Active Directory Federation Services (ADFS) with BankID as step-up-method
PreviousDigitala Nationella Prov (DNP) / SkolfederationNextActive Directory / LDAP with BankID as step-up-method
Last updated
Last updated
In this scenario, the web resource DNP (Digitala Nationella Prov) will be protected by a SAML IdP (Integrity Web), using Skolfederationen as the integration layer.
ADFS will be used for primary authentication. The integration between Integrity and ADFS is federation-based (SAML2). ADFS will pass user attributes necessary for DNP, and also an attribute (mfa_identifier) for the step-up verification to work.
Based on data passed in the initial SAML2 authnRequest from DNP to Integrity, a decision will be automatically made if the user should be prompted for step-up-authentication (BankID).
The identifier of the result of the BankID authentication will be compared to the mfa_identifier value, to verify that the step-up was performed by the correct person.
! This scenario could easily be copied and modified to fulfill other DNP login requirements:
Other DIGG-certified LOA3 step-up methods, such as Freja, SITHS, EFOS, AB Svenska Pass
Other primary authentication sources, such as Google, Entra, AD, or a combination of many primary authentication sources.
There are some prerequisite for this use case. You will need the following:
BankID certificate. To be able to communicate with bankid backend.
ADFS administration rights.
Host (DNS) name of the Integrity service (external access)
Host (DNS) name of the ADFS service
Access to Skolfederationen metadata administration. To be able to upload metadata
eduPersonPrincipalName (eppn) stored on the Active Directory user object
Social security number (personnummer) stored on the Active Directory user object (only for teachers (lärare/skolpersonal))
Outgoing TCP/443 communication. To be able to communicate with BankID backend and metadata services.
Follow these steps to setup the basic configuration. Once done, perform the steps below.
Trust need to be established between the primary IdP (ADFS) and the SP (Integrity Web).
Browse to https://<your_integrity_dns_name>/saml/metadata/integrity_skolfed_broker_sp. This should download the SP metadata to a file, integrity_skolfed_broker_sp.xml
Use RDP to login on the ADFS server, as an administrator
Copy the previously downloaded integrity_skolfed_broker_sp.xml to the Downloads folder on the ADFS server.
Open AD FS Management
Select Relying party trusts
Click Add relying party trust
Select Claims aware
Next
Select Import data about the relying party from a file
Point to integrity_skolfed_broker_sp.xml
Next
Enter a display name, Integrity Web
Next
Choose access policy = Permit everyone
Next
Next
Finish
Select the newly created Relying party and click Edit claims issuance policy
Click Add claim rule
Select Send LDAP Attributes as Claims
Configure the rule to send mfa_identifier (personnummer) and eppn. In the example below, the AD user object attribute serialNumber contains the personnummer. carLicense contains the eppn value. Change the AD attributes to match your environment.
Click OK.
Open the file customer/config/globals.json
Navigate to the saml part
Set authenticating_idp_metadata to https://<your_adfs_dns_name>/federationmetadata/2007-06/federationmetadata.xml Set authenticating_idp_entityid to http://<your_adfs_dns_name>/adfs/services/trust Replace <your_adfs_dns_name> with your ADFS DNS name.
Restart the Integrity service
Open a browser
Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)
Select Inloggning med e-legitimation
Select your IdP
You should be redirected to Integrity and then to ADFS
If already logged in to ADFS, SSO should happen, otherwise enter your AD credentials
You should be redirected back to Integrity and prompted with BankID authentication
Fulfill BankID authentication
You should now be redirected back to DNP. If successful, this should be presented.
Tip. Use a SAML tracer tool for your browser to view the data added.
Open a browser
Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)
Select Inloggning utan e-legitimation
Select your IdP
You should be redirected to Integrity and then to ADFS
If already logged in to ADFS, SSO should happen, otherwise enter your AD credentials
You should be redirected back to Integrity and redirected back to DNP. If successful, this should be presented.
