...
Updating an existing IdP installation and configuration
Download the
...
German ID card login handler
Code Block |
---|
# Pre-compiled:
cd $IDP_INSTALL_DIR/lib
wget <<URL will be available shortly>> |
...
General settings
Enable the nPA German ID card login servlet in web.xml by adding the following
snippet (replace every placeholder value with your own key paths, passwords,
identifier and URLs):
Code Block |
---|
<!-- Servlet for doing nPA German ID card authentication -->
<servlet>
    <servlet-name>NPAAuthHandler</servlet-name>
    <servlet-class>com.securedimensions.shibboleth.idp.authn.provider.NPAAuthServlet</servlet-class>
    <init-param>
        <param-name>nPASigningKeyPath</param-name>
        <param-value>path to the private key that should be used for signing the AuthnRequest</param-value>
    </init-param>
    <init-param>
        <param-name>nPASigningKeyPassword</param-name>
        <param-value>password for the private key above</param-value>
    </init-param>
    <init-param>
        <param-name>nPAEncryptionCrtPath</param-name>
        <param-value>path to the certificate (containing the public key) for encrypting the AuthnRequest nPA extension</param-value>
    </init-param>
    <init-param>
        <param-name>nPASignatureCrtPath</param-name>
        <param-value>path to the certificate (containing the public key) for verifying the digital signature on the received Assertion</param-value>
    </init-param>
    <init-param>
        <param-name>nPADecryptionKeyPath</param-name>
        <param-value>path to the private key used for decrypting the (encrypted) Assertion received</param-value>
    </init-param>
    <init-param>
        <param-name>nPADecryptionKeyPassword</param-name>
        <param-value>password for the private key above</param-value>
    </init-param>
    <init-param>
        <param-name>nPAIdentifier</param-name>
        <param-value>The identifier as a "Diensteanbieter"</param-value>
    </init-param>
    <init-param>
        <param-name>nPADestination</param-name>
        <param-value>The eID-Service URL endpoint provided by the Bundesdruckerei</param-value>
    </init-param>
    <init-param>
        <param-name>nPAACSUrl</param-name>
        <param-value>https://<your server name/>/idp/Authn/nPA</param-value>
    </init-param>
    <!-- nPA Attributes to be requested -->
</servlet>
<servlet-mapping>
    <servlet-name>NPAAuthHandler</servlet-name>
    <url-pattern>/Authn/nPA</url-pattern>
</servlet-mapping> |
...
You need to tell the nPA Login Handler which nPA attributes to request. This is
done by adding them to the servlet as further init-param elements (at the
"nPA Attributes to be requested" comment in the snippet above). The param-name
is the name of the attribute to request and must match exactly (case-sensitive)
the definition provided by the Bundesdruckerei (available to "Diensteanbieter").
The param-value states whether the attribute is required (true) or optional
(false). The following example configures the Login Handler to request the
attribute "GivenNames" as optional and "FamilyNames" as required:
...
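The servlet block above has several settings that fail silently when they are wrong: an ACS URL that the eID-Service cannot post back to, an attribute flag that is not literally true or false, or a plain-http endpoint. The following is an added example (not code from the original page or from the Secure Dimensions module) of a small linter for that web.xml section. It assumes the IdP runs under the default /idp context path, and treats every init-param that is not one of the nPA* settings listed above as an attribute request flag. The embedded web.xml is constructed for the example, with made-up host names and key paths.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SERVLET_NAME = "NPAAuthHandler"
IDP_CONTEXT_PATH = "/idp"  # assumption: the IdP's default context path

# The nPA* settings documented in the web.xml snippet above; any other
# init-param is taken to be an attribute request flag (true/false).
REQUIRED_PARAMS = {
    "nPASigningKeyPath", "nPASigningKeyPassword", "nPAEncryptionCrtPath",
    "nPASignatureCrtPath", "nPADecryptionKeyPath", "nPADecryptionKeyPassword",
    "nPAIdentifier", "nPADestination", "nPAACSUrl",
}
URL_PARAMS = {"nPADestination", "nPAACSUrl"}


def _children(elem, name):
    """Child elements by local name (web.xml normally carries a namespace)."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def check_npa_servlet(web_xml):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    root = ET.fromstring(web_xml)
    servlets = [s for s in _children(root, "servlet")
                if _text(s, "servlet-name") == SERVLET_NAME]
    if not servlets:
        return [f"no <servlet> named {SERVLET_NAME}"]
    params = {_text(p, "param-name"): _text(p, "param-value")
              for p in _children(servlets[0], "init-param")}

    for name in sorted(REQUIRED_PARAMS - params.keys()):
        findings.append(f"missing init-param {name}")

    # The SAML messages are signed/encrypted, but the transport must still
    # be TLS: an http:// ACS URL would have the Assertion posted in the clear.
    for name in sorted(URL_PARAMS & params.keys()):
        if urlparse(params[name]).scheme != "https":
            findings.append(f"{name} must be an https URL, got {params[name]!r}")

    # The ACS URL handed to the eID-Service must resolve to this servlet:
    # context path + url-pattern, compared case-sensitively like a servlet path.
    patterns = [_text(m, "url-pattern") for m in _children(root, "servlet-mapping")
                if _text(m, "servlet-name") == SERVLET_NAME]
    if not patterns:
        findings.append(f"no <servlet-mapping> for {SERVLET_NAME}")
    elif "nPAACSUrl" in params:
        acs_path = urlparse(params["nPAACSUrl"]).path
        if acs_path not in {IDP_CONTEXT_PATH + p for p in patterns}:
            findings.append(f"nPAACSUrl path {acs_path!r} is not served by {patterns}")

    # Attribute request flags: the value must be exactly "true" or "false".
    for name, value in params.items():
        if name not in REQUIRED_PARAMS and value not in ("true", "false"):
            findings.append(f"attribute flag {name} must be 'true' or 'false', got {value!r}")
    return findings


# Constructed sample (made-up host names and paths) with three deliberate
# mistakes: a plain-http ACS URL, an ACS path whose case does not match the
# url-pattern, and an attribute flag that is neither true nor false.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>NPAAuthHandler</servlet-name>
    <servlet-class>com.securedimensions.shibboleth.idp.authn.provider.NPAAuthServlet</servlet-class>
    <init-param><param-name>nPASigningKeyPath</param-name><param-value>/opt/idp/credentials/npa-sign.key</param-value></init-param>
    <init-param><param-name>nPASigningKeyPassword</param-name><param-value>changeit</param-value></init-param>
    <init-param><param-name>nPAEncryptionCrtPath</param-name><param-value>/opt/idp/credentials/eid-enc.crt</param-value></init-param>
    <init-param><param-name>nPASignatureCrtPath</param-name><param-value>/opt/idp/credentials/eid-sig.crt</param-value></init-param>
    <init-param><param-name>nPADecryptionKeyPath</param-name><param-value>/opt/idp/credentials/npa-dec.key</param-value></init-param>
    <init-param><param-name>nPADecryptionKeyPassword</param-name><param-value>changeit</param-value></init-param>
    <init-param><param-name>nPAIdentifier</param-name><param-value>example-diensteanbieter</param-value></init-param>
    <init-param><param-name>nPADestination</param-name><param-value>https://eid-service.example.invalid/eID</param-value></init-param>
    <init-param><param-name>nPAACSUrl</param-name><param-value>http://idp.example.org/idp/Authn/npa</param-value></init-param>
    <init-param><param-name>GivenNames</param-name><param-value>optional</param-value></init-param>
    <init-param><param-name>FamilyNames</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>NPAAuthHandler</servlet-name>
    <url-pattern>/Authn/nPA</url-pattern>
  </servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    for finding in check_npa_servlet(SAMPLE_WEB_XML):
        print(finding)
```

Run it against the real web.xml by passing the file contents to check_npa_servlet; the sample above yields three findings, and fixing the ACS URL to https with the exact /idp/Authn/nPA path and setting GivenNames to false brings it to zero.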
Also in $IDP_CONFIG_DIR/handler.xml, add the nPA German ID card Login Handler
(the npa prefix must be bound to the login handler's XML namespace on the root
element of handler.xml, which the excerpt below does not show):
Code Block |
---|
<!-- ... -->
<!-- Login Handlers -->
<!-- nPA Login Handler -->
<LoginHandler xsi:type="npa:NPAUser" nPAServletPath="/Authn/nPA">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>
<!-- ... --> |
nPAServletPath must match the servlet-mapping url-pattern in web.xml. With the
authentication method set to unspecified, relying parties cannot tell an ID-card
login apart from any other handler advertising that class; if an SP is expected
to insist on nPA authentication, advertise a distinct authentication context
class here instead.
...
In $IDP_CONFIG_DIR/attribute-resolver.xml, add the configuration for the nPA German ID card data connector:
Code Block |
---|
<!-- nPA Data Connector --> <resolver:DataConnector id="AttributesDataConnector" xsi:type="AttributeLookup" xmlns="urn:com:securedimensions:npa:resolver"/> |
...
In $IDP_CONFIG_DIR/attribute-filter.xml, enable each nPA German ID card attribute that shall be released. For example, to release the FamilyNames attribute to anyone (fine for testing; in production, scope the release to the relying parties that actually need ID-card data):
...
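As an added example (not from the original page or the Secure Dimensions module), here is the attribute-resolver.xml definition that turns the data connector's FamilyNames value into a releasable IdP attribute, followed by two attribute-filter.xml policies: the "release to anyone" variant described above, and a tighter variant that releases only to one named SP. It assumes Shibboleth IdP 2.x configuration syntax with the stock ad:, enc:, afp: and basic: namespace prefixes declared on the file roots, that the nPA data connector exposes the requested attribute under the source attribute ID FamilyNames, and that the SAML encoding (the standard sn OID is used here) and the SP entityID https://portal.example.org/shibboleth are placeholders to replace.

```xml
<!-- attribute-resolver.xml: pull FamilyNames out of the nPA data connector.
     sourceAttributeID is assumed to be the eID attribute name; the encoder
     mapping to sn / urn:oid:2.5.4.4 is a placeholder choice. -->
<resolver:AttributeDefinition id="FamilyNames" xsi:type="ad:Simple"
                              sourceAttributeID="FamilyNames">
    <resolver:Dependency ref="AttributesDataConnector" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: the "release to anyone" variant from the text -->
<afp:AttributeFilterPolicy id="releaseFamilyNamesToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="FamilyNames">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- attribute-filter.xml: tighter variant, ID-card data only to one SP
     (entityID is a placeholder) -->
<afp:AttributeFilterPolicy id="releaseFamilyNamesToPortal">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://portal.example.org/shibboleth" />
    <afp:AttributeRule attributeID="FamilyNames">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Keep only one of the two policies in a real deployment: the ANY rule makes the named-SP rule irrelevant, since the IdP releases an attribute if any policy permits it.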
Limitations in the current version
Querying Capabilities
The eID-Service German ID card interface supports the construction of queries:
...