Versions Compared

Old Version 3

changes.mady.by.user Arto Vainiolehto

Saved on

compared with

New Version 4

changes.mady.by.user ubisebastian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

The Swedish BankID authentication adapter is a standalone application which is deployed alongside Ubisecure SSO. It can be deployed to the same or different server. Currently, it is suggested that the application is deployed into the same server with Ubisecure SSO. Download the JAR file and on Linux for example, stored place it under

Code Block
/usr/local/ubisecure/ubilogin-sso-adapters/bankid-sweden

...

Note
titleSecuring HTTP connections

Although the application is currently deployed to the same node as Ubisecure SSO, it is suggested to secure the application using HTTPS in order to avoid leaking of sensitive information. This is especially suggested step that allows moving adapters to different servers than Ubisecure SSO. You can refer to Spring Boot Server SSL configuration instructions for more details.

Application configuration properties

The following configuration properties can be set using the configuration prefix:

...

In order to secure the application from unknown unauthorized clients, client authentication is based on OpenID Connect Core chapter 9, Client authentication. Both, the /bc-authorize and /token endpoints are secured. Currently, only private_key_jwt method is supported.

...

PropertyTypeRequiredDefaultDescription
trust-store.pathstringyes
The path to the key store where client public key certificate entries reside
trust-store.typestringnoPKCS12The type of the client key store
trust-store.passwordstringyes
The password of the key store
clientsobject arrayyes
An array of client objects. Each client having its own entry
clients[n].idstringyes
The client_id of the OpenID Connect client
clients[n].key-aliasesstring arrayyes

The aliases of client specific public key certificates stored in the key store denoted by ubisecure.sso.oidc.trust-store. If the client defines the kid JWT header, that is expected to be found in the key store. If the client is not setting kid JWK header, then each alias in this configuration is used to test for a matching key.


Info
titlekey-aliases for Ubisecure SSO

As of Ubisecure SSO 8.4.1 the clients[n].key-aliases entry has to match to the kid published by SSO in its JWKS metadata response. See /wiki/spaces/IDS/pages/1044054030 for more details. 

Example configuration using external directory

As documented in Spring Boot External Configuration guide, one easy way to configure the application is to store a file in a directory named config which is located in the same directory with the application executable. So, as an example one could have a following structure:

...

Code Block
ubisecure:
  sso:
    oidc:
      trust-store:
        path: 'file:certs/client-trust-store'
        password: 'secret'
      clients:
        - id: 'ubisecure-sso'
          key-aliases:
          - 'ubisecure-sso-auth-keyWtrEl8hop6_inC1OK6oTgskR668'
    bankid:
      sweden:
        id-token:
          issuer: 'https://sso-bankid.example.com'
          signing-key-alias: 'id-token-signing-key'
          signing-key-password: 'secret'
        key-store:
          path: 'file:certs/bankid-cacerts'
          password: 'secret'
          authentication-key:
            alias: 'bankid-auth-key'
            password: 'secret'
          server-certificate:
            alias: 'bankid-server-certificate'

...

EndpointSecuredDescription
/oidc/bc-authorizeyesOpenID Connect CIBA backchannel authentication endpoint
/oidc/tokenyesOpenID Connect token endpoint with additional CIBA parameters
/oidc/.well-known/openid-configurationnoOpenID Provider configuration metadata endpoint
/oidc/jwksnoExposes JWKs provided by the service
/v2/api-docsnoSwagger 2.0 schema of the API
/swagger-ui.htmlnoSwagger UI to explore the API
/actuator/healthnoFor health checks. This only checks that the application is up and running. No external requests are made. Health check of the BankID provider is not included
/actuator/infonoFor application version information

...

Assuming that the application is deployed to localhost for Ubisecure SSO to access, the endpoints can be accessed as follows:

EndpointDescription
http(s)://localhost:<port>/oidc/.well-known/openid-configurationOpenID Connect Provider metadata
http(s)://localhost:<port>/oidc/jwksID Token signing keys and issuer metadata

An example OpenID Connect Provider metadata response:

Code Block
languagejs
{
  "issuer": "https://sso-bankid.example.com",
  "backchannel_authentication_endpoint": "http://localhost:8082/oidc/bc-authorize",
  "token_endpoint": "http://localhost:8082/oidc/token",
  "jwks_uri": "http://localhost:8082/oidc/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "id_token_signing_alg_values_supported": [
    "RS512"
  ],
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt"
  ]
}

...