...
This section shows how to integrate with DanID / NemID's Danish single sign-on as a service provider.
First, add an X.509 certificate authentication plugin to the session controllers, e.g. “dk.itp.security.authentication.x509useradm.X509CertificatePlugin” – usually your organisation will have a customized version of this plugin.
...
Also note that you will need to switch to keystores holding your own private keys for your own certificates instead of the sample ones on the list.
```xml
<property name="ca.certificates" value="${portalprotect.home}/ppcfg/x509/nemid/danidexttest.cer" description="pkcs#7 files containing CA certificate"/>
<property name="ca.provider.nemidtest.allow.obsolete.crl" value="true" description="Allow logons to complete if CRL is obsolete"/>
<property name="ca.provider.nemidtest.check.ocsp" value="false" description="If true, certificate validity will be checked online using the OCSP protocol"/>
<property name="ca.provider.nemidtest.class" value="dk.itp.security.authentication.x509.CA_NEMID_TEST" description="implementation class"/>
<property name="ca.provider.nemidtest.clientcert.keystore.type" value="PKCS12" description="keystore type"/>
<property name="ca.provider.nemidtest.crl" value="" description="url where to get certificate revocation list for specificed issuer"/>
<property name="ca.provider.nemidtest.ssl.providername" value="SunJSSE" description="Name of SSL provider"/>
<property name="ca.provider.nemidtest.ssl.protocol" value="TLS" description="SSL Protocol"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.jceprovider" value="BC" description="JCE provider used for signing"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.keystore.certalias" value="alias" description="Keystore alias for certificate to use for signing"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.keystore.file" value="${portalprotect.home}/ppcfg/x509/nemid/applet-parameter-signing-keystore-cvr30808460-uid1263281782319.jks" description="Providers signing certificate"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.keystore.password" value="Test1234" description="Password for the file"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.keystore.privkeyalias" value="alias" description="Keystore alias for private key to use when signing"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.keystore.provider" value="SUN" description="Keystore provider is SUN"/>
<property name="ca.provider.nemidtest.nemid.appletparam.10.keystore.type" value="JKS" description="Keystore type is java keystore"/>
<property name="ca.provider.nemidtest.nemid.providerid" value="10" description="List of NemID provider IDs"/>
<property name="ca.providers" value="nemidtest" description="list of certificate issuers (providers)"/>
```
...
Next, the code calls generator.generateJSON(), which generates the signed parameters. The generation and signing take place on the PortalProtect server, which has access to the private keys, so the applications using PP only need the Agent API and do not themselves need access to any private keys.
Like with the applet, we have a form used to transmit the result of the NemID action to a server, in this case called PPForm.
The following signing takes
```html
<script type="text/x-nemid" id="nemid_parameters"><%=nemidparams%></script>
```
...
Finally, we have the JavaScript code which communicates with the iframe, initially sets the NemID parameters, obtains the result of the authentication, puts it in the form and submits it.
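The following is an added example of that host-page glue; it is not PortalProtect's own code or the code shipped with the NemID JS client. It reads the signed parameters from the `nemid_parameters` script tag, hands them to the iframe when asked, and places the returned response in PPForm before submitting. The postMessage command names (`SendParameters`, `parameters`, `changeResponseAndSubmit`), the iframe origin `NEMID_IFRAME_ORIGIN` and the hidden field name `response` are assumptions taken from the NemID JS client conventions; check them against the client version you deploy. The message handling is kept in plain functions so the origin check and dispatch can be exercised without a browser; the browser never signs anything, it only relays what the server produced.

```javascript
// Added example (not part of the original page). Assumptions: NemID JS client
// message names, the iframe origin below, and a hidden field named "response"
// in PPForm. Only messages from the expected origin are acted upon.
const NEMID_IFRAME_ORIGIN = "https://applet.danid.dk"; // assumed client origin; verify for your environment

// Wrap the server-signed parameter JSON (output of generator.generateJSON())
// in the envelope the iframe expects. Nothing is signed here.
function buildParametersMessage(paramsJson) {
  return JSON.stringify({ command: "parameters", content: paramsJson });
}

// Decide how to react to a message posted to the host window. Returns an
// action object rather than touching the DOM, so it can run headless.
function handleIframeMessage(event, expectedOrigin, paramsJson) {
  // Reject anything that does not come from the NemID iframe origin.
  if (event.origin !== expectedOrigin) {
    return { action: "ignore", reason: "origin" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { action: "ignore", reason: "malformed" };
  }
  if (msg.command === "SendParameters") {
    // The iframe asks for the parameters: reply with the signed JSON.
    return { action: "reply", data: buildParametersMessage(paramsJson) };
  }
  if (msg.command === "changeResponseAndSubmit" && typeof msg.content === "string") {
    // Authentication finished: the content is the response to hand to the server.
    return { action: "submit", response: msg.content };
  }
  return { action: "ignore", reason: "unknown command" };
}

// Browser wiring: only runs when a DOM is present.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const paramsJson = document.getElementById("nemid_parameters").textContent;
  window.addEventListener("message", function (event) {
    const result = handleIframeMessage(event, NEMID_IFRAME_ORIGIN, paramsJson);
    if (result.action === "reply") {
      // Reply only to the verified origin, never "*".
      event.source.postMessage(result.data, event.origin);
    } else if (result.action === "submit") {
      const form = document.forms.PPForm;
      form.response.value = result.response; // hidden field name is an assumption
      form.submit(); // server-side validation of the response happens in PP
    }
  });
}
```

The server must still validate the submitted response; the browser-side code only transports it. Logging the `ignore` cases with their reason is a cheap way to spot a misconfigured origin or a tampered page during rollout.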
...