Active Directory Federation Services (ADFS) with BankID as step-up-method

Scenario

In this scenario, the web resource DNP (Digitala Nationella Prov) will be protected by a SAML IdP (Integrity Web), using Skolfederationen as the integration layer.

ADFS will be used for primary authentication. The integration between Integrity and ADFS is federation-based (SAML2). ADFS will pass user attributes necessary for DNP, and also an attribute (mfa_identifier) for the step-up verification to work.

Based on data passed in the initial SAML2 authnRequest from DNP to Integrity, a decision is made automatically whether the user should be prompted for step-up authentication (BankID).

The personal identifier returned by the BankID authentication is then compared with the mfa_identifier value, to verify that the step-up was performed by the same person who authenticated in ADFS.

Note. This scenario could easily be copied and modified to fulfill other DNP login requirements:

  • Other DIGG-certified LOA3 step-up methods, such as Freja, SITHS, EFOS, AB Svenska Pass

  • Other primary authentication sources, such as Google, Entra, AD, or a combination of many primary authentication sources.

Prerequisite

There are some prerequisites for this use case. You will need the following:

  • BankID certificate, to be able to communicate with the BankID backend.

  • ADFS administration rights.

  • Host (DNS) name of the Integrity service (external access)

  • Host (DNS) name of the ADFS service

  • Access to Skolfederationen metadata administration, to be able to upload metadata.

  • eduPersonPrincipalName (eppn) stored on the Active Directory user object

  • Social security number (personnummer) stored on the Active Directory user object (only for teachers (lärare/skolpersonal))

  • Outgoing TCP/443 communication, to be able to communicate with the BankID backend and the metadata services.
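The following PowerShell script is an added example, not part of the original guide, that checks the attribute and network prerequisites above before any ADFS or Integrity configuration is changed. It assumes the AD attribute names used later in this guide (serialNumber for the personnummer, carLicense for the eppn); the OU path and the BankID backend host name are placeholders you must replace. Run it on a domain-joined machine with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original guide): pre-flight checks for the prerequisites.
# ASSUMPTIONS: personnummer is stored in the AD attribute serialNumber and eppn in carLicense
# (the attribute names used later in this guide). $SearchBase and $BankIdHost are placeholders.

Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=local'   # placeholder: OU holding the users who log in to DNP
$BankIdHost = '<bankid_backend_host>'          # placeholder: BankID backend host your certificate is valid for
$AdfsHost   = '<your_adfs_dns_name>'           # placeholder: host (DNS) name of the ADFS service

# 1. Users missing the attributes that ADFS will later send as claims.
#    Teachers (lärare/skolpersonal) need both attributes; pupils (elever) only need the eppn.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties serialNumber, carLicense)

$missingEppn = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.carLicense) })
$missingPnr  = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.serialNumber) })

"{0} enabled users, {1} without eppn (carLicense), {2} without personnummer (serialNumber)" -f `
    $users.Count, $missingEppn.Count, $missingPnr.Count
$missingEppn | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 2. The eppn is meant to be a unique identifier: report any value shared by more than one user.
$users | Where-Object { $_.carLicense } | Group-Object carLicense | Where-Object Count -gt 1 |
    Select-Object Name, Count

# 3. Outgoing TCP/443 to the BankID backend and to the ADFS metadata endpoint.
#    Run this part on the host that runs the Integrity service.
foreach ($h in @($BankIdHost, $AdfsHost)) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    "{0,-40} TCP/443 reachable: {1}" -f $h, $r.TcpTestSucceeded
}

# 4. The ADFS federation metadata must be readable; print the entityID it declares,
#    which is the value later entered as authenticating_idp_entityid.
$metadata = Invoke-WebRequest -Uri "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml" -UseBasicParsing
"ADFS metadata: HTTP {0}, entityID {1}" -f $metadata.StatusCode, ([xml]$metadata.Content).EntityDescriptor.entityID
```

Any user listed in step 1 will pass primary authentication in ADFS but fail at Integrity, because the assertion lacks the attribute the step-up comparison needs; fixing the AD data first avoids chasing that as a federation problem later.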

Configuration

Complete the basic configuration of Integrity first. Once done, perform the steps below.

Update ADFS to trust Integrity

Trust needs to be established between the primary IdP (ADFS) and the SP (Integrity Web).

Add relying party to ADFS

  • Browse to https://<your_integrity_dns_name>/saml/metadata/integrity_skolfed_broker_sp. This should download the SP metadata to a file, integrity_skolfed_broker_sp.xml

  • Use RDP to log in to the ADFS server as an administrator

  • Copy the previously downloaded integrity_skolfed_broker_sp.xml to the Downloads folder on the ADFS server.

  • Open AD FS Management

  • Select Relying party trusts

  • Click Add relying party trust

  • Select Claims aware

  • Next

  • Select Import data about the relying party from a file

  • Point to integrity_skolfed_broker_sp.xml

  • Next

  • Enter a display name, Integrity Web

  • Next

  • Choose access policy = Permit everyone

  • Next

  • Next

  • Finish

  • Select the newly created Relying party and click Edit claims issuance policy

  • Click Add claim rule

  • Select Send LDAP Attributes as Claims

  • Configure the rule to send mfa_identifier (personnummer) and eppn. In this guide, the AD user object attribute serialNumber contains the personnummer and carLicense contains the eppn value. Change the AD attributes to match your environment.

  • Click OK.
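The same "Send LDAP Attributes as Claims" rule can be created from PowerShell on the ADFS server, which is easier to review and to repeat across farms than the wizard. The script below is an added example, not part of the original guide or the Integrity product. It assumes the relying party display name "Integrity Web" and the attribute mapping used in this guide (serialNumber for the personnummer, carLicense for the eppn), and that the outgoing claim type names mfa_identifier and eppn are the attribute names Integrity expects.

```powershell
# Added example (not from the original guide): create the claims issuance rule with PowerShell.
# Run on the ADFS server as an administrator, after the relying party trust has been added.
# ASSUMPTIONS: relying party display name "Integrity Web"; personnummer in serialNumber,
# eppn in carLicense; outgoing claim types named exactly mfa_identifier and eppn.

$RelyingPartyName = 'Integrity Web'

# AD attribute -> outgoing claim type. Change the left-hand side to match your environment.
$AttributeMap = [ordered]@{
    serialNumber = 'mfa_identifier'   # personnummer
    carLicense   = 'eppn'             # eduPersonPrincipalName
}

$ldapAttributes = @($AttributeMap.Keys) -join ','
$claimTypes     = @($AttributeMap.Values | ForEach-Object { '"{0}"' -f $_ }) -join ', '

# Rule in the ADFS claim rule language; this is the form the GUI template generates.
$rule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Integrity Web: send mfa_identifier and eppn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ($claimTypes), query = ";$ldapAttributes;{0}", param = c.Value);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) {
    throw "Relying party trust '$RelyingPartyName' not found; add it first using the steps above."
}

# -IssuanceTransformRules replaces the whole rule set, so append to the existing rules.
$existingRules = [string]$rp.IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules ($existingRules + "`n" + $rule)

# Verify: the rule set should now contain the rule above.
(Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).IssuanceTransformRules
```

After running it, the rule appears under Edit claims issuance policy in AD FS Management exactly as if it had been added with the wizard. Because the claim rule passes the AD attribute values through unchanged, whatever is stored in serialNumber is what Integrity will compare with the BankID result, so the attribute must hold the personnummer in the format Integrity expects.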

Update Integrity to trust ADFS

  • Open the file customer/config/globals.json

  • Navigate to the saml part

  • Set authenticating_idp_metadata to https://<your_adfs_dns_name>/federationmetadata/2007-06/federationmetadata.xml and authenticating_idp_entityid to http://<your_adfs_dns_name>/adfs/services/trust. Replace <your_adfs_dns_name> with your ADFS DNS name. Note that the ADFS entity ID uses http:// by default even though the metadata is served over https; the value must match the entityID attribute in the federation metadata exactly.

 "saml": {
   "authenticating_idp_metadata": "https://<your_adfs_dns_name>/federationmetadata/2007-06/federationmetadata.xml",
   "authenticating_idp_entityid": "http://<your_adfs_dns_name>/adfs/services/trust",
   "authenticating_idp_metadata_path": ""
 },

  • Restart the Integrity service

Test the configuration

Login to DNP with step-up (lärare / skolpersonal)

  1. Open a browser

  2. Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)

  3. Select Inloggning med e-legitimation

  4. Select your IdP

  5. You should be redirected to Integrity and then to ADFS

  6. If already logged in to ADFS, SSO should happen, otherwise enter your AD credentials

  7. You should be redirected back to Integrity and prompted with BankID authentication

  8. Fulfill BankID authentication

  9. You should now be redirected back to DNP. If successful, you are logged in to DNP.

Tip. Use a SAML tracer tool for your browser to view the SAML assertions and the attributes added.

Login to DNP without step-up (elev)

  1. Open a browser

  2. Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)

  3. Select Inloggning utan e-legitimation

  4. Select your IdP

  5. You should be redirected to Integrity and then to ADFS

  6. If already logged in to ADFS, SSO should happen, otherwise enter your AD credentials

  7. You should be redirected back to Integrity and then back to DNP, without a BankID prompt. If successful, you are logged in to DNP.
