Foregin eID (SAMLSPBroker)

eIDAS requires Swedish public authorities to provide their e-service with the option to log in with a foreign e-identification. Fortified ID has a solution for that.

Scenario

In this scenario, we will append the default installation with Foregin eID.

E-services that require electronic identification and that are used in public offices must be connected to the Swedish eIDAS node, Sweden Connect. The purpose of the requirement is to make it easier for EU citizens to use e-services across national borders.

According to the EU regulation eIDAS, each member state needs to provide a so-called country node, a connection point where e-identification traffic is controlled and "translated" to the respective country's identity method. In Sweden, the country node is Sweden Connect. Fortified ID Access can act as a bridge between your applications and the Swedish eIDAS node so your application will support Foreign ID as a login method.

In this use case:

Fortified ID Access will act as the bridge/proxy between application and Swedish eIDAS node
- Fortified ID Access will act as a SAML SP to Sweden Connect eIDAS node
- Fortified ID Access will act as a SAML IdP to SAML SP application

NOTE: This configuration is an example configuration to be used with the sandbox environment. Please make sure to adjust the configuration to suit your needs, this is extra important for production purposes.

Prerequisite

This use case assumes that you have good knowledge of the product in question.
Fortified ID Access installed and configured with the default configuration
Swedish eIDAS node (SAML IdP) You need an account on the Swedish eIDAS node provided by DIGG and Sweden Connect. In this use case we connect to the development and test environment found on this site, https://eid.svelegtest.se/mdreg/home.

Install and prepare configuration

Download this file
Add files and folders from ZIP-file to the config-folder, ex: C:\Program Files\FortifiedID\mgmt-center\data\customer\access
Append you globals with the following parameters and adjust them according to you needs

{
  "samlspbroker_eidas_metadata_id": "fortifiedid_sp_eidas",
  "samlspbroker_eidas_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_eidas_template.xml",
  "samlspbroker_eidas_spentityid": "${globals.default_saml_entity_id}/eidassp",
  "samlspbroker_encryption_keystore_password": "password",
  "samlspbroker_encryption_keystore_path": "${system.customer_home}/resources/fortifiedid.p12"
}

Append the translations file with the following translation

{
  "samlspbroker_label": "Foregin eID (eIDAS)"
}

Append the selector with at reference to the new authenticator by appending this block to the default selector

{
    "id": "7",
    "target": "eidas",
    "label": "samlspbroker_label",
    "logo": "assets/svg/eidas.svg"
}

Append the SAML Module with the new SAML SP configuration

{
  "id": "${globals.samlspbroker_eidas_metadata_id}",
  "metadata_file_path": "${globals.samlspbroker_eidas_template}",
  "sign_ref": [
    {
      "keystore": {
        "key_password": "${globals.default_keystore_password}",
        "password": "${globals.default_keystore_password}",
        "path": "${globals.default_saml_keystore}"
      }
    }
  ],
  "encryption_ref": [
    {
      "keystore": {
        "key_password": "${globals.samlspbroker_encryption_keystore_password}",
        "password": "${globals.samlspbroker_encryption_keystore_password}",
        "path": "${globals.samlspbroker_encryption_keystore_path}"
      }
    }
  ]
}

Restart the Access service

Configure Sweden Connect eIDAS node

Open a browser and browse to https://eid.svelegtest.se/mdreg/home
Login to access your Sweden Connect configuration

Fetch the SAML metadata for your Fortified ID WEB SAML SP

Make sure Fortified ID WEB is started
Open a browser and browser to https://dev.fortifiedid.se/saml/metadata/fortifiedid_sp_eidas Change dev.fortifiedid.se to your http address
A file named fortifiedid_sp_eidas.xml will be downloaded to your computer
Keep the file for the next step

Add the metadata of your SAML SP (Fortified ID WEB SAML SP)

Click New in the Metadata records
Give the record a name, paste your metadata into the Metadata dialog box from the file in the previous step
Click Save
It can take up to 10 minutes before your addition is active. Go and grab a cup of coffee.

Verify your addition

You can check your addition for warnings and/or errors to fix

Browse to https://validator.swedenconnect.se/md?federationId=sandbox
Search for the name you give your metadata in the previous step
Look for any Errors and address them

Test the configuration

Browse to a site protected by the Access server. Optionally the default login url https://localhost:8443/access/authn/samllogin might be used.
The selector should now be displayed, including the new option for "Foregin eID (eIDAS)".
Select "Foregin eID (eIDAS)"
You will be redirected to the Sweden Connect authentication
After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.

