Step 1: Copy
the Redirect URI from IDaaSNets E-Ident is an identification broker service. You can integrate Nets E-Ident with IDaaS. When integrated, your users can log in using IDaaS authentication or log in using their Nets E-Ident credentials. For more information about Nets E-Ident Identity Provider, see https://www.nets.eu/developer/E-Ident/getstarted/Pages/default.aspx.
Step 1: Copy
the Redirect URI from IDaaS1. In IDaaS, click 
> Security > Identity
Providers. The Identity Providers List
page appears.
2. Click Add. The Add Identity Provider page appears.
3. Locate the Redirect URI and copy it to a text file. You need this value in Step 2: Register with Nets E-Ident.
4. Save the
Step 2: Register
IDaaS with Nets E-Ident1. Contact Nets E-Ident to register IDaaS. Nets will provide you with an E-Ident/FTN Customer application context form to complete.
https://www.nets.eu/solutions/digitisation-services/Pages/Contact.aspx
2. In E-Ident/FTN Customer application context form, enter the following:
● Redirect URI—Enter the Redirect URI you copied in Step 1: Copy the Redirect URI from IDaaS.
● Style URL—The style URL is based on the Redirect URI (for example, https://<tenant>.trustedauth.com/api/oidc).
● Trusted Domain—The Trusted Domain is based on the Redirect URI (for example: <tenant>.trustedauth.com).
3. Once you complete the registration, Nets returns the following information:
● Merchant ID (for reference purposes only)
● Issuer
● Client ID
● Client Secret
You need this information to complete Step 3: Add Nets E-Ident as an Identity Provider in IDaaS.
Step
3: Add Nets E-Ident as an Identity Provider in IDaaS1. Before you begin, have the information that was provided to you when you completed the registration process in Step 2: Register IDaaS with Nets E-Ident. This includes the following:
● Issuer
● Client ID
● Client Secret
2. In
IDaaS, click >
Security > Identity Providers. The Identity Providers List page appears.
3. Click Add. The Add Identity Provider page appears.
4. Enter a Name for your Identity Provider, for example, Nets E-Ident.
5. In the Client ID field, paste the Client ID from Nets E-Ident registration.
6. In the Client Secret field, enter the Client Secret from Nets E-Ident registration.
7. In the Issuer field, enter the Issuer from Nets E-Ident registration.
8. Click Fetch Configuration to obtain the fields for the OIDC Endpoints and populate the Scopes.
Note: If the Identity Provider uses User Info Endpoint is used, then select Require User Info Signature if you want to require signature verification for responses to requests for user information. If this is enabled, then User Info responses must be signed.
9. Enter the Requested information from the Identity Provider.
a. Enter the Scopes. OIDC sends scopes to the Identity Provider to retrieve information.
Associated with each scope are claims. The Identity Provider returns multiple claims based on the requested scopes. The openid scope is mandatory to do authentication or verification.
b. Enter the ID Tokens Claims. Separate each value with a space. Leave this setting blank to omit the feature.
Id token claims requests from the Identity Provider define specific claims that can also be requested for inclusion in the returned id token. This can be used in addition to the requested scopes.
c. Enter the User Information Claims. Separate each value with a space. Leave this setting blank to omit the feature.
User information claims requests from the Identity Provider define specific claims that can also be requested for inclusion in the returned userinfo response. This can be used in addition to the requested scopes.
10. Enter the Max Authentication Age to set the allowed elapsed time, in seconds, since the last time a user was actively authenticated at the Identity Provider.
For example, if you set a value of 300 seconds, if a user authenticated with the Identity Provider more than 300 seconds ago, they must re-authenticate. Leave this setting blank to omit this feature.
11. Enter the Auth Method Request Values that are used by your Identity Provider. Separate each value with a space. Leave this setting blank to omit this feature.
