Configure Identify System Setup to Support eID Messages
After you create a tenant, log in to the Admin site and open the System Setup page, where you configure the following settings:
- Sign metadata: Set it to True.
- SAML 2 Profile: Select the eHerkenning profile.
- Security token resolver factory: Select the option: “Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2”.
- Signing security token sub resolvers: Click Select All.
- Encrypting security token sub resolvers: Click Select All.
Here is the screenshot:
After you click Save, reset IIS (for example, by running iisreset from an elevated prompt) so that the changes take effect.
Create and Configure Level of Assurance (LoA)
In this step, you set up the LoA for eHerkenning using Authentication context method classes (ACMC):
- Go to the System Setup tab > Authentication context method class and create the context classes you need, as described in the link above.
- Saml2 Protocol (DV) Connection: Set “Default requested authentication context class” to the desired LoA. This value is used in two ways:
  - Identify puts it in the RequestedAuthnContext of the AuthnRequest it sends to the AD whenever the AuthnRequest received from the DV does not specify one.
  - It is also published as the LoA of the DV in the Service Catalog.
- Saml2 Authentication (AD) Connection:
  - Set “Authentication context method class” to the desired LoA.
  - Check “Set RequestedAuthnContext to AuthnRequest” so that Identify includes the LoA in the AuthnRequest it sends to the AD.
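To make the forwarding rule above concrete, here is an added Python example (example code written for this page, not Safewhere's own implementation) that applies the two settings to an AuthnRequest from the DV: it takes the DV's AuthnContextClassRef when present, otherwise the connection's default, and includes it in the AuthnRequest for the AD only when “Set RequestedAuthnContext to AuthnRequest” is on. The eHerkenning assurance-class URNs used as the configured ACMC set, the Comparison="minimum" attribute, the issuer and destination values, and the two sample requests are assumptions constructed for the example; how Identify combines the DV default with the AD connection's own context class is not modelled beyond what the text states.

```python
# Added example (not Safewhere's code): applies the LoA settings above to a
# DV AuthnRequest and builds the AuthnRequest that would go to the AD.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumption: these are the context classes created under System Setup >
# Authentication context method class (eHerkenning assurance-class URNs).
KNOWN_CLASSES = {
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
}

# Constructed sample requests from the DV: one with, one without RequestedAuthnContext.
DV_REQUEST_WITH_LOA = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_dv1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:dv</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

DV_REQUEST_NO_LOA = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_dv2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:dv</saml:Issuer>
</samlp:AuthnRequest>"""


def requested_class(authn_request_xml):
    """AuthnContextClassRef of an AuthnRequest, or None when it carries no RequestedAuthnContext."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("expected samlp:AuthnRequest")
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    text = (ref.text or "").strip() if ref is not None else ""
    return text or None


def effective_class(dv_request_xml, default_requested_class):
    """The DV's own class if present, otherwise the connection's default; must be a configured ACMC."""
    cls = requested_class(dv_request_xml) or default_requested_class
    if cls not in KNOWN_CLASSES:
        raise ValueError(f"not a configured authentication context class: {cls}")
    return cls


def build_ad_authn_request(dv_request_xml, default_requested_class,
                           set_requested_authn_context, issuer, destination):
    """Build the AuthnRequest for the AD. RequestedAuthnContext is added only when the
    AD connection's "Set RequestedAuthnContext to AuthnRequest" option is on."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    if set_requested_authn_context:
        # Assumption: eHerkenning requests use Comparison="minimum".
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = \
            effective_class(dv_request_xml, default_requested_class)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_ad_authn_request(DV_REQUEST_NO_LOA, "urn:etoegang:core:assurance-class:loa2plus",
                                 True, "urn:example:identify", "https://ad.example/saml/sso"))
```

Rejecting a default that is not one of the created context classes is deliberate: a typo in the “Default requested authentication context class” field would otherwise be forwarded to the AD (and published in the Service Catalog) silently.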
Create and Configure a SAML 2.0 Protocol Connection for the DV
- Create a new SAML 2.0 Protocol Connection.
- Import metadata for the newly created SAML 2.0 Protocol Connection.
- Open the connection and choose eHerkenning for the SAML 2 Profile:
Save the connection. After the page is saved and reloaded, it looks like this:
Because eHerkenning requires that assertions are not encrypted, enable the “Do not encrypt assertions” option:
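As a quick way to confirm the setting took effect, here is an added Python check (example code written for this page, not Safewhere's own code) that inspects a SAML Response bound for the DV: it flags a saml:EncryptedAssertion, confirms a plaintext saml:Assertion is present, and, optionally, reports an AuthnContextClassRef below the LoA you configured for the DV. The two sample responses and the low-to-high ordering of the eHerkenning assurance classes are constructed assumptions.

```python
# Added example (not Safewhere's code): checks a SAML Response bound for the DV
# for an encrypted assertion and, optionally, for an LoA below the one configured.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Assumption: eHerkenning assurance classes ordered from lowest to highest.
LOA_ORDER = [
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
]

_RESPONSE_HEAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:identify</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
"""

# Constructed sample: the shape expected with "Do not encrypt assertions" enabled.
PLAIN_RESPONSE = _RESPONSE_HEAD + """  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example:identify</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the shape you get when the option is left off (ciphertext is a placeholder).
ENCRYPTED_RESPONSE = _RESPONSE_HEAD + """  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def assertion_context_class(response_xml):
    """AuthnContextClassRef from the plaintext assertion's AuthnStatement, or None."""
    root = ET.fromstring(response_xml)
    ref = root.find("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    text = (ref.text or "").strip() if ref is not None else ""
    return text or None


def check_dv_response(response_xml, minimum_class=None):
    """Return a list of problems; an empty list means the response matches the eHerkenning setup."""
    if minimum_class is not None and minimum_class not in LOA_ORDER:
        raise ValueError(f"unknown minimum class: {minimum_class}")
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    problems = []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append('EncryptedAssertion present: enable "Do not encrypt assertions" on the DV connection')
    if root.find("saml:Assertion", NS) is None:
        problems.append("no plaintext saml:Assertion in the response")
        return problems
    cls = assertion_context_class(response_xml)
    if cls is None:
        problems.append("assertion carries no AuthnContextClassRef")
    elif cls not in LOA_ORDER:
        problems.append(f"unknown authentication context class: {cls}")
    elif minimum_class is not None and LOA_ORDER.index(cls) < LOA_ORDER.index(minimum_class):
        problems.append(f"assertion LoA {cls} is below the configured {minimum_class}")
    return problems


if __name__ == "__main__":
    for name, xml in (("plain", PLAIN_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        print(name, check_dv_response(xml, "urn:etoegang:core:assurance-class:loa3") or "OK")
```

Run it against a response captured from a test login (for example, the decoded SAMLResponse form field) rather than against the samples; the check deliberately does not decrypt anything, because the whole point of the setting is that there is nothing to decrypt.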
Create and Configure a SAML 2.0 Authentication Connection for the AD
- Create a new SAML 2.0 Authentication Connection.
- Import metadata to the newly created connection.
- Open the connection and choose eHerkenning for the SAML 2 Profile.