PhenixID

Step by Step – Consume Norska ID-porten authentication with PhenixID Authentication and Signing Services


Summary

This document will guide you through the steps to configure PhenixID Authentication Services and/or PhenixID Signing Services to consume Norska ID-porten authentications.

PhenixID Authentication Services (PAS) will act as a SAML Service Provider against Norska ID-porten, acting as SAML Identity Provider.

Background

Many organizations use Norska ID-porten for Norwegian eID authentication. With PhenixID, you can:

  • Sign documents and transactions electronically using your Norwegian eID, using Norska ID-porten
  • Protect web and cloud apps (SAML SPs, OIDC RPs) with your Norwegian eID, using Norska ID-porten and PhenixID Authentication Services
  • Protect internal PhenixID web apps, such as the MyApps portal, with Norwegian eID authentication, using Norska ID-porten

System requirements

Instruction

Configure PhenixID Authentication Services

Add authenticator

  • Login to Configuration Manager
  • Advanced->Authenticators-HTTP
  • Depending on the service you protect, you need to create an authenticator:

– Protecting internal web application (for example Myapps, self service, signing) -> SAMLServiceProviderAuthN. Please view this instruction.

– Protecting external service which is a SAML SP -> SAMLSPBroker. Please view this instruction.

– Protecting external service which is an OIDC RP -> OIDCToSAMLBroker. Please view this instruction.

Make sure to set these parameters on the authenticator:

"targetIDP": "dummy-will-be-changed-later",
"addsignature": "true"

Make sure that this param is set on the SAML Service Provider object: "keystoreEncrypt" : "<keystore_id>"

Example configuration:

HTTP Authenticator:

{
  "id": "sp",
  "alias": "sp",
  "name": "SAMLServiceProviderAuthN",
  "displayName": "Norska ID-porten",
  "configuration": {
    "sp": "https://ubuntu.phenixid.local/saml/sp",
    "pipeID": "pipeAssertionConsumer",
    "successURL": "/myapps",
    "acsUrl": "https://ubuntu.phenixid.local:8443/myapps/authenticate/sp",
    "entityID": "https://ubuntu.phenixid.local/saml/sp",
    "targetIDP": "dummy-will-be-changed-later",
    "addsignature": "true"
  }
}


SAML SP:

{
  "id": "https://ubuntu.phenixid.local/saml/sp",
  "keystoreSign": "7329da7c-0ccf-46b1-bf9c-6e8c41ff5fc2",
  "keystoreEncrypt": "7329da7c-0ccf-46b1-bf9c-6e8c41ff5fc2",
  "entityID": "https://ubuntu.phenixid.local/saml/sp"
}

Fetch SAML SP Metadata

  • Fetch your SP metadata by opening the URL:

For a SAMLServiceProviderAuthN authenticator : <acsUrl_in_authenticator_conf>?getSPMeta

For a SAMLSPBroker or OIDCToSAMLBroker authenticator : <acsUrl_in_authenticator_conf>?getMeta

  • Save the produced metadata to an XML file.

Configure Norska ID-porten

  • Send the SAML SP metadata to your Norska ID-porten technical contact
  • Receive the SAML IdP metadata from your Norska ID-porten technical contact

Add trust to Norska ID-porten for PhenixID Authentication Services

Upload Norska ID-porten metadata

  • Open Configuration Manager
  • Scenarios->Federation->SAML Metadata upload
  • Upload the SAML IdP metadata file (or point to a URL if the metadata was delivered as a URL)

Set targetIdP

  • Open the SAML IdP metadata in a text editor
  • Locate the entityID value. Copy the value.
  • Open Configuration Manager->Advanced->Authenticators-HTTP
  • Locate the authenticator you previously created
  • Set the targetIDP value to the entityID value.
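The following pre-flight check is an added example, not PhenixID's own code: it reads the IdP metadata, extracts the entityID and verifies that the authenticator and SAML SP objects from this guide are consistent with it (targetIDP no longer holds the placeholder, addsignature is "true", keystoreEncrypt is set). The IdP metadata and its entityID are constructed sample values, not real ID-porten metadata.

```python
# Added pre-flight check (not PhenixID's own code). Reads SAML IdP metadata,
# pulls out the entityID and compares it with the PAS authenticator config.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PLACEHOLDER = "dummy-will-be-changed-later"

# Constructed sample IdP metadata; a real ID-porten file is much longer
# and carries a different entityID.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idporten-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_entity_id(metadata_xml: str) -> str:
    """Return the entityID of IdP metadata; this is the value targetIDP must hold."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    # An SP metadata file (the one you fetched with ?getSPMeta) has no IDPSSODescriptor.
    if root.find("md:IDPSSODescriptor", NS) is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this the SP metadata?")
    return root.attrib["entityID"]


def check_config(authenticator: dict, sp: dict, metadata_xml: str) -> list:
    """Return a list of problems; an empty list means the objects follow this guide."""
    conf = authenticator.get("configuration", {})
    problems = []
    target = conf.get("targetIDP")
    if not target or target == PLACEHOLDER:
        problems.append("targetIDP still holds the placeholder value")
    elif target != idp_entity_id(metadata_xml):
        problems.append("targetIDP does not match the IdP metadata entityID")
    if conf.get("addsignature") != "true":
        problems.append("addsignature is not set to 'true'")
    if not sp.get("keystoreEncrypt"):
        problems.append("keystoreEncrypt is not set on the SAML SP object")
    if conf.get("sp") != sp.get("id"):
        problems.append("authenticator 'sp' does not reference the SAML SP id")
    return problems
```

Run it against the JSON of your own authenticator and SP objects before testing the flow; an empty list means the trust setup is consistent.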

Configure attribute mapping

Norska ID-porten will send these attributes in the SAML Assertion. Please be aware that the AuthMethod attribute defines which Norwegian eID method was used.

Base your mapping configuration on these values.

Test

  • Trigger the authentication flow where Norska ID-porten authentication is involved.
  • Your browser should be redirected to Norska ID-porten
  • Authenticate using your Norwegian eID
  • Your browser should be redirected back to PhenixID Authentication Services with a SAML assertion
  • You should now be logged in to the service protected by Norska ID-porten authentication

Debugging

  • Use a SAML debugging tool, such as SAML Tracer, to retrieve the SAML messages
  • Use PhenixID server.log in debug mode to find more details about the cause of the error.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se