Skip to main content
Skip table of contents

Certificate filtering for Smart ID authentication

This article describes how to set up certificate filtering for the Personal Mobile and Personal Desktop authentication methods in Digital Access. To do this, you add an extended property in the authentication method.

Prerequisites
  • The Personal Mobile and Personal Desktop authentication methods are set and enabled in Digital Access. Read more here: Set up Smart ID authentication.

  • A json is defined including the necessary information for the filtering. See examples in this article.

Step-by-step instruction to set up the filter

Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.

Edit the Personal Mobile or the Personal Desktop authentication method
  1. In Digital Access Admin, go to Manage System.

  2. Click Authentication Methods.

  3. Select the Personal Mobile or the Personal Desktop method in the list of Registered Authentication Methods.

  4. Go to the Extended Properties tab.

  5. Click Add Extended Property... 

  6. Select Certificate Filter. The value of this filter shall be a valid json constructed based on the type of filtering you want to achieve. More details about how to create the filter json can be found in the examples in this page.

  7. Click Save.

  8. Click Publish.

About the filter json with examples

Filter objects

Each filter object shall have an op parameter (operation), whose value signifies what type of filter operation it represents. If no operation is specified, the default operation and will be used. 

Logical filter

The logical filter contains a list of operations. The value (value) in a logic filter is a list of more filters.

The logical filter operations are:

  • and

  • or

  • not

Value filter

The value filter contains one parameter (param) (which depends on the operation) and a value (value).

The value filter operations are:

  • eq (Equals)

  • nq (Not Equals)

  • co (Contains)

  • sw (Starts with)

  • ew (Ends with)

  • lt (Less than)

  • gt (Greater than)

  • lte (Less than or equal to)
    'le' is implemented in the mobile apps

  • gte (Greater than or equal to)
    'ge' is implemented in the mobile apps


Examples of a filter json

A simple filter json:

Example: A simple filter that requests a key with ID 'signer'
JS
{
  "op": "eq",
  "param": "cert.issuer.o",
  "value": "Example company"
}

A complex filter json:

Example: A more complex filter
JS
{
  "op":"and",
  "value":[
    {
      "param": "key.id",
      "op":"eq", 
      "value": "signing" 
    },
    {
      "param": "cert.subject.cn", 
      "op":"eq", 
      "value": "Samuel" 
    },
    {
     "op":"or",
     "value":[
       {
        "op":"and",
        "value":[
          {
            "param": "key.type",
            "op":"eq", 
            "value": "RSA" 
                                 },
          {
            "param": "key.size",
            "op":"gte",
            "value":2048
          }
        ]
      },
      {
       "op":"and",
       "value":[
         {
           "param": "key.type",
           "op":"eq",
           "value": "ECC"
         },
         {
           "param": "key.size",
           "op":"gte",
           "value":192
         }
       ]
      }
     ]
    }
  ]
}


Supported request filter parameters

Supported request filter parameters

These are the supported request filters in Smart ID Mobile App, Smart ID Desktop App and Personal Desktop Client.

Name:

acronym:

Android:

iOS:

Desktop App:

Desktop Client:

Note

Constructed Filters:






"value" is a list of other filters, "param" is null

AND

and

(tick)

(tick)

(tick)

(tick)


OR

or

(tick)

(tick)

(tick)

(tick)


NOT (implemented as NOR)

not

(tick)

(tick)

(tick)

(tick)

No filter is allowed to be true if the evaluation of this filter is true








Value Filters:






"value" is string or number, "param" is one of the strings in the list below

CONTAINS

co

(tick)

(tick)

(tick)

(tick)

only string param value

STARTS WITH

sw

(tick)

(tick)

(tick)

(tick)

only string param value

ENDS WITH

ew

(tick)

(tick)

(tick)

(tick)

only string param value

EQUALS

eq

(tick)

(tick)

(tick)

(tick)

string or number supported

NOT EQUALS

nq

(tick)

(tick)

(tick)

(tick)

string or number supported

LESS THAN

lt

(tick)

(tick)

(tick)

