eIDAS SAML Attribute Profile Support via WSO2 Identity Server

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the internal market.

You can integrate WSO2 Identity Server with an eIDAS node, and then configure WSO2 Identity Server to support the eIDAS SAML attribute profile.

The following sections walk you through the steps you need to follow to integrate an eIDAS node with WSO2 Identity Server, and configure WSO2 Identity Server to support the eIDAS SAML attribute profile:

Integrating WSO2 Identity Server with an eIDAS node

Do the following configuration change in the eIDAS node:

  • Edit the eidas_Specific.xml file and change it as follows to specify that authentication should be handled by an external IdP:

    <entry key="external.authentication">yes</entry>
    <entry key="idp.url">https://<ISHostname>:<ISPort>/samlsso</entry>
    <!-- For Super Tenant -->
    <entry key="idp.metadata.url">https://<ISHostname>:<ISPort>/identity/metadata/saml2</entry>
    <!-- For Tenant -->
    <entry key="idp.metadata.url">https://<ISHostname>:<ISPort>/identity/t/<tenant_domain>/metadata/saml2</entry>

Adding certificate for assertion encryption

For assertion encryption, you need to use the public certificate of the eIDAS proxy service. WSO2 IS encrypts the assertion with that certificate when it sends the authentication response to the eIDAS proxy service, and the proxy service decrypts the assertion using its own private key.

  • Use the following command to export the public certificate from the eIDAS proxy service keystore in a corresponding eIDAS node:

    keytool -export -alias cpeps-ca-demo-certificate -file eidasCrt.crt -keystore <eIDAS_proxyservice_keystore_location> -storepass local-demo
  • Import the certificate that you exported in the previous step to the WSO2 IS keystore.

    • If the service provider is configured in super tenant, use the following command to import the certificate to the primary keystore configured in the carbon.xml file:

      keytool -import -trustcacerts -alias eidasCrt -file eidasCrt.crt -keystore wso2carbon.jks
    • If the service provider is configured in a tenant, follow the steps below to import the certificate into the tenant keystore using the management console:

      1. Sign in to the management console as the tenant admin.

      2. On the Main tab of the management console, go to Home -> Manage -> Keystores, and click List. This displays all available keystores.

      3. On the list, click Import Cert in the tenant keystore to import the certificate to it.

Obtaining certificate for signature validation of application requests

SAML authentication requests from the eIDAS node are signed using the private key of the eIDAS proxy service. To validate the signature of these SAML authentication requests, you need to use the public certificate of the eIDAS proxy service.

Therefore, as described in the Adding certificate for assertion encryption section, you need to import the certificate of the eIDAS proxy service into the primary keystore or tenant keystore of WSO2 IS.

Adding certificate for signing SAML assertions/responses

To support eIDAS cryptographic requirements, it is required to sign SAML assertions/responses using the Elliptic Curve Digital Signature Algorithm (ECDSA). For that you need to use an ECDSA certificate. Since the default wso2carbon certificate is not an ECDSA certificate, you should create a new ECDSA certificate and import it to the WSO2 IS keystore.

  • If the service provider is configured in super tenant, follow the steps below:

    1. Use the following command to generate an ECDSA key pair (alias ec) in the wso2carbon.jks keystore:

      keytool -genkeypair -alias ec -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keypass wso2carbon -validity 365 -storetype JKS -keystore wso2carbon.jks -storepass wso2carbon
    2. Configure parameters as follows in the <IS_HOME>/repository/conf/carbon.xml file under the <Security> element:

      <KeyStore>
          <!-- Keystore file location-->
          <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
          <!-- Keystore type (JKS/PKCS12 etc.)-->
          <Type>JKS</Type>
          <!-- Keystore password-->
          <Password>wso2carbon</Password>
          <!-- Private Key alias-->
          <KeyAlias>ec</KeyAlias>
          <!-- Private Key password-->
          <KeyPassword>wso2carbon</KeyPassword>
      </KeyStore>

      Here, the certificate CN should be the hostname of WSO2 IS because you use this in the SSL HTTPS handshake.

    3. To use the default wso2carbon certificate for internal encryption purposes, configure the following internal keystore in the <IS_HOME>/repository/conf/carbon.xml file under the <Security> element:

      <InternalKeyStore>
          <!-- Keystore file location-->
          <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
          <!-- Keystore type (JKS/PKCS12 etc.)-->
          <Type>JKS</Type>
          <!-- Keystore password-->
          <Password>wso2carbon</Password>
          <!-- Private Key alias-->
          <KeyAlias>wso2carbon</KeyAlias>
          <!-- Private Key password-->
          <KeyPassword>wso2carbon</KeyPassword>
      </InternalKeyStore>
  • If the service provider is configured in a tenant, create a new tenant keystore and import the ECDSA certificate into it as the public certificate of the tenant keystore (i.e., the certificate alias should be the tenant domain name and the certificate CN should be localhost because you use this in the SSL HTTPS handshake).
    The eIDAS proxy service then validates the SAML response signature using the WSO2 IS public certificate, which it retrieves from the SAML metadata of WSO2 IS via the metadata URL.

    The SAML metadata URL is extracted from the issuer of the SAML response. You can change the WSO2 IS issuer value from management console as follows:

    • If the service provider is configured in the super tenant, specify the Identity Provider Entity Id as follows:

      https://<ISHostname>:<ISPort>/identity/metadata/saml2
    • If the service provider is configured in a tenant, specify the Identity Provider Entity Id as follows:

      https://<ISHostname>:<ISPort>/identity/t/<tenant_domain>/metadata/saml2

    Since the WSO2 IS metadata URL is HTTPS, there will be a SSL handshake. For that, you need to add the WSO2 IS public certificate as a trusted certificate in the truststore of the eIDAS node.

Configuring a sample eIDAS application in WSO2 IS

Follow the steps below to configure the sample application:

  1. Start WSO2 Identity Server and access the Management Console via https://localhost:9443/carbon/.

  2. Navigate to Service Providers ->Add, enter a name for the new service provider and click Register.

  3. Expand the Claim Configuration section.

  4. Add http://eidas.europa.eu/attributes/naturalperson and http://eidas.europa.eu/attributes/legalperson as service provider claim dialects.

  5. Expand Inbound Authentication Configuration, then expand SAML2 Web SSO Configuration, and click Configure.

  6. Provide values as follows:

    1. Issuer: http://<EidasNodeHostname>:<EidasNodePort>/EidasNode/ServiceRequesterMetadata

    2. Assertion Consumer URLs: http://<EidasNodeHostname>:<EidasNodePort>/EidasNode/IdpResponse

    3. Specify the application certificate alias for signature validation and encryption as the value of Certificate Alias.

    4. Configure the Response Signing Algorithm, Response Digest Algorithm, Assertion Encryption Algorithm, and Key Encryption Algorithm as in the diagram below:

    5. Select the following:

      • Enable Response Signing

      • Enable Signature Validation in Authentication Requests and Logout Requests

      • Enable Assertion Encryption.

  7. Click Register. This configures the service provider with the provided SAML2 Web SSO configuration.
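The settings above (issuer equal to the WSO2 IS metadata URL, ECDSA response signing, assertion encryption, and attributes taken from the two eIDAS claim dialects) can be checked offline on a captured SAML Response. The following script is an added example, not part of the WSO2 documentation or product; the two Response documents and the hostname is.example.org:9443 are constructed for illustration, and the script only inspects structure, it does not verify the signature cryptographically.

```python
"""Offline conformance check of a SAML Response against the eIDAS settings described above."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EIDAS_DIALECTS = ("http://eidas.europa.eu/attributes/naturalperson/",
                  "http://eidas.europa.eu/attributes/legalperson/")
ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"  # RFC 4051 URI


def check_response(xml_text, expected_issuer):
    """Return a list of findings; an empty list means the Response matches the profile."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:  # issuer must be the IS metadata URL the node fetches
        findings.append(f"issuer {issuer!r} is not the WSO2 IS metadata URL")
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("response is not signed")
    elif method.get("Algorithm") != ECDSA_SHA256:
        findings.append(f"response signature is {method.get('Algorithm')}, not ECDSA")
    if root.find("saml:EncryptedAssertion", NS) is None:
        findings.append("assertion is not encrypted")
    # Attributes are only visible in a plaintext Assertion; each must come from an eIDAS dialect.
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(EIDAS_DIALECTS):
            findings.append(f"attribute {name!r} is outside the eIDAS claim dialects")
    return findings


# Constructed samples (not real traffic): one conforming Response, one with four deviations.
SAMPLE_GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://is.example.org:9443/identity/metadata/saml2</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:EncryptedAssertion/>
</samlp:Response>"""
SAMPLE_BAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>localhost</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"/>
    <saml:Attribute Name="http://wso2.org/claims/emailaddress"/>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
```

Run check_response on a Response exported from the WSO2 IS SAML logs with the Identity Provider Entity Id you configured as expected_issuer; any finding points at one of the settings in the steps above.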

Testing eIDAS profile support

Consider a sample scenario where a sample service provider is a certificate authority (CA) member state (MS), and the citizen member state is also a CA.