12. Configure Branding as follows:
a. Enter the Login Button Text. This is the text that appears on the IDaaS log in page.
b. If your Identity Provider has a login button image, enter the URL in the Login Button Image field. The login button appears on the IDaaS log in page.
13. Configure User Management by mapping the users using one of the following options:
a. Select Create User to create the user whose information is returned from the Identity Provider if it does not already exist.
Attention: Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP will be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large userbase. Analyze the risks before enabling this option.
b. Select Update User (Authentication) to update the IDaaS user to match the Identity Provider during authentication.
If you select Update User (Authentication), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user authentication, if the user exists in IDaaS, IDaaS compares the attributes of the existing user to the claims returned from the Identity Provider If they are different, the IDaaS user attributes are updated with the claim values.
c. Select Update User (Verification) to update the IDaaS user to match the Identity Provider during verification.
If you select Update User (Verification), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user verification, the IDaaS user attributes are updated with the claim values.
14. Configure Groups and role mapping.
a. Select applicable groups from the Select Group drop-down list to assign created users to groups.
b. In the Group Mapping field, enter the claim containing the group membership for users.
Only existing groups are mapped. If a group is not found, it is not mapped. The mapping does not remove any existing groups. If group mapping is not configured, existing groups remain.
Attention: Group Mapping allows anyone with access to this Identity Provider to have their IDaaS groups include the groups defined by the Identity Provider. Groups set the policies applied to users. Enabling this setting could result in users having access to unexpected policies, especially if the Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
c. In the Role Mapping field, enter the claim containing the role membership for users.
Only existing roles are mapped. If the role is not found, it is not mapped. The mapping does not remove an existing role. If a role is mapped and is different from the existing role, the existing role is replaced. If role mapping is not configured and if there is an existing role exist, the existing role remains.
Attention: Role Mapping allows anyone with access to this Identity Provider to have their IDaaS account role defined by the Identity Provider, including the super administrator role that has access to all the resources controlled by your IDaaS account. Enabling this setting could result in unexpected access, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
15. Configure User Authentication as follows:
a. Select Enabled for User Authentication.
During authentication, the Identity Provider returns a claim value that is used to find the IDaaS user based on a user attribute. The attribute mappings in the claim must uniquely identify the IDaaS user for mapping to be successful. If mapped successfully, the Identity Provider can be used as an alternative authentication method.
b. From the drop-down list, select the User Attribute used to identity the user to map a claim returned from the Identity Provider to the IDaaS user (for example, User ID/Alias).
c. Enter the Claim used to identify the user, (for example, email).
Example: If you set User ID/Alias as the user attribute, and you set email as the claim to use, the email address is then used to locate the user in IDaaS using the user's User ID/Alias value.
Note:
A claim value must be mapped for mandatory system attributes. If you
do not map a claim value, user creation fails. Claim values must be
valid (for example, the Email attribute
requires a valid email address). Prior to mapping claims to attributes,
confirm with your Identity Provider that the claim value exists.
The same also applies to any custom user attributes that are mandatory.
Prior to mapping claims to attributes, confirm with your Identity
Provider that the claim value exists.
d. Configure at least one User Match Mapping.
– You must configure at least one matching attribute.
– Every configured attribute must match the corresponding Identity Provider claim value and the IDaaS user attribute, which must both exist and match.
– User matching is case-insensitive.
– You can map both system and custom user attributes.
16. Optional. Under User Verification, do the following:
a. Select Enable for User Verification if you want the Identity Provider to be used for verification. For example, you want do this to allow an Open ID Connect Identity Provider to validate a user's photo or private identification information and return corresponding claims that are mapped to the IDaaS user attributes.
b. Configure at least one User Match Mapping.
– You must configure at least one matching attribute.
– Every configured attribute must match the corresponding Identity Provider claim value and the IDaaS user attribute, which must both exist and match.
– User matching is case insensitive.
– You can map both system and custom user attributes.
Note: See Manage policies, registration, and verification for more information on the verification process.
17. Click Save.