Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.5

Table of Contents

...

The Swedish BankID authentication adapter is a standalone application which is deployed alongside Ubisecure SSO. It can be deployed to the same or different server. Currently, it is suggested that the application is deployed into the same server with Ubisecure SSO. Download the JAR file and on Linux for example, stored place it under

Code Block
/usr/local/ubisecure/ubilogin-sso-adapters/bankid-sweden

...

Note
titleSecuring HTTP connections

Although the application is currently deployed to the same node as Ubisecure SSO, it is suggested to secure the application using HTTPS in order to avoid leaking of sensitive information. This is especially suggested step that allows moving adapters to different servers than Ubisecure SSO. You can refer to Spring Boot Server SSL configuration instructions for more details.

Application configuration properties

The following configuration properties can be set using the configuration prefix:

...

In order to secure the application from unknown unauthorized clients, client authentication is based on OpenID Connect Core chapter 9, Client authentication. Both, the /bc-authorize and /token endpoints are secured. Currently, only private_key_jwt method is supported.

...

PropertyTypeRequiredDefaultDescription
trust-store.pathstringyes
The path to the key store where client public key certificate entries reside
trust-store.typestringnoPKCS12The type of the client key store
trust-store.passwordstringyes
The password of the key store
clientsobject arrayyes
An array of client objects. Each client having its own entry
clients[n].idstringyes
The client_id of the OpenID Connect client
clients[n].key-aliasesstring arrayyes
The aliases of client specific public key certificates stored in the key store denoted by ubisecure.sso.oidc.trust-store. If the client defines the kid JWT header, that is expected to be found in the key store. If the client is not setting kid JWK header, then each alias in this configuration is used to test for a matching key.
Info
titlekey-aliases for Ubisecure SSO

As of Ubisecure SSO 8.4.1 the clients[n].key-aliases entry has to match to the kid published by SSO in its JWKS metadata response. See OAuth 2.0 and OpenID Connect metadata - SSO for more details. 

Example configuration using external directory

...

Code Block
ubisecure:
  sso:
    oidc:
      trust-store:
        path: 'file:certs/client-trust-store'
        password: 'secret'
      clients:
        - id: 'ubisecure-sso'
          key-aliases:
          - 'ubisecure-sso-auth-keyWtrEl8hop6_inC1OK6oTgskR668'
    bankid:
      sweden:
        id-token:
          issuer: 'https://sso-bankid.example.com'
          signing-key-alias: 'id-token-signing-key'
          signing-key-password: 'secret'
        key-store:
          path: 'file:certs/bankid-cacerts'
          password: 'secret'
          authentication-key:
            alias: 'bankid-auth-key'
            password: 'secret'
          server-certificate:
            alias: 'bankid-server-certificate'

...

EndpointSecuredDescription
/oidc/bc-authorizeyesOpenID Connect CIBA backchannel authentication endpoint
/oidc/tokenyesOpenID Connect token endpoint with additional CIBA parameters
/oidc/.well-known/openid-configurationnoOpenID Provider configuration metadata endpoint
/oidc/jwksnoExposes JWKs provided by the service
/v2/api-docsnoSwagger 2.0 schema of the API
/swagger-ui.htmlnoSwagger UI to explore the API
/actuator/healthnoFor health checks. This only checks that the application is up and running. No external requests are made. Health check of the BankID provider is not included
/actuator/infonoFor application version information

...

Assuming that the application is deployed to localhost for Ubisecure SSO to access, the endpoints can be accessed as follows:

EndpointDescription
http(s)://localhost:<port>/oidc/.well-known/openid-configurationOpenID Connect Provider metadata
http(s)://localhost:<port>/oidc/jwksID Token signing keys and issuer metadata

...