This article describes authentication profiles in Smart ID Identity Manager (PRIME) and how to configure them. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to.

Authentication is done in two steps:

Authentication: login in with a certain user credential. The user will be extracted from the credential depending on the authentication type.
Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.

The following authentication profiles are available:

Authentication profile

Authentication / Login mechanism

User / Principal

Authorization / Roles / Permissions

Internal

In the runtime system (Identity Manager operator UI and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account.

Login with username and password based on internal user table
UsernameRoles from internal roles tableLDAP

External login mechanism based on LDAP

DN from LDAP configurationGroup membership in LDAP directory is mapped to internal rolesLDAP Core ObjectExternal login mechanism based on LDAPDN from LDAP configurationInternal roles mapped to core objects

Client Certificate and LDAP

Client certificate login based on LDAPConfigured attribute in certificateGroup membership in LDAP directory is mapped to internal roles

Client Certificate Internal

In the runtime system (Identity Manager operator UI and Smart ID Self-Service), this profile type is not recommended for production.

Client certificate login based on internal userConfigured attribute in certificateRoles from internal roles table

Client Certificate Core Object

Client certificate login based on Core Objects
Configured attribute in certificate

Internal roles mapped to core objects

Smart Card and Core Object

This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object.

Smart card certificateConfigured attribute in certificate

Internal roles mapped to core objects

Username and Password Core ObjectLogin with username and password based on core objectsUsername

Internal roles mapped to core objects

SAML SSO Core Object

External login with SAML SSO

Configured attribute in SAML token

Internal roles mapped to core objects

SAML SSO LDAPExternal login with SAML SSO.

Configured attribute in SAML token

Group membership in LDAP directory is mapped to internal roles

Prerequisites

Expand

title	Prerequisites

The following prerequisites apply:

Install Identity Manager

You must have access to any required external systems, for example LDAP or SAML Identity provider (IDP).

For client certificate authentication, a working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.

For SAML authentication, it is required to have an identity provider, such as Smart ID Digital Access component (Hybrid Access Gateway), with the correct configuration for Identity Manager authentication. For information and examples with Digital Access, see Enable two-factor authentication to Identity Manager clients via SAML federation.

Step-by-step instruction

Expand

title	Log in to Identity Manager Admin

Log in to Identity Manager Admin as an admin user.

Expand

title	Set up authentication profile

To set up an authentication profile:

Go to Home > Authentication Profiles.

Click +New to add an authentication profile.

Select a Profile type:
Image Removed

Note
The Internal profile is not available for selection, since it is created by default in any Identity Manager installation and only one internal profile is allowed.

Enter a unique Priority number.

Click Save + Edit.
A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.

To edit an existing identity template, double-click on its name.

Configure profile types

The configuration of authentication profiles differs according to the different profile types.

Find your selected authentication profile type below and follow the instruction to set up the configuration.

Expand

title	Configure Internal profile

No further configuration required.

Expand

title	Configure internal profile with client certificate

In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
1. User Principal Name (UPN)
2. SAN Email (RFC822Name)
3. Subject CN
4. Subject Email

AnchorLDAPprofileLDAPprofile Expand

title	Configure LDAP profile

In Connection settings:

In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

Panel

title	Example: Connection string

Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

where

ou = organizationalUnitName
dc = domainComponent
For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

In Username and Password, enter the Active Directory domain user name and password.

In User search:

Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.

Enter a Search pattern. Here are two examples:

Panel

title	Example: Search pattern

Search pattern: (userPrincipalName={0})

Panel

title	Example: Search pattern using Distinguished Name (DN) of user

Search pattern: cn={0},ou=users

If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.

In Group search:

In Basis for group search, enter the subpath to the group information in LDAP.
For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:

Panel

title	Example: Basis for group search

Basis for group search: ou=groups

In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.

For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:

Panel

title	Example: Filter for group search

Filter for group search: (member={0})

In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.

For example, enter the following:

Panel

title	Example: Attribute for group

Attribute for group: cn

Group Permissions

Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.

Click + to add an LDAP group to the Groups list

Select the roles that should be assigned to that LDAP group in the Roles list.
ExpandtitleConfigure LDAP Core Object

This article describes authentication profiles in Smart ID Identity Manager and how to configure them. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to.

Authentication is done in two steps:

Authentication: login in with a certain user credential. The user will be extracted from the credential depending on the authentication type.
Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.