PreviousCertificate-Based Authentication NextAuth. methods (SAML)

Last updated 2 months ago

Foregin eID (SAMLSPBroker)

eIDAS requires Swedish public authorities to provide their e-service with the option to log in with a foreign e-identification. Fortified ID has a solution for that.

Scenario

In this scenario, we will append the default installation with Foregin eID.

In this use case:

Fortified ID Access will act as the bridge/proxy between application and Swedish eIDAS node
- Fortified ID Access will act as a SAML SP to Sweden Connect eIDAS node
- Fortified ID Access will act as a SAML IdP to SAML SP application

Prerequisite

This use case assumes that you have good knowledge of the product in question.
Fortified ID Access installed and configured with the default configuration
Swedish eIDAS node (SAML IdP) You need an account on the Swedish eIDAS node provided by DIGG and Sweden Connect. In this use case we connect to the development and test environment found on this site, https://eid.svelegtest.se/mdreg/home.

Install and prepare configuration

Download this file
Add files and folders from ZIP-file to the config-folder, ex: C:\Program Files\FortifiedID\mgmt-center\data\customer\access
Append you globals with the following parameters and adjust them according to you needs

{
  "samlspbroker_eidas_metadata_id": "fortifiedid_sp_eidas",
  "samlspbroker_eidas_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_eidas_template.xml",
  "samlspbroker_eidas_spentityid": "${globals.default_saml_entity_id}/eidassp",
  "samlspbroker_encryption_keystore_password": "password",
  "samlspbroker_encryption_keystore_path": "${system.customer_home}/resources/fortifiedid.p12"
}

Append the translations file with the following translation

{
  "samlspbroker_label": "Foregin eID (eIDAS)"
}

Append the selector with at reference to the new authenticator by appending this block to the default selector

{
    "id": "7",
    "target": "eidas",
    "label": "samlspbroker_label",
    "logo": "assets/svg/eidas.svg"
}

Append the SAML Module with the new SAML SP configuration

{
  "id": "${globals.samlspbroker_eidas_metadata_id}",
  "metadata_file_path": "${globals.samlspbroker_eidas_template}",
  "sign_ref": [
    {
      "keystore": {
        "key_password": "${globals.default_keystore_password}",
        "password": "${globals.default_keystore_password}",
        "path": "${globals.default_saml_keystore}"
      }
    }
  ],
  "encryption_ref": [
    {
      "keystore": {
        "key_password": "${globals.samlspbroker_encryption_keystore_password}",
        "password": "${globals.samlspbroker_encryption_keystore_password}",
        "path": "${globals.samlspbroker_encryption_keystore_path}"
      }
    }
  ]
}

Restart the Access service

Configure Sweden Connect eIDAS node

Open a browser and browse to https://eid.svelegtest.se/mdreg/home
Login to access your Sweden Connect configuration

Fetch the SAML metadata for your Fortified ID WEB SAML SP

Make sure Fortified ID WEB is started
Open a browser and browser to https://dev.fortifiedid.se/saml/metadata/fortifiedid_sp_eidas Change dev.fortifiedid.se to your http address
A file named fortifiedid_sp_eidas.xml will be downloaded to your computer
Keep the file for the next step

Add the metadata of your SAML SP (Fortified ID WEB SAML SP)

Click New in the Metadata records
Give the record a name, paste your metadata into the Metadata dialog box from the file in the previous step
Click Save
It can take up to 10 minutes before your addition is active. Go and grab a cup of coffee.

Verify your addition

You can check your addition for warnings and/or errors to fix

Browse to https://validator.swedenconnect.se/md?federationId=sandbox
Search for the name you give your metadata in the previous step
Look for any Errors and address them

Test the configuration

Browse to a site protected by the Access server. Optionally the default login url https://localhost:8443/access/authn/samllogin might be used.
The selector should now be displayed, including the new option for "Foregin eID (eIDAS)".
Select "Foregin eID (eIDAS)"
You will be redirected to the Sweden Connect authentication
After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.

PreviousCertificate-Based Authentication NextAuth. methods (SAML)

Last updated 2 months ago

Scenario

Prerequisite

Install and prepare configuration

Configure Sweden Connect eIDAS node

Login to Sweden Connect eIDAS node

Fetch the SAML metadata for your Fortified ID WEB SAML SP

Add the metadata of your SAML SP (Fortified ID WEB SAML SP)

Verify your addition

Test the configuration

Scenario

Prerequisite

Install and prepare configuration

Configure Sweden Connect eIDAS node

Login to Sweden Connect eIDAS node

Fetch the SAML metadata for your Fortified ID WEB SAML SP

Add the metadata of your SAML SP (Fortified ID WEB SAML SP)

Verify your addition

Test the configuration