Protected CustomerID workflows


This configuration example is tested with SSO 8.3.0 and CustomerID 5.3.0

In this configuration example we show how to use an external authentication service to verify user identities for CustomerID workflows. We show two examples:

  • New user registration
  • Additional identity verification for an existing user

Related product documentation:

Self-registration workflow configuration - CustomerID

Protection URL configuration - CustomerID

Prerequisites

An external authentication method and a group configured in SSO. In this example we use method telia.ftn.1 and group FTN Users.

The external authentication method configured in the CustomerID configuration file eidm2.properties:

eidm2.properties
methods.protected = password.2, telia.ftn.1


Example 1: New user registration

This configuration example shows how to on-board a new user based on external authentication and how to pass user attributes from the authentication service to the CustomerID workflow.

Step 1. Create a workflow without authentication

Add the following workflow configuration to eidm2.properties. Instead of nr. 1, select the next unused registration number.

eidm2.properties
registration.1 = newuser
registration.1.enabled = true
registration.1.protection.configuration = 
registration.1.protectiononly = false
registration.1.inviteonly = false
registration.1.newuseronly = true
registration.1.email.confirmation = false
registration.1.approval = false
registration.1.mobile.confirmation = false
registration.1.methods = [ { "name" : "password.2", "mandatory" : "true", "visible" : "false", "default" : "true" } ]
registration.1.userinfo.fields = firstname, surname, email, mobile, ssn, password
registration.1.userinfo.optional = mobile, ssn
#registration.1.userinfo.disabled = ssn
registration.1.summary.enabled = true
registration.1.summary.fields = login, firstname, surname, email, mobile
registration.1.temporary.fields = ssn
registration.1.organizations = [ { "path" : "Users" } ]

Restart Wildfly and test the workflow at an address like https://login.example.com/eidm2/wf/register/newuser. Make sure it works and that you can register a new user successfully.

Step 2. Add authentication

Change the workflow configuration as follows:

eidm2.properties
registration.1.protection.configuration = 1
registration.1.protectiononly = true
registration.1.userinfo.disabled = ssn

Add the authentication configuration to the file protection.properties. Instead of nr. 1, use the first unused number.

protection.properties
protection.1.methods = telia.ftn.1
protection.1.sso.template = default
protection.1.continue = https://login.example.com/eidm2/wf/register/newuser
protection.1.customeriduseronly = false

On the SSO management UI, add the authentication method and the group for the CustomerID workflow application.

Restart Wildfly and test the workflow at an address like https://login.example.com/eidm2/wf/protection/1. You should be able to authenticate with the authentication service and be transferred to the CustomerID workflow, but the user attributes should not yet be populated.

Step 3. Configure SSO Authorization Policy

Next we configure the Authorization Policy for the CustomerID workflow (workflow.policy) to pass user attributes from the authentication service to the workflow. We want to get attributes firstname, surname and ssn defined in the workflow configuration. We need to know the claim names used by the authentication service for these attributes. In our example these are as follows:

Attribute   Claim name
firstname   urn:oid:1.2.246.575.1.14
surname     urn:oid:2.5.4.4
ssn         urn:oid:1.2.246.21

On the SSO management UI, open workflow.policy: eIDM Services → Authorization Policies → workflow.policy. On the Attributes tab, add the attributes user.firstname and user.surname, and add a value to the attribute user.ssn as follows:

Name             Value
user.firstname   method:urn:oid:1.2.246.575.1.14
user.surname     method:urn:oid:2.5.4.4
user.ssn         method:urn:oid:1.2.246.21

Note that the attribute name after the prefix "user." must match the workflow definition in eidm2.properties:

eidm2.properties
registration.1.userinfo.fields = firstname, surname, email, mobile, ssn, password


Now test the workflow again; you should see the configured attributes populated with values received from the authentication service.


Example 2: Verify existing user

In this configuration example we verify the identity of an existing user and add a role indicating that the user identity has been verified. The user might originally have used self-service registration without verification, or the user account might have been migrated from an old user directory.

Create a workflow configuration and protection configuration as follows.

eidm2.properties
registration.2 = verifieduser
registration.2.enabled = true
registration.2.protection.configuration = 2
registration.2.verification.protection.configuration = 3
registration.2.protectiononly = true
registration.2.inviteonly = false
registration.2.newuseronly = false
registration.2.email.confirmation = false
registration.2.approval = false
registration.2.mobile.confirmation = false
registration.2.userinfo.fields = firstname, surname, email, mobile, ssn
registration.2.userinfo.optional = mobile
registration.2.userinfo.disabled = ssn
registration.2.summary.enabled = false
registration.2.roles = [ "Users/verified_user" ]


protection.properties
protection.2.methods = password.2
protection.2.sso.template = default
protection.2.continue = https://login.example.com/eidm2/wf/register/verifieduser
protection.2.customeriduseronly = true


protection.3.methods = telia.ftn.1
protection.3.sso.template = default
protection.3.continue = 
protection.3.customeriduseronly = false

Restart Wildfly and test the workflow at an address like https://login.example.com/eidm2/wf/protection/2.

As the first step, authenticate at the configured authentication service, and then complete the workflow. Verify that the user gets assigned the defined role verified_user.
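The two examples above depend on three configuration sources agreeing with each other: the registration entries in eidm2.properties, the protection entries in protection.properties, and the user.* attribute names on workflow.policy. The following added example (written for this page, not part of CustomerID or SSO) parses constructed fragments built from the values above and reports the cross-reference mismatches that would leave a protected workflow pointing at a missing protection, using a method that is not in methods.protected, returning to the wrong workflow, or waiting for a disabled field that no policy attribute supplies.

```python
# Constructed sample: the two protected workflows described on this page.
EIDM2 = """
methods.protected = password.2, telia.ftn.1
registration.1 = newuser
registration.1.protection.configuration = 1
registration.1.userinfo.disabled = ssn
registration.2 = verifieduser
registration.2.protection.configuration = 2
registration.2.verification.protection.configuration = 3
registration.2.userinfo.disabled = ssn
"""
PROTECTION = """
protection.1.methods = telia.ftn.1
protection.1.continue = https://login.example.com/eidm2/wf/register/newuser
protection.2.methods = password.2
protection.2.continue = https://login.example.com/eidm2/wf/register/verifieduser
protection.3.methods = telia.ftn.1
protection.3.continue =
"""
# Attribute names defined on workflow.policy (constructed, as in Step 3 above).
POLICY_ATTRS = {"user.firstname", "user.surname", "user.ssn"}

def parse_props(text):
    """Minimal .properties reader: 'key = value' lines; '#' comment lines are skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def csv(value):
    return [x.strip() for x in value.split(",") if x.strip()]

def check(eidm2_text, protection_text, policy_attrs):
    """Return a list of findings; an empty list means the three sources agree."""
    e, p, out = parse_props(eidm2_text), parse_props(protection_text), []
    protected = set(csv(e.get("methods.protected", "")))
    workflows = [(k, v) for k, v in e.items() if k.startswith("registration.") and k.count(".") == 1]
    for key, wf in workflows:
        base = key + "."
        refs = [(s, e[base + s]) for s in ("protection.configuration", "verification.protection.configuration") if e.get(base + s)]
        for suffix, ref in refs:
            methods = csv(p.get(f"protection.{ref}.methods", ""))
            if not methods:
                out.append(f"{wf}: {suffix} = {ref} but protection.{ref}.methods is not defined")
            out += [f"{wf}: {m} is not listed in methods.protected" for m in methods if m not in protected]
            # the primary protection must hand the authenticated user back to this workflow
            if suffix == "protection.configuration" and not p.get(f"protection.{ref}.continue", "").endswith(f"/wf/register/{wf}"):
                out.append(f"{wf}: protection.{ref}.continue does not return to /wf/register/{wf}")
        # a field disabled in the form (ssn on this page) is expected to come from the policy's user.<field> mapping
        out += [f"{wf}: {f} is disabled but workflow.policy defines no user.{f}"
                for f in csv(e.get(base + "userinfo.disabled", "")) if f"user.{f}" not in policy_attrs]
    return out
```

Run `check` against your own eidm2.properties and protection.properties contents before restarting Wildfly; an empty result means every referenced protection exists, uses a protected method and continues back to the workflow that references it.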