4.2. Implementation via SAML

SAML is a protocol that historically precedes the newer OpenID protocols. If your system already supports SAML (for example an installation of the Shibboleth system or similar), you can also use this protocol to enable MojeID.

The SAML 2.0 implementation is based on the specifications available at https://wiki.oasis-open.org/security/FrontPage.

To enable MojeID, you need to send the service’s metadata to techsupport@mojeid.cz, and you might also need to register the MojeID metadata published at https://mojeid.cz/saml/idp.xml. The certificate listed in the metadata can change, so the metadata needs to be updated from time to time. The metadata signature can be verified using the certificate at https://mojeid.cz/saml/cert.
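Because the signing certificate in the IdP metadata can change, a service provider benefits from noticing the rotation before assertions start failing signature checks. The script below is an added example written for this section, not code from the MojeID documentation or project: it parses IdP metadata with the standard library, extracts the SHA-256 fingerprints of the signing certificates and compares them with the set the service provider currently trusts. The metadata, entityID and certificate bytes are constructed placeholders (the certificate is not a real X.509 certificate). The script does not verify the XML signature over the metadata itself; that step needs an xmlsec-based library and the certificate from https://mojeid.cz/saml/cert, and this check is meant to run after it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample IdP metadata for this example. The certificate body is
# placeholder bytes, not a real X.509 certificate, and the entityID and
# endpoint are placeholders; the real MojeID metadata is the file published
# at https://mojeid.cz/saml/idp.xml.
PLACEHOLDER_DER = b"placeholder-certificate-bytes-not-a-real-x509-cert"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def entity_id(metadata_xml: str) -> str:
    """The entityID the IdP names itself by; compare it with the value you configured."""
    return ET.fromstring(metadata_xml).get("entityID", "")


def signing_cert_fingerprints(metadata_xml: str) -> List[str]:
    """SHA-256 fingerprints (hex) of every certificate the IdP may sign with.

    A KeyDescriptor without a "use" attribute is valid for both signing and
    encryption, so it is included as well. Certificate text in metadata is
    often wrapped across lines, hence the whitespace stripping.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def compare_with_pinned(metadata_xml: str, pinned: Set[str]) -> Dict[str, Set[str]]:
    """Report signing certificates that appeared or disappeared relative to
    the set the service provider currently trusts, so a refresh can be
    scheduled (or alerted on) before assertions start failing verification."""
    current = set(signing_cert_fingerprints(metadata_xml))
    return {
        "unchanged": current & pinned,
        "added": current - pinned,
        "removed": pinned - current,
    }


if __name__ == "__main__":
    # Pretend the service provider pinned a certificate that is no longer listed.
    trusted = {"0" * 64}
    print("entityID:", entity_id(SAMPLE_METADATA))
    for key, value in compare_with_pinned(SAMPLE_METADATA, trusted).items():
        print(f"{key}: {sorted(value)}")
```

Run it periodically against the freshly downloaded metadata; a non-empty "added" set means a new signing certificate has been published and the pinned set must be updated, while a non-empty "removed" set means a certificate you still trust is no longer advertised by the IdP.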

Because SAML messages are base64-encoded and deflated, you can convert them into readable XML for debugging purposes (for example with https://www.samltool.com/decode.php).
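The same decoding can be done locally, which avoids pasting messages that carry user data into a third-party web tool. The script below is an added example for this section, not code from the MojeID documentation or project. It encodes and decodes a SAML message for both the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding, as in the SAMLRequest query parameter) and the HTTP-POST binding (base64 only, as in the SAMLResponse form field), and caps the inflated size so a corrupt or deliberately oversized payload is rejected instead of exhausting memory. The AuthnRequest, its ID, issuer and destination are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import quote, unquote
from xml.dom import minidom

# Constructed sample AuthnRequest for the demonstration; the ID, issuer and
# destination are placeholders, not real MojeID or service-provider values.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-request-id" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.invalid/saml/sso">'
    '<saml:Issuer>https://sp.example.invalid/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Upper bound on the decoded size: a real SAML message inflates to a few KB,
# so anything much larger is either corrupt or a decompression bomb.
MAX_DECODED_BYTES = 1_000_000


def encode_saml_message(xml_text: str, binding: str) -> str:
    """Encode a SAML message the way it appears on the wire.

    "redirect": raw DEFLATE (no zlib header), base64, then URL-encoding.
    "post":     base64 only.
    """
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
        data = comp.compress(data) + comp.flush()
        return quote(base64.b64encode(data).decode("ascii"), safe="")
    if binding == "post":
        return base64.b64encode(data).decode("ascii")
    raise ValueError(f"unknown binding: {binding}")


def decode_saml_message(value: str, binding: str,
                        max_bytes: int = MAX_DECODED_BYTES) -> str:
    """Reverse encode_saml_message, refusing truncated or oversized input."""
    if binding == "redirect":
        data = base64.b64decode(unquote(value))
        inflater = zlib.decompressobj(-15)
        out = inflater.decompress(data, max_bytes)
        # eof stays False both when the stream was cut short and when the
        # output limit stopped inflation before the end of the stream.
        if not inflater.eof:
            raise ValueError("deflated payload is truncated or exceeds the size limit")
        data = out
    elif binding == "post":
        data = base64.b64decode(value)
        if len(data) > max_bytes:
            raise ValueError("payload exceeds the size limit")
    else:
        raise ValueError(f"unknown binding: {binding}")
    return data.decode("utf-8")


def pretty_print(xml_text: str) -> str:
    """Indent the XML for reading. minidom does not limit entity expansion,
    so only feed it messages that have already been size-capped as above."""
    return minidom.parseString(xml_text).toprettyxml(indent="  ")


if __name__ == "__main__":
    wire = encode_saml_message(SAMPLE_AUTHN_REQUEST, "redirect")
    print("SAMLRequest=" + wire)
    print(pretty_print(decode_saml_message(wire, "redirect")))
```

For a captured redirect, pass the SAMLRequest query-parameter value with binding "redirect"; for a captured POST form, pass the SAMLResponse field value with binding "post". A ValueError on a redirect payload means either the capture is incomplete or the message inflates beyond the cap.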

The list of data that can be transferred by the protocol (including their identifiers) is available in Appendix 3 – List of Data to be Handed Over (SAML) and Appendix 4 – List of Data to be Handed Over (SAML specs.nic.cz).

Examples of error messages and their solutions can be found in Appendix 6 – Examples and Solution of Error Messages.

4.2.1. Identity verification request with a NIA-paired account

Identity verification with a NIA-paired MojeID account is requested using the AuthnContextClassRef (Authentication Context Class Reference) element. The values for requesting a specific level of assurance are summarised in the table below.

AuthnContextClassRef                      Description
http://eidas.europa.eu/LoA/substantial    eIDAS level of assurance “substantial”
http://eidas.europa.eu/LoA/high           eIDAS level of assurance “high”

Usage example:

<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://eidas.europa.eu/LoA/substantial
</saml:AuthnContextClassRef>
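Requesting a level of assurance is only half of the job: the service provider must also check that the assertion it receives actually carries a level at least as strong as the one requested, otherwise a lower-assurance login would be accepted for a high-assurance action. The script below is an added example for this section, not code from the MojeID documentation or project. It builds the RequestedAuthnContext element that wraps the AuthnContextClassRef shown above, reads the AuthnContextClassRef from the AuthnStatement of a received assertion, and compares the two using the eIDAS ordering (“high” satisfies a request for “substantial”, not the reverse). The sample Response, its IDs and issuer are constructed placeholders, and the comparison assumes the assertion's signature, issuer, audience and validity window have already been verified by your SAML library.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", NS_SAML)
ET.register_namespace("samlp", NS_SAMLP)

LOA_SUBSTANTIAL = "http://eidas.europa.eu/LoA/substantial"
LOA_HIGH = "http://eidas.europa.eu/LoA/high"
# eIDAS ordering: a higher level satisfies a request for a lower one.
LOA_RANK = {LOA_SUBSTANTIAL: 1, LOA_HIGH: 2}

# Constructed sample Response; IDs, issuer and timestamps are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_placeholder-response-id" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
    <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:04Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{LOA_HIGH}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_requested_authn_context(loa: str) -> str:
    """The RequestedAuthnContext element to place inside the AuthnRequest.

    No Comparison attribute is set, so the SAML default ("exact") applies,
    matching the bare AuthnContextClassRef usage shown in the documentation.
    """
    if loa not in LOA_RANK:
        raise ValueError(f"unknown level of assurance: {loa}")
    rac = ET.Element(f"{{{NS_SAMLP}}}RequestedAuthnContext")
    ref = ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef")
    ref.text = loa
    return ET.tostring(rac, encoding="unicode")


def asserted_loa(response_xml: str) -> Optional[str]:
    """The AuthnContextClassRef the IdP asserted, or None if absent."""
    root = ET.fromstring(response_xml)
    ref = root.find(
        f".//{{{NS_SAML}}}AuthnStatement/{{{NS_SAML}}}AuthnContext/"
        f"{{{NS_SAML}}}AuthnContextClassRef"
    )
    if ref is None or not ref.text:
        return None
    return ref.text.strip()


def loa_satisfies(asserted: Optional[str], requested: str) -> bool:
    """True only when the asserted level is a known eIDAS level at least as
    strong as the requested one. Unknown or missing values fail closed."""
    if asserted not in LOA_RANK or requested not in LOA_RANK:
        return False
    return LOA_RANK[asserted] >= LOA_RANK[requested]


def accept_for_level(response_xml: str, requested: str) -> bool:
    """Gate a high-assurance operation on the level the assertion carries."""
    return loa_satisfies(asserted_loa(response_xml), requested)


if __name__ == "__main__":
    print(build_requested_authn_context(LOA_SUBSTANTIAL))
    print("asserted:", asserted_loa(SAMPLE_RESPONSE))
    print("accept for substantial:", accept_for_level(SAMPLE_RESPONSE, LOA_SUBSTANTIAL))
    print("accept for high:", accept_for_level(SAMPLE_RESPONSE, LOA_HIGH))
```

The check fails closed: an assertion with no AuthnStatement, an empty AuthnContextClassRef, or a class reference outside the two eIDAS values from the table is rejected rather than silently treated as the lowest level.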