This configuration example is tested with SSO 8.3.0 and CustomerID 5.3.0

In this configuration example we show how to use an external authentication service to verify user identities for CustomerID workflows. We show two examples:

New user registration
Additional identity verification for an existing user

Related product documentation:

Self-registration workflow configuration - CustomerID

Protection URL configuration - CustomerID

Prerequisites

An external authentication method and a group configured in SSO. In this example we use method telia.ftn.1 and group FTN Users.

The external authentication method configured n CustomerID configuration file eidm2.properties:

eidm2.properties

methods.protected = password.2, telia.ftn.1

Example 1: New user registration

This configuration example shows how to on-board a new user based on external authentication and how to pass user attributes from the authentication service to CustomerID workflow.

Step 1. Create a workflow without authentication

Add following workflow configuration to eidm2.properties. Instead of nr. 1 select the next unused registration number.

eidm2.properties

registration.1 = newuser
registration.1.enabled = true
registration.1.protection.configuration = 
registration.1.protectiononly = false
registration.1.inviteonly = false
registration.1.newuseronly = true
registration.1.email.confirmation = false
registration.1.approval = false
registration.1.mobile.confirmation = false
registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
registration.1.userinfo.fields = firstname, surname, email, mobile, ssn, password
registration.1.userinfo.optional = mobile, ssn
#registration.1.userinfo.disabled = ssn
registration.1.summary.enabled = true
registration.1.summary.fields = login, firstname, surname, email, mobile
registration.1.temporary.fields = ssn
registration.1.organizations = [ { "path" : "Users" } ]

Restart Wildfly and test the workflow in address like https://login.example.com/eidm2/wf/register/newuser. Make sure it works and you can register a new user successfully.

Step 2. Add authentication

Change the workflow configuration as follows:

eidm2.properties

registration.1.protection.configuration = 1
registration.1.protectiononly = true
registration.1.userinfo.disabled = ssn

Add the authentication configuration to file protection.properties. Instead of nr. 1 please use the first unused number.

protection.properties

protection.1.methods = telia.ftn.1
protection.1.sso.template = default
protection.1.continue = https://login.example.com/eidm2/wf/register/newuser
protection.1.customeriduseronly = false

On SSO management UI add the authentication method and the group for the CustomerID workflow application:

Restart Wildfly and test the workflow at address like https://login.example.com/eidm2/wf/protection/1. You should be able to authenticate in the authentication service and be transferred to the CustomerID workflow, but the user attributes should not be populated.

Step 3. Configure SSO Authorizaton Policy

Next we configure the Authorization Policy for the CustomerID workflow (workflow.policy) to pass user attributes from the authentication service to the workflow. We want to get attributes firstname, surname and ssn defined in the workflow configuration. We need to know the claim names used by the authentication service for these attributes. In our example these are as follows:

firstname	urn:oid:1.2.246.575.1.14
surname	urn:oid:2.5.4.4
ssn	urn:oid:1.2.246.21

On SSO management UI open workflow.policy: eIDM Services → Authorization Policies → workflow.policy. On Attributes tab add attributes user.firstname and user.surname, and add value to attrubute user.ssn as follows:

Name	Value
user.firstname	method:urn:oid:1.2.246.575.1.14
user.surname	method:urn:oid:2.5.4.4
user.ssn	method:urn:oid:1.2.246.21

Note that the attribute name after the prefix "user." must match the workflow definition in eidm2.properties:

eism2.properties

registration.1.userinfo.fields = firstname, surname, email, mobile, ssn, password

Now test the workflow again and you should see the configured attributes populated with values received from the authentication service:

Example 2: Verify existing user

In this configuration example we verify the identity of an existing user and add a role indicating the the user identity has been verified. The user might originally have used self-service registration without verification, or the user account might have been migrated from an old user directory.

Create a workflow configuration and protection configuration as follows.

eidm2.properties

registration.2 = verifieduser
registration.2.enabled = true
registration.2.protection.configuration = 2
registration.2.verification.protection.configuration = 3
registration.2.protectiononly = true
registration.2.inviteonly = false
registration.2.newuseronly = false
registration.2.email.confirmation = false
registration.2.approval = false
registration.2.mobile.confirmation = false
registration.2.userinfo.fields = firstname, surname, email, mobile, ssn
registration.2.userinfo.optional = mobile
registration.2.userinfo.disabled = ssn
registration.2.summary.enabled = false
registration.2.roles = [ "Users/verified_user" ]

protection.properties

protection.2.methods = password.2
protection.2.sso.template = default
protection.2.continue = https://login.example.com/eidm2/wf/register/verifieduser
protection.2.customeriduseronly = true


protection.3.methods = telia.ftn.1
protection.3.sso.template = default
protection.3.continue = 
protection.3.customeriduseronly = false

Restart Wildfly and test the workflow on address like https://login.example.com/eidm2/wf/protection/2

As the first step, authenticate at the configured authentication service, and then complete the workflow. Verify that the user gets assigned the defined role verified_user.

Browser not supported