The following authentication profiles are available:

Authentication profile	Authentication / Login mechanism	User / Principal	Authorization / Roles / Permissions
Internal In the runtime system (Identity Manager operator UI and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account.	Login with username and password based on internal user table	Username	Roles from internal roles table
LDAP	External login mechanism based on LDAP	DN from LDAP configuration	Group membership in LDAP directory is mapped to internal roles
LDAP Core Object	External login mechanism based on LDAP	DN from LDAP configuration	Internal roles mapped to core objects
Client Certificate and LDAP	Client certificate login based on LDAP	Configured attribute in certificate	Group membership in LDAP directory is mapped to internal roles
Client Certificate Internal In the runtime system (Identity Manager operator UI and Smart ID Self-Service), this profile type is not recommended for production.	Client certificate login based on internal user	Configured attribute in certificate	Roles from internal roles table
Client Certificate Core Object	Client certificate login based on Core Objects	Configured attribute in certificate	Internal roles mapped to core objects
Smart Card and Core Object This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object.	Smart card certificate	Configured attribute in certificate	Internal roles mapped to core objects
Username and Password Core Object	Login with username and password based on core objects	Username	Internal roles mapped to core objects
SAML SSO Core Object	External login with SAML SSO	Configured attribute in SAML token	Internal roles mapped to core objects
SAML SSO LDAP	External login with SAML SSO.	Configured attribute in SAML token	Group membership in LDAP directory is mapped to internal roles

Prerequisites

Expand

title	Prerequisites

The following prerequisites apply:

Install Identity Manager
You must have access to any required external systems, for example LDAP or SAML Identity provider (IDP).
For client certificate authentication, a working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.
For SAML authentication, it is required to have an identity provider, such as Smart ID Digital Access component (Hybrid Access Gateway), with the correct configuration for Identity Manager authentication. For information and examples with Digital Access, see Enable two-factor authentication to Identity Manager clients via SAML federation.

Step-by-step instruction

Expand

title	Log in to Identity Manager Admin

Log in to Identity Manager Admin as an admin user.

Expand

title	Set up authentication profile

To set up an authentication profile:

Go to Home > Authentication Profiles.
Click +New to add an authentication profile.
1. Select a Profile type:
  Image Added
  Note
  The Internal profile is not available for selection, since it is created by default in any Identity Manager installation and only one internal profile is allowed.
2. Enter a unique Priority number.
3. Click Save + Edit.
  
  A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.
To edit an existing identity template, double-click on its name.

Configure profile types

The configuration of authentication profiles differs according to the different profile types.

Find your selected authentication profile type below and follow the instruction to set up the configuration.

Expand

title	Configure Internal profile

No further configuration required.

Expand

title	Configure internal profile with client certificate

In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
1. User Principal Name (UPN)
2. SAN Email (RFC822Name)
3. Subject CN
4. Subject Email

Anchor

	LDAPprofile
	LDAPprofile

Expand

title	Configure LDAP profile

In Connection settings:
1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:
  Panel
  title Example: Connection string
  Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local
  where
  ou = organizationalUnitName
  dc = domainComponent
  
  For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.
2. In Username and Password, enter the Active Directory domain user name and password.
In User search:
1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
2. Enter a Search pattern. Here are two examples:
  Panel
  title Example: Search pattern
  Search pattern: (userPrincipalName={0})
  
  Panel
  title Example: Search pattern using Distinguished Name (DN) of user
  Search pattern: cn={0},ou=users
3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
In Group search:
1. In Basis for group search, enter the subpath to the group information in LDAP.
  For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:
  Panel
  title Example: Basis for group search
  Basis for group search: ou=groups
2. In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.
  For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:
  Panel
  title Example: Filter for group search
  Filter for group search: (member={0})
3. In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.
  For example, enter the following:
  Panel
  title Example: Attribute for group
  Attribute for group: cn
Group Permissions
1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.
2. Click + to add an LDAP group to the Groups list
3. Select the roles that should be assigned to that LDAP group in the Roles list.

Expand

title	Configure LDAP Core Object profile

In Connection settings:
1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:
  Panel
  title Example: Connection string
  Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local
  where
  ou = organizationalUnitName
  dc = domainComponent
  
  For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.
2. In Username and Password, enter the Active Directory domain user name and password.
In User search:
1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
2. Enter a Search pattern. Here are two examples:
  Panel
  title Example: Search pattern
  Search pattern: (userPrincipalName={0})
  
  Panel
  title Example: Search pattern using Distinguished Name (DN) of user
  Search pattern: cn={0},ou=users
3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
In User identification: enter details to map the userPrincipalName to a core object.
1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
2. In User name field, select the core object field to match the user principal, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

is assigned based on the assigned roles.

