...
Many eID implementations across EU are offering OAuth 2.0 based integration options.
ID Austria (
...
Austria)
Test Environment - USP Service "E-ID Serviceprovider (Q)"
Info |
---|
Please also see the following documentation about ID Austria (German documentation only): https://eid.egiz.gv.at/anbindung/direkte-anbindung/anbindung-oidc/ |
Step 1: Create "Service Provider" in USP.GV.AT
- Assign necessary "Verfahrensrechte"
as described in https://eid.egiz.gv.at/anbindung/registrierung/registrierung-von-privaten-service-providern/ - Create your Service provider
as described in https://eid.egiz.gv.at/anbindung/registrierung/registrierung-von-privaten-service-providern/ Undergo the necessary accreditation steps (on test environment (Q) the accreditation will be completed within one hour automatically without "real" accredidation)
On every status change, you will get an automatic email so that you know when you can proceed:From: sp-registrierung@brz.gv.at <sp-registrierung@brz.gv.at>
To: <your USP registered email address>
Subject: Status Ihres ServiceProvider "eSignAnyWhere Demo" wurde aktualisiert. Umgebung Q
Sehr geehrte Damen und Herren,
Der Status eines Ihrer Serviceprovider "<Service Provider name)" wurde geändert. Für mehr Informationen gehen Sie bitte auf <Link to USP administrative interface for the service provider>.
Mit freundlichen Grüßen- Don't forget to activate your service provider version.
As a result, you know the (self-defined) client-ID (must be an URL) and your client-secret.
Step 2: Configure eSignAnyWhere
Open Settings > Identity Providers and add a new OAuth2 provider. Enter the ID Austria credentials and configuration values as below.
Client ID: | your Client ID |
Client Secret: | your Client Secret |
Scope: | openid profile |
Authorization URI: | https://eid2.oesterreich.gv.at/auth/idp/profile/oidc/authorize |
Token URI: | https://eid2.oesterreich.gv.at/auth/idp/profile/oidc/token |
Logout URI: | |
JWKS URI: | |
Issuer: | https://eid2.oesterreich.gv.at |
On-Off Sliders: |
The URIs are documented in https://eid.egiz.gv.at/anbindung/direkte-anbindung/anbindung-oidc/ - if above's URIs don't work, check if there was an update on this page.
Add the following field mapping configurations:
Field property path | Validate/Update | Data Field |
---|---|---|
given_name | Update | Recipient First Name |
family_name | Update | Recipient Last Name |
['urn:pvpgvat:oidc.bpk'] | Update | Disposable Certificate identification number |
After setting these values, the JWT and field mapping configuraiton should look similar to the following screenshot.
Please note that the disposable certificate identification number will be updated with this configuration. If you want to override the identification number as it is shown in the configuration please also make sure to add a disposable certificate for the signer.
Production Environment - USP Service "E-ID Serviceprovider"
Registration steps are similar to the one explained above for the test environment. Note that it requires for production use an acceditation and approval process triggered via USP, which may take some time.
Configuration is similar to the settings described above for "E-ID Serviceprovider (Q)" but with following changes (in short: "eid" instead of "eid2" in all URIs):
Authorization URI: | https://eid.oesterreich.gv.at/auth/idp/profile/oidc/authorize |
Token URI: | https://eid.oesterreich.gv.at/auth/idp/profile/oidc/token |
JWKS URI: | |
Issuer: | https://eid.oesterreich.gv.at |
Early Adopter Environment
Info |
---|
Please also see the following documentation about ID Austria (German documentation only): https://eid.egiz.gv.at/anbindung/direkte-anbindung/anbindung-oidc/ |
Step 1: Request early adopter access
Current process is published on ID Austria related technical documentation. In the past, it was a process that required to obtain client_secret via an email request.
We understood that registration for the "early adopter" environment is not available any more and interrested service providers should register for the "E-ID Serviceprovider (Q)" test environment via USP.GV.AT (see above).
Step 2: Configure eSignAnyWhere
Open Settings > Identity Providers and add a new OAuth2 provider. Enter the ID Austria credentials as below.
...
Field property path | Validate/Update | Data Field |
---|---|---|
given_name | Update | Recipient First Name |
family_name | Update | Recipient Last Name |
['urn:pvpgvat:oidc.bpk'] | Update | Disposable Certificate document typeidentification number |
Please note that the disposable certificate identification number will be updated with this configuration. If you want to override the identification number as it is shown in the configuration please also make sure to add a disposable certificate for the signer.
Czech BankID (Czech Republic)
...
- Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
- Open the Settings > Identity Providers page and add new OAuth Settings for User Authentication.
- Note in case of ADFS that there are no forward slashes at the end. A mistake with the URL will result in the setup not working.
Provider Name | If "Share on login page" is enabled, this name will be displayed on the login page, so make sure it identifies your organization. e.g.: ADFS Oauth for <Organization name> |
Direct access url | If "Share on login page" is disabled, this link is needed to login to eSignAnyWhere with OAuth 2.0. Make sure you bookmark this link. |
Redirect Url | This is already set and has to be added in the Application Group. We already entered this URL in Step 1. Make sure it is the correct URL. |
Client Id | your Client Identifier from Step 1 |
Client Secret: | The shared secret that you saved earlier. |
Scope: | openid email |
Authorization URI: | https://FQDN/adfs/oauth2/authorize |
Token URI: | https://FQDN/adfs/oauth2/token |
Logout URI: | can be blank |
Share on login page | Depending on the server settings this property might not be visible to you. If enabled your provider name will show up on the login page. |
JWKS URI: | https://FQDN/adfs/discovery/keys |
Issuer: | Click on "Add field" and enter "email" and map it to "User Email Address" |
- Click on Update to save the configuration
- Click on the slider to enable the OAuth provider
...