Versions Compared

Old Version 2

changes.mady.by.user Arto Vainiolehto

Saved on

compared with

New Version 3

changes.mady.by.user Arto Vainiolehto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Prerequisites

...

Note
titleSecuring HTTP connections

Although the adapter is currently deployed to the same node as Ubisecure SSO (install on one node only if in HP), it is suggested to secure the adapter by configuring it to use HTTPS in order to avoid exposing of sensitive information. This suggested step allows moving adapters to different servers than Ubisecure SSO. You can refer to Spring Boot Server SSL configuration instructions for more details.

Adapter configuration properties

The following configuration properties can be set using the configuration prefix:

...

PropertyTypeRequiredDefaultDescription
default-polling-intervalintegerno5The polling interval returned to the client, i.e. Ubisecure SSO
default-request-expirationintegerno600The number of seconds when requests expire
urlstringnohttps://appapi2.bankid.comThe base URL to the BankID service provider API. This URL is defined in e.g. Environments (bankid.com)
auth.certificate-policiesstring arrayno1.2.752.78.1.5The BankID certificate policy requirements. Defaults to Mobile BankID app only. See /auth (bankid.com) for more details
id-token.issuerstringyes
The issuer of the ID token granted by the service
id-token.signing-key-aliasstringyes
The alias of the ID token signing key-pair in the key store
id-token.signing-key-passwordstringyes
The password of the ID token signing key-pair
id-token.expirationintno600The time in seconds after which ID tokens granted by this service expire. Note: Ubisecure SSO does not permit ID tokens that have expiration greater than 1 hour.
request-id.token-issuerstringnosso-bankidThe issuer of auth_req_id JWTs
request-id.key-idstringno(random uuid)The id of the key used to sign auth_req_id JWTs. kid will be set to this value
key-store.pathstringyes
The path to the key store where BankID key entries reside
key-store.passwordstringyes
The password of the key store
key-store.typestringnoPKCS12The type of the key store
key-store.authentication-key.aliasstringyes
The alias of the BankID client authentication key in the store
key-store.authentication-key.passwordstringyes
The password of the BankID client authentication private key
key-store.server-certificate.aliasstringyes
The alias of the BankID server certificate

responseTimeout

durationno

default configuration: 5s

if not set: 30s

BankID adapter timeout when accessing the BankID server

Adapter retries request in the following cases:

  • both authentication initialisation and status query request once after a 500 ms delay in case the BankID server is inaccessible
  • in authentication initialisation 3 times with minimum delay of 300 ms and exponential backoff strategy if the BankID server responds with service temporary unavailable error 

Therefore, if you configure responseTimeout > 5s you should also check the value for 

spring.mvc.async.request-timeout (default configuration value 1m). This value sets the timeout for a pending client (SSO) request to adapter to fail and it should cover the retry attempts.


user-certificate-policy

stringyes
The path to PKI Policy configuration file where the trust anchor and attribute mappings for user certificates resides. Example of such file is shown below.

Note that these parameters can be also supplied via the command line. See Spring Boot, Externalized configuration for more details.

Example User Certificate Policy

PKI Policy configuration file with Test BankID Root CA certificate as trust anchor and attributes user_certificate_cn and user_certificate_issuer_cn.