For example, enter the following:

Expand

title	Configure Client Certificate and LDAP profile

Panel

title	Example: Attribute for group

Attribute for group: cn

In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:

User Principal Name (UPN)
SAN Email (RFC822Name)
Subject CN
Subject Email

Group Permissions

Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.
Click + to add an LDAP group to the Groups list
Select the roles that should be assigned to that LDAP group in the Roles list.

ExpandtitleConfigure Client Certificate Core Object profile

In Connection settings:
1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:
  Panel
  title Example: Connection string
  Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local
  where
  ou = organizationalUnitName
  dc = domainComponent
  
  For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.
2. In Username and Password, enter the Active Directory domain user name and password.
In User search:
1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
2. the Active Directory domain user name and password.
In User search:
1. Enter a Search pattern. Here are two examples:
  Panel
  title Example: Search pattern
  Search pattern: (userPrincipalName={0})
  
  Panel
  title Example: Search pattern using Distinguished Name (DN) of user
  Search pattern: cn={0},ou=users
2. If password comparison was selected, enter the the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
In User identification: enter details to map the userPrincipalName to a core object.
In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
In User name field, select the core object field to match the user principal, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.

In

User display

, enter fields in a comma separated list

, for example FirstName, LastName.

T

hese fields are used

to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Expand

title	Configure Client Certificate and LDAP profile

In Connection settings:

In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

Panel

title	Example: Connection string

Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

where

ou = organizationalUnitName
dc = domainComponent
For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

In Username and Password, enter the Active Directory domain user name and password.

In User search:

Enter a Search pattern. Here are two examples:

Panel

title	Example: Search pattern

Search pattern: (userPrincipalName={0})

Panel

title	Example: Search pattern using Distinguished Name (DN) of user

Search pattern: cn={0},ou=users

If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.

In Group search:

In Basis for group search, enter the subpath to the group information in LDAP.
For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:

Panel

title	Example: Basis for group search

Basis for group search: ou=groups

In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.

For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:

Panel

title	Example: Filter for group search

Filter for group search: (member={0})

In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system

1. for Password encryption.
In Group search:
1. In Basis for group search, enter the subpath to the group information in LDAP.
  For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:
  Panel
  title Example: Basis for group search
  Basis for group search: ou=groups
2. In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.
  For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:
  Panel
  title Example: Filter for group search
  Filter for group search: (member={0})
3. In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.
  For example, enter the following:
  Panel
  title Example: Attribute for group
  Attribute for group: cn
In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
1. User Principal Name (UPN)
2. SAN Email (RFC822Name)
3. Subject CN
4. Subject Email
Group Permissions
1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.
2. Click + to add an LDAP group to the Groups list
3. Select the roles that should be assigned to that LDAP group in the Roles list.

Expand

title	Configure Client Certificate Core Object profile

In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
1. User Principal Name (UPN)
2. SAN Email (RFC822Name)
3. Subject CN
4. Subject Email
In User identification: enter details to map the userPrincipalName to a core object.
1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
2. In User name field, select the core object field to match the user, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
3. In User display, enter fields in a comma separated list, for example FirstName,LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Expand

title	Configure Smart Card and Core Object profile

Note
This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use the Client Certificate Core Object profil.

In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
1. User Principal Name (UPN)
2. SAN Email (RFC822Name)
3. Subject CN
4. Subject Email
In User identification: enter details to map the userPrincipalName to a core object.

Note
This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use the Client Certificate Core Object profil.

In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
1. User Principal Name (UPN)
2. SAN Email (RFC822Name)
3. Subject CN
4. Subject Email
In User identification:
1. In Identity template, select select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
2. In User name field, select the core object field to match the user, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
3. In User display, enter fields in a comma separated list, for example FirstName,LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Expand

title	Configure Smart Card and Core Object profile

1. .
2. In User name field, select the core object field to match the user, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
3. In User display, enter fields in a comma separated list, for example FirstName,LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Expand

title	Configure Username with Password Core Object profile

In User identification: enter details to map the userPrincipalName to a core object.In User identification: enter details to map the userPrincipalName to a core object
1. In Identity template, select select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
2. In User name field, select the core object field to match the username, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
3. In Password field, select the core object field to match the user, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
4. In User display, enter fields in a comma separated list, for example FirstName,LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Expand

title	Configure Username with Password Core Object profile

1. the core object field holding the password, for example PasswordHash.
2. In User display, enter fields in a comma separated list, for example FirstName,LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Prepare the required SAML configuration files. For file examples, refer to Enable two-factor authentication to Identity Manager clients via SAML federation.

