Common configuration

Configuration

Download and extract configuration files

1. Open the folder where you have installed Web

   1. Rename the customer folder to customer_OLD. Result should look like below: \..\FortifiedID\web\customer_OLD

2. Download the following ZIP-file,

   1. Unzip the file

   2. Copy the customer_WEB folder to \..\FortifiedID\web\

   3. Rename customer_WEB to customer, result should look like: \..\FortifiedID\web\customer

Update configuration to map your environment

Globals

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

First of all, open the file customer/config/globals.json. Change according to the instructions below.

1. base_dir

   1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.

      1. For Windows the value should be: "base_dir": "../customer"

      2. For Docker, the value should be: "base_dir": ".",

   Copy

   "base_dir": "../customer"

2. host Set the host value to your DNS name entry, including https://.

   Copy

   "host": "https://skolfed.integrity.local",

3. http

   Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.

   Copy

    "http": {
               "http_port": 443,
               "http_use_ssl": true
           }

4. keystore - https

   Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.

   1. Find in section: keystore

      Copy

      "https": {
                      "ref": {
                          "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12",
                          "password": "password"
                      },
                      "http_key_alias": "1",
                      "http_key_password": "password"
                  },

5. keystore - bankid

   For connecting against BankID test environment, you don't need to do anything. For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed. Find in section: keystore

   Copy

              "bid": {
                   "ssl_keystore_path": "${globals.base_dir}/config/resources_internal/certificates/BankID/bankid_test_rp.p12",
                   "ssl_keystore_password": "qwerty123",
                   "ssl_key_alias": "1",
                   "ssl_key_password": "qwerty123",
                   "ssl_truststore_path": "${globals.base_dir}/config//resources_internal/certificates/trust_jks/bankidtrust.jks",
                   "ssl_truststore_password": "password"
               },

6. keystore - signing and encryption The keystore used for signing and encrypting SAML messages, is configured in the last part of the keystore section. Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.

   Copy

   "alias": "1",
   "key_password": "password",
   "password": "password",
   "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"

7. saml You define the SAML2 metadata URLs in the SAML section. To connect to Skolfederation Trial, leave the skolfederation_metadata url unchanged. To connect to production, you can find the correct url . Leave authenticating_idp_metadata, authenticating_idp_entityid and authenticating_idp_metadata_path unchanged for now, these will be changed in later step.

   Copy

   "saml": {
     "skolfederation_metadata": "https://fed.skolfederation.se/trial/md/skolfederation-trial-3_1.xml",
     "authenticating_idp_metadata": "",
     "authenticating_idp_entityid" : "",
     "authenticating_idp_metadata_path": ""
    },

8. bankid environment bid_mode controls which BankID environment to connect to, test or production. Leave unchanged for test. Change to production for production connectivity.

   Copy

   "bid_mode" : "test"

Save the globals.json file.

XML metadata templates

Integrity web will act as a SAML IdP against DNP, and a SAML SP against the authenticating IDP. The metadata for the IdP and the SP will be used to establish trust.

The downloaded configuration contains the metadata templates needed. The DNS/host name must be changed to your environment.

1. Open customer/config/resources_internal/saml_templates/integrity_skolfed_idp_template.xml

2. Change to your hostname, by performing a search-replace: Search for: skolfed.integrity.local Replace with: <Enter your DNS name>

3. Change to your organization name. by performing a search-replace: Search for: Fortified ID Replace with: <Enter your organization name, such as Grevlinge Kommun>

5. Change to your email address. by performing a search-replace: Search for: skolfed@fortifiedid.se Replace with: <Enter your email, such as info@grevlinge.se>

6. Change/remove scope values (row 21-23). The values must match the suffix(es) of the eppn values used in your organization.

7. Save the file

Start the Integrity WEB service

Start the service and verify the start by looking through the server.log file.

Upload the IdP metadata to Skolfederationen

DNP trusts the Skolfederationen identity federation. Hence, the Integrity Web SAML IdP metadata needs to be uploaded to Skolfederationen.

Upload the IdP metadata to Skolfederationen

Fetch the metadata file of the IdP and upload it to the SP.

1. Open a browser and browse to: https://<YOUR_DNS>:<YOUR_PORT>/saml/metadata/integrity_skolfed_idp example: https://skolfed.integrity.local/saml/metadata/integrity_skolfed_idp

2. This will download the metadata XML-file for your IdP.