eidas-connector
Configuration Reference for the Swedish eIDAS Connector
The Swedish eIDAS Connector is built using the Spring Security SAML Identity Provider libraries. Therefore, all the configuration of the SAML IdP part of the Connector is done according to this library’s configuration, see below.
SAML IdP Configuration
See the Configuration for the Spring Security SAML Identity Provider.
eIDAS Connector Configuration
Description: Configuration specific for the eIDAS Connector.
Java class: ConnectorConfigurationProperties
| Property | Description | Type | Default value |
|---|---|---|---|
connector.domain |
The domain for the eIDAS connector. | String | - |
connector.base-url |
The base URL of the Connector, including protocol, domain and context path. | String | https://${connector.domain}${server.servlet.context-path} |
connector.backup-directory |
Directory where caches and backup files are stored during execution. | File | - |
connector.development-mode |
Tells whether we are running the connector in “development mode”. This can mean that we allow any TLS server certificates or that other settings are setup with less security. | Boolean | false |
connector.country |
The country code for the eIDAS Connector. | String | SE |
connector.idp.* |
Configuration for the IdP part of the eIDAS Connector. See Connector IdP Configuration below. | ConnectorIdpProperties | - |
connector.eidas.* |
The configuration for the eIDAS authentication. See eIDAS Authentication Configuration below. | EidasAuthenticationProperties | - |
connector.eu-metadata.* |
Configuration for retrieval of aggregated EU metadata. See EU Metadata Configuration below. | EuMetadataProperties | - |
connector.prid.* |
Configuration for the PRID Service. | PridServiceProperties | - |
connector.idm.* |
Configuration for integration against the Identity Matching Service. | IdmProperties | Not active |
Connector IdP Configuration
Description: Configuration of the IdP part of the eIDAS Connector. Most part of this configuration is performed by configuring the Spring Security SAML Identity Provider. This section describes additional settings concerning the SAML IdP.
Java class: ConnectorIdpProperties
| Property | Description | Type | Default value |
|---|---|---|---|
supported-loas |
The authentication context class reference URI:s (i.e., LoA:s or Level of Assurance URI:s) supported by this IdP. | List of strings | See below. |
entity-categories |
The SAML metadata entity categories that this SAML IdP declares. See Entity Categories for the Swedish eID Framework for possible values. | List of strings | An empty list |
ping-whitelist |
A list of SAML entityID:s for the SP:s that are allowed to send special “eIDAS ping” authentication requests to the connector. If the list is empty, no ping requests will be served. | List of strings | An empty list (ping is disabled). |
By default the eIDAS Connector IdP will support the following authentication context class reference URI:s:
http://id.elegnamnden.se/loa/1.0/eidas-lowhttp://id.elegnamnden.se/loa/1.0/eidas-nf-lowhttp://id.elegnamnden.se/loa/1.0/eidas-subhttp://id.elegnamnden.se/loa/1.0/eidas-nf-subhttp://id.elegnamnden.se/loa/1.0/eidas-highhttp://id.elegnamnden.se/loa/1.0/eidas-nf-high
eIDAS Authentication Configuration
Description: The configuration for the eIDAS authentication.
Java class: EidasAuthenticationProperties
| Property | Description | Type | Default value |
|---|---|---|---|
entity-id |
The SAML entityID for the eIDAS SP. Note: Care should be taken if changing this value from its defaults since many eIDAS countries expect the entityID to be the same as the metadata location (which is fixed). |
String | ${connector.base-url}/metadata/sp |
credentials.* |
The credentials for the SP part of the eIDAS Connector. If not assigned, the keys configured for the SAML IdP will be used also for the SP. See Credentials Configuration for how to configure the different credentials. | CredentialConfigurationProperties | - |
provider-name |
The “provider name” that we should include in AuthnRequest messages being sent to the foreign country. |
String | “Swedish eIDAS Connector” |
requires-signed-assertions |
Whether we require signed eIDAS assertions. | Boolean | false |
preferred-binding |
The preferred binding to use when sending authentication requests. Possible values are urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
String | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
supported-name-ids |
An ordered list of supported NameID formats. | List of strings | persistent, transient, unspecified* |
skip-scoping-for |
Some eIDAS countries can not handle the Scoping element in AuthnRequest messages. This setting contains the country codes for those countries that we should not include this element for. |
List of strings | - |
metadata.* |
Configuration for eIDAS SP SAML metadata. See eIDAS SP Metadata Configuration below. | EidasSpMetadataProperties | - |
[*]:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
eIDAS SP Metadata Configuration
Description: Configuration for the eIDAS SP SAML metadata.
Java class: EidasSpMetadataProperties
The metadata configuration inherits from the https://github.com/swedenconnect/saml-identity-provider project and most of the configuration is documented for in the Metadata Configuration section. Below follows the settings that extend the above configuration.
| Property | Description | Type | Default value |
|---|---|---|---|
application-identifier-prefix |
The value to insert for the eIDAS entity category http://eidas.europa.eu/entity-attributes/application-identifier. The current version of the connector will always be appended to this value. |
String | SE:connector: |
protocol-versions |
The values to use for the eIDAS entity category http://eidas.europa.eu/entity-attributes/protocol-version. |
A list of version strings. | - |
node-country |
The node country extension to include. | String | SE |
EU Metadata Configuration
Description: Configuration for retrieval of aggregated EU metadata.
