Consuming identities from eIDAS IdP

CAS can be configured to accept identities from eIDAS IdP, thus enabling government (and other) institutions in the European Union to authenticate users (citizens) against their eIDAS providers. Users then can access and use various government agendas through the internet.

eIDAS standard builds upon the SAML2 authentication protocol and the configuration of the provider is analogous to the configuration of generic SAML2 IdP Delegated Authentication.

Registering CAS at eIDAS IdP

Registration process is subject to local laws and may differ between countries. Consult your IdP documentation.

Integrating with eIDAS IdP

During the registration process at the IdP, you need to provide the CAS’s (SP) metadata. CAS creates them automatically based on the provided configuration.

Create new configuration file in the /data/volumes/cas/cas.properties.d/. In this example, we will use name 002_eIDAS.properties. For details, see the commented example below.

Please note this is a somewhat minimal example and some metadata fields (organization, contact information, etc.) are missing. Full list of configuration options can be found here.
002_eIDAS.properties
# Path to IdP metadata file. If you provide URL, CAS will automatically refresh the metadata.
# If you provide local file, the refresh is up to you.
cas.authn.pac4j.saml[0].identity-provider-metadata-path=https://someidp.eidas/url/path/FederationMetadata.xml
# If using local metadata file, we recommend to put it into /etc/cas/saml/ .
#cas.authn.pac4j.saml[0].identity-provider-metadata-path=/etc/cas/saml/eid-idp-FederationMetadata.xml

# Our (SP) metadata location.
cas.authn.pac4j.saml[0].service-provider-metadata-path=/etc/cas/saml/eid-sp-FederationMetadata.xml
# Internal name used by CAS, for example to generate redirects and hyperlinks.
cas.authn.pac4j.saml[0].client-name=eID
# Integration is enabled.
cas.authn.pac4j.saml[0].enabled=true
# Label on the clickable button on CAS login screen.
cas.authn.pac4j.saml[0].display-name=Citizen eID
# "Issuer" in the SAML2 AuthnRequest. Hostname should ideally match the ${cas.server.name}.
cas.authn.pac4j.saml[0].service-provider-entity-id=https://iam-appliance.tld/cas/samlsp-eid
# Whether to enable eIDAS attribute handling for this SAML2 integration.
# If false, it will behave like ordinary SAML2.
cas.authn.pac4j.saml[0].enable-eidas=true

# List of attributes to request from the IdP. See documentation of your eIDAS provider for a complete list.
# Each attribute has four configuration properties. Name-format is URI by default.
#
#cas.authn.pac4j.saml[0].requested-attributes[0].name-format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri
cas.authn.pac4j.saml[0].requested-attributes[0].name=http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier
cas.authn.pac4j.saml[0].requested-attributes[0].friendly-name=PersonIdentifier
cas.authn.pac4j.saml[0].requested-attributes[0].required=true
#cas.authn.pac4j.saml[0].requested-attributes[1].name-format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri
cas.authn.pac4j.saml[0].requested-attributes[1].name=http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName
cas.authn.pac4j.saml[0].requested-attributes[1].friendly-name=CurrentGivenName
cas.authn.pac4j.saml[0].requested-attributes[1].required=true
#cas.authn.pac4j.saml[0].requested-attributes[2].name-format=urn:oasis:names:tc:SAML:2.0:attrname-format:uri
cas.authn.pac4j.saml[0].requested-attributes[2].name=http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName
cas.authn.pac4j.saml[0].requested-attributes[2].friendly-name=CurrentFamilyName
cas.authn.pac4j.saml[0].requested-attributes[2].required=true
# ... other attributes as needed ...

# Level of Assurance (LoA).
cas.authn.pac4j.saml[0].authn-context-class-ref=http://eidas.europa.eu/LoA/low
cas.authn.pac4j.saml[0].authn-context-comparison-type=minimum

# Signatures. May need fiddling.
cas.authn.pac4j.saml[0].sign-authn-request=true
cas.authn.pac4j.saml[0].sign-service-provider-logout-request=true
cas.authn.pac4j.saml[0].sign-service-provider-metadata=true

# Where to generate and store certificates for our SP.
cas.authn.pac4j.saml[0].keystore-path=/etc/cas/saml/eid-sp-keystore.jks
cas.authn.pac4j.saml[0].keystore-password=*****
cas.authn.pac4j.saml[0].private-key-password=*****

# This is handy so you can recognize SP's certificates at the first sight.
cas.authn.pac4j.saml[0].certificate-name-to-append=eid
# Default is SHA-1 which is too weak.
cas.authn.pac4j.saml[0].certificate-signature-alg=SHA256WithRSA

# Debugging, if needed.
#cas.authn.pac4j.saml[0].all-signature-validation-disabled=true
#logging.level.org.pac4j=TRACE
#logging.level.org.opensaml=TRACE
#logging.level.org.apereo.cas=TRACE
#logging.level.net.shibboleth=TRACE

After you create the configuration, restart the CAS service. After it starts, access the login page from your browser. At this instant, CAS will generate SP metadata according to your configuration.

Caveats

There are number of caveats when integrating with eIDAS IdP’s.

  • SAML2 attribute request statement does not match the usual SAML2 format. That is why the enable-eidas=true/false switch is needed.

  • Only eIDAS SPType=public is supported at this time.

  • When there is not PersonIdentifier specified in the requested attributes, the eIDAS IdP may issue transient identifier.

  • When there is PersonIdentifier specified in the requested attributes, the eIDAS IdP will issue persistent identifier.

    • Such identifier has structure of XX/YY/????? where:

      • XX is the IdP country in ISO format.

      • YY is the SP country in ISO format.

      • ????? is the persistent identifier for the particular IdP-SP integration.

        • This identifier should not be used as user identifier for integrations with other government systems. It may or may not be viable for your use-case, though. Consult IdP documentation for details.

        • There is no guarantee on how the identifier will look (hex string, uppercase hex string, uuid, etc.) as this differs between countries.

  • eIDAS authentication standard allows only small subset of user information pass from one country to other. This severely limits its usability for retrieving information about persons from other EU countries. This is a limitation of the standard itself.

  • eIDAS uses AuthnContextClassRef with minimum comparison type and custom LoA levels.

    • This is not supported by CAS/pac4j out-of-box and is provided by our custom patch.

    • When using http://eidas.europa.eu/LoA in AuthnContextClassRef, the CAS automatically expects minimum comparison type.