This article is intended for organizations that are evaluating or planning to integrate SuisseID user authentication services into their environment or software. The SuisseID Identity Provider (IDP) provides authentication and qualified attribute services.
The authentication services include the SuisseID Smartcard and the SuisseID Mobile Service (two-factor authentication with username/password and SMS passcode). User attributes are qualified on the basis of official documents (e.g. a passport) and a face-to-face validation.
Transport of authentication and attribute information between the SuisseID Identity Provider and the relying parties is based on the SAML2 specification.
The IDP Login is different from "direct" X.509 authentication. Many applications (e.g. Apache HTTPD) provide certificate login capabilities directly. The IDP Login, however, is based on the SAML2 HTTP-POST Browser Profile. With IDP Login, the user still authenticates using the SuisseID certificate (or the Mobile Service), but against the IDP, not the application. The IDP then generates a signed SAML token which is consumed by the application. This approach gives better support for mobile devices and allows the application to retrieve qualified user attributes from the Identity Provider.
Prior to looking into how integration can be done, it is useful to examine the following questions:
Requirements for SuisseID integration vary and existing environments are diverse. Here are some typical scenarios in which the integration approach and the choice of SAML framework are similar.
Internet-facing portals (e.g. swisslos.ch, guichet.jura.ch) offer or mandate SuisseID IDP authentication. This type of portal often integrates SuisseID authentication programmatically, either via the SuisseID SDK/Java, the SuisseID SDK/.Net or any other SAML2-capable SDK (OpenSAML, OIOSAML, SimpleSAMLphp, Shibboleth). The advantage of this approach is that it provides great flexibility in how the SAML protocols are used.
SuisseID authentication can be added to existing enterprise security frameworks (i.e. identity and access management). In this case the technical integration depends on the existing technology. Often there is very limited flexibility, as existing technologies rarely provide programmatic extension points. The SuisseID IDP is then typically integrated as a standard SAML2 identity provider. For guidelines on how to integrate Microsoft Active Directory Federation Services (ADFS), see the resources section.
Cloud services like Google Apps and salesforce.com provide standard SAML interfaces for third-party authentication. These applications are "black boxes" that support only a subset of SAML, so the integration is application specific. For guidelines on how to integrate Google Apps, see the resources section.
In a fully integrated internet portal scenario, the user will typically find a SuisseID button on the web application to trigger login via SuisseID. A SuisseID smartcard (e.g. via USB reader) should be inserted prior to opening the web browser. This example from swisslos.com illustrates a SuisseID login button on the front page:
After clicking the SuisseID login button, the user's browser is redirected to the SuisseID IDP authentication URL. If the smartcard was inserted, the browser will prompt for the PIN (otherwise the user might reach the SuisseID Mobile Service context). After successful authentication at the SuisseID IDP, the user must agree to disclose data to the web portal which initiated the login. The confirmation dialogue is a post-processing step of the authentication and is mandatory before any user data is sent to the relying party.
After confirming the disclosure of data, the user is returned to the initiating web portal.
The diagram depicts the SAML login via the HTTP-POST binding: the user initiates the process, the Service Provider issues a SAML AuthnRequest to the Identity Provider, and after successful user authentication the Identity Provider returns a digitally signed SAML token to the Service Provider so that the user can be logged in locally.
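The exchange just described, as an added example that is not part of this article or of the SuisseID SDK: a minimal Service Provider side in Python using only the standard library. It builds the AuthnRequest for the HTTP-POST binding, remembers the request ID, and runs the checks a relying party has to apply to the returned Response before trusting the attributes in it (Success status, InResponseTo against the outstanding requests, Destination and bearer Recipient, issuer, validity window with a small clock skew, audience). All entity IDs and URLs are constructed placeholders, the attribute name `SuisseIDNumber` and the sample IDP response are constructed for the test, and XML-signature verification against the IDP's signing certificate is delegated to a caller-supplied function because the standard library has no XML-DSig support.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the SAML 2.0 Core specification.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed Service Provider / IDP configuration (placeholders, not real endpoints).
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
SP_ACS_URL = "https://sp.example.invalid/saml/acs"
IDP_ENTITY_ID = "https://idp.example.invalid/saml"
IDP_SSO_URL = "https://idp.example.invalid/saml/sso"


class SamlValidationError(Exception):
    pass


def _iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_authn_request(outstanding, now):
    """Return (request_id, SAMLRequest form value) for the HTTP-POST binding.

    The request ID is remembered in `outstanding` so that the Response's
    InResponseTo can be matched later, and each ID is accepted only once.
    """
    request_id = "_" + secrets.token_hex(16)  # xs:ID may not start with a digit
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": IDP_SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    outstanding[request_id] = now
    return request_id, base64.b64encode(ET.tostring(root)).decode("ascii")


def validate_response(saml_response_b64, outstanding, now, signature_verifier,
                      skew=timedelta(minutes=3)):
    """Check a SAMLResponse form value and return the assertion's attributes.

    `signature_verifier(response_element)` must verify the XML signature against
    the IDP's pinned signing certificate with an XML-DSig library; nothing below
    can be trusted before that check, so it runs first.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if not signature_verifier(root):
        raise SamlValidationError("signature verification failed")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("status is not Success")
    if root.get("Destination") != SP_ACS_URL:
        raise SamlValidationError("response was not addressed to our ACS URL")
    request_id = root.get("InResponseTo")
    if request_id not in outstanding:
        raise SamlValidationError("unsolicited or replayed response")
    del outstanding[request_id]  # each request ID is consumed exactly once
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one plain assertion")
    assertion = assertions[0]
    for elem in (root, assertion):
        if elem.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SamlValidationError("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    if now + skew < _parse(cond.get("NotBefore")) or now - skew >= _parse(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion is not for this Service Provider")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("bearer confirmation does not match this request")
    if now - skew >= _parse(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def build_sample_response(request_id, now):
    """Constructed, unsigned IDP response used only to exercise the checks above."""
    issued, expires = _iso(now), _iso(now + timedelta(minutes=5))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="{issued}" Destination="{SP_ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{expires}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="SuisseIDNumber">
      <saml:AttributeValue>0000-0000-0000</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode("ascii")
```

The outstanding-request dictionary is what ties the two halves of the browser round trip together: a Response whose InResponseTo is unknown, or has already been consumed, is rejected, which is the replay defence the bearer profile relies on. Encrypted assertions and the SuisseID-specific extensions (requesting attributes in the AuthnRequest, QC-signed attributes) are outside the scope of this example.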
A Service Provider generally has to address the following areas for a successful SuisseID IDP Login integration:
A common approach to mapping a user to a local account at the Service Provider is by the SuisseID number. If the user has already enrolled at the Service Provider and possesses a username and password, a preliminary step is that the user links the SuisseID number to this account. This typically requires a specific process at the Service Provider involving a login with username and password and, within the same session, a SuisseID login either through the IDP or via the X.509 certificate directly. The local account can then be linked to a SuisseID number and used for the account mapping process.
User registration (or enrollment) at the Service Provider can also integrate a SuisseID IDP login prior to finalizing the registration. The advantage here is that the IDP provides qualified user attributes like email address, first name, last name, date of birth, nationality, etc., so that the user