PhenixID

Step by Step – Nedap Ons MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for the Dutch healthcare administration solution Nedap Ons (https://nedap-healthcare.com/), using OpenID Connect.

System Requirements

  • PhenixID Authentication Server 4.0 or higher
  • Nedap technical contact

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Nedap Ons.

PhenixID Authentication Services acting as OpenID Connect Provider

Setup PAS as OpenID Connect Provider

  1. Log in to Configuration Manager.
  2. Scenarios->OIDC
  3. Add a new relying party:
    – client_id = nedap
    – client_password = <create a password and set>
    – Allowed redirect URIs = <ask the Nedap admin which value(s) to use>
  4. Create a new OpenID Connect provider by selecting the desired authentication method. Follow the scenario guidelines for values.
    Use the Authorization Code Flow.
    Allow nedap as an allowed RP to use the OP.
  5. (Points 6-9 below are only necessary with PAS version 4.0 or earlier.)
  6. Click Execution flow
  7. Expand Token endpoint
  8. Click Add Valve
  9. Select PropertyAddValve
  10. Enter name = token_type and value = Bearer. Make sure the valve is placed last in the execution flow.
  11. Save the changes
  12. Set the proper amr claim value by following this guide.
  13. Click General
  14. Click View OP Discovery
  15. Copy the jwks_uri value.
    Example:
  16. Open the copied address
  17. Copy the row defining the kid value. Paste the result in a text editor (for temporary storage).
  18. Go back to Configuration Manager->Scenarios->Your OP->Execution flow
  19. Expand token endpoint
  20. Expand the GenerateJwtTokenValve
  21. Click Advanced
  22. Copy the ID value
  23. Click the top Advanced tab
  24. Click on the pen to the right of pipe valves
  25. In the search field, paste the ID value
  26. In the GenerateJwtTokenValve configuration, add the kid value. Example:
    ...
    "config": {
      "subjectattribute": "{{session.user_id}}",
      "keystore": "45g324-123rwe-23412-123",
      "expire_seconds": "90",
      "kid": "aDsxKfK5yr3jp3zRJwicxBV3B5o",
    ...
  27. Click Stage changes and Commit changes
  28. Click Advanced->Pipes.
  29. Add the pipe below.
    {
      "id": "nedap_userinfo",
      "valves": [
        {
          "name": "ItemCreateValve",
          "config": {
            "dest_id": "userinfo_props"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "authorization",
            "value": "{{request.authorization}}"
          }
        },
        {
          "name": "PropertyReplaceValve",
          "config": {
            "source": "authorization",
            "dest": "access_token",
            "token": "Bearer ",
            "replacement": ""
          }
        },
        {
          "name": "SessionResolveValve",
          "config": {
            "alias": "{{item.access_token}}",
            "require_session": "true",
            "require_auth_session": "false"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "nonce",
            "value": "{{session.nonce}}"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "given_name",
            "value": "{{session.givenName}}"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "family_name",
            "value": "{{session.sn}}"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "sub",
            "value": "{{session.user_id}}"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "employee_number",
            "value": "{{session.user_id}}"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "email",
            "value": "{{session.mail}}"
          }
        },
        {
          "name": "PropertyRemoveValve",
          "config": {
            "name": "access_token,authorization"
          }
        }
      ]
    }
  30. Click Stage changes and commit changes
  31. Click Advanced->OIDC OP
  32. Locate the OP created in previous step
    – Add a userinfo_endpoint parameter:
      "userinfo_endpoint": "https://<your_phenixid_server_domain>/api/authentication/nedap_userinfo?tenant=<the tenant id>",
    – Add the following values to the claims_supported array:
      "email",
      "employee_number",
      "amr"

    Example:
  33. Click Stage changes and commit changes
  34. Click Scenarios->OIDC-><Your OP>
  35. Click View OP Discovery
  36. Copy the OP discovery URL and send it, together with client_id and client_secret, to the Nedap administrator
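Before handing the discovery URL to Nedap, it is worth checking that the OP actually advertises what the steps above configured. The script below is an added example, not PhenixID code: it runs offline against constructed stand-ins (placeholder hostnames and tenant) for the OP discovery document, the JWKS behind its jwks_uri and a token endpoint response, and also mirrors the "Bearer " prefix stripping that the nedap_userinfo pipe's PropertyReplaceValve performs.

```python
# Added example (not PhenixID code): offline pre-handover check of the OP above.
# Sample documents are constructed stand-ins; swap in the real ones before use.

REQUIRED_CLAIMS = {"email", "employee_number", "amr"}  # added in step 32
CONFIGURED_KID = "aDsxKfK5yr3jp3zRJwicxBV3B5o"         # kid set in step 26

# Constructed sample documents; hostnames and tenant are placeholders.
DISCOVERY = {
    "issuer": "https://pas.example.invalid",
    "jwks_uri": "https://pas.example.invalid/api/oidc/jwks?tenant=example",
    "userinfo_endpoint": "https://pas.example.invalid/api/authentication/nedap_userinfo?tenant=example",
    "response_types_supported": ["code"],
    "claims_supported": ["sub", "given_name", "family_name", "email", "employee_number", "amr"],
}
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": CONFIGURED_KID, "e": "AQAB", "n": "<modulus>"}]}
TOKEN_RESPONSE = {"access_token": "<opaque>", "id_token": "<jwt>", "token_type": "Bearer", "expires_in": 90}

def bearer_token(authorization_header):
    """Mirror the PropertyReplaceValve in the nedap_userinfo pipe: strip the
    'Bearer ' prefix (note the trailing space) and return the access token,
    or None when the header does not carry a bearer token."""
    prefix = "Bearer "
    if not authorization_header or not authorization_header.startswith(prefix):
        return None
    token = authorization_header[len(prefix):]
    return token or None

def check_op(discovery, jwks, token_response, configured_kid=CONFIGURED_KID):
    """Return a list of problems; an empty list means the OP matches the guide."""
    problems = []
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")
    if not discovery.get("jwks_uri"):
        problems.append("jwks_uri is missing from the discovery document")
    published_kids = {key.get("kid") for key in jwks.get("keys", [])}
    if configured_kid not in published_kids:
        problems.append("kid in GenerateJwtTokenValve config is not published in the JWKS")
    endpoint = discovery.get("userinfo_endpoint", "")
    if "/api/authentication/nedap_userinfo" not in endpoint or "tenant=" not in endpoint:
        problems.append("userinfo_endpoint does not point at the nedap_userinfo pipe with a tenant")
    missing = REQUIRED_CLAIMS - set(discovery.get("claims_supported", []))
    if missing:
        problems.append("claims_supported lacks: " + ", ".join(sorted(missing)))
    if token_response.get("token_type") != "Bearer":
        problems.append("token endpoint omits token_type=Bearer (add the PropertyAddValve on PAS 4.0)")
    return problems
```

Run check_op on the real documents; any non-empty result names the step to revisit.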

Configure Nedap

  1. The Nedap administrator will handle this part.

Test

The Nedap administrator will supply instructions on how to test the setup.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se