This article describes how to set up certificate filtering for the Personal Mobile and Personal Desktop authentication methods in Digital Access. To do this, you add an extended property in the authentication method.
Prerequisites

The Personal Mobile and Personal Desktop authentication methods are set up and enabled in Digital Access. Read more here: Set up Smart ID authentication. A JSON filter is defined that contains the information needed for the filtering. See the examples in this article.
Step-by-step instruction to set up the filter

Log in to Digital Access Admin

Log in to Digital Access Admin with an administrator account.

Edit the Personal Mobile or the Personal Desktop authentication method

1. In Digital Access Admin, go to Manage System.
2. Click Authentication Methods.
3. Select the Personal Mobile or the Personal Desktop method in the list of Registered Authentication Methods.
4. Go to the Extended Properties tab.
5. Click Add Extended Property...
6. Select Certificate Filter. The value of this property must be a valid JSON filter, constructed for the type of filtering you want to achieve. The examples in this article show how to build the filter JSON.
7. Click Save.
8. Click Publish.
About the filter json with examples

Each filter object shall have an op parameter (operation), whose value signifies what type of filter operation it represents. If no operation is specified, the default operation, and, is used.

Logical filter: a logical filter contains a list of operations. Its value (value) is a list of further filters. The logical filter operations are and, or and not (see Supported request filter parameters below).

Value filter: a value filter contains one parameter (param), whose meaning depends on the operation, and a value (value). The value filter operations are co, sw, ew, eq, nq, lt, gt, le and ge (see Supported request filter parameters below).
Examples of a filter json

A simple filter json:
Example: A simple filter that matches certificates whose issuer organisation is 'Example company'

{
  "op": "eq",
  "param": "cert.issuer.o",
  "value": "Example company"
}
A complex filter json:
Example: A more complex filter

{
  "op": "and",
  "value": [
    {
      "param": "key.id",
      "op": "eq",
      "value": "signing"
    },
    {
      "param": "cert.subject.cn",
      "op": "eq",
      "value": "Samuel"
    },
    {
      "op": "or",
      "value": [
        {
          "op": "and",
          "value": [
            {
              "param": "key.type",
              "op": "eq",
              "value": "RSA"
            },
            {
              "param": "key.size",
              "op": "gte",
              "value": 2048
            }
          ]
        },
        {
          "op": "and",
          "value": [
            {
              "param": "key.type",
              "op": "eq",
              "value": "ECC"
            },
            {
              "param": "key.size",
              "op": "gte",
              "value": 192
            }
          ]
        }
      ]
    }
  ]
}
Supported request filter parameters

These are the supported request filters in Smart ID Mobile App, Smart ID Desktop App and Personal Desktop Client.

Constructed Filters ("value" is a list of other filters, "param" is null):

Name | acronym | Note
---|---|---
AND | and |
OR | or |
NOT (implemented as NOR) | not | No filter is allowed to be true if the evaluation of this filter is true

Value Filters ("value" is string or number, "param" is one of the strings in the list below):

Name | acronym | Note
---|---|---
CONTAINS | co | only string param value
STARTS WITH | sw | only string param value
ENDS WITH | ew | only string param value
EQUALS | eq | string or number supported
NOT EQUALS | nq | string or number supported
LESS THAN | lt | string or number supported
GREATER THAN | gt | string or number supported
LESS OR EQUAL | le | string or number supported
GREATER OR EQUAL | ge | string or number supported

Filter Param 'keys':

Name | acronym | Note
---|---|---
ISSUER COUNTRY | cert.issuer.c |
ISSUER COMMON NAME | cert.issuer.cn |
ISSUER LOCALITY | cert.issuer.l |
ISSUER ORGANISATION | cert.issuer.o |
ISSUER ORGANISATIONAL UNIT | cert.issuer.ou | fixed in android now
ISSUER STATE | cert.issuer.st |
ISSUER STATE variant | cert.issuer.s |
ISSUER STREET | cert.issuer.street |
ISSUER EMAIL | cert.issuer.email |
ISSUER UID | cert.issuer.uid |
KEY USAGE | cert.keyusage | Use primarily with contains. All key usages are concatenated into one string
SERIAL | cert.serial |
SUBJECT COUNTRY | cert.subject.c |
SUBJECT COMMON NAME | cert.subject.cn |
SUBJECT LOCALITY | cert.subject.l |
SUBJECT ORGANISATION | cert.subject.o |
SUBJECT ORG UNIT | cert.subject.ou |
SUBJECT STATE | cert.subject.st |
SUBJECT STATE variant | cert.issuer.s |
SUBJECT STREET | cert.subject.street |
SUBJECT EMAIL | cert.subject.email |
SUBJECT UID | cert.subject.uid |
KEY ID | key.id |
KEY PUBLIC KEY | key.publickey | BASE64 encoded DER (no PEM headers or newlines)
KEY SIZE | key.size |
KEY TYPE | key.type | always 'RSA' so far
TOKEN ID | token.id | Profile ID for Hermod profiles
TOKEN TYPE | token.type | 'DIGITAL' and 'NFC' used in mobile. PDA version values: 'Microsoft Platform Crypto Provider', 'MICROSOFT BASE SMART CARD CRYPTO PROVIDER', 'MICROSOFT ENHANCED CRYPTOGRAPHIC PROVIDER V1.0', 'MICROSOFT SOFTWARE KEY STORAGE PROVIDER', 'MICROSOFT PASSPORT KEY STORAGE PROVIDER'
TOKEN USER ID | token.userid | username tied to the token
TOKEN PROFILE TYPE | token.profiletype | VSC, SW, PLATFORMTPM, YUBI, HYBRID, FILEP12SW, FILEP12TPM, FILETPMYUBI, LOCALID06, FILEP12VSC
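A filter that is accepted by the Certificate Filter property but does not match the intended credentials locks users out, and one that is too loose accepts keys you meant to exclude, so it pays to dry-run the JSON before clicking Publish. The Python below is an added reference evaluator, not code from Digital Access or the Smart ID apps: it implements the operations as this page documents them (and, or, not as NOR, and the value operations from the table) over a dictionary of credential attributes keyed by the param names in the table, evaluates both example filters from this page, and rejects filters with unknown operations or parameters. Three things in it are assumptions, labelled in the code as well: the default operation when op is omitted is taken to be and, the spelling gte used in the complex example is accepted as an alias of the table's ge, and the sample credential is constructed, not real data.

```python
"""Reference evaluator for the certificate-filter JSON described on this page.

Added example, not the Smart ID apps' or Digital Access' own code. It applies the
documented operations (and/or/not; co/sw/ew/eq/nq/lt/gt/le/ge) to a flat dict of
credential attributes keyed by the documented param names, so a filter can be
dry-run and checked for mistakes before it is pasted into the extended property.
"""
import json
from typing import Any, Optional

LOGICAL_OPS = {"and", "or", "not"}
STRING_OPS = {"co", "sw", "ew"}                     # table: "only string param value"
COMPARE_OPS = {"eq", "nq", "lt", "gt", "le", "ge"}  # table: "string or number supported"
# Assumption: the page's complex example writes "gte" where the table lists "ge";
# accepting the alias lets that example be evaluated as written.
OP_ALIASES = {"gte": "ge"}
DEFAULT_OP = "and"  # used when a filter object has no "op" (assumed reading of the page)
# Param names exactly as listed in the "Supported request filter parameters" table.
KNOWN_PARAMS = {
    "cert.issuer.c", "cert.issuer.cn", "cert.issuer.l", "cert.issuer.o", "cert.issuer.ou",
    "cert.issuer.st", "cert.issuer.s", "cert.issuer.street", "cert.issuer.email",
    "cert.issuer.uid", "cert.keyusage", "cert.serial", "cert.subject.c", "cert.subject.cn",
    "cert.subject.l", "cert.subject.o", "cert.subject.ou", "cert.subject.st",
    "cert.subject.street", "cert.subject.email", "cert.subject.uid", "key.id",
    "key.publickey", "key.size", "key.type", "token.id", "token.type", "token.userid",
    "token.profiletype",
}

def _compare(op: str, actual: Any, expected: Any) -> bool:
    """Compare numerically when the filter value is a number, otherwise as strings."""
    if isinstance(expected, (int, float)) and not isinstance(expected, bool):
        try:
            a, e = float(actual), float(expected)
        except (TypeError, ValueError):
            return False  # a non-numeric attribute can never satisfy a numeric filter
    else:
        a, e = str(actual), str(expected)
    return {"eq": a == e, "nq": a != e, "lt": a < e,
            "gt": a > e, "le": a <= e, "ge": a >= e}[op]

def evaluate(filt: Any, attrs: dict) -> bool:
    """Evaluate a (possibly nested) filter object; raise ValueError if it is malformed."""
    if not isinstance(filt, dict):
        raise ValueError("each filter must be a JSON object")
    op = filt.get("op", DEFAULT_OP)
    op = OP_ALIASES.get(op, op)
    if op in LOGICAL_OPS:
        children = filt.get("value")
        if not isinstance(children, list):
            raise ValueError(f"{op!r} needs a list of filters in 'value'")
        results = [evaluate(child, attrs) for child in children]
        if op == "and":
            return all(results)
        if op == "or":
            return any(results)
        return not any(results)  # "not" is implemented as NOR: true only if no child is true
    if op in STRING_OPS or op in COMPARE_OPS:
        param, expected = filt.get("param"), filt.get("value")
        if param not in KNOWN_PARAMS:
            raise ValueError(f"unknown param {param!r}")
        if expected is None:
            raise ValueError(f"{op!r} needs a 'value'")
        if op in STRING_OPS and not isinstance(expected, str):
            raise ValueError(f"{op!r} takes a string value only")
        actual = attrs.get(param)
        if actual is None:
            return False  # attribute absent from this credential
        if op in STRING_OPS:
            a = str(actual)
            return {"co": expected in a, "sw": a.startswith(expected),
                    "ew": a.endswith(expected)}[op]
        return _compare(op, actual, expected)
    raise ValueError(f"unknown op {op!r}")

def validate(filter_text: str) -> Optional[str]:
    """Return None if the text is a well-formed filter JSON, else the problem found."""
    try:
        evaluate(json.loads(filter_text), {})  # empty credential: checks structure only
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return str(exc)
    return None

# Constructed sample credential (not real data), keyed by the documented param names.
SAMPLE_CREDENTIAL = {
    "cert.issuer.o": "Example company", "cert.subject.cn": "Samuel",
    "cert.keyusage": "digitalSignature nonRepudiation", "key.id": "signing",
    "key.type": "RSA", "key.size": 2048, "token.type": "DIGITAL", "token.profiletype": "SW",
}
# The two filters from this page's examples.
SIMPLE_FILTER = {"op": "eq", "param": "cert.issuer.o", "value": "Example company"}
COMPLEX_FILTER = {"op": "and", "value": [
    {"param": "key.id", "op": "eq", "value": "signing"},
    {"param": "cert.subject.cn", "op": "eq", "value": "Samuel"},
    {"op": "or", "value": [
        {"op": "and", "value": [{"param": "key.type", "op": "eq", "value": "RSA"},
                                {"param": "key.size", "op": "gte", "value": 2048}]},
        {"op": "and", "value": [{"param": "key.type", "op": "eq", "value": "ECC"},
                                {"param": "key.size", "op": "gte", "value": 192}]}]}]}

if __name__ == "__main__":
    for name, filt in (("simple", SIMPLE_FILTER), ("complex", COMPLEX_FILTER)):
        print(name, "matches" if evaluate(filt, SAMPLE_CREDENTIAL) else "does not match")
    print(validate('{"op": "eq", "param": "cert.bogus", "value": "x"}'))
```

Run it directly and both page examples match the sample credential; change key.size to 1024 and the complex filter stops matching, which is exactly the behaviour to confirm before restricting an authentication method to a key class. The validate helper evaluates a filter against an empty credential, so every leaf is visited and a misspelled op or param is reported before the filter reaches the extended property.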