Active Directory / LDAP with BankID as step-up-method
PreviousActive Directory Federation Services (ADFS) with BankID as step-up-methodNextEntra ID (Azure AD) with BankID as step-up-method
Last updated
Last updated
In this scenario, the web resource DNP (Digitala Nationella Prov) will be protected by a SAML IdP (Integrity Web), using Skolfederationen as the integration layer.
A user directory source, such as Active Directory, will be used for primary authentication, verifying forms-based authentication (username and password). The integration between Integrity and the user directory is based on LDAP. The LDAP source contains user attributes necessary for DNP. The LDAP source also contains an attribute with the mfa identifier value, in order for the step-up verification to work. These attributes will be fetched by Integrity and passed along the authentication chain.
Based on data passed in the initial SAML2 authnRequest from DNP to Integrity, a decision will be automatically made if the user should be prompted for step-up-authentication (BankID).
The identifier of the result of the BankID authentication will be compared to the mfa identifier value, to verify that the step-up was performed by the correct person.
! This scenario could easily be copied and modified to fulfill other DNP login requirements:
Using IWA as the primary authentication method, with username/password (forms) as backup.
Other DIGG-certified LOA3 step-up methods, such as Freja, SITHS, EFOS, AB Svenska Pass
Other primary authentication sources, such as Google, Entra, ADFS, or a combination of many primary authentication sources.
There are some prerequisite for this use case. You will need the following:
BankID certificate. To be able to communicate with bankid backend.
LDAP host
LDAP port
LDAP service account DN
LDAP service account password
Host (DNS) name of the Integrity service (external access)
Access to Skolfederationen metadata administration. To be able to upload metadata
eduPersonPrincipalName (eppn) stored on the LDAPuser object
Social security number (personnummer) stored on the LDAP user object (only for teachers (lärare/skolpersonal))
Outgoing TCP/443 communication. To be able to communicate with BankID backend and metadata services.
Open the folder where you have installed Web
Rename the customer folder to customer_OLD. Result should look like below: \..\FortifiedID\web\customer_OLD
Download the following ZIP-file, use_case_dnp_standalone-integrity_bankid.zip.
Unzip the file
Copy the customer_WEB folder to \..\FortifiedID\web\
Rename customer_WEB to customer, result should look like: \..\FortifiedID\web\customer
In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.
First of all, open the file customer/config/globals.json. Change according to the instructions below.
base_dir
base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
For Windows the value should be: "base_dir": "../customer"
For Docker, the value should be: "base_dir": ".",
host Set the host value to your DNS name entry, including https://.
http
Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.
keystore - https
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
Find in section: keystore
keystore - bankid
For connecting against BankID test environment, you don't need to do anything. For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed. Find in section: keystore
keystore - signing and encryption The keystore used for signing and encrypting SAML messages, is configured in the last part of the keystore section. Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
saml You define the SAML2 metadata URLs in the SAML section. To connect to Skolfederation Trial, leave the skolfederation_metadata url unchanged. To connect to production, you can find the correct url here.
ldap Change the parameters below to connect to your LDAP store. username_identifier_user_attribute is the user object attribute that will match the username value, entered by the end user. eppn_user_attrbute is the user object attribute containing the eppn value. mfa_identifier_user_attribute is the user object attribute containing the "personnummer" value.
bankid environment bid_mode controls which BankID environment to connect to, test or production. Leave unchanged for test. Change to production for production connectivity.
Save the globals.json file.
Update the IdP metadata, using this instruction, step 1-7.
Start the service and verify the start by looking through the server.log file.
Upload the IdP metadata to Skolfederationen, using this instruction.
Open a browser
Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)
Select Inloggning med e-legitimation
Select your IdP
You should be redirected to Integrity
Enter your AD credentials
You should be prompted with BankID authentication
Fulfill BankID authentication
You should now be redirected back to DNP. If successful, this should be presented.
Tip. Use a SAML tracer tool for your browser to view the data added.
Open a browser
Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)
Select Inloggning utan e-legitimation
Select your IdP
You should be redirected to Integrity
Enter your AD credentials
You should now be redirected back to DNP. If successful, this should be presented.
