SuisseID

Steps for your SuisseID

IdP Integration Guide - Technote

Introduction

The SuisseID IDP provides strong authentication and user attribute services. Claims-aware web applications in a Microsoft Active Directory domain can use these services through Active Directory Federation Services (AD FS) and Windows Identity Foundation.

This article describes how to add the SuisseID IDP as a claims provider to an AD FS environment.

Prerequisites

The prerequisites comprise the following:

  1. A functional AD FS environment. Instructions in this article are based on AD FS 2.0 on Windows Server 2008 R2 SP1.
  2. Registered Service Provider. Every SAML Service Provider (or relying party) needs to be registered at the SuisseID IDP as an allowed partner. Use the Service Provider registration page.
  3. SuisseIDs. For authentication at the SuisseID IDP, the user must possess a valid SuisseID. For the SuisseID IDP integration platform (typically used by developers), download a test SuisseID and install it in the client browser.

See the Resources section for links to the service provider registration and test certificates.

ADFS: Configuring SuisseID IDP as Claims Provider - Manually

Initially we examine the step-by-step configuration of the ADFS claims provider before we look at the slightly quicker process via the IDP Metadata. We assume the hostname of the machine running ADFS to be corp.sp.com.

  1. Launch the "AD FS 2.0 Management" Windows application.
  2. Under AD FS 2.0 -> Trust Relationships -> Claims Provider Trusts, add a new claims provider trust.
  3. Then choose "Enter claims provider trust data manually".
  4. Enter the display name, e.g. "SuisseID IDP (Production)".
  5. Pick the "AD FS 2.0 profile", as the SuisseID IDP is a SAML2 compliant identity provider.
  6. Set the IDP's SAML SSO endpoint:
     IDP Integration: https://idp.suisseid-idp.signdemo.com/suisseid/SSOPOST/metaAlias/suisseid/idp_v15
     IDP Production: https://idp.suisseid-idp.ch/suisseid/SSOPOST/metaAlias/suisseid/idp_v15
  7. Set the claims provider trust identifier:
     IDP Integration: https://idp.suisseid-idp.signdemo.com/suisseid_v15
     IDP Production: https://idp.suisseid-idp.ch/suisseid_v15
  8. Add the SuisseID IDP assertion signer certificate. The certificate can be downloaded from the IDP documentation resources area (see the Resources section below).
  9. Complete the configuration.
  10. The initial configuration is now finished.
  11. First update to the configuration: click the newly created claims provider, go to the "Endpoints" tab and set the binding for the SSO endpoint to POST.
  12. Second update to the configuration: click the newly created claims provider, go to the "Advanced" tab and set the "Secure hash algorithm" to SHA-1.

ADFS: Configuring SuisseID IDP as Claims Provider - via Metadata

It is also possible to configure the AD FS claims provider from the published IDP metadata:

IDP Integration https://idp.suisseid-idp.signdemo.com/idp.suisseid-idp.signdemo.com_v15-meta.xml
IDP Production https://idp.suisseid-idp.ch/idp.suisseid-idp.ch_v15-meta.xml

It is mandatory in a subsequent step to manually set the "Secure Hash Algorithm" to SHA-1.
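For administrators who prefer scripting the manual and metadata-based steps above, the same trust can be created and then adjusted from PowerShell. This is an added example and not part of the SuisseID technote; it assumes the AD FS 2.0 PowerShell snap-in on the federation server, administrator rights, and uses a placeholder for the signer certificate thumbprint, which must be taken from the certificate downloaded from the Resources area.

```powershell
# Added example (not from the SuisseID technote): create the SuisseID IDP claims
# provider trust on AD FS 2.0 from the published metadata, then apply the two
# follow-up changes the guide requires (POST binding for SSO, SHA-1 signatures),
# and verify the result before testing with IdpInitiatedSignon.aspx.
# Assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) and admin rights.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$name        = 'SuisseID IDP (Production)'
$metadataUrl = 'https://idp.suisseid-idp.ch/idp.suisseid-idp.ch_v15-meta.xml'
$ssoUrl      = 'https://idp.suisseid-idp.ch/suisseid/SSOPOST/metaAlias/suisseid/idp_v15'
# Placeholder: replace with the thumbprint of the assertion signer certificate
# downloaded from the IDP documentation resources area.
$expectedThumbprint = 'REPLACE-WITH-SIGNER-CERT-THUMBPRINT'

# 1. Create the trust from the IDP metadata (the "via Metadata" path).
if (-not (Get-ADFSClaimsProviderTrust -Name $name)) {
    Add-ADFSClaimsProviderTrust -Name $name -MetadataUrl $metadataUrl
}

# 2. Force the SSO endpoint to the POST binding the IDP expects.
$endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLSingleSignOn -Uri $ssoUrl
Set-ADFSClaimsProviderTrust -TargetName $name -SamlEndpoint $endpoint

# 3. Mandatory manual step from the guide: secure hash algorithm SHA-1.
Set-ADFSClaimsProviderTrust -TargetName $name `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# 4. Read the trust back and check identifier, binding, algorithm and signer.
$trust  = Get-ADFSClaimsProviderTrust -Name $name
$sso    = $trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLSingleSignOn' }
$thumbs = $trust.TokenSigningCertificates | ForEach-Object { $_.Thumbprint }

"Identifier : $($trust.Identifier)"
"SSO binding: $($sso.Binding) -> $($sso.Location)"
"Signature  : $($trust.SignatureAlgorithm)"
"Signer(s)  : $($thumbs -join ', ')"

if ($sso.Binding -ne 'POST') {
    Write-Warning 'SSO endpoint is not using the POST binding.'
}
if ($thumbs -notcontains $expectedThumbprint) {
    Write-Warning 'Token signing certificate does not match the published signer certificate.'
}
```

The final thumbprint check is the part worth keeping in any automation: a trust whose signer certificate silently differs from the one published by the IDP would accept assertions from the wrong key.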

Testing Authentication via SuisseID IDP

Authentication via the SuisseID IDP can be tested via an AD FS application at the URL https://<ADFS_FQDN>/adfs/ls/IdpInitiatedSignon.aspx; we assume the ADFS hostname to be corp.sp.com.

  1. Point a browser to the above URL, for example https://corp.sp.com/adfs/ls/IdpInitiatedSignon.aspx, and select "Sign in to this site".
  2. Select the previously configured SuisseID IDP (Production) as the server to log in with.
  3. You are redirected to the SuisseID IDP and required to log in with a valid SuisseID or the corresponding Mobile Service credentials.
  4. Upon successful authentication at the SuisseID IDP, you are redirected back to the test application, which states "You are signed in.".

Resources


SuisseID is a registered trademark of SwissSign SA.