SafeNet IDPrime Virtual Server Setup
As a prerequisite, you must have a SafeNet IDPrime Virtual server that is up and running on your machine. The SafeNet IDPrime Virtual server runs in a docker container, and stores the configuration in a database.
Configuring Keycloak as your identity provider in SafeNet IDPrime Virtual requires:
- Configuring the Identity Provider Configuration File
- Running the IDPV Server and Setting Up the IDPV Tenant
Configuring the Identity Provider Configuration File
Perform the following steps to configure the idp-configuration.json configuration file:
1. Create or copy an existing idp-configuration.json file and place it in the /config directory mapped to the container.
2. Access the WELL KNOWN CONFIGURATION URL (the OpenID Connect discovery URL) on the Keycloak server to get the parameters listed below:
   - Log in to the Keycloak admin console and select the realm from the left pane.
   - Under the General tab, click OpenID Endpoint Configuration.
   - This lists the metadata related to this realm. Copy the values of the following parameters:
     - Issuer URL
     - jwks_uri
   - In a browser, open the jwks_uri URL, copy the values of the following keys and paste them in a text editor:
     - kid
     - n
     - e
3. Open the idp-configuration.json file that is placed at the /config path and enter the values of the parameters given in the table below. The file should contain the following information relevant to the identity provider:
   - SigningKeys
     - IdpPublicKeyModulus: Enter the value of the n key copied from step 2.
     - IdpPublicKeyExponent: Enter the value of the e key copied from step 2.
     - IdpKeyId: Enter the value of the kid key copied from step 2.
   - IdpIssuerUrl: Enter the value of the Issuer URL from the .well-known URL.
   - IdpClientId: Enter the value of the Client ID that is configured on the Keycloak server.
   - IdpRedirectUrl: Enter the VALID REDIRECT URL that is configured in the client configuration on the Keycloak server.
     For executing the IDPV client only:
     URL structure: https://<server-host>/redirect
     For example: https://www.idpvserver.com/redirect
     For executing the Self-Service Portal and the IDPV client:
     URL structure: https://<server-host>/redirect
     For example: https://www.idpvserver.com/redirect
     Note: This URL is updated as per the IDPV server host name.
   - IdentityProvider: Enter SASPCE as the IDP type.
   - RefreshTokenExpirationDuration: By default, the value is 480.
   - JwtExpiration: Enter a timeframe (in seconds) to be used by the IDPV client. The IDPV client obtains the access token value during this timeframe preceding the expiration of the access token.
   - JwtGroupClaim: Enter Groups.
   - JwtUserClaim: Enter preferred_username.
   - IDPrimeVirtualAdmin: Enter a list of administrator group claim names (the same as configured on Keycloak).
   - IDPrimeVirtualUser: Enter a list of user group claim names (the same as configured on Keycloak).
   - OfflineTokenEnabledGroup: Enter a list of group claim names for offline mode.
   - IDPrimeVirtualProvisioningAdmin: Enter a list of provisioning admin groups.
     Note: A user must be a member of at least one of the groups listed in the IDPrimeVirtualUser or IDPrimeVirtualAdmin parameter.
   - JwtAdminWhiteList: Contains the list of IDPrime Virtual admin users.
   - IdpScope: The mandatory scope added in the application on Keycloak. The IdpScope parameter reads the IdpScope field of the tenant configuration. When the server is upgraded, an old tenant is populated with the value idpvscope openid offline_access for the Keycloak IDP if this field is not explicitly provided. For a new tenant, this field must be configured in the idp-configuration.json file to match the Keycloak client side.
The JwtAdminWhiteList, IDPrimeVirtualProvisioningAdmin, and OfflineTokenEnabledGroup parameters are optional and must be provided if the Provisioning and Offline mode functions are enabled.
Sample 1: idp-configuration.json file for 2.5 release
vim idp-configuration.json
{
    "SigningKeys": [
        {
            "IdpPublicKeyModulus": "hQCqsdfsdfh9xpvrTyZ0IhkdB2Gyc_gD-kNQ9rMNQUjUuEkEApFoBQHy_YRKLnX1yIDXEdkZtiz3VXkvwuTII8qhAyJE813LzIsOIKPRhO9GlTjyI0PbGOUx7X3kjU8ZjDUKLqG-K_jax9ZuErkYgH5EzqJhCNCsSaCkBetx7bd9_5ejYzep40FjC32Sq1O_M9zk8zjkd00BUG-1se0uUHHJCBiZ_qL6eV1Kpd9oU6d6zU_2Y1foz554pWRPhrvQeC6AwiVy6yz0ByUsBbNuX1rbuRoN5vUBP47JKKvMx8RRDTDe2A2-_t9qB7V95_PSeF2IvhRu7euS9VZ43ZnMJSQ",
            "IdpPublicKeyExponent": "AQAB",
            "IdpKeyId": "9IpoJPir-Ord59Q8PvlpfdSy2vJlaOJ9j76r0K3xfYw"
        }
    ],
    "IdpClientId": "kcagent12",
    "IdpIssuerUrl": "https://kc.bcd.local/auth/realms/SASPCE",
    "IdpRedirectUrl": "https://www.idpvserver.com/redirect",
    "JwtExpiration": "0000001e",
    "IdentityProvider": "SASPCE",
    "RefreshTokenExpirationDuration": 480,
    "JwtGroupClaim": "groups",
    "JwtUserClaim": "preferred_username",
    "JwtAdminWhiteList": "",
    "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin",
    "IDPrimeVirtualUser": "IDPrimeVirtualUser",
    "OfflineTokenEnabledGroup": "IDPrimeVirtualOffline",
    "IDPrimeVirtualProvisioningAdmin": "IDPrimeVirtualProvisioningAdmin",
    "IdpScope": "openid offline_access idpvscope"
}
Sample 2: idp-configuration.json file for 2.4.1 release
vim idp-configuration.json
{
    "IdpPublicKeyModulus": "hQCqsdfsdfh9xpvrTyZ0IhkdB2Gyc_gD-kNQ9rMNQUjUuEkEApFoBQHy_YRKLnX1yIDXEdkZtiz3VXkvwuTII8qhAyJE813LzIsOIKPRhO9GlTjyI0PbGOUx7X3kjU8ZjDUKLqG-K_jax9ZuErkYgH5EzqJhCNCsSaCkBetx7bd9_5ejYzep40FjC32Sq1O_M9zk8zjkd00BUG-1se0uUHHJCBiZ_qL6eV1Kpd9oU6d6zU_2Y1foz554pWRPhrvQeC6AwiVy6yz0ByUsBbNuX1rbuRoN5vUBP47JKKvMx8RRDTDe2A2-_t9qB7V95_PSeF2IvhRu7euS9VZ43ZnMJSQ",
    "IdpPublicKeyExponent": "AQAB",
    "IdpKeyId": "9IpoJPir-Ord59Q8PvlpfdSy2vJlaOJ9j76r0K3xfYw",
    "IdpClientId": "kcagent12",
    "IdpIssuerUrl": "https://kc.bcd.local/auth/realms/SASPCE",
    "IdpRedirectUrl": "https://www.idpvserver.com/redirect",
    "JwtExpiration": "0000001e",
    "IdentityProvider": "SASPCE",
    "RefreshTokenExpirationDuration": 480,
    "JwtGroupClaim": "groups",
    "JwtUserClaim": "preferred_username",
    "JwtAdminWhiteList": "",
    "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin",
    "IDPrimeVirtualUser": "IDPrimeVirtualUser",
    "OfflineTokenEnabledGroup": "IDPrimeVirtualOffline",
    "IDPrimeVirtualProvisioningAdmin": "IDPrimeVirtualProvisioningAdmin",
    "IdpScope": "openid offline_access idpvscope"
}
If the Full group path parameter is set to ON, the Keycloak server prefixes '/' to the user group names, and the group names entered in the idp-configuration.json file must carry the same prefix.
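The steps above are a manual copy-and-paste exercise, so the following added example (not code from the SafeNet IDPrime Virtual product or its documentation) shows the same work done in Python: it takes the realm's OpenID Endpoint Configuration and its jwks_uri document, picks out the signing key's kid, n and e, sanity-checks them, and assembles the 2.5-format idp-configuration.json. It goes slightly beyond the page in one respect: a Keycloak JWKS can list more than one key (an encryption key alongside the signing key), so only RSA keys with "use": "sig" are taken. The discovery document, JWKS, host names and the placeholder modulus are constructed for the example; the fixed parameter values are those of Sample 1 above and are meant to be adjusted per deployment.

```python
import base64
import json


def b64url_decode(value: str) -> bytes:
    """Decode an unpadded base64url string (the JWK encoding of n and e)."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def _constructed_modulus(bits: int) -> str:
    # Constructed placeholder modulus of exactly `bits` bits; not a real RSA key,
    # it only exercises the size check below.
    n = (1 << (bits - 1)) | 0xA5A5A5A5A5A5A5A5 | 1
    raw = n.to_bytes((bits + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample of what the realm's OpenID Endpoint Configuration and its
# jwks_uri return (assumed host and realm names, not captured from a real server).
ISSUER = "https://kc.example.local/auth/realms/SASPCE"
DISCOVERY_DOC = {"issuer": ISSUER, "jwks_uri": ISSUER + "/protocol/openid-connect/certs"}
JWKS = {"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": _constructed_modulus(2048), "e": "AQAB"},
    # Keycloak also publishes an encryption key; its n/e must not be entered as a signing key.
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
     "n": _constructed_modulus(2048), "e": "AQAB"},
]}


def signing_keys_from_jwks(jwks: dict, min_bits: int = 2048) -> list:
    """Build the SigningKeys entries (2.5 file format) from the JWKS document.

    Only RSA keys marked for signature use are kept; n and e are decoded to check
    they are valid base64url, the modulus meets min_bits and the exponent is odd.
    """
    entries = []
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue
        n_int = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e_int = int.from_bytes(b64url_decode(jwk["e"]), "big")
        if n_int.bit_length() < min_bits:
            raise ValueError(f"kid {jwk['kid']}: modulus is only {n_int.bit_length()} bits")
        if e_int < 3 or e_int % 2 == 0:
            raise ValueError(f"kid {jwk['kid']}: implausible public exponent {e_int}")
        entries.append({"IdpPublicKeyModulus": jwk["n"],
                        "IdpPublicKeyExponent": jwk["e"],
                        "IdpKeyId": jwk["kid"]})
    if not entries:
        raise ValueError("JWKS contains no RSA signing key")
    return entries


def group_claim_name(name: str, full_group_path: bool) -> str:
    """With Full group path ON, Keycloak prefixes '/' to the group names in the
    claim, so the configured group names must carry the same prefix."""
    return name if name.startswith("/") or not full_group_path else "/" + name


def build_idp_configuration(discovery: dict, jwks: dict, client_id: str,
                            redirect_url: str, full_group_path: bool = False) -> dict:
    """Assemble idp-configuration.json for a Keycloak IDP. The fixed values are
    those of the page's Sample 1 and are meant to be adjusted per deployment."""
    issuer = discovery["issuer"]
    if not discovery["jwks_uri"].startswith(issuer + "/"):
        raise ValueError("jwks_uri does not belong to the issuer realm; check the selected realm")
    if not (redirect_url.startswith("https://") and redirect_url.endswith("/redirect")):
        raise ValueError("IdpRedirectUrl must have the form https://<server-host>/redirect")

    def group(name: str) -> str:
        return group_claim_name(name, full_group_path)

    return {
        "SigningKeys": signing_keys_from_jwks(jwks),
        "IdpClientId": client_id,
        "IdpIssuerUrl": issuer,
        "IdpRedirectUrl": redirect_url,
        "IdentityProvider": "SASPCE",
        "RefreshTokenExpirationDuration": 480,
        "JwtExpiration": "0000001e",
        "JwtGroupClaim": "groups",
        "JwtUserClaim": "preferred_username",
        "JwtAdminWhiteList": "",
        "IDPrimeVirtualAdmin": group("IDPrimeVirtualAdmin"),
        "IDPrimeVirtualUser": group("IDPrimeVirtualUser"),
        "OfflineTokenEnabledGroup": group("IDPrimeVirtualOffline"),
        "IDPrimeVirtualProvisioningAdmin": group("IDPrimeVirtualProvisioningAdmin"),
        "IdpScope": "openid offline_access idpvscope",
    }


if __name__ == "__main__":
    config = build_idp_configuration(DISCOVERY_DOC, JWKS, "kcagent12",
                                     "https://www.idpvserver.com/redirect", full_group_path=True)
    print(json.dumps(config, indent=2))
```

Against a live realm, the two documents would be fetched from the OpenID Endpoint Configuration URL and the jwks_uri it lists; keeping the realm check (jwks_uri under the issuer) catches the common mistake of copying keys from a different realm than the one named in IdpIssuerUrl.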
Sample: policy-configuration.json file
{
    "UserPinPolicy": {
        "MaxRetries": 5,
        "IsMustChange": false
    },
    "AdminPinPolicy": {
        "MaxRetries": 5,
        "IsMustChange": false
    },
    "OfflineTokenPolicy": {
        "ValidityDurationInHours": 120,
        "PrivateKeyExportLevel": "All"
    }
}
Sample: sws-config.json file
{
    "_comment1": "(Mandatory for SWS API) The commercial name of the remote service. The maximum size of the string is 255 characters.",
    "Name": "Thales Signing Web Service",
    "_comment2": "(Mandatory for SWS API) The ISO 3166-1 [22] Alpha-2 code of the Country where the remote service provider is established (e.g. ES for Spain).",
    "Region": "US",
    "_comment3": "(Mandatory for SWS API) The URI of the image file containing the logo of the remote service which SHALL be published online. The image SHALL be in either JPEG or PNG format and not larger than 256x256 pixels.",
    "Logo": "https://example.com/SWSLogo.png",
    "_comment4": "(Mandatory for SWS API) The maximum size of the string is 255 characters.",
    "Description": "The Signing web service (SWS) APIs are based on Cloud Signature Consortium (CSC) standards and it supports web and mobile applications and comply with the most demanding electronic signature regulations in the world."
}
Running the IDPV Server and Setting Up the IDPV Tenant
After configuring the other SafeNet IDPrime Virtual Server files, perform the following steps to create an IDPV tenant:
1. Run the IDPV server; refer to the Running the IDPV Server section.
2. Run the following command to create a SafeNet IDPrime Virtual (IDPV) tenant:
   SetupTenant create -i <Config/idp-staclassic-redirect.json> -p <Config/policy-configuration.json> -k true (or false) -a <IDP_client_secret> -n <tenant_name> -u true (or false) -c <IDPV (or SWS)> -m false (or true) -s <sws-config.json>
   Where,
   - -i is for the idp-configuration.json file (Mandatory).
   - -p is for the policy-configuration.json file (Mandatory).
   - -k is true or false for the HSM export key flag. It is true by default (Optional). If -k is set to true explicitly, the tenant is created in export mode, provided the HSM supports it.
   - -a accepts the IDP Client Secret (Mandatory).
   - -n accepts a tenant name.
   - -c accepts the tenant category (Optional). Use SafeNet IDPrime Virtual (IDPV) or Signature Web Service (SWS) to specify a tenant category. If -c is not given, the default value is IDPV.
   - -m accepts true or false for the SKS mode flag. The default value is false.
   - -s accepts a json file as the SWS configuration file.
   - -u accepts true or false. When -u is true, the IDPV Admin needs to provision the smart card for the user by using the Connecting on behalf of the user functionality. When -u is false, the user can provision the smart card on their own by connecting with the IDPV Client.
   Example for IDPV Tenant:
   SetupTenant create -i Config/idp-staclassic-redirect.json -p Config/policy-configuration.json -k true -a fd1b4b61-32ba-47b3-a0c9-cf8bda938b4d -n 'IDPV-Tenant' -u true -c IDPV
   Example for SWS Tenant:
   SetupTenant create -i Config/idp-staclassic-redirect.json -p Config/policy-configuration.json -k true -a fd1b4b61-32ba-47b3-a0c9-cf8bda938b4d -n 'SWS-Tenant' -c SWS -m True -s Config/sws-config.json
3. After running the above command, a Tenant ID is generated, saved as a text file at /publish/Tenant/<TenantGUID>.txt, and displayed on the console.
4. Copy the Tenant ID to the host machine using the following command:
   docker cp idprime-virtual-server-containername:/publish/Tenant/<TenantGUID>.txt <location on host>
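SetupTenant reads the two JSON files once, so a configuration mistake only surfaces after the tenant has been created. The following added example (not part of the SafeNet IDPrime Virtual product or its tooling) is a pre-flight check to run before step 2: it parses idp-configuration.json while rejecting duplicate keys (which json.loads would otherwise resolve silently by keeping the last value), verifies the mandatory parameters from the table above and the optional-but-required-when-enabled group parameters, and assembles the SetupTenant create argument list from the documented flags. The mandatory-parameter list is an assumption drawn from the table (parameters with no documented default), the embedded configuration text is constructed with placeholder key material, and requiring -s for an SWS tenant follows the SWS example above.

```python
import json

# Assumed mandatory idp-configuration.json parameters (those in the table with no documented default).
MANDATORY_IDP_KEYS = ("IdpClientId", "IdpIssuerUrl", "IdpRedirectUrl", "IdentityProvider",
                      "JwtExpiration", "JwtGroupClaim", "JwtUserClaim",
                      "IDPrimeVirtualAdmin", "IDPrimeVirtualUser", "IdpScope")

# Constructed, shortened idp-configuration.json text with placeholder key material.
SAMPLE_OK = """{
  "SigningKeys": [{"IdpPublicKeyModulus": "placeholder-n", "IdpPublicKeyExponent": "AQAB",
                   "IdpKeyId": "placeholder-kid"}],
  "IdpClientId": "kcagent12",
  "IdpIssuerUrl": "https://kc.example.local/auth/realms/SASPCE",
  "IdpRedirectUrl": "https://www.idpvserver.com/redirect",
  "JwtExpiration": "0000001e",
  "IdentityProvider": "SASPCE",
  "RefreshTokenExpirationDuration": 480,
  "JwtGroupClaim": "groups",
  "JwtUserClaim": "preferred_username",
  "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin",
  "IDPrimeVirtualUser": "IDPrimeVirtualUser",
  "IdpScope": "openid offline_access idpvscope"
}"""
# The same text with JwtExpiration pasted a second time: a typical copy-and-paste defect.
SAMPLE_WITH_DUPLICATE = SAMPLE_OK.replace(
    '"IdentityProvider"', '"JwtExpiration": "0000001e",\n  "IdentityProvider"', 1)


def load_json_strict(text: str) -> dict:
    """Parse JSON but reject duplicate object keys instead of keeping the last one."""
    def reject_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r} in configuration")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=reject_duplicates)


def check_idp_configuration(cfg: dict, offline_mode: bool = False,
                            provisioning: bool = False) -> list:
    """Return the problems found in a parsed idp-configuration.json (empty list means OK)."""
    problems = [f"missing mandatory parameter {k}" for k in MANDATORY_IDP_KEYS if not cfg.get(k)]
    keys = cfg.get("SigningKeys") or []
    if not keys or any(not (k.get("IdpKeyId") and k.get("IdpPublicKeyModulus")
                            and k.get("IdpPublicKeyExponent")) for k in keys):
        problems.append("SigningKeys needs at least one complete kid/n/e entry")
    if "openid" not in str(cfg.get("IdpScope", "")).split():
        problems.append("IdpScope must include openid")
    # Optional in the table, but required once the matching function is enabled.
    if offline_mode and not cfg.get("OfflineTokenEnabledGroup"):
        problems.append("OfflineTokenEnabledGroup is required when offline mode is enabled")
    if provisioning and not cfg.get("IDPrimeVirtualProvisioningAdmin"):
        problems.append("IDPrimeVirtualProvisioningAdmin is required when provisioning is enabled")
    return problems


def setup_tenant_argv(idp_file: str, policy_file: str, client_secret: str, tenant_name: str,
                      category: str = "IDPV", export_key: bool = True, sks_mode: bool = False,
                      admin_provisions: bool = True, sws_file: str = None) -> list:
    """Assemble the SetupTenant create argument list from the documented flags.

    Returned as a list for subprocess.run(argv), so the secret and tenant name
    need no shell quoting.
    """
    if category not in ("IDPV", "SWS"):
        raise ValueError("-c accepts IDPV or SWS")
    if category == "SWS" and not sws_file:
        raise ValueError("an SWS tenant needs the -s sws-config.json file")
    if not client_secret:
        raise ValueError("-a (IDP client secret) is mandatory")

    def flag(enabled: bool) -> str:
        return "true" if enabled else "false"

    argv = ["SetupTenant", "create", "-i", idp_file, "-p", policy_file,
            "-k", flag(export_key), "-a", client_secret, "-n", tenant_name,
            "-u", flag(admin_provisions), "-c", category, "-m", flag(sks_mode)]
    if sws_file:
        argv += ["-s", sws_file]
    return argv


if __name__ == "__main__":
    try:
        load_json_strict(SAMPLE_WITH_DUPLICATE)
    except ValueError as err:
        print("rejected:", err)
    cfg = load_json_strict(SAMPLE_OK)
    print("problems:", check_idp_configuration(cfg, offline_mode=True))
    print(" ".join(setup_tenant_argv("Config/idp-staclassic-redirect.json",
                                     "Config/policy-configuration.json",
                                     "<IDP_client_secret>", "IDPV-Tenant")))
```

Passing the list to subprocess.run rather than pasting the command into an interactive shell keeps the client secret out of shell history; note that, as with the documented command, the secret is still visible in the process list for as long as SetupTenant runs.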