You need one metadata file for each Service Provider, that is, one file for Identity Manager operator UI, one file for Smart ID Self-Service and one file for other Service Providers that you configure.
You also need the metadata file of your Identity Provider and a keystore containing all the keys you would like to use for encryption or signing.

Expand

title	Configure SAML SSO Core Object profile

Prepare the required SAML configuration files. For file examples, refer to Enable two-factor authentication to Identity Manager clients via SAML federation.
1. You need one metadata file for each Service Provider, that is, one file for Identity Manager operator UI, one file for Smart ID Self-Service and one file for other Service Providers that you configure.
2. You also need the metadata file of your Identity Provider and a keystore containing all the keys you would like to use for encryption or signing.

Excerpt
Go to the General tab and do the following settings: In User identification, select SAML SSO Core Object. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used. In User name field,

1. select

the

1. the core object field to match the

username

1. user principal, for example UPN or Email. Identity Manager will use it to search

the core object in the selected identity template.In Password field, select

1. the core object

field holding the password, for example PasswordHash

1. in the selected identity template.
2. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Expand

title	Configure SAML SSO Core Object profile

Excerpt

Go to the General tab and do the following settings:

Check Activate SAML Authentication.
With this switch you decide if SAML authentication should be used or not. This switch is disabled by default.
In User identification, select SAML SSO Core Object.
1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
2. In User name field, select the core object field to match the user principal, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.
3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager operator UI or Smart ID Self-Service.

Go to the SAML Configuration tab and do the following settings:

In Identity Provider Configuration:

Upload a Configuration file
Here you can upload and delete the metadata file for an identity provider. The metadata file must contain only one identity provider configuration and no service provider configurations.
Select an Attribute Type
This is the identifying element of a SAML response. Despite the name, it can contain other elements than attributes. It can have two values, Name ID and Attribute Statement. Name ID refers to the subject of a SAML response, Attribute Statement refers to attributes associated with the subject of a SAML response.
Enter Attribute Name
This field is only active when Attribute Statement is selected as Attribute Type. It can be any arbitrary value.

In Keystore Configuration:

Upload a Configuration file
Here you can upload and delete key store file. The key store file must contain the certificates and the private key used for signing and decryption. A key store is mandatory. When a key store is uploaded, the key store's password must be entered. Objects in the key store, if protected with a password, must have the same password as the key store itself.
Available key aliases
List of the aliases that mark private keys in the key store.

In Service Provider Configurations:

Click on the + button to add a service provider.
This view lists the aliases of the service providers. Any arbitrary number of service providers is allowed but at least one service provider is required. An uploaded service provider must use only private keys available in the key store. If you upload a service provider metadata file that violates the SAML metadata schema, this triggers an error message.

In Service Provider Details:Alias
In this context, Alias refers to the location and thus the service provider to use when sending the SAML response to the application for processing. An Alias is mandatory.
This is an example of an excerpt from a typical metadata file that defines the Assertion Consumer Service responsible for processing the SAML response. The Alias in this case is "explorer".

Code Block

title	Example: Excerpt from a metadata file

...
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://hostname:8080/prime_explorer/saml/SSO/alias/explorer" index="0" isDefault="true"/>
...

Configuration File
Click on the upload symbol and select the metadata file.
This field is mandatory. The metadata file must contain only one service provider configuration and no identity provider configurations. If the file is deleted and re-uploaded, Alias must be reset according to the metadata file.

Alias for Signing Key
The alias from the key store for the private key to use for signing. This field is mandatory.

Alias for Encryption Key
The alias from the key store for the private key to use for encryption purposes. This field is mandatory.

Expand

title	Configure SAML SSO LDAP profile

Go to the General tab.
1. Check Activate SAML Authentication.
  With this switch you decide if SAML authentication should be used or not. This switch is disabled by default.
2. In User identification, select SAML SSO LDAP.
Go to the SAML Configuration tab.
1. Do the same settings as described above under heading "Configure SAML SSO Core Object profile".

Go to the LDAP Configuration tab.

If you have already a configured LDAP profile, copy the information to here. See heading "Configure LDAP profile" above.

Note
The Direct binding and With password comparison selection are NOT used for the SAML SSO LDAP profile.

