the requirement is to make it easier for EU citizens to use e-services across national borders.
According to the EU regulation eIDAS, each member state needs to provide a so-called country node, a connection point where e-identification traffic is controlled and "translated" to the respective country's identity method. In Sweden, the country node is Sweden Connect. Fortified ID Access can act as a bridge between your applications and the Swedish eIDAS node so your application will support Foreign ID as a login method.
In this use case:
Fortified ID Access will act as the bridge/proxy between application and Swedish eIDAS node
Fortified ID Access will act as a SAML SP to Sweden Connect eIDAS node
Fortified ID Access will act as a SAML IdP to SAML SP application
NOTE: This configuration is an example configuration to be used with the sandbox environment. Please make sure to adjust the configuration to suit your needs, this is extra important for production purposes.
Prerequisite
This use case assumes that you have good knowledge of the product in question.
Fortified ID Access installed and configured with the default configuration
Swedish eIDAS node (SAML IdP) You need an account on the Swedish eIDAS node provided by DIGG and Sweden Connect. In this use case we connect to the development and test environment found on this site, https://eid.svelegtest.se/mdreg/home.
Install and prepare configuration
Download this file
Add files and folders from ZIP-file to the config-folder, ex: C:\Program Files\FortifiedID\mgmt-center\data\customer\access
Append you globals with the following parameters and adjust them according to you needs
{
"samlspbroker_eidas_metadata_id": "fortifiedid_sp_eidas",
"samlspbroker_eidas_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_eidas_template.xml",
"samlspbroker_eidas_spentityid": "${globals.default_saml_entity_id}/eidassp",
"samlspbroker_encryption_keystore_password": "password",
"samlspbroker_encryption_keystore_path": "${system.customer_home}/resources/fortifiedid.p12"
}
Append the translations file with the following translation
{
"samlspbroker_label": "Foregin eID (eIDAS)"
}
Append the selector with at reference to the new authenticator by appending this block to the default selector
{
"id": "7",
"target": "eidas",
"label": "samlspbroker_label",
"logo": "assets/svg/eidas.svg"
}
Append the SAML Module with the new SAML SP configuration
{
"id": "${globals.samlspbroker_eidas_metadata_id}",
"metadata_file_path": "${globals.samlspbroker_eidas_template}",
"sign_ref": [
{
"keystore": {
"key_password": "${globals.default_keystore_password}",
"password": "${globals.default_keystore_password}",
"path": "${globals.default_saml_keystore}"
}
}
],
"encryption_ref": [
{
"keystore": {
"key_password": "${globals.samlspbroker_encryption_keystore_password}",
"password": "${globals.samlspbroker_encryption_keystore_password}",
"path": "${globals.samlspbroker_encryption_keystore_path}"
}
}
]
}
Restart the Access service
Configure Sweden Connect eIDAS node
Login to Sweden Connect eIDAS node
Open a browser and browse to https://eid.svelegtest.se/mdreg/home
Login to access your Sweden Connect configuration
Fetch the SAML metadata for your Fortified ID WEB SAML SP
Make sure Fortified ID WEB is started
Open a browser and browser to https://dev.fortifiedid.se/saml/metadata/fortifiedid_sp_eidas Change dev.fortifiedid.se to your http address
A file named fortifiedid_sp_eidas.xml will be downloaded to your computer
Keep the file for the next step
Add the metadata of your SAML SP (Fortified ID WEB SAML SP)
Click New in the Metadata records
Give the record a name, paste your metadata into the Metadata dialog box from the file in the previous step
Click Save
It can take up to 10 minutes before your addition is active. Go and grab a cup of coffee.
Verify your addition
You can check your addition for warnings and/or errors to fix
Search for the name you give your metadata in the previous step
Look for any Errors and address them
Test the configuration
Browse to a site protected by the Access server. Optionally the default login url https://localhost:8443/access/authn/samllogin might be used.
The selector should now be displayed, including the new option for "Foregin eID (eIDAS)".
Select "Foregin eID (eIDAS)"
You will be redirected to the Sweden Connect authentication
After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.
Last updated