| Table of Contents |
|---|
Prerequisites
...
| BankID Adapter version | Ubisecure SSO version |
|---|---|
| 1.0.x | 8.3.x or newer* |
| 1.1.x | 8.8.x or newer |
| 2.x | 9.x or newer0.x - 9.3.x |
| 3.x | 9.4.x or newer |
*) Ubisecure SSO 8.4.1 requires specific key id configuration (see Client authentication for more details)
...
| Note | ||
|---|---|---|
| ||
Although the adapter is currently deployed to the same node as Ubisecure SSO (install on one node only if in HP), it is suggested to secure the adapter by configuring it to use HTTPS in order to avoid exposing of sensitive information. This suggested step allows moving adapters to different servers than Ubisecure SSO. You can refer to Spring Boot Server SSL configuration instructions for more details. |
Adapter configuration properties
The following configuration properties can be set using the configuration prefix:
...
Keys are stored in base64 encoded PKCS12 keystores in ubiloginPKCS12 attribute of the ubiloginKeyCredential objects.
The DNs for ubiloginKeyCredential objects used by the server can be found from the ubiloginKeyCredentialDN attribute values in cn=Server,ou=System,cn=Ubilogin,<LDAP suffix> entry.
After adding the certificates to the trust store modify application configuration to include the new kid in clients[n].key-aliases list.
...
| Endpoint | Secured | Description | |||
|---|---|---|---|---|---|
/ | oidcdevice/ | bc-authorize | yes | OpenID Connect CIBA backchannelBankID device authentication endpoint | |
/ | oidcdevice/token | yes | OpenID ConnectBankID device token endpoint with | additional CIBAspecific BankID parameters | |
/ | oidcdevice/.well-known/ | openidoauth2-configuration | no | OpenID ProviderBankID provider configuration | metadatametadat endpoint |
/oidcv3/jwks | no | Exposes JWKs provided by the service | |||
/device/authorize | yes | BankID device authentication endpoint | |||
/device/token | yes | BankID device token endpoint with specific BankID parameters | |||
/device/.well-known/oauth2-configuration | no | BankID provider configuration metadat endpoint | |||
/v3/api-docs | no | Swagger 3.0api-docs | no | Swagger 3.0.1 schema of the API | |
/swagger-ui/ | no | Swagger UI to explore the API | |||
/actuator/health | no | For health checks. This only checks that the adapter is up and running. No external requests are made. Health check of the BankID provider is not included | |||
/actuator/info | no | For adapter version information |
...
Configuring Ubisecure SSO to use Swedish BankID
See OpenID Connect CIBA authentication method for more details on how to configure Swedish BankID as an external authentication method to Ubisecure SSO.See Swedish BankID method for more details on how to configure Swedish BankID as a same device flow external authentication method to Ubisecure SSO.
...
| Endpoint | Description | |
|---|---|---|
http(s)://localhost:<port>/oidc/.well-known/openid-configuration | OpenID Connect Provider metadata | |
http(s)://localhost:<port>/oidc/jwks | ID Token signing keys and issuer metadata | |
http(s)://localhost:<port>/device/.well-known/oauth2-configuration | Swedish BankID provider metadata |
An example OpenID Connect Provider metadata response:
| Code Block | ||
|---|---|---|
| ||
{
"issuer": "https://sso-bankid.example.com",
"backchanneldevice_authenticationauthorization_endpoint": "http://localhost:8082/oidcdevice/bc-authorize",
"token_endpoint": "http://localhost:8082/oidcdevice/token",
"jwks_uri": "http://localhost:8082/oidc/jwks",
"response_types_supported": [
"id_token"
],
"grant_types_supported": [
"urn:openidietf:params:modrnaoauth:grant-type:backchannel_request",
"urn:openid:params:grant-type:ciba"
device_code"
],
"scopes_supported": [
"openid"
],
"id_token_signing_alg_values_supported": [
"RS512"
],
"token_endpoint_auth_methods_supported": [
"private_key_jwt"
],
"backchannel_token_delivery_modes_supported": [
"poll"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256",
"RS512"
]
}
|
An example JWKS response:
...