Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes how to set up certificate filtering for the Personal Mobile and Personal Desktop authentication methods in Digital Access. To do this, you add an extended property in the authentication method.

Expand/Collapse All

Prerequisites

  • The Personal Mobile and Personal Desktop authentication methods are set and enabled in Digital Access. Read more here: Set up Smart ID authentication.
  • A json is defined including the necessary information for the filtering. See examples in this article.

Step-by-step instruction to set up the filter

  1. Log in to Digital Access Admin with an administrator account.
  1. In Digital Access Admin, go to Manage System.
  2. Click Authentication Methods.
  3. Select the Personal Mobile or the Personal Desktop method in the list of Registered Authentication Methods.
  4. Go to the Extended Properties tab.
  5. Click Add Extended Property... 
  6. Select Certificate Filter. The value of this filter shall be a valid json constructed based on the type of filtering you want to achieve. More details about how to create the filter json can be found in the examples in this page.
  7. Click Save.
  8. Click Publish.

About the filter json with examples

Each filter object shall have an op parameter (operation), whose value signifies what type of filter operation it represents. If no operation is specified, the default operation and will be used. 

Logical filter

The logical filter contains a list of operations. The value (value) in a logic filter is a list of more filters.

The logical filter operations are:

  • and
  • or
  • not

Value filter

The value filter contains one parameter (param) (which depends on the operation) and a value (value).

The value filter operations are:

  • eq (Equals)
  • nq (Not Equals)
  • co (Contains)
  • sw (Starts with)
  • ew (Ends with)
  • lt (Less than)
  • gt (Greater than)
  • lte (Less than or equal to)
    'le' is implemented in the mobile apps
  • gte (Greater than or equal to)
    'ge' is implemented in the mobile apps

A simple filter json:

Example: A simple filter that requests a key with ID 'signer'
{
  "op": "eq",
  "param": "cert.issuer.o",
  "value": "Example company"
}

A complex filter json:

Example: A more complex filter
{
  "op":"and",
  "value":[
    {
      "param": "key.id",
      "op":"eq", 
      "value": "signing" 
    },
    {
      "param": "cert.subject.cn", 
      "op":"eq", 
      "value": "Samuel" 
    },
    {
     "op":"or",
     "value":[
       {
        "op":"and",
        "value":[
          {
            "param": "key.type",
            "op":"eq", 
            "value": "RSA" 
                                 },
          {
            "param": "key.size",
            "op":"gte",
            "value":2048
          }
        ]
      },
      {
       "op":"and",
       "value":[
         {
           "param": "key.type",
           "op":"eq",
           "value": "ECC"
         },
         {
           "param": "key.size",
           "op":"gte",
           "value":192
         }
       ]
      }
     ]
    }
  ]
}

Supported request filter parameters

These are the supported request filters in Smart ID Mobile App, Smart ID Desktop App and Personal Desktop Client.

Name:

acronym:

Android:

iOS:

Desktop App:

Desktop Client:

Note

Constructed Filters:




"value" is a list of other filters, "param" is null
ANDand(tick)(tick)(tick)

(tick)


ORor(tick)(tick)(tick)(tick)
NOT (implemented as NOR)not(tick)(tick)(tick)(tick)

No filter is allowed to be true if the evaluation of this filter is true








Value Filters:




"value" is string or number, "param" is one of the strings in the list below
CONTAINSco(tick)(tick)(tick)(tick)only string param value
STARTS WITHsw(tick)(tick)(tick)(tick)only string param value
ENDS WITHew(tick)(tick)(tick)(tick)only string param value
EQUALSeq(tick)(tick)(tick)(tick)string or number supported
NOT EQUALSnq(tick)(tick)(tick)(tick)string or number supported
LESS THANlt(tick)(tick)(tick)(tick)string or number supported
GREATER THANgt(tick)(tick)(tick)(tick)string or number supported
LESS OR EQUALle(tick)(tick)(tick)(tick)string or number supported
GREATER OR EQUALge(tick)(tick)(tick)(tick)string or number supported







Filter Param 'keys':





ISSUER COUNTRYcert.issuer.c(tick)(tick)(tick)(tick)
ISSUER COMMON NAMEcert.issuer.cn(tick)(tick)(tick)(tick)
ISSUER LOCALITYcert.issuer.l(tick)(tick)(tick)(tick)
ISSUER ORGANISATIONcert.issuer.o(tick)(tick)(tick)(tick)
ISSUER ORGANISATIONAL UNITcert.issuer.ou(tick)(tick)(tick)(tick)fixed in android now
ISSUER STATEcert.issuer.st(tick)(tick)(tick)(tick)
ISSUER STATE variantcert.issuer.s(error)(error)(tick)(error)
ISSUER STREETcert.issuer.street(tick)(tick)(tick)(tick)
ISSUER EMAILcert.issuer.email(error)(error)(tick)(error)
ISSUER UIDcert.issuer.uid(error)(error)(tick)(error)
KEY USAGEcert.keyusage(tick)(tick)(tick)(error)Use primarily with contains. We are concatenating all of them into one string
SERIALcert.serial(tick)(tick)(tick)(error)
SUBJECT COUNTRYcert.subject.c(tick)(tick)(tick)(tick)
SUBJECT COMMON NAMEcert.subject.cn(tick)(tick)(tick)(tick)
SUBJECT LOCALITYcert.subject.l(tick)(tick)(tick)(tick)
SUBJECT ORGANISATIONcert.subject.o(tick)(tick)(tick)(tick)
SUBJECT ORG UNITcert.subject.ou(tick)(tick)(tick)(tick)
SUBJECT STATEcert.subject.st(tick)(tick)(tick)(tick)
SUBJECT STATE variantcert.issuer.s(error)(error)(tick)(error)
SUBJECT STREETcert.subject.street(tick)(tick)(tick)(tick)
SUBJECT EMAILcert.subject.email(error)(error)(tick)(error)
SUBEJCT UIDcert.subject.uid(error)(error)(tick)(error)
KEY IDkey.id(tick)(tick)(tick)(tick)
KEY PUBLIC KEYkey.publickey(tick)(tick)(tick)(error)BASE64 encoded DER (no PEM headers or newlines)
KEY SIZEkey.size(tick)(tick)(tick)(tick)
KEY TYPEkey.type(tick)(tick)(tick)(tick)always 'RSA' so far
TOKEN IDtoken.id(tick)(tick)(tick)(tick)Profile ID for Hermod profiles
TOKEN TYPEtoken.type(tick)(tick)(tick)(error)'DIGITAL' and 'NFC' used in mobile. PDA version values: 'Microsoft Platform Crypto Provider', 'MICROSOFT BASE SMART CARD CRYPTO PROVIDER', 'MICROSOFT ENHANCED CRYPTOGRAPHIC PROVIDER V1.0', 'MICROSOFT SOFTWARE KEY STORAGE PROVIDER', 'MICROSOFT PASSPORT KEY STORAGE PROVIDER'
TOKEN USER IDtoken.userid(tick)(tick)(tick)(tick)username tied to the token
TOKEN PROFILE TYPEtoken.profiletype(error)(error)(tick)(error)VSC, SW, PLATFORMTPM, YUBI, HYBRID, FILEP12SW, FILEP12TPM, FILETPMYUBI, LOCALID06, FILEP12VSC


  • No labels