Up-party - Connect NemLog-in3 (Danish IdP) with SAML 2.0
FoxIDs can be connected to NemLog-in3 with a SAML 2.0 up-party, where NemLog-in3 is the SAML 2.0 Identity Provider (IdP) and FoxIDs acts as the SAML 2.0 Relying Party (RP) / Service Provider (SP).
NemLog-in3 is a Danish Identity Provider (IdP) which uses the SAML 2.0 based OIOSAML 3 profile. FoxIDs supports NemLog-in3 / OIOSAML 3, including the required logging, issuer naming and certificates, and it is possible to support NSIS assurance levels.
NemLog-in3 beta test environment:
- Guide https://www.nemlog-in.dk/vejledningertiltestmiljo
- Create your service provider https://testportal.test-devtest4-nemlog-in.dk/TU
- The administration https://administration.devtest4-nemlog-in.dk/
- FOCES test certificate https://www.nemlog-in.dk/media/fvshwrp0/serviceprovider.p12, password:
NemLog-in3 test and production environment:
- Test portal https://test-nemlog-in.dk/testportal/, where you can find the NemLog-in3 IdP metadata for test and production.
A sample showing the NemLog-in3 integration is configured in FoxIDs test-corp with the up-party name nemlogin_saml. The configuration uses a separate track where the NemLog-in3 integration is configured.
You can test NemLog-in3 login with the AspNetCoreOidcAuthorizationCodeSample sample application by clicking OIDC NemLog-in Log in.
Consider separate track
NemLog-in3 requires the Relying Party (RP) to use an OCES certificate and a high level of logging. Therefore, consider connecting NemLog-in3 in a separate track where the OCES certificate and log level can be configured without affecting any other configuration.
Two FoxIDs tracks can be connected with OpenID Connect. Please see the connect FoxIDs with OpenID Connect guide. The track with an up-party connected to NemLog-in3 is called the parallel FoxIDs track in that guide.
In addition to the guide:
- Remove the default created login up-party in the parallel track
- Add the JWT claims mapped from SAML 2.0 claims to the OpenID Connect up-parties and down-parties
NemLog-in3 requires all requests (authn and logout) from the Relying Party (RP) to be signed. Furthermore, NemLog-in3 requires the RP to sign with an OCES certificate. It is not possible to use a certificate issued by another certificate authority, a self-signed certificate or a certificate issued by FoxIDs.
An OCES certificate is valid for three years, after which it has to be renewed manually.
The .P12 OCES certificate file is added as the primary certificate in the track.
It is subsequently possible to add a secondary certificate and to swap between the primary and secondary certificates.
Configuring NemLog-in 3 as Identity Provider (IdP)
The following configuration description is made from a track called test-nemlogin. The required OCES certificate is pre-configured.
You need to configure the OCES certificate before following this configuration.
1 - Start by creating your service provider in NemLog-in3, if you do not already have one
- Go to https://testportal.test-devtest4-nemlog-in.dk/TU
- Select whether the service provider type should be public or private
- Create your service provider
2 - Then create an IT system in NemLog-in3 for the FoxIDs up-party
- Go to https://administration.devtest4-nemlog-in.dk/, select IT system provider and then Add new IT system
- Create the IT system
- Grant someone else or yourself access
- Log in with the account you granted access (if you granted yourself access, log out and log in again to get access)
- Click on the IT system you just created
- Download the NemLog-in metadata. The metadata file is used to configure the FoxIDs SAML 2.0 up-party in the next step.
3 - Then create a SAML 2.0 up-party in FoxIDs Control Client
- Add the name
- Select show advanced settings
- Select the dot URL binding pattern
- Set the session lifetime to 1800 (30 minutes)
- Disable automatic update
- Click Read metadata from file and select the NemLog-in metadata
- Configure a custom SP issuer, the issuer is required to start with
- The issuer in this example
- Configure claims, the following claims are most often used:
- In production only! Set certificate validation mode to Chain trust and revocation mode to
- Select to include the encryption certificate in metadata
- Set the NameID format in metadata to
- Add an attribute consuming service in metadata and add the service name.
- Add all the claims configured in step 8 as requested attributes with the format urn:oasis:names:tc:SAML:2.0:attrname-format:uri. Optionally set each attribute as required.
- Add at least one technical contact person
- Click create
- Re-open the SAML 2.0 up-party you just created
- Download the SAML 2.0 up-party metadata. The metadata file is used to configure the NemLog-in IT system.
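The metadata produced in step 3 carries the settings NemLog-in3 reads: the SP issuer (entityID), the NameID format, an attribute consuming service with the requested attributes in uri format, and a technical contact. The following Python script, added here as an example and not part of FoxIDs or NemLog-in, builds such a metadata document with the standard library and checks a document against those requirements before it is uploaded. The issuer prefix, the attribute names (following OIOSAML 3 naming), the NameID format, the ACS URL and the contact address are assumptions for the example; use the values you configured in the up-party.

```python
# Added example (not FoxIDs code): build the SP metadata elements that the
# NemLog-in3 IT system reads, and check a metadata document against the
# requirements listed above. Uses only the standard library.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_NS = "http://www.w3.org/XML/1998/namespace"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)

# Constructed sample values. The issuer prefix and the attribute names are
# assumptions for this example: use the prefix NemLog-in3 requires and the
# claims you configured in the up-party (the names below follow OIOSAML 3).
ISSUER_PREFIX = "https://saml.example.test/"
SP_ISSUER = ISSUER_PREFIX + "test-nemlogin"
REQUESTED_ATTRIBUTES = [  # (attribute name, required)
    ("https://data.gov.dk/model/core/specVersion", True),
    ("https://data.gov.dk/concept/core/nsis/loa", True),
    ("https://data.gov.dk/model/core/eid/fullName", False),
]


def build_sp_metadata(entity_id, acs_url, nameid_format, service_name,
                      attributes, contact_email):
    """Return SP metadata XML with signed requests, a NameID format, an
    AttributeConsumingService with uri-format requested attributes and a
    technical contact person."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root, f"{{{MD}}}SPSSODescriptor",
        AuthnRequestsSigned="true", WantAssertionsSigned="true",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = nameid_format
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0")
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="0")
    ET.SubElement(acs, f"{{{MD}}}ServiceName",
                  {f"{{{XML_NS}}}lang": "en"}).text = service_name
    for name, required in attributes:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name=name,
                      NameFormat=URI_FORMAT,
                      isRequired="true" if required else "false")
    contact = ET.SubElement(root, f"{{{MD}}}ContactPerson",
                            contactType="technical")
    ET.SubElement(contact, f"{{{MD}}}EmailAddress").text = contact_email
    return ET.tostring(root, encoding="unicode")


def check_sp_metadata(xml_text, issuer_prefix, expected_attributes):
    """Return a list of findings; an empty list means the document passes."""
    findings = []
    root = ET.fromstring(xml_text)
    if not (root.get("entityID") or "").startswith(issuer_prefix):
        findings.append("entityID does not start with the required issuer prefix")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return findings + ["no SPSSODescriptor"]
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append("AuthnRequestsSigned must be true (all requests are signed)")
    if sp.find(f"{{{MD}}}NameIDFormat") is None:
        findings.append("no NameIDFormat")
    if sp.find(f"{{{MD}}}AttributeConsumingService/{{{MD}}}ServiceName") is None:
        findings.append("AttributeConsumingService without ServiceName")
    requested = {a.get("Name"): a for a in sp.iter(f"{{{MD}}}RequestedAttribute")}
    for name in expected_attributes:
        attr = requested.get(name)
        if attr is None:
            findings.append(f"missing RequestedAttribute {name}")
        elif attr.get("NameFormat") != URI_FORMAT:
            findings.append(f"RequestedAttribute {name} is not in uri format")
    if root.find(f"{{{MD}}}ContactPerson[@contactType='technical']") is None:
        findings.append("no technical contact person")
    return findings


def sample_metadata():
    """Metadata built from the constructed sample values above."""
    return build_sp_metadata(
        SP_ISSUER, SP_ISSUER + "/acs",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "Example service", REQUESTED_ATTRIBUTES, "tech@example.test")


if __name__ == "__main__":
    xml = sample_metadata()
    print(xml)
    print("findings:", check_sp_metadata(
        xml, ISSUER_PREFIX, [n for n, _ in REQUESTED_ATTRIBUTES]))
```

The checker is also useful on the metadata you download from FoxIDs in the last step: run it with the issuer prefix NemLog-in3 requires and the claim list from step 8, and any finding points at a setting to correct before uploading to the IT system.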
4 - Then go to the IT system you created in NemLog-in3
- Click upload metadata file and upload the SAML 2.0 up-party metadata file
- Click apply for integration test (two times)
5 - Add SAML 2.0 claim to JWT claim mappings in FoxIDs Control Client
FoxIDs internally converts SAML 2.0 claims to JWT claims. NemLog-in3 / OIOSAML 3 defines a set of SAML 2.0 claims for which JWT mappings need to be added.
- Go to settings and claim mappings
- Add mappings for all the claims configured in step 3.8
- Click update
You are done. The SAML 2.0 up-party can now be used as an up-party for down-parties in the track.
A down-party will only issue the claims added to it.
Therefore, remember to add the JWT claims to OpenID Connect down-parties and the SAML 2.0 claims to SAML 2.0 down-parties.
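To make the two rules above concrete (SAML 2.0 claims are converted to JWT claims through a mapping table, and a down-party only issues the claims added to it), here is a Python example added to this page; it is not FoxIDs code and does not reproduce FoxIDs' internal conversion. It reads the AttributeStatement of a constructed, unsigned sample assertion, applies an assumed mapping table (SAML names following OIOSAML 3, JWT names chosen for the example) and filters the result down to what a down-party has been given.

```python
# Added example (not FoxIDs code): read the AttributeStatement of a SAML 2.0
# assertion, map the OIOSAML attribute names to JWT claim names with a mapping
# table, and only issue the claims a down-party has added. Standard library only.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed mapping table: the SAML names follow OIOSAML 3, the JWT names are
# chosen for this example and would be whatever you configured in FoxIDs.
SAML_TO_JWT = {
    "https://data.gov.dk/model/core/specVersion": "spec_version",
    "https://data.gov.dk/concept/core/nsis/loa": "nsis_loa",
    "https://data.gov.dk/model/core/eid/fullName": "name",
}

# Constructed sample assertion (unsigned, placeholder issuer and values).
# A real assertion is only processed after its signature has been validated.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/placeholder</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://data.gov.dk/model/core/specVersion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>OIO-SAML-3.0</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://data.gov.dk/concept/core/nsis/loa"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Substantial</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://data.gov.dk/model/core/eid/fullName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Test Person</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:unmapped-attribute"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>dropped</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_jwt_claims(saml_attrs, mapping):
    """Apply the SAML-to-JWT mapping table.

    Returns (claims, unmapped): attributes without a mapping are not silently
    renamed but reported, so a missing mapping (step 5 above) is visible."""
    claims, unmapped = {}, []
    for name, values in saml_attrs.items():
        jwt_name = mapping.get(name)
        if jwt_name is None:
            unmapped.append(name)
            continue
        claims[jwt_name] = values[0] if len(values) == 1 else values
    return claims, unmapped


def issue_for_down_party(claims, allowed_claims):
    """Mirror the rule that a down-party only issues the claims added to it."""
    return {k: v for k, v in claims.items() if k in allowed_claims}


if __name__ == "__main__":
    claims, unmapped = map_to_jwt_claims(saml_attributes(SAMPLE_ASSERTION), SAML_TO_JWT)
    print("JWT claims:", claims)
    print("SAML attributes without a mapping:", unmapped)
    print("Issued to a down-party with only name and nsis_loa added:",
          issue_for_down_party(claims, {"name", "nsis_loa"}))
```

The unmapped list is the useful diagnostic: if NemLog-in3 returns an attribute you configured in step 8 but forgot in step 5, it shows up there instead of vanishing from the token.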
NemLog-in requires requests and responses to be logged, including the signature proof. It is also required to log which identity has logged in and out of which session, at what time, and from which IP address.
By default, FoxIDs logs errors and events, including the time and the IP address.
You can configure which logs are sent to the Application Insights instance that is part of the FoxIDs installation, or to an external repository via a log stream.
The required log level is configured in the FoxIDs log settings:
- log info trace
- log claims trace
- log message trace
Request authentication context
You can request a desired NSIS assurance level as an authn context class reference.
Possible NSIS assurance levels:
You can likewise specify ID type as an authn context class reference.
Possible ID types:
And possible credential types:
If you need to provide different sets of authn context class references, you need to create multiple SAML 2.0 up-parties connected to NemLog-in as different IT systems.
E.g., if you need to support step-up authentication, you would create one SAML 2.0 up-party with authn context class reference
https://data.gov.dk/concept/core/nsis/loa/Substantial and another SAML 2.0 up-party with authn context class reference
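The step-up case above has two halves: the up-party sends the requested class reference in its AuthnRequest, and the relying side must check the level NemLog-in actually asserted before treating the session as stepped up. The Python below is an example added to this page, not FoxIDs or NemLog-in code. It assumes the NSIS levels Low, Substantial and High in that order (the page's own list of levels did not survive extraction), an exact comparison in RequestedAuthnContext, and up-party names of its own for each level.

```python
# Added example (not FoxIDs code): build the RequestedAuthnContext element an
# up-party would send for a given NSIS level, read the level NemLog-in asserted,
# and decide whether a session satisfies the level a resource requires.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

NSIS_LOA_PREFIX = "https://data.gov.dk/concept/core/nsis/loa/"
# Assumed NSIS assurance levels, lowest first.
NSIS_ORDER = ["Low", "Substantial", "High"]

# Assumed up-party names: one up-party per level, each connected to NemLog-in3
# as its own IT system, as the text above describes.
UP_PARTY_FOR_LEVEL = {
    "Low": "nemlogin_saml_low",
    "Substantial": "nemlogin_saml_substantial",
    "High": "nemlogin_saml_high",
}


def requested_authn_context_xml(level, comparison="exact"):
    """RequestedAuthnContext for an AuthnRequest (comparison is an assumption)."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = NSIS_LOA_PREFIX + level
    return ET.tostring(rac, encoding="unicode")


def asserted_level(assertion_xml):
    """Return the NSIS level from AuthnContextClassRef, or None if absent/unknown.
    Run this only on an assertion whose signature has already been validated."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    if ref is None or not (ref.text or "").startswith(NSIS_LOA_PREFIX):
        return None
    level = ref.text[len(NSIS_LOA_PREFIX):]
    return level if level in NSIS_ORDER else None


def satisfies(current_level, required_level):
    """True when the current level is at least the required one.
    Unknown levels never satisfy anything (fail closed)."""
    if current_level not in NSIS_ORDER or required_level not in NSIS_ORDER:
        return False
    return NSIS_ORDER.index(current_level) >= NSIS_ORDER.index(required_level)


def step_up_target(current_level, required_level):
    """Name of the up-party to send the user to, or None if no step-up is needed."""
    if satisfies(current_level, required_level):
        return None
    return UP_PARTY_FOR_LEVEL[required_level]


def sample_assertion(level):
    """Constructed, unsigned assertion carrying only the AuthnStatement we need."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/placeholder</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{NSIS_LOA_PREFIX}{level}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print(requested_authn_context_xml("Substantial"))
    current = asserted_level(sample_assertion("Low"))
    print("asserted:", current, "-> step up via:", step_up_target(current, "Substantial"))
```

The point of `satisfies` is that a session authenticated at High also covers a resource that needs Substantial, while a Low session or an assertion with an unrecognised class reference never does; the decision is made on the asserted level, not on what was requested.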