(tick)

string or number supported

GREATER THAN

gt

(tick)

(tick)

(tick)

(tick)

string or number supported

LESS OR EQUAL

le

(tick)

(tick)

(tick)

(tick)

string or number supported

GREATER OR EQUAL

ge

(tick)

(tick)

(tick)

(tick)

string or number supported








Filter Param 'keys':







ISSUER COUNTRY

cert.issuer.c

(tick)

(tick)

(tick)

(tick)


ISSUER COMMON NAME

cert.issuer.cn

(tick)

(tick)

(tick)

(tick)


ISSUER LOCALITY

cert.issuer.l

(tick)

(tick)

(tick)

(tick)


ISSUER ORGANISATION

cert.issuer.o

(tick)

(tick)

(tick)

(tick)


ISSUER ORGANISATIONAL UNIT

cert.issuer.ou

(tick)

(tick)

(tick)

(tick)

fixed in android now

ISSUER STATE

cert.issuer.st

(tick)

(tick)

(tick)

(tick)


ISSUER STATE variant

cert.issuer.s

(error)

(error)

(tick)

(error)


ISSUER STREET

cert.issuer.street

(tick)

(tick)

(tick)

(tick)


ISSUER EMAIL

cert.issuer.email

(error)

(error)

(tick)

(error)


ISSUER UID

cert.issuer.uid

(error)

(error)

(tick)

(error)


KEY USAGE

cert.keyusage

(tick)

(tick)

(tick)

(error)

Use primarily with contains. We are concatenating all of them into one string

SERIAL

cert.serial

(tick)

(tick)

(tick)

(error)


SUBJECT COUNTRY

cert.subject.c

(tick)

(tick)

(tick)

(tick)


SUBJECT COMMON NAME

cert.subject.cn

(tick)

(tick)

(tick)

(tick)


SUBJECT LOCALITY

cert.subject.l

(tick)

(tick)

(tick)

(tick)


SUBJECT ORGANISATION

cert.subject.o

(tick)

(tick)

(tick)

(tick)


SUBJECT ORG UNIT

cert.subject.ou

(tick)

(tick)

(tick)

(tick)


SUBJECT STATE

cert.subject.st

(tick)

(tick)

(tick)

(tick)


SUBJECT STATE variant

cert.issuer.s

(error)

(error)

(tick)

(error)


SUBJECT STREET

cert.subject.street

(tick)

(tick)

(tick)

(tick)


SUBJECT EMAIL

cert.subject.email

(error)

(error)

(tick)

(error)


SUBEJCT UID

cert.subject.uid

(error)

(error)

(tick)

(error)


KEY ID

key.id

(tick)

(tick)

(tick)

(tick)


KEY PUBLIC KEY

key.publickey

(tick)

(tick)

(tick)

(error)

BASE64 encoded DER (no PEM headers or newlines)

KEY SIZE

key.size

(tick)

(tick)

(tick)

(tick)


KEY TYPE

key.type

(tick)

(tick)

(tick)

(tick)

always 'RSA' so far

TOKEN ID

token.id

(tick)

(tick)

(tick)

(tick)

Profile ID for Hermod profiles

TOKEN TYPE

token.type

(tick)

(tick)

(tick)

(error)

'DIGITAL' and 'NFC' used in mobile. PDA version values: 'Microsoft Platform Crypto Provider', 'MICROSOFT BASE SMART CARD CRYPTO PROVIDER', 'MICROSOFT ENHANCED CRYPTOGRAPHIC PROVIDER V1.0', 'MICROSOFT SOFTWARE KEY STORAGE PROVIDER', 'MICROSOFT PASSPORT KEY STORAGE PROVIDER'

TOKEN USER ID

token.userid

(tick)

(tick)

(tick)

(tick)

username tied to the token

TOKEN PROFILE TYPE

token.profiletype

(error)

(error)

(tick)

(error)

VSC, SW, PLATFORMTPM, YUBI, HYBRID, FILEP12SW, FILEP12TPM, FILETPMYUBI, LOCALID06, FILEP12VSC




JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.