Comment: Version published after converting to the new editor


Info

This article is valid for Smart ID 20.11 and later.

...

Additional configurations for Smart ID Self-Service

Configure SAML in Smart ID Self-Service

Smart ID Self-Service has additional configuration options directly in the program. 

  • Multiple Self-Service instances with the same tenant, but different authentication methods, are allowed. If, for example, there are two Self-Service instances and both of them use the same tenant, one instance can use SAML whereas the other one doesn't.
  • Also, you can configure a button "Sign In with Single Sign-On" on the login page instead of automatically redirecting to the Identity Provider.

SAML and automatic redirection are enabled by default. You can change this behavior in config.json.

  1. To disable SAML for a Self-Service instance, add "enabled": false to its config.json. By default it is enabled. 

  2. To turn off automatic redirecting to the Identity Provider, add "enforced": false to its config.json. By default it is enforced. This means that this instance of Self-Service will show a button "Sign In with Single Sign-On" on the login page. If SAML is disabled for this instance of Self-Service this property has no effect. With this option you can use Pre-Login Processes while having SAML enabled.

Example: config.json
/prime-ussp/assets/config/config.json

...
{
  ...

  "saml": {
    "enabled": true,
    "enforced": true
  }
}


Set up communication between Smart ID Self-Service and Identity Manager

  1. Open the file \prime_ussp\WEB-INF\classes\application.yaml.
  2. Adapt the baseUrl so that it points to where the Identity Manager main client is deployed. If you use HTTPS instead of HTTP, you must ensure that the SSL server certificate of Identity Manager is trusted by the Java environment that runs Smart ID Self-Service (Tomcat).
  3. Make sure that cookie forwarding is activated, that is, that the property sensitiveHeaders has an empty value for the SAML routes in the configuration file.

    This is the default configuration.

    Example: application.yaml
    prime:
      …
      baseUrl: http://localhost:8080/idm

    …

    zuul:
      …
      routes:
        …
        saml:
          path: /saml/**
          sensitiveHeaders:
          url: ${prime.baseUrl}/saml/


...

Install Identity Provider server certificate

To secure the communication between the identity provider and Identity Manager, each server must provide a server certificate.

Example - Add server certificate in Digital Access component: 

  1. Log in to Digital Access Admin.
  2. Go to Manage System > Certificates.
  3. In Server Certificates, click Add Server Certificate… 
  4. Enter a Display Name and browse for the files, to define Certificate and Key:

    Example: Add server certificate

    Display Name: hag.local

    Certificate: hag.local.pem

    Key: key.pem


  5. Click Next > to finish the wizard. 

Set up identity provider, for example Digital Access component


Import Identity Provider SAML certificate

Key pairs are used to digitally sign SAML messages and encrypt their content. Both parties need their own key pair, which can be self-signed (for testing purposes) or issued by a public key infrastructure (for production systems).

Example - Enable Digital Access to use the SAML certificate for signing:

  1. Log in to Digital Access Admin.
  2. Go to Manage System > Certificates.
  3. In Server Certificates, click Add Server Certificate… 
  4. Enter a Display Name and browse for the files, to define Certificate and Key:

    Example: Add SAML certificate

    Display Name: SAML IdP Signing

    Certificate: hag.saml.pem

    Key: hag.saml.key.pem


    Note

    The Digital Access SAML certificate must be trusted by the Java installation that runs Identity Manager to secure the communication between them.

    To allow SSL communication between Identity Manager and Smart ID Self-Service, the SSL certificate must also be trusted by the Java installation. The SSL certificate can be exported from the Java Key Store with the following command:

    Example: Java keytool command
    keytool -export -keystore idm.jks -alias selfsigned -file idm.cer

     


  5. Click Next > to finish the wizard.

...

Create SAML Federation

The identity provider must be configured to define the SAML federation with the service provider, using the metadata created in Identity Manager. 

Example - Add service provider in Digital Access:

  1. Go to Manage Resource Access > SAML Federation.
  2. Click Add SAML Federation....
  3. Enter a Display Name, for example IDENTITYMANAGER.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically.
  6. Go to the Export tab.
  7. Enter a unique Entity ID, for example https://hag.local/idp.
  8. Select the Signing Certificate, for example SAML IdP Signing.
  9. Go to the Role Identity Provider tab and click Add service provider...
  10. Verify that SAML 2.0 is checked.
  11. Upload SAML 2.0 metadata, click Choose file and select the file that was created before (for example IdM_saml_metadata.xml). Click Next.
  12. Confirm the message about the signer certificate by clicking Yes.
  13. Click Finish Wizard.
  14. Click on the created service provider, to open it.
    The Display Name and Entity ID are now updated according to the metadata file.


    Note

    Entity ID must be unique within the federation, for example https://<idmhost>/sp

    Service Provider URL is where the IdP will redirect the user after successful authentication, so this must be an exact match with the SP domain, in this case https://<idmhost>/saml/SSO 

    Example: https://<idmhost>/saml/SSO  

    <idmhost> must be the same as the URL that was called initially. To be sure that the SAML request and response belong together, the communication must go to the same URL and protocol (HTTP or HTTPS), and the clocks of both IdP and SP must be synchronized.

    To set up NTP in Digital Access, see Deploy Digital Access component.

     

  15. Disable Require signed authentication request 

  16. Go to the Assertion Settings tab.

  17. In Subject > Select source of subject: select E-mail. This is the unique identifier Identity Manager uses in standard cases, and will be used when Digital Access sends a SAML ticket to Identity Manager.

  18. Go to the tab Manage Access Rules.

  19. Select any suitable access rule or leave it as Any Authentication 

  20. Click Finish Wizard and then Add. 

  21. Repeat the same steps to add Smart ID Self-Service as an additional service provider.  

...

Download SAML metadata

After the service provider has been configured successfully in the identity provider, the SAML metadata must be downloaded and uploaded in Identity Manager.

Example - Download the metadata from Digital Access: 

  1. Go to Manage Resource Access > SAML Federation.
  2. Click on the created service provider, to open it.
  3. Go to the tab Export.
  4. Click Download metadata.
  5. Upload the metadata file to the SAML Authentication Profile in Identity Manager and select the Type as METADATA. No File Properties need to be configured for the identity provider metadata.
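
Before uploading the downloaded file, it can be inspected to confirm that it describes the expected identity provider. The following Python sketch is an added example, not part of the Smart ID product or its documentation; the function name inspect_idp_metadata, the sample metadata, the placeholder certificate bytes and the /sso endpoint are all constructed for illustration, and only the entity ID https://hag.local/idp is taken from the example above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the certificate, and the
# SSO endpoint deliberately uses http:// so that the check has something to report.
_PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="https://hag.local/idp"
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_PLACEHOLDER_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="http://hag.local/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text, expected_entity_id):
    """Return (summary, findings) for a single IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "signing_sha256": [], "sso": []}
    findings = []
    if summary["entity_id"] != expected_entity_id:
        findings.append(f"unexpected entityID: {summary['entity_id']}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return summary, findings + ["no IDPSSODescriptor element"]
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in key.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                summary["signing_sha256"].append(hashlib.sha256(der).hexdigest())
    if not summary["signing_sha256"]:
        findings.append("no signing certificate in metadata")
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = (sso.get("Binding") or "").rsplit(":", 1)[-1]
        location = sso.get("Location") or ""
        summary["sso"].append((binding, location))
        if not location.lower().startswith("https://"):
            findings.append(f"{binding} endpoint is not HTTPS: {location}")
    return summary, findings

if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA, "https://hag.local/idp"))
```

With real metadata, each signing_sha256 value is the SHA-256 fingerprint of the DER-encoded certificate, so it can be compared with the fingerprint of the certificate selected as Signing Certificate in the identity provider.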

Note

Make sure that the Identity Manager server and the Digital Access server have the same time configured.


Upload identity provider metadata to Identity Manager

Upload identity provider metadata to SAML authentication profile in Identity Manager

After the metadata files have been created they must be uploaded to the authentication profile in Identity Manager Admin. This section describes how to upload the identity provider metadata files. 

  1. Open the SAML SSO authentication profile that was created earlier.
  2. Go to the SAML Configuration tab.  
  3. Under Identity Provider Configuration, do the following:
    1. In Configuration File, click the upload symbol to browse for and select the metadata file that has been provided from the identity provider, for example downloaded from Digital Access. 
    2. In Attribute Type, select one of the following options for where the authentication information is communicated: 
      1. NameID refers to the subject of a SAML response. Use an appropriate value that matches the desired field in the CoreObject.
      2. Attribute Statement refers to attributes associated with the subject of a SAML response.
    3. If Attribute Statement was selected, then also enter one or more names in Attribute Name.

Note

Make sure that the Identity Manager server and the Identity Provider server (for example Digital Access) have the same time configured.
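
The time notes on this page matter because a SAML assertion carries a validity window that the service provider evaluates against its own clock. The following Python sketch is an added example, not Identity Manager or Digital Access code; the assertion fragment is constructed, and allowed_skew is a hypothetical tolerance parameter, not a documented Smart ID setting.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: the IdP issued it at 12:00:00 UTC with a
# five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values; fractional seconds are optional.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, sp_now, allowed_skew=timedelta(0)):
    """Evaluate the Conditions window as a service provider whose clock reads sp_now."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return "no-conditions"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and sp_now + allowed_skew < _ts(not_before):
        return "rejected: not yet valid"
    if not_on_or_after and sp_now - allowed_skew >= _ts(not_on_or_after):
        return "rejected: expired"
    return "accepted"

def simulate(sp_clock_offset, allowed_skew=timedelta(0)):
    """The user returns 2 s after issuance; the SP clock is off by sp_clock_offset."""
    true_now = _ts("2024-01-01T12:00:02Z")
    return check_conditions(SAMPLE_ASSERTION, true_now + sp_clock_offset, allowed_skew)

if __name__ == "__main__":
    for offset in (0, -30, 360):
        print(f"SP clock offset {offset:+d}s:", simulate(timedelta(seconds=offset)))
```

A service provider clock that runs 30 seconds behind rejects a freshly issued assertion as not yet valid, and one that runs six minutes ahead rejects it as expired, which is why both servers need the same time source.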


Additional information

Useful links

...