Go to the LDAP Group Permissions tab.See under heading "Configure LDAP profile" above.Go to the SAML Configuration tab and do the following settings:

In Identity Provider Configuration:
1. Upload a Configuration file
  Here you can upload and delete the metadata file for an identity provider. The metadata file must contain only one identity provider configuration and no service provider configurations.
2. Select an Attribute Type
  This is the identifying element of a SAML response. Despite the name, it can contain other elements than attributes. It can have two values, Name ID and Attribute Statement. Name ID refers to the subject of a SAML response, Attribute Statement refers to attributes associated with the subject of a SAML response.
3. Enter Attribute Name
  This field is only active when Attribute Statement is selected as Attribute Type. It can be any arbitrary value.
In Keystore Configuration:
1. Upload a Configuration file
  Here you can upload and delete key store file. The key store file must contain the certificates and the private key used for signing and decryption. A key store is mandatory. When a key store is uploaded, the key store's password must be entered. Objects in the key store, if protected with a password, must have the same password as the key store itself.
2. Available key aliases
  List of the aliases that mark private keys in the key store.
In Service Provider Configurations:
1. Click on the + button to add a service provider.
2. This view lists the aliases of the service providers. Any arbitrary number of service providers is allowed but at least one service provider is required. An uploaded service provider must use only private keys available in the key store. If you upload a service provider metadata file that violates the SAML metadata schema, this triggers an error message.

In Service Provider Details:

Alias
In this context, Alias refers to the location and thus the service provider to use when sending the SAML response to the application for processing. An Alias is mandatory.

This is an example of an excerpt from a typical metadata file that defines the Assertion Consumer Service responsible for processing the SAML response. The Alias in this case is "explorer".

Code Block

title	Example: Excerpt from a metadata file

...
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://hostname:8080/prime_explorer/saml/SSO/alias/explorer" index="0" isDefault="true"/>
...

Configuration File
Click on the upload symbol and select the metadata file.

This field is mandatory. The metadata file must contain only one service provider configuration and no identity provider configurations. If the file is deleted and re-uploaded, Alias must be reset according to the metadata file.
Alias for Signing Key
The alias from the key store for the private key to use for signing. This field is mandatory.
Alias for Encryption Key
The alias from the key store for the private key to use for encryption purposes. This field is mandatory.

Expand

title	Configure SAML SSO LDAP profile

Go to the General tab.
1. Check Activate SAML Authentication.
  With this switch you decide if SAML authentication should be used or not. This switch is disabled by default.
2. In User identification, select SAML SSO LDAP.
Go to the SAML Configuration tab.
1. Do the same settings as described above under heading "Configure SAML SSO Core Object profile".
Go to the LDAP Configuration tab.
1. If you have already a configured LDAP profile, copy the information to here. See heading "Configure LDAP profile" above.
  Note
  The Direct binding and With password comparison selection are NOT used for the SAML SSO LDAP profile.
Go to the LDAP Group Permissions tab.
1. See under heading "Configure LDAP profile" above.

Tenant ID settings

Expand

title	Tenant ID settings

Using the correct URL, the desired authentication method can be called directly. You need to give a valid tenant ID (language will depend on browser language).

Read more under headings "Login" and "Admin page" in Identity Manager Operator.

Authentication method Certificate

Use this URL: https://<idmhost>:<idmPort>/<idmApplicationName>/cert/login?tenantId=X (Example: https://localhost:8444/idm-admin/cert/login?tenantId=32768)

The port (default is 8444) must be configured in system.properties.

Authentication method SAML

Use this URL: https://<idmhost>:<idmPort>/<idmApplicationName>/saml/login?tenantId=X (Example: http://localhost:8080/idm/saml/login?tenantId=1)

Validate tenant id

You can use the flag "tenantContextFilter.shouldValidateTenant" in system.properties of Identity Manager for validation of the tenant id:

If set to true, an error page is shown when selected tenant (passed in the URL) does not exist.
If set to false, the user will be redirected to the login page.
Default: tenantContextFilter.shouldValidateTenant=false

Configure Smart ID Self-Service login page

Expand

title	Configure Smart ID Self-Service login page

Smart ID Self-Service has additional configuration options for the login page.

You can enable or disable the different login mechanism in config.json, see this table:

Property

Possible Values

Default

Looks like

userPassword.enabled

true / false

true

saml.enabled

saml.enforced

For more information, see Enable two-factor authentication to Identity Manager clients via SAML federation

true

clientCert.enabled

true / false

true

This article is valid for Smart ID 2021.11 04 and later.

Related information

Smart ID Identity Manager

Versions Compared

Old Version 12

New Version 13

Key

Prerequisites

Step-by-step instruction

Configure profile types

Prerequisites

Step-by-step instruction

Configure profile types