Google with BankID as step-up-method

Scenario

In this scenario, the web resource DNP (Digitala Nationella Prov) will be protected by a SAML IdP (Integrity Web), using Skolfederationen as the integration layer.

Google will be used for primary authentication. The integration between Integrity and Google is federation-based (SAML2). Google will pass user attributes necessary for DNP, and also an attribute (mfa_identifier) for the step-up verification to work.

Based on data passed in the initial SAML2 authnRequest from DNP to Integrity, a decision will be automatically made if the user should be prompted for step-up-authentication (BankID).

The identifier of the result of the BankID authentication will be compared to the mfa_identifier value, to verify that the step-up was performed by the correct person.

! This scenario could easily be copied and modified to fulfill other DNP login requirements:

• Other DIGG-certified LOA3 step-up methods, such as Freja, SITHS, EFOS, AB Svenska Pass

• Other primary authentication sources, such as Entra, ADFS, AD, or a combination of many primary authentication sources.

Prerequisite

There are some prerequisite for this use case. You will need the following:

• BankID certificate. To be able to communicate with bankid backend.

• Google administration rights.

• Host (DNS) name of the Integrity service (external access)

• Access to Skolfederationen metadata administration. To be able to upload metadata

• eduPersonPrincipalName (eppn) stored on the Google user object

• Social security number (personnummer) stored on the Google user object (only for teachers (lärare/skolpersonal))

• Outgoing TCP/443 communication. To be able to communicate with BankID backend and metadata services.

Configuration

Update Google to trust Integrity

Trust need to be established between the primary IdP (Google) and the SP (Integrity Web).

Create custom SAML app

• Login to Google admin console (admin.google.com) as an administrator

• In the left hand menu, select Apps->Web and mobile apps

• Click Add app -> Add custom SAML app

• Enter a name of the app, Skolfederationen Integrity

• Continue

• Click Download IdP metadata

• Below Option 2, copy the Entity ID value. This will be used in a later step.

• Continue

• Enter ACS URL = https://<your_integrity_dns_name>/saml/authn/integrity_skolfed_broker_sp

• Enter Entity ID = https://<your_integrity_dns_name>/saml/authn/integrity_skolfed_broker_sp

• Leave the Name ID part unchanged

• Continue

• Click Add mapping

• Select the Google Directory attribute field containing the eppn value

• Enter App attributes = urn:oid:1.3.6.1.4.1.5923.1.1.1.6

• Click Add mapping

• Select the Google Directory attribute field containing the mfa identifier value

• Enter App attributes = mfa_identifier

• Finish

• On the User Access part of the app configuration, click Expand (down arrow)

• Change the Service status to ON For everyone

Update Integrity to trust Google

• Move the downloaded Google IdP metadata file to the server folder customer/config/resources_external/saml_metadata/. Verify that the file name is GoogleIDPMetadata.xml. (If not, just change the file name to GoogleIDPMetadata.xml)

• Open the file customer/config/globals.json

• Navigate to the saml part

• Set authenticating_idp_metadata_path to ${globals.base_dir}/config/resources_external/saml_metadata/GoogleIDPMetadata.xml Set authenticating_idp_entityid to the Google Entity ID value copied in previous step. Example:

 "saml": { 
  "authenticating_idp_metadata": "",
  "authenticating_idp_entityid" : "https://accounts.google.com/o/saml2?idpid=sdf234wdfs23dsf",
  "authenticating_idp_metadata_path": "${globals.base_dir}/config/resources_external/saml_metadata/GoogleIDPMetadata.xml"
 },

• Restart the Integrity service

Test the configuration

Login to DNP with step-up (lärare / skolpersonal)

1. Open a browser

3. Select Inloggning med e-legitimation

4. Select your IdP

5. You should be redirected to Integrity and then to Google

6. If already logged in to Google, SSO should happen, otherwise enter your Google credentials

7. You should be redirected back to Integrity and prompted with BankID authentication

8. Fulfill BankID authentication

9. You should now be redirected back to DNP. If successful, this should be presented.

Tip. Use a SAML tracer tool for your browser to view the data added.

Login to DNP without step-up (elev)

1. Open a browser

3. Select Inloggning utan e-legitimation

4. Select your IdP

5. You should be redirected to Integrity and then to Google

6. If already logged in to Google, SSO should happen, otherwise enter your Google credentials

7. You should be redirected back to Integrity and redirected back to DNP. If successful, this should be presented.