/images/resources/howtos/authentication/siths/siths-authentication.png

SITHS Authentication With Attributes From Active Directory

tutorials
On this page

SITHS, short for Säker IT Hälsa och Sjukvård (Swedish), is a system used to issue electronic IDs for users and systems. The area of use is authentication to systems, electronic signing as well as securing system-to-system communication. In the case of IDs for users, the information can be securely stored on a smart card that is used for access control to for example buildings as well as logging in to systems.

When using SITHS smart card for authentication, it is likely that you want to bring in additional attributes from an external source. This guide explains how to get those attributes from an Active Directory.

Required components:

  • Windows Connector
  • SITHS Authenticator
  • Active Directory Data Source
  • Data Source Action

SITHS Authenticator Configuration

To be able to handle smart card authentication and Integrated Windows Authentication (IWA), the Curity Identity Server needs an additional application installed on IIS. This application is called the Windows Connector and the installation is covered in the Windows Authenticator documentation.

Configure a SITHS authenticator named siths and point to the IIS configured above.

Test the Configuration

To show the available attributes for a user, add the Debug Attribute action to the authenticator. If not yet available, create a Debug Attribute action first. You can remove the action after you confirmed that the configuration is correct.

In the following examples, the authentication profile is called "Authentication Service" and is identified via the id authentication-service. Adapt the values according to your setup.

Create a Debug Attribute action.

  1. Navigate to ProfilesAuthentication ServiceActions.
  2. Click on + New Action.
  3. Enter debug in the name field.
  4. Select the action called "Debug Attribute".
  5. Click Next and close the wizard.
Create Debug Attribute Action

Then add the action to the authenticator.

  1. Navigate to ProfilesAuthentication ServiceAuthenticators.
  2. Select the SITHS authenticator.
  3. Under Actions click on + Add in the login pipeline and select the action from above.
Add Debug Attribute Action to Authenticator

At the end, commit the changes under ChangesCommit.

To test the configuration, use an existing application if applicable or set up a dummy application. It will not need to point to an existing application, since the browsers developer tools can be used to inspect the result.

Add a service provider TestApp1 to authentication profile authentication-service (Authentication Service):

  1. Go to ProfilesAuthentication ServiceService Providers.
  2. Click New Service Provider.
  3. Name it TestApp1.
  4. Add the Target URL https://localhost:7777/auth-done.

This should result in an added Service Provider:

Add a Service Provider
  1. Open ProfilesAuthenticationServiceGeneral.
  2. Enter the target url to the list of approved redirect URLs (Redirect URL Whitelist).
  3. Then commit the changes through ChangesCommit.
Approve Redirect URL

Make sure you have access to a computer with Secmaker Net iD installed, and a SITHS smart card.

Open up a new browser window in private mode.

  • Access the Curity Identity Server in your browser by visiting https://localhost:8443/authn/authentication?serviceProviderId=TestApp1. You will be prompted with the available authentication methods. If multiple authenticators are displayed, select siths.
  • Authenticate using your newly configured SITHS authenticator. You should be prompted for the PIN.
  • In the next view, study the subject attributes. The only attribute in the list is the subject attribute with the HSA-ID from the SITHS smart card.
  • Finish the authentication flow.
  • The result will be POSTed to the URL of TestApp1. Your browser will show a connection error as no application is listening on the URL. You can safely ignore that.

If the subject attribute matches the HSA-ID from the SITHS smart card, then you configured the SITHS authenticator correctly. Otherwise, double-check the SITHS Authenticator Configuration.

Active Directory Data Source

To be able to find a user account corresponding to the smart card, the HSA-ID needs to be in the directory somehow. It is typically stored in a custom attribute like extensionAttribute1, but any string attribute could be used.

Configure an LDAP Data Source with the type Active Directory:

  1. Go to FacilitiesData Sources
  2. Click the + to add a new Data Source and give it a name, activeDirectory
  3. Select ldap as the type.
  4. Configure the Hostname, Client ID (username), Client Secret (password) and Default Root according to your AD environment
  5. Scroll down and set the Ldap Server Type to active-directory
  6. Scroll down to the bottom and in the Attributes section set Search Filter to (extensionAttribute1={})
  7. ChangesCommit

Note the search filter. It will return the attributes of a user with extensionAttribute1 being the same as the HSA-ID from the authentication.

Tip

To speed up the search, make sure that the Active Directory indexes the attribute. Otherwise, the directory will need to check each object.

This configuration will return all attributes from the directory. See the LDAP documentation for how to only return selected attributes.

Data Source Action

You now have the SITHS authenticator in place, and you have configured a data source to fetch the attributes from. A Data Source Action needs to be configured to connect the two to add the attributes to the authentication.

Create a new action of type "Data Source".

  1. Navigate to Profiles and open the Authentication Service profile
  2. Select Actions from the left panel menu.
  3. Click on + New Action. Give it a name, getAdAttribute.
  4. Choose Data Source as the type and click next.
  5. Select activeDirectory from the list of available attribute sources.
  6. Close the window and commit the changes via ChangesCommit.

This is a simple configuration and will add all attributes from the directory as is.

Add the Data Source Action to the Authenticator

Finally, to make sure the attribute transformer runs, add it to the authenticator:

  1. Navigate to ProfilesAuthentication ServiceAuthenticators
  2. Select SITHS authenticator from the list.
  3. Under actions, click on + Add in the Login pipeline
  4. Choose the getAdAttributes action.
  5. Drag and drop the action before the Debug Attribute action.
  6. Commit the changes.
Authentication Flow

Test the Configuration

Restart your private mode browser, to clear the login state. Then go through Test the configuration again.

The subject should now contain all the user's attributes from Active Directory.

Join our Newsletter

Get the latest on identity management, API Security and authentication straight to your inbox.

Start Free Trial

Try the Curity Identity Server for Free. Get up and running in 10 minutes.

Start Free Trial
  1. Home
  2. Resources
  3. SITHS Authentication With Attributes From Active Directory

Was this helpful?