
This configuration example is tested with SSO 8.4.0 and CustomerID 5.4.0

In this example we use the Suomi.fi authentication portal, which offers eIDAS authentication as one of its options. We also want to configure user driven federation (UDF) to Ubisecure CustomerID so that users can link their eIDAS identity with an existing account in CustomerID.

...

  1. Set up the Suomi.fi authentication method
    • Enable the authentication method for CustomerID
  2. Set up UDF for SSO login
  3. Set up UDF for CustomerID registration
    • Configure the authorization policy
    • Create the suomiUsers group, add the workflow as an allowed application and Suomi.fi as an allowed method for the group
    • Edit eidm2.properties and protection.properties (registration and protection configuration) to enable UDF in CustomerID registration

Details of required configuration:

  1. Authentication method settings. Note the SAML NameID Policy (set to X509SubjectName) and the Compatibility flag, which must be set.

...

3. UDF configuration is done following the User driven federation - CustomerID documentation. Listing 6 needs to have ubiloginServiceInputParameter modified as below. Suomi.fi sends either PersonIdentifier for eIDAS authentications or urn:oid:1.2.246.21 (the Finnish personal identity code, hetu) for other authentication methods. The expression below links the account regardless of which of the two is returned from Suomi.fi: it tests PersonIdentifier first and falls back to the hetu attribute only when PersonIdentifier is empty.

Listing 6
dn: cn=44a5a6c3-706e-419f-adf8-d31f182bcffa,cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: ubiloginServiceUserMappingEntry
objectClass: ubiloginServiceReference
objectClass: top
ubiloginServiceDN: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
ubiloginServiceInputParameter: subject ${method['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'].isEmpty() ? nameID.format('hetu').nameQualifier('tupas.group').spNameQualifier('tupas.group').spProvidedID(method['urn:oid:1.2.246.21']).value(method['urn:oid:1.2.246.21']) : nameID.format('PersonIdentifier').nameQualifier('eidas.group').spNameQualifier('eidas.group').spProvidedID(method['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier']).value(method['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'])}

...

The above configuration will only enable UDF linking and logging in if the user already has a CustomerID account, which must be separately linked during the first authentication with the eIDAS method. In the following section we look at how CustomerID should be configured to automatically set up eIDAS authentication for a registered user.

CustomerID registration configuration

Edit the authorization policy settings in SSO Management for the workflow application which handles authentication to the registration functions, as described in the following steps.

1. Open the workflow application

2. Configure the group. Set NameID value to the same expression used in Listing 6:

"${method['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'].isEmpty() ? nameID.format('hetu').nameQualifier('tupas.group').spNameQualifier('tupas.group').spProvidedID(method['urn:oid:1.2.246.21']).value(method['urn:oid:1.2.246.21']) : nameID.format('PersonIdentifier').nameQualifier('eidas.group').spNameQualifier('eidas.group').spProvidedID(method['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier']).value(method['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'])}"

3. Add the method and group as allowed for the workflow
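The NameID expression used in Listing 6 and again in the authorization policy above decides, per login, which Suomi.fi attribute becomes the linking key and which format and qualifiers are attached to it. The following is an added example, written for this page and not code from Ubisecure SSO or CustomerID: it models that branching in Python so the two paths can be exercised offline and the resulting SAML NameID inspected. The dictionary-of-lists input, the treatment of an empty string as isEmpty(), and the refusal to link when neither attribute is present are assumptions of this model (the page's expression does not say what SSO does in that last case); the attribute names, format strings and qualifier values are the ones from the page. The sample identifiers are constructed, not real Suomi.fi data.

```python
from __future__ import annotations
from dataclasses import dataclass
from xml.sax.saxutils import escape, quoteattr

# Attribute names exactly as used in the ubiloginServiceInputParameter expression.
EIDAS_PID = "http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"
HETU_OID = "urn:oid:1.2.246.21"


@dataclass(frozen=True)
class NameID:
    """The five fields the expression sets on nameID."""
    format: str
    name_qualifier: str
    sp_name_qualifier: str
    sp_provided_id: str
    value: str

    def to_saml(self) -> str:
        # Render as a SAML 2.0 NameID element (attribute names from saml-core).
        return (
            f"<saml:NameID Format={quoteattr(self.format)} "
            f"NameQualifier={quoteattr(self.name_qualifier)} "
            f"SPNameQualifier={quoteattr(self.sp_name_qualifier)} "
            f"SPProvidedID={quoteattr(self.sp_provided_id)}>"
            f"{escape(self.value)}</saml:NameID>"
        )


def _first_nonempty(method_attrs: dict[str, list[str]], name: str) -> str | None:
    # Assumption: method['x'] is modelled as a list of values; isEmpty() is true
    # when the attribute is absent or carries only empty strings.
    values = [v for v in method_attrs.get(name, []) if v]
    return values[0] if values else None


def build_nameid(method_attrs: dict[str, list[str]]) -> NameID:
    """Python mirror of the ternary in the page's expression.

    PersonIdentifier present  -> format 'PersonIdentifier', qualifiers 'eidas.group'
    PersonIdentifier empty    -> format 'hetu', qualifiers 'tupas.group', from urn:oid:1.2.246.21
    """
    pid = _first_nonempty(method_attrs, EIDAS_PID)
    if pid is None:
        hetu = _first_nonempty(method_attrs, HETU_OID)
        if hetu is None:
            # Assumption of this model, not behaviour stated on the page: never
            # emit a NameID with an empty value, since it could link an account
            # to "nothing" and match any other empty identifier later.
            raise ValueError("Suomi.fi returned neither PersonIdentifier nor hetu")
        return NameID("hetu", "tupas.group", "tupas.group", hetu, hetu)
    return NameID("PersonIdentifier", "eidas.group", "eidas.group", pid, pid)


def linkable(method_attrs: dict[str, list[str]]) -> bool:
    """True if the attribute set yields a usable linking key."""
    try:
        build_nameid(method_attrs)
        return True
    except ValueError:
        return False


# Constructed sample attribute sets (not real identities).
SAMPLE_EIDAS = {EIDAS_PID: ["SE/FI/199001019999"]}
SAMPLE_HETU = {HETU_OID: ["010190-999A"]}
SAMPLE_EMPTY_PID = {EIDAS_PID: [""], HETU_OID: ["010190-999A"]}

if __name__ == "__main__":
    for attrs in (SAMPLE_EIDAS, SAMPLE_HETU, SAMPLE_EMPTY_PID):
        print(build_nameid(attrs).to_saml())
    print("linkable with no attributes:", linkable({}))
```

Two points worth noting from running it. First, the eIDAS and hetu linking keys live in different namespaces: even if a PersonIdentifier and a hetu ever had the same text, the differing Format and NameQualifier keep them from matching the same CustomerID account, so the branch taken determines which federated identity gets linked. Second, an empty-string PersonIdentifier takes the hetu branch, so an eIDAS response that carries the attribute with no value silently becomes a hetu login if a hetu is also present; that is what the page's expression implies through isEmpty(), and the reason the model raises rather than linking when both are missing.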

...