Code Block
titleUser Certificate Policy
<Policy xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <!-- CN=Test BankID Root CA v1 Test,OU=BankID Member Banks CA,O=Finansiell ID-Teknik BID AB -->
    <Trust>
MIIF0jCCA7qgAwIBAgIISpGbuE9LL/0wDQYJKoZIhvcNAQENBQAwbTEkMCIGA1UE
CgwbRmluYW5zaWVsbCBJRC1UZWtuaWsgQklEIEFCMR8wHQYDVQQLDBZCYW5rSUQg
TWVtYmVyIEJhbmtzIENBMSQwIgYDVQQDDBtUZXN0IEJhbmtJRCBSb290IENBIHYx
IFRlc3QwHhcNMTEwOTIyMTQwMTMzWhcNMzQxMjMxMTQwMTMzWjBtMSQwIgYDVQQK
DBtGaW5hbnNpZWxsIElELVRla25payBCSUQgQUIxHzAdBgNVBAsMFkJhbmtJRCBN
ZW1iZXIgQmFua3MgQ0ExJDAiBgNVBAMMG1Rlc3QgQmFua0lEIFJvb3QgQ0EgdjEg
VGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANPXoOB9BQOW8i2C
Kk7U/d8rFNB0ktVlcgBSh8CKvnTsW3i+NrAM5LY9jgAO9vkHT3bl3nK626zePhmh
dhVXMKAanbcF/NJ/oSF+DKCGx/VgPmCCqVyTMLjID/59diiLg3xNH3NaaBM69qnw
5yOCYkB2wXxcATLO0eTxvL0vdKGJ2HU2AcEtaMMxrScuNCztPuwjYNP0KrYI+y/J
Gkf2dBhomAhDLdQSSW3zXqYgbQvJ8La2ECgo3rGQQRZG9/5MZ5dOWtpAx0ybeCbh
CPO8XIBCHrPZxv60gZK1CTwlZUoMTBSivv+vmFrH8JdmUnOP9e/wNhuM9/fQ0h5t
4BGXoz8M5nxdH6uNJG5SpdxaXYflezBb7YdjgNiF9Yqo3DYTRrZT7dyRLYqlmKQh
T1pqEov1tkXktQF8r1QJkTJO3x1QEzMNCnHyN8iDOqENSE4nhkzU9ESbXNOhFpnc
XJqoFwvbeAJpV7fVwn+Jumyc/zsD9t+1Vo1lM95q1geVPfnA5z7NZ+uaayJx4DhL
MvufDI17fqgiWHe+BMA/vGd8OjFK3JUmCV+7QeG/Z3JWbzU0GeDljqO+H4CQ0+LO
4E4JGEZtxfUu4/XuOkCqiZ4/shoPOOxaXcZlBEMHsDzei0tNSKIxB+PoDTje/BQC
lunVZvjcG2ehpeF540EXgzzECaNLAgMBAAGjdjB0MB0GA1UdDgQWBBRK96NqCNoI
OBcZUyjI2qbWNNhaujAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFEr3o2oI
2gg4FxlTKMjaptY02Fq6MBEGA1UdIAQKMAgwBgYEKgMEBTAOBgNVHQ8BAf8EBAMC
AQYwDQYJKoZIhvcNAQENBQADggIBAJVcP9Sm2tukKW0Qx8EZG9gdXfCmNMrHXF3g
via5zpuSMl9wdXHd1FPdGFshRZJ2sW4mb9vRI81vBIXMFVtLZFzeGHoKyz1g8hfj
uuLKpItw0OwVNdvSRq/TKKxjVKpvt50Eydgnz4Q59YkFlGVyi7+z74mGfvN06Ssj
2WIRtr3UD+IC6Tie6Lm/zuZs4gu0ZP/fddKh7gC3syHLNXQmN+9Y0wkdO7H98K/9
uuIrxWtSOFVatxesw7XJRnq+uYI0IdP8xP8U4S680rTse7nsTguQxzRs2vOyoaXm
Fdf7XQ03btd15Z4yJlEfs9/4ohgafMs49PMkACqyX45/4WBygO0QwMGVIUnKNFBt
/I+0T2SkWFa2JdcRCSTObb7tesoeTIPgI9UcrMvNOG3gxGpB/H5/s7jTV0AOoDgM
hOxieGgyTsZ3oP0k6bc47FJ4nE+vifAluyeXioB5JaN2kvm8eqfzC05zSF40V9GA
zElVDbsBPR/2CE6CMyR+eqip4gDSZ6mnZYPeBecEXU4Xu+RAgqYxjKosfxOpMZsN
+2BSm5QSRLhHacPQTnoQxujnGuUzh5TdAbWqmS0cKEZJ+CACmVLyOphdRoeEQCqQ
8DYAyOtq2S4+hAJW+2Xq4NCdvmjm99r2RFkibSlLtqctj1JyzUC6huUiQXx9KZ8n
FA0TsFHG
    </Trust>
  </PKI>
  <Subject KeyInfoConfirmationData="true"/>
  <Attributes>
    <Add name="user_certificate_cn">
      <Attribute source="subject" oid="2.5.4.3" />
    </Add>
    <Add name="user_certificate_issuer_cn">
      <Attribute source="issuer" oid="2.5.4.3" />
    </Add>
  </Attributes>
</Policy>

Client authentication

In order to secure the adapter from unauthorized clients, client authentication is based on OpenID Connect Core chapter 9, Client authentication. Both, the /device/authorize and /device/token endpoints are secured. Currently, only private_key_jwt method is supported.

...

Keys are stored in base64 encoded PKCS12 keystores in ubiloginPKCS12 attribute of the ubiloginKeyCredential objects.

The DNs for ubiloginKeyCredential objects used by the server can be found from the ubiloginKeyCredentialDN attribute values in cn=Server,ou=System,cn=Ubilogin,<LDAP suffix> entry.

After adding the certificates to the trust store modify application configuration to include the new kid in clients[n].key-aliases list.

...