Comment: Updated for 6.0.2 regarding signmessage

Smart ID Digital Access component (Hybrid Access Gateway) supports sending signing messages over SAML. If the SAML request contains a sign message, Digital Access forwards it to the signing interface of the app or client for authentication, so that it can be shown to the user when they are asked to sign.

To be used for signing, the SAML request must contain an authentication context for signing and a SignMessage element. For more information on authentication contexts and how to set them up in Digital Access, see Set up SAML authentication context in Digital Access. Once both are present, authentication methods that support signing will use signing instead of authentication. Authentication methods without a dedicated signing option will still use authentication but display the signing message within the browser.

Supported authentication methods

  • Swedish BankID
  • Nexus Personal Mobile
  • Nexus Personal Desktop

Pre-defined authentication contexts

Digital Access has these pre-defined SAML authentication contexts that will trigger signing instead of authentication if a service provider asks for it:

  • http://id.elegnamnden.se/loa/1.0/loa2-sigmessage

  • http://id.elegnamnden.se/loa/1.0/loa3-sigmessage

  • http://id.elegnamnden.se/loa/1.0/loa4-sigmessage

You can define other authentication contexts than the pre-defined ones, as described below.

Define authentication context

Stop the administration service by executing the following command:

    /etc/init.d/administration-service stop

Open the remote configuration file of the Administration service. You find the file under /opt/nexus/administration-service/config/.

Note: You need sudo privileges to change the file.

In the file, find the element mGlobalIdPConfiguration.

Note: If you don't see the element mGlobalIdPConfiguration in your remote configuration file, you need to create at least one SAML Identity Provider or click Save on the Manage Global SAML Federation Settings... page once. See Set up Hybrid Access Gateway as identity provider to Nexus GO PDF Signing.

To define a new authentication context, extend this element with mAdditionalLOAShowMessage. Specify each new authentication context as an item element. See this example:

    <attribute name="mGlobalIdPConfiguration" type="container" value="globalidpconfiguration">
      <attribute name="mAdditionalLOAShowMessage" type="list">
        <item type="string" value="http://id.elegnamnden.se/loa/1.0/loa3"/>
      </attribute>
    </attribute>

Start the administration service by executing the following command:

    /etc/init.d/administration-service start

  • Log in to Digital Access Admin with an administrator account.
    You will see a note: Configuration file has been manually modified
  • Select Accept modified configuration and click Continue to the Administration Interface >.
  • Click Publish to publish the updated configuration.
    The configuration in Digital Access is ready.
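As an added example (not code from this page or from the Digital Access product), the script below shows how the rule described above can be checked programmatically: it reads the mAdditionalLOAShowMessage items from a remote-configuration fragment like the one above, merges them with the three pre-defined signing contexts, and decides for a SAML AuthnRequest whether signing (signing context present and SignMessage present) or plain authentication applies. The SignMessage namespace http://id.elegnamnden.se/csig/1.1/dss-ext/ns and the base64-encoded Message child follow the Swedish eID Framework and are assumptions here, as are the constructed sample request, the sample configuration and the render_sign_message helper, which only illustrates that a message shown in the browser should be HTML-escaped.

```python
"""Decide whether a SAML AuthnRequest asks for signing (added example, not Digital Access code)."""
import base64
import html
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed: SignMessage namespace of the Swedish eID Framework (dss-ext), not stated on the page.
CSIG = "http://id.elegnamnden.se/csig/1.1/dss-ext/ns"

# The three pre-defined signing contexts listed on the page.
PREDEFINED_SIGN_CONTEXTS = frozenset({
    "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage",
    "http://id.elegnamnden.se/loa/1.0/loa3-sigmessage",
    "http://id.elegnamnden.se/loa/1.0/loa4-sigmessage",
})

# Constructed configuration fragment, shaped like the page's example.
SAMPLE_CONFIG = """<attribute name="mGlobalIdPConfiguration" type="container" value="globalidpconfiguration">
  <attribute name="mAdditionalLOAShowMessage" type="list">
    <item type="string" value="http://id.elegnamnden.se/loa/1.0/loa3"/>
  </attribute>
</attribute>"""


def additional_sign_contexts(config_xml):
    """Return the item values of mAdditionalLOAShowMessage found in a config fragment."""
    root = ET.fromstring(config_xml)
    found = set()
    for attr in root.iter("attribute"):          # iter() includes the root element itself
        if attr.get("name") != "mAdditionalLOAShowMessage":
            continue
        for item in attr.findall("item"):
            value = item.get("value")
            if item.get("type") == "string" and value:
                found.add(value)
    return found


def build_sample_request(message, context):
    """Constructed AuthnRequest (not captured traffic); message=None omits SignMessage."""
    ext = ""
    if message is not None:
        b64 = base64.b64encode(message.encode("utf-8")).decode("ascii")
        ext = (
            "  <saml2p:Extensions>\n"
            '    <csig:SignMessage MustShow="true" MimeType="text">\n'
            f"      <csig:Message>{b64}</csig:Message>\n"
            "    </csig:SignMessage>\n"
            "  </saml2p:Extensions>\n"
        )
    return f"""<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}" xmlns:csig="{CSIG}"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://sp.example.test/saml</saml2:Issuer>
{ext}  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef>{context}</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
""".encode("utf-8")


def classify_request(authn_request_xml, extra_contexts=()):
    """Return (use_signing, message_text). Both a signing context and a SignMessage are required;
    a request with only one of them falls back to plain authentication."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    sign_contexts = PREDEFINED_SIGN_CONTEXTS | set(extra_contexts)
    requested = {
        el.text.strip()
        for el in root.findall(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
        if el.text
    }
    msg_el = root.find(f"{{{SAMLP}}}Extensions/{{{CSIG}}}SignMessage/{{{CSIG}}}Message")
    if not (requested & sign_contexts) or msg_el is None or not msg_el.text:
        return False, None
    return True, base64.b64decode(msg_el.text.strip(), validate=True).decode("utf-8")


def render_sign_message(message_text):
    """Assumed browser rendering: the message is data supplied by the service provider,
    so it is escaped before being placed into the page markup."""
    return "<div>" + html.escape(message_text) + "</div>"


if __name__ == "__main__":
    extra = additional_sign_contexts(SAMPLE_CONFIG)
    for ctx in ("http://id.elegnamnden.se/loa/1.0/loa3-sigmessage",
                "http://id.elegnamnden.se/loa/1.0/loa3"):
        req = build_sample_request("Approve payment of 100 SEK to ACME (constructed)", ctx)
        print(ctx, "->", classify_request(req), "| with config:", classify_request(req, extra))
```

Running the script shows the effect of the configuration step: a request for the plain loa3 context is treated as authentication until loa3 is listed in mAdditionalLOAShowMessage, after which the same request with a SignMessage is treated as signing.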
Use the authentication context

After adding a new authentication context, you can use it as SAML authentication context on the corresponding authentication method as Extended Property. For more information, see Set up SAML authentication context in Digital Access.

This article is valid from Hybrid Access Gateway 5.13.2

Use other authentication methods for signing

Even if an authentication method does not support a certain signing functionality, it can still be used to authenticate a signature. For the supported authentication methods mentioned above, there is a dedicated signing interface that shows the signing message directly in the software (the app or desktop application used). For other methods, the signing message can be shown to the user within the browser.

To do this:

1. Change the branding of the following file:
   access-point/built-in-files/wwwroot/wa/authmech/base/GenericForm.html
   1. Add the following HTML code wherever the message should be displayed:

      <div>[$#authorizationData]</div>