SuisseID

Steps for your SuisseID

IdP Integration Guide - Technote

Introduction

The SuisseID IDP provides strong authentication and user attribute services. Claims-aware web applications in an Active Directory domain can use these services through Active Directory Federation Services (AD FS) and Windows Identity Foundation (WIF).

This article describes how SuisseID user attributes can be relayed, as claims, into a claims-aware web application.

Prerequisites

The prerequisites comprise the following:

  1. A functional AD FS environment. Instructions are based on AD FS 2.0 on Windows Server 2008 R2 SP1.
  2. A functional SuisseID IDP configuration in AD FS. Configuration of the SuisseID IDP as claims provider in AD FS can be found in the technote on ADFS integration.
  3. Registered Service Provider. Every SAML Service Provider (or relying party) needs to be registered at the SuisseID IDP as an allowed partner. Use the Service Provider registration page.
  4. SuisseIDs. For authentication at the SuisseID IDP, the user must possess a valid SuisseID. For the SuisseID IDP integration platform (typically used by developers), download a test SuisseID and install it in the client browser.

See the Resources section for links to the service provider registration and test certificates.

ADFS: Configuring incoming claims from the SuisseID IDP

Configure the incoming attributes (or claims) delivered by the SuisseID IDP so that AD FS passes them on to downstream applications.

  1. Launch the "AD FS 2.0 Management" Windows application. Select the SuisseID IDP claims provider trust configuration and click "Edit claim rules".
  2. Create a rule to pass through the Email address from the "Pass Through or Filter an Incoming Claim" template.
    [Screenshot: adfs-claims-config-idp-2]
  3. For every attribute that should be passed or transformed, create the corresponding rule.
    [Screenshot: adfs-claims-config-idp-1]

Deploying a claims-aware web application

For test purposes, you can use a claims-aware test application in C#, released under the Apache License Version 2.0. It can be downloaded from http://code.msdn.microsoft.com/Claims-Aware-Web-d94a89ca . In this example, the web application runs on IIS Express (via Visual Studio) on port 44300 and is used as the reference relying party.

Make sure to adapt the Web.config of the web application with the proper federation settings. See the resources section for a sample configuration.

ADFS: Creating the relying party configuration for the claims-aware web application

  1. Launch the "AD FS 2.0 Management" Windows application.
  2. Under AD FS 2.0 -> Trust Relationships -> Relying Party Trusts, add a new relying party trust.
    [Screenshot: adfs-rp-config-0]
  3. Then "Enter relying party manually".
    [Screenshot: adfs-rp-config-1]
  4. Enter the display name, e.g. "MyClaimsAwareWebApplication".
    [Screenshot: adfs-rp-config-2]
  5. Pick the "AD FS 2.0 profile".
    [Screenshot: adfs-rp-config-3]
  6. You do not have to configure an SP signing certificate (unless you provided one during the SP registration process).
    [Screenshot: adfs-rp-config-4]
  7. Enable support for the WS-Federation protocol with the corresponding URL (e.g. https://localhost:44300).
    [Screenshot: adfs-rp-config-5]
  8. You can configure additional identifiers.
    [Screenshot: adfs-rp-config-6]
  9. Configure authorization rules.
    [Screenshot: adfs-rp-config-7]
  10. Almost done.
    [Screenshot: adfs-rp-config-8]
  11. Configuration finished.
    [Screenshot: adfs-rp-config-9]
  12. The new relying party in the AD FS 2.0 console.
    [Screenshot: adfs-rp-config-end]
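The same relying party trust created from the command line, as an added example that is not part of this technote: it uses the AD FS 2.0 PowerShell snap-in and the rule language the wizard generates for "Permit all users" in step 9. The display name and the https://localhost:44300/ endpoint are the values from the steps above; a different application would use its own.

```powershell
# Added example (not from the SuisseID technote): scripts the "Add Relying Party Trust"
# wizard steps above with the AD FS 2.0 PowerShell snap-in (Windows Server 2008 R2).
# Assumption: the claims-aware sample application listens at https://localhost:44300/.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName  = "MyClaimsAwareWebApplication"   # display name, step 4
$rpRealm = "https://localhost:44300/"      # WS-Federation endpoint and identifier, steps 7-8

# Step 9: issuance authorization rule. This is the rule text the wizard writes for the
# "Permit all users" option; without any permit rule AD FS denies every token request.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 6: no SP signing certificate is supplied, matching the wizard walkthrough above.
# Step 5 (AD FS 2.0 profile) is the default for trusts created with this cmdlet.
Add-ADFSRelyingPartyTrust -Name $rpName `
                          -Identifier $rpRealm `
                          -WSFedEndpoint $rpRealm `
                          -IssuanceAuthorizationRules $authRules

# Step 12: confirm what was registered. Identifier must match the audienceUris value
# in the application's Web.config, otherwise WIF rejects the token as wrong audience.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Format-List Name, Identifier, WSFedEndpoint, Enabled, IssuanceAuthorizationRules
```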

Testing Claims via SuisseID IDP (WITHOUT claims mapping)

  1. Access the claims-aware web application with a web browser, e.g. https://localhost:44300/.
  2. You are redirected to the configured claims provider. At the SuisseID IDP you are prompted for the PIN of your SuisseID (or Mobile Service credentials). Upon successful authentication, the SuisseID IDP confirmation page requests user consent. The actual attributes displayed depend on what was requested during Service Provider registration.
    [Screenshot: adfs-rp-test-nomapping-1]
  3. The claims-aware web application displays the received claims. Note that these do not (yet) contain user data. This will be configured in the next section.
    [Screenshot: adfs-rp-test-nomapping-2]

ADFS: Configuring incoming claims for the claims-aware web application

In order to reach the downstream claims-aware web application, the claims (attributes) from the IDP must be passed through AD FS a second time: once accepted on the claims provider trust, they must also be issued on the relying party trust.

  1. Launch the "AD FS 2.0 Management" Windows application.
  2. Under AD FS 2.0 -> Trust Relationships -> Relying Party Trusts, select the relying party configured for the claims-aware web application.
  3. Then "Edit Claim Rules...".
  4. Create a rule to pass through the Email address from the "Pass Through or Filter an Incoming Claim" template.
    [Screenshot: adfs-rp-claims-1]
  5. For every attribute that should be passed or transformed, create the corresponding rule.
    [Screenshot: adfs-rp-claims-2]
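The rules that the two "Edit Claim Rules" dialogs create (this section for the relying party trust, and the earlier "Configuring incoming claims from the SuisseID IDP" section for the claims provider trust), as an added example that is not part of this technote, applied with the AD FS 2.0 PowerShell snap-in. The trust names and the IDP-specific attribute URI in the transform rule are assumptions; the e-mail and givenname claim types are the standard WS-Identity ones.

```powershell
# Added example (not from the SuisseID technote): claim rules for both trusts via PowerShell.
# Assumptions: the claims provider trust is named "SuisseID IDP" and the relying party trust
# "MyClaimsAwareWebApplication"; both names were chosen during setup and are not fixed values.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Acceptance rules on the claims provider trust: what AD FS accepts from the SuisseID IDP.
# Same template as the console's "Pass Through or Filter an Incoming Claim"; the "Value =~"
# filter only lets syntactically valid addresses in, so a malformed value never reaches
# the relying party. Claims with no matching acceptance rule are dropped by AD FS.
$cpRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail from SuisseID IDP"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Value =~ "^[^@\s]+@[^@\s]+\.[^@\s]+$"]
 => issue(claim = c);
'@
Set-ADFSClaimsProviderTrust -TargetName "SuisseID IDP" -AcceptanceTransformRules $cpRules

# Issuance rules on the relying party trust: what AD FS forwards to the web application.
# The second rule is the "Transform an Incoming Claim" template; the incoming type is a
# PLACEHOLDER URI (replace with the attribute type the IDP actually sends), mapped to the
# standard givenname claim type while keeping issuer and value information intact.
$rpRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail to web application"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Map IDP first name to givenname"
c:[Type == "urn:example:placeholder:suisseid:firstname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@
Set-ADFSRelyingPartyTrust -TargetName "MyClaimsAwareWebApplication" -IssuanceTransformRules $rpRules

# Read back both rule sets to confirm what AD FS will actually enforce after the change.
(Get-ADFSClaimsProviderTrust -Name "SuisseID IDP").AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name "MyClaimsAwareWebApplication").IssuanceTransformRules
```

Set-ADFSClaimsProviderTrust and Set-ADFSRelyingPartyTrust replace the whole rule set of the trust, so include every rule you want to keep in the string, not only the new one.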

Testing Claims via SuisseID IDP (WITH claims mapping)

  1. Access the claims-aware web application with a web browser, e.g. https://localhost:44300/.
  2. You are redirected to the configured claims provider. At the SuisseID IDP, proceed with the login and consent to submit user data. Note that the claims-aware web application now receives user-specific attributes.
    [Screenshot: adfs-rp-test-mapping-1]

Resources


<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
    <add key="ValidationSettings:UnobtrusiveValidationMode" value="WebForms" />
    <add key="ida:FederationMetadataLocation" value="https://corp.sp.com/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:ProviderSelection" value="productionSTS" />
    <add key="ida:Issuer" value="https://corp.sp.com/adfs/ls/" />
  </appSettings>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime requestValidationMode="4.5" targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <pages controlRenderingCompatibilityVersion="4.5" />
    <machineKey compatibilityMode="Framework45" />
    <!--Commented out by Identity and Access VS Package-->
    <!--<authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx" timeout="2880" /></authentication>-->
    <profile defaultProvider="DefaultProfileProvider">
      <providers>
        <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
      </providers>
    </profile>
    <membership defaultProvider="DefaultMembershipProvider">
      <providers>
        <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
      </providers>
    </membership>
    <roleManager defaultProvider="DefaultRoleProvider">
      <providers>
        <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
      </providers>
    </roleManager>
    <sessionState mode="InProc" customProvider="DefaultSessionProvider">
      <providers>
        <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
      </providers>
    </sessionState>
  </system.web>
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=aspnet-ClaimsAwareWebApp-20120303011752;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <remove name="FormsAuthentication" />
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://localhost:44300/" />
      </audienceUris>
      <!-- The certificateValidationMode="None" setting is insecure and used only to ease running this sample application. This setting should not be used in production deployments. -->
      <certificateValidation certificateValidationMode="None" />
      <!--Commented by Identity and Access VS Package-->
      <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><trustedIssuers><add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" /></trustedIssuers></issuerNameRegistry>-->
      <!--Commented by Identity and Access VS Package-->
      <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="LocalSTS"><keys><add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" /></keys><validIssuers><add name="LocalSTS" /></validIssuers></authority></issuerNameRegistry>-->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://corp.sp.com/adfs/services/trust">
          <keys>
            <add thumbprint="1198864DB83EB7C22CB36D3828E7130F67215157" />
          </keys>
          <validIssuers>
            <add name="http://corp.sp.com/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="https://corp.sp.com/adfs/ls/" realm="https://localhost:44300/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>

SuisseID is a registered trademark of SwissSign SA.