Java class: EuMetadataProperties
| Property | Description | Type | Default value |
|---|---|---|---|
location |
The location of the metadata. Can be an URL, a file, or even a classpath resource. | Resource | - |
https-trust-bundle |
If location is an HTTPS resource, this setting may be used to specify a Spring SSL Bundle that specifies the trusted root certificates to be used for TLS server certificate verification. If no bundle is given, the Java trust defaults will be used. |
String | - |
backup-location |
If the location setting is an URL, a “backup location” may be assigned to store downloaded metadata. |
File | - |
validation-certificate |
The certificate used to validate the metadata. | Resource pointing at the certificate resource. | - |
skip-hostname-verification |
Whether to skip TLS hostname verification. Useful during testing. | Boolean | false |
http-proxy.* |
If the location setting is an URL and a HTTP proxy is required this setting configures this proxy. |
MetadataProviderConfigurationProperties.HttpProxy | - |
PRID Configuration
Description: Configuration for the PRID (Provisional Identifier) calculation.
Java class: PridServiceProperties
| Property | Description | Type | Default value |
|---|---|---|---|
policy-resource |
A Resource pointing at the file containing the PRID configuration, see eIDAS Connector Provisional Identifier (PRID) Calculation. | Resource | - |
update-interval |
Indicates how often the policy should be re-loaded (value is given in seconds). | Integer | 600 (10 minutes) |
Identity Matching Configuration
Description: Configuration for the integration against the Identity Matching service.
The connector needs to obtain a valid OAuth2 access token in order to invoke the Identity Matching API. Therefore, OAuth2 configuration settings need to be supplied.
Java class: IdmProperties
| Property | Description | Type | Default value |
|---|---|---|---|
active |
Whether the IdM feature is active or not. | Boolean | false |
service-url |
The URL to the Identity Matching service. Will be displayed in the “select country” view. | String | - |
api-base-url |
The base URL for the Identity Matching Query API. Must not end with a ‘/’. | String | service-url |
trust-bundle |
A reference to a Spring Boot SSL Bundle holding the trust configuration for TLS-calls against the IdM server. If no bundle is set, the system defaults are used. | String | - |
oauth2.client-id |
The Connector OAuth2 client ID. Used for check calls. | String | - |
oauth2.check-scopes |
The scope(s) to request for making check calls the IdM Query API. | List of strings | - |
oauth2.get-scopes |
The scope(s) to request for making get calls the IdM Query API. | List of strings | - |
oauth2.resource-id |
The OAuth2 ID for the Identity Matching service. | String | - |
oauth2.credential.* |
The credential to use for authentication against the Authorization Server (if the connector acts as an OAuth2 client) OR for use of signing of access tokens (if the connector also acts as an OAuth2 Authorization Server). If not assigned, the connector default credential will be used. See credentials-support for how to configure credentials. |
PkiCredentialConfigurationProperties | The default IdP credential |
oauth2.server.issuer |
Assigned when the connector acts as an OAuth2 AS. The issuer ID to use for the issued access tokens. | String | - |
oauth2.server.lifetime |
The duration (lifetime) for issued access tokens. | Duration | 1 hour |
Note: The connector either sends a token request to the configured OAuth2 Authorization Server in order to obtain the Access Token (client-settings should be supplied) OR the connector can act as an OAuth2 Authorization Server itself (server-settings should be set).
eIDAS Connector UI Configuration
Description: Configuration specific for the UI of the eIDAS Connector.
Java class: UiConfigurationProperties
| Property | Description | Type | Default value |
|---|---|---|---|
ui.languages[].* |
A list of the supported languages where the fields are tag containing the two-letter ISO-language code and text contains the text to display in the UI for changing to this language. |
List of language | - |
ui.selected-country-cookie.* |
Cookie settings for the cookie that is used to remember a user’s selection of a country (in between sessions). See Cookie Configuration below. | UiConfigurationProperties.Cookie | Default settings for the cookie with the name set to selectedCountry |
ui.selected-country-session-cookie.* |
Cookie settings for the cookie that is used to remember a user’s selection of a country within a session. Used for signing services. See Cookie Configuration below. | UiConfigurationProperties.Cookie | Default settings for the cookie with the name set to selectedCountrySession |
ui.idm-consent-session-cookie.* |
Cookie settings for the cookie that is used to remember a user’s consent to obtaining the user’s Identity Matching within a session. Used for signing services. See Cookie Configuration below. | UiConfigurationProperties.Cookie | Default settings for the cookie with the name set to idmConsentSession |
ui.idm-hide-banner-cookie.* |
Cookie settings for the cookie that controls whether the IdM banner (at the country selection page) should be hidden. See Cookie Configuration below. | UiConfigurationProperties.Cookie | Default settings for the cookie with the name set to idmHideBanner |
ui.accessibility-url |
URL to the eIDAS Connector web accessibility report. | String | - |
Cookie Configuration
Description: Configuration for a Connector cookie.
Java class: UiConfigurationProperties.Cookie
Java class: UiConfigurationProperties
| Property | Description | Type | Default value |
|---|---|---|---|
name |
The cookie name. | String | - |
domain |
The cookie domain. | String | ${connector.domain} |
path |
The cookie path. | String | ${server.servlet.context-path} |
Copyright © 2017-2025, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.