This module implements Estonian Mobiil-ID authentication for SimpleSAMLphp AAI framework.
Refer to the DigiDocService documentation for details on the underlying architecture.
This code is considered production-ready.
This module handles all Mobiil-ID traffic, starting by asking for the phone number and ending in one of the two results:
-
successful authentication - the user's personal ID code is placed into
Attributes
array asisikukood
-
authentication failure for any number of reasons - the user will be presented with appropriate message and the session stops there.
It is possible to further customize the
status.php
page and include links to some troubleshooter or help center etc via normal SSP theming.
NB! SECURITY BREACH might result unless the ID code is further processed and authorization aplied. If this is not done, all Estonian Mobiil-ID users will be passed as valid users of the SSP site.
This module depends on a few PEAR modules. To get the latest versions, first instruct PEAR to prefer beta versions (older stables might not work):
pear config-set preferred_state beta
And then install modules:
pear install -a SOAP
pear install -a XML_Serializer
pear channel-discover phpseclib.sourceforge.net
pear install phpseclib/Crypt_RSA
Clone the module from GitHub into SSP modules
folder:
cd modules
git clone https://github.com/borgand/sspmod_MobiilID MobiilID
Note: the resulting folder name must be MobiilID or SimpleSAMLphp won't find the source files and the module won't work (see: SSP autoloader).
The module is disabled by default. Enable it by:
touch MobiilID/enable
Configure Mobiil-ID as an authsource in the config/authsources.php
file, e.g using the test DigiDocService:
'mobiilid' => array(
'MobiilID:MobiilID',
'endpoint' => 'https://www.openxades.org:8443/?wsdl',
'endpoint_certificate' => '/path/to/endpoint.cert',
'service_name' => 'Testimine',
'message_to_display' => 'Verify that codes match!',
'status_refresh' => 5,
),
This configures the authsource, but to actually use it, you must configure this as the default authsource in metadata/saml20-idp-hosted.php
or alternatively use SSP's MultiAuth module to use multiple authsources simultaneously.
It is based on the demo auth application published by AS Sertifitseerimiskeskus:
This module was developed at University of Tartu by:
- Laas Toom