...
As discussed in Swedish BankID - SSO, before acting as a BankID Relying Party one has to obtain the CA root certificate for communicating with the BankID service provider, as well as the client authentication certificate.
SSO
...
BankID Adapter
Installing
The SSO CIBA BankID Adapter, used with Swedish BankID, is a standalone application which is deployed alongside Ubisecure SSO. It can be deployed to the same server or to a different one. Currently, it is suggested that the adapter be deployed on the same server as Ubisecure SSO. Download the JAR file and, on Linux for example, place it under
...
Note |
---|
Although the adapter is currently deployed to the same node as Ubisecure SSO (install on one node only if in HP), it is suggested that you secure the adapter by configuring it to use HTTPS, to avoid exposing sensitive information. This step allows the adapter to be moved to a different server than Ubisecure SSO. Refer to the Spring Boot Server SSL configuration instructions for more details. |
Adapter configuration properties
The following configuration properties can be set using the configuration prefix:
...
Keys are stored in base64-encoded PKCS12 keystores in the ubiloginPKCS12 attribute of the ubiloginKeyCredential objects.
The DNs for the ubiloginKeyCredential objects used by the server can be found in the ubiloginKeyCredentialDN attribute values of the cn=Server,ou=System,cn=Ubilogin,<LDAP suffix> entry.
After adding the certificates to the trust store, modify the application configuration to include the new kid in the clients[n].key-aliases list.
...
Endpoint | Secured | Description |
---|---|---|
/oidc/bc-authorize | yes | OpenID Connect CIBA backchannel authentication endpoint |
/oidc/token | yes | OpenID Connect token endpoint with additional CIBA parameters |
/oidc/.well-known/openid-configuration | no | OpenID Provider configuration metadata endpoint |
/oidc/jwks | no | Exposes JWKs provided by the service |
/ v3/api-device/authorize | yes | BankID device authentication endpoint |
/device/token | yes | BankID device token endpoint with specific BankID parameters |
/device/.well-known/oauth2-configuration | no | BankID provider configuration metadata endpoint |
/v3/api-docs | no | Swagger 3.0.1 schema of the API |
/swagger-ui/ | no | Swagger UI to explore the API |
/actuator/health | no | For health checks. This only checks that the adapter is up and running. No external requests are made. A health check of the BankID provider is not included. |
/actuator/info | no | For adapter version information |
...
See OpenID Connect CIBA authentication method for more details on how to configure Swedish BankID as an external authentication method to Ubisecure SSO.
See Swedish BankID method for more details on how to configure Swedish BankID as a same device flow external authentication method to Ubisecure SSO.
Obtaining OpenID Connect Provider metadata for SSO Backchannel Authentication Adapter method configuration
...
Endpoint | Description |
---|---|
http(s)://localhost:<port>/oidc/.well-known/openid-configuration | OpenID Connect Provider metadata |
http(s)://localhost:<port>/oidc/jwks | ID Token signing keys and issuer metadata |
http(s)://localhost:<port>/device/.well-known/oauth2-configuration | Swedish BankID provider metadata |
An example OpenID Connect Provider metadata response:
...
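Before the adapter's metadata is used in the SSO method configuration, it is worth confirming that every advertised endpoint is HTTPS, sits on the adapter's own host, and uses the path listed in the endpoint table above. The Python check below is an added example, not part of the Ubisecure documentation or the adapter. It assumes the metadata uses the standard OIDC Discovery and CIBA field names; the host adapter.example.test:8443 and both sample documents are constructed.

```python
import json
from urllib.parse import urlsplit

# Standard metadata field -> adapter path from the endpoint table on this page.
# Field names come from OIDC Discovery and the CIBA spec; that the adapter
# publishes exactly these fields is an assumption of this example.
EXPECTED_PATHS = {
    "backchannel_authentication_endpoint": "/oidc/bc-authorize",
    "token_endpoint": "/oidc/token",
    "jwks_uri": "/oidc/jwks",
}

def audit_metadata(raw_json, expected_origin):
    """Return a list of findings; an empty list means nothing was flagged."""
    meta = json.loads(raw_json)
    want = urlsplit(expected_origin)
    findings = []
    for field in ("issuer", *EXPECTED_PATHS):
        value = meta.get(field)
        if not isinstance(value, str) or not value:
            findings.append(f"{field}: missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":  # plaintext would expose tokens in transit
            findings.append(f"{field}: not HTTPS ({value})")
        if url.netloc.lower() != want.netloc.lower():
            findings.append(f"{field}: host {url.netloc} is not {want.netloc}")
        path = EXPECTED_PATHS.get(field)  # issuer has no fixed path here
        if path and url.path != path:
            findings.append(f"{field}: path {url.path} is not {path}")
    return findings

# Constructed sample documents (not captured from a real adapter).
GOOD = json.dumps({
    "issuer": "https://adapter.example.test:8443/oidc",
    "backchannel_authentication_endpoint": "https://adapter.example.test:8443/oidc/bc-authorize",
    "token_endpoint": "https://adapter.example.test:8443/oidc/token",
    "jwks_uri": "https://adapter.example.test:8443/oidc/jwks",
})
BAD = json.dumps({
    "issuer": "http://localhost:8080/oidc",
    "token_endpoint": "http://localhost:8080/oidc/token",
    "jwks_uri": "https://adapter.example.test:8443/jwks",
})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_metadata(doc, "https://adapter.example.test:8443") or "ok")
```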