Configure Identify system setup to support eID messages
After you create a tenant, log in to the Admin site and navigate to the System Setup page, where you need to configure the following settings:
- Sign metadata: set it to “True”.
- SAML 2 Profile: select the eHerkenning profile.
- Security token resolver factory: select the option: “Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2”
- Signing security token sub resolvers: select “Select All”
- Encrypting security token sub resolvers: select “Select All”
Here is the screenshot:
After saving all the changes by clicking the Save button, reset IIS (for example with iisreset) so that the changes take effect.
Create and configure Level of Assurance (LoA)
In this step, you set up the LoA for eHerkenning by using Authentication context method classes (ACMC):
- Go to the System Setup tab > Authentication context method class and create the context classes as described in the link above.
- Saml2 Protocol (DV) connection: set “Default requested authentication context class:” to the desired value. This value has two usages:
  - Identify puts it into the AuthnRequest it sends to the AD when the AuthnRequest from the DV does not specify a requested authentication context.
  - It is also the LoA of the DV in the Service Catalog.
- Saml2 Authentication (AD) connection:
  - Set “Authentication context method class” to the desired LoA.
  - Check “Set RequestedAuthnContext to AuthnRequest” so that Identify includes the LoA in the AuthnRequest it sends to the AD.
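To make the flow above concrete, here is an added illustration (not Safewhere Identify's own code) of how a requested LoA travels from the DV's AuthnRequest to the AuthnRequest the broker sends on to the AD. The eHerkenning assurance-class URIs are the real eToegang identifiers; the issuer and endpoint URLs are placeholders, the inbound DV request is a constructed sample, and the precedence between the DV default and the AD connection's own class is an assumption made for the example, since the steps above do not spell it out.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# eHerkenning assurance-class URIs (eToegang scheme); these are the ACMC values.
LOA2 = "urn:etoegang:core:assurance-class:loa2"
LOA2PLUS = "urn:etoegang:core:assurance-class:loa2plus"
LOA3 = "urn:etoegang:core:assurance-class:loa3"
LOA4 = "urn:etoegang:core:assurance-class:loa4"

# Placeholder endpoints (assumed for this example, not real Identify paths).
IDENTIFY_ISSUER = "https://identify.example.test/saml2"
AD_SSO_URL = "https://ad.example.test/saml2/sso"
IDENTIFY_ACS_URL = "https://identify.example.test/saml2/acs"


def requested_loa(authn_request_xml):
    """Return the AuthnContextClassRef carried by an AuthnRequest, or None when absent."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    if ref is None or not ref.text:
        return None
    return ref.text.strip()


def loa_for_ad(dv_request_xml, dv_default_loa, ad_acmc, set_requested_on_ad):
    """Class to place in the AuthnRequest sent to the AD.

    Assumed precedence: what the DV explicitly asked for, else the DV connection's
    "Default requested authentication context class", else the AD connection's ACMC.
    Nothing is sent unless "Set RequestedAuthnContext to AuthnRequest" is checked.
    """
    if not set_requested_on_ad:
        return None
    return requested_loa(dv_request_xml) or dv_default_loa or ad_acmc


def build_authn_request(issuer, destination, acs_url, loa=None, comparison="minimum"):
    """Serialise an unsigned AuthnRequest (signing is a separate step, not shown)."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    if loa is not None:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = loa
    return ET.tostring(root, encoding="unicode")


def forward_to_ad(dv_request_xml, dv_default_loa, ad_acmc, set_requested_on_ad):
    """Build the outbound AuthnRequest for the AD from the inbound DV request."""
    loa = loa_for_ad(dv_request_xml, dv_default_loa, ad_acmc, set_requested_on_ad)
    return build_authn_request(IDENTIFY_ISSUER, AD_SSO_URL, IDENTIFY_ACS_URL, loa=loa)


# Constructed sample: a DV AuthnRequest that explicitly asks for loa3 ...
DV_REQUEST_WITH_LOA = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_dv1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{IDENTIFY_ISSUER}" AssertionConsumerServiceURL="https://dv.example.test/acs">
  <saml:Issuer>https://dv.example.test/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>{LOA3}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# ... and one that leaves the level to the DV connection's configured default.
DV_REQUEST_WITHOUT_LOA = build_authn_request(
    "https://dv.example.test/saml", IDENTIFY_ISSUER, "https://dv.example.test/acs")

if __name__ == "__main__":
    print(forward_to_ad(DV_REQUEST_WITHOUT_LOA, LOA2PLUS, LOA2, True))
```

Run it and compare the printed AuthnRequest with what you see in a SAML tracer on the way to the AD: if no RequestedAuthnContext appears, the “Set RequestedAuthnContext to AuthnRequest” checkbox on the AD connection is the first thing to verify.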
Create and configure a SAML 2.0 protocol connection for the DV
- Create a new SAML 2.0 protocol connection.
- Import the DV's metadata into the newly created SAML 2.0 protocol connection.
- Open the connection and choose “Eherkenning” for the SAML 2 profile:
Save the connection. After the page is saved and reloaded, it will look like this:
Because eHerkenning requires that assertions are not encrypted, keep the “Do not encryption” option selected for this connection:
Create and configure a SAML 2.0 authentication connection for the AD
- Create a new SAML 2.0 authentication connection.
- Import the AD's metadata into the newly created connection.
- Open the connection and choose “Eherkenning” for the SAML 2 profile: