External Login Methods

External Login Methods is a function that lets users log in to NSP with credentials from your external providers (Office 365, Active Directory, etc.).

You can configure NSP to provide Single Sign-On for your users so they do not have to enter separate login credentials for NSP. The user is authenticated by an external identity provider that you configure in NSP, and the unique user attributes are sent back to NSP. This version of the NSP platform supports these identity providers: OpenID Connect, WS-Federation, SAMLv2, BankID, GrandID and IDPorten.

 

External Login Methods

If you want to use external identification via SSO, your NSP installation must be published over HTTPS. You need to provide a URL like: https://auth.nspnilex.com.

This page lists all external login methods that exist in the database. The page also lets you add a new external login method, edit or delete an existing one, and activate or deactivate a configuration.

The external login method allows Agents and End Users to log in to NSP using login credentials from an external service provider. Login methods can be enabled/disabled for Agent Portal and Self Service Portal separately.

External Login Methods

   Name - This column contains the name of the external login method.

   Type - This column contains the type of the external identity provider: OidcIDentityProvider, WsFederationIdentyProvider, SamlIdentityProvider, BankID, GrandID or IDPorten.

   Enabled in Agent Portal, Enabled in Self Service Portal - These columns contain an icon (http://nspdoc.nspnilex.com/10-7-3/en-US/Admin/ImagesExt/image312_108.jpg) if the external login method is enabled in the respective portal. Login methods can be enabled/disabled on Agent portal and Self Service portal separately. More than one external login method can be active at the same time. Each enabled external login method is displayed on the login form.

   Auto login - This column contains an icon (http://nspdoc.nspnilex.com/10-7-3/en-US/Admin/ImagesExt/image312_108.jpg) if the external login method is selected for auto login. Auto login can be activated for only one method at a time.

This list also contains a dropdown action for each login method:

   Edit - This option is used to edit external login method settings.

   View - This option is used to view external login method settings.

   Enable/Disable in Agent Portal/Self Service Portal - These options are used to enable/disable login method in respective portal.

Note! If you change Enable/Disable, you need to restart IIS on the Authentication server for the change to be shown in the GUI. This is important; otherwise the user will get an error when trying to log in.

   Enable/Disable auto login - Only available for enabled options. If you enable a login method for auto login and another method already has auto login enabled, auto login will be turned off for that other method. Auto login can be activated for only one method at a time.

   Delete – This option is used to delete external login method.

You can also change the position of external identity providers using drag and drop.

Add External login method

Just above the list is the Add External login method button; click it to create a new external login method.

The first step is to select the appropriate login method (provider type) from the list. Default types are OpenID Connect, WS-Federation, SAML2, BankID and GrandID.

After selecting a login method, you get a list of default properties that need to be edited based on the selected login method.

OpenID Connect

   Name – insert login method name

   Image - choose image which will be shown on login page

   Authority - this information depends on the external login method settings

   Client ID - this information depends on the external login method settings

   Client Secret - this information depends on the external login method settings

   Parameters – you can define predefined parameters to be sent with the initial request, as required by some OpenID external authorities. A parameter is formed by entering a name and a value in the format that suits your needs, e.g. Name: Doxproject, value: demo.

   Black List Name Ids - If you want to prevent a user from logging into the system with a certain nameid value, enter the nameid value in this field
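A check that can be run on an Authority value before it is entered, shown as an added example that is not part of NSP or its documentation. It assumes the provider publishes a standard OpenID Connect discovery document; the host login.example.test, the sample document and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of a discovery document, as a provider would serve it at
# <Authority>/.well-known/openid-configuration (hypothetical provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.test/tenant1",
    "authorization_endpoint": "https://login.example.test/tenant1/authorize",
    "token_endpoint": "https://login.example.test/tenant1/token",
    "jwks_uri": "https://login.example.test/tenant1/keys",
}

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(authority: str) -> str:
    """Discovery URL for an Authority value (OpenID Connect Discovery 1.0)."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_authority(authority: str, discovery: dict) -> list:
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    if urlsplit(authority).scheme != "https":
        problems.append("Authority is not an https URL")
    # Discovery requires the issuer in the document to match the URL the
    # document was retrieved for. A trailing slash is tolerated here, which
    # is a choice made for this example.
    issuer = discovery.get("issuer", "")
    if issuer.rstrip("/") != authority.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r}")
    # Every endpoint the client will talk to must be present and use https.
    for key in ENDPOINT_KEYS:
        value = discovery.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    return problems
```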

WS-Federation

   Name – insert login method name

   Image - choose image which will be shown on login page

   Metadata Address - insert the metadata address. This address depends on the external login method; append the following path to it: /federationmetadata/2007-06/federationmetadata.xml

   Wtream (the WS-Federation wtrealm parameter) – this information depends on the external login method settings

   Black List Name Ids - If you want to prevent a user from logging into the system with a certain nameid value, enter the nameid value in this field

SAML2

   Name – insert login method name

   Image - choose image which will be shown on login page

   Metadata Address - insert the metadata address. This address depends on the external login method; append the following path to it: /federationmetadata/2007-06/federationmetadata.xml

   Entity id – this information depends on the external login method settings

   Service Provider Entity ID - this information depends on the external login method settings

   Black List Name Ids - If you want to prevent a user from logging into the system with a certain nameid value, enter the nameid value in this field

BankID

   Name – insert login method name

   Image - choose image which will be shown on login page

   Target – select whether the BankID will be started from the same device, other device or any device

   Client Certificate – upload BankID Client Certificate

   CA Certificate – upload your CA Certificate

   Black List Name Ids - If you want to prevent a user from logging into the system with a certain nameid value, enter the nameid value in this field

GrandID

   Name – insert login method name

   Image - choose image which will be shown on login page

   ApiKey – insert your API key from Svensk e-identitet

   BankID Service Key – insert your BankID service key from Svensk e-identitet

   Target – select whether the BankID will be started from the same device, other device or any device

   Black List Name Ids - If you want to prevent a user from logging into the system with a certain nameid value, enter the nameid value in this field

IDPorten

   Name – insert login method name

   Image - choose image which will be shown on login page

   Authority – this field contains the authority URL for IDPorten (example: https://oidc-ver2.difi.no/idporten-oidc-provider/)

   Client – this field contains the Client Integration Identifier from IDPorten

   Client Secret – this field contains the Client Secret from IDPorten

   Black List Name Ids - If you want to prevent a user from logging into the system with a certain nameid value, enter the nameid value in this field

 

Adjust Settings in IDPorten portal:

Application type: web

Valid redirect URI: NSP AuthServer URL/providerID

(example: https://nsp-auth.nspnilex.se/idporten:nspidporten)

You can find the NSP ProviderID by clicking the View button in the external login methods list.

Valid logout redirect URI: NSP AuthServer URL

(example: https://nsp-auth.nspnilex.se/)

Frontchannel log out URI: NSP AuthServer URL/connect/endsession

(example: https://nsp-auth.nspnilex.se/connect/endsession)

Frontchannel log out requires session ID: true

Back-uri: NSP AuthServer URL

(example: https://nsp-auth.nspnilex.se/)
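The settings above, derived from the NSP AuthServer URL and ProviderID and compared with what is registered in the IDPorten portal. This is an added example, not part of NSP or IDPorten: the function names and the REGISTERED sample are constructed, and exact string comparison is an assumption of the example.

```python
from urllib.parse import urlsplit


def expected_idporten_settings(auth_server_url: str, provider_id: str) -> dict:
    """Build the values to register in the IDPorten portal for one login method."""
    parts = urlsplit(auth_server_url)
    # External login requires NSP to be published over HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("NSP AuthServer URL must be an absolute https URL")
    base = f"https://{parts.netloc}{parts.path.rstrip('/')}/"
    return {
        "Application type": "web",
        "Valid redirect URI": base + provider_id,
        "Valid logout redirect URI": base,
        "Frontchannel log out URI": base + "connect/endsession",
        "Frontchannel log out requires session ID": "true",
        "Back-uri": base,
    }


def diff_registration(expected: dict, registered: dict) -> dict:
    """Return {setting: (expected, registered)} for every value that differs.

    Values are compared character for character, so a missing trailing slash
    or an http scheme is reported as a mismatch (assumption of this example).
    """
    return {
        name: (want, registered.get(name))
        for name, want in expected.items()
        if registered.get(name) != want
    }


# Constructed sample: values copied out of the IDPorten portal by hand.
REGISTERED = {
    "Application type": "web",
    "Valid redirect URI": "https://nsp-auth.nspnilex.se/idporten:nspidporten",
    # Trailing slash missing:
    "Valid logout redirect URI": "https://nsp-auth.nspnilex.se",
    # http instead of https:
    "Frontchannel log out URI": "http://nsp-auth.nspnilex.se/connect/endsession",
    "Frontchannel log out requires session ID": "true",
    "Back-uri": "https://nsp-auth.nspnilex.se/",
}
```

Calling diff_registration(expected_idporten_settings("https://nsp-auth.nspnilex.se/", "idporten:nspidporten"), REGISTERED) reports the two settings that need correcting in the portal.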

 

Note: More information about external login methods can be read in documents included in NSP .msi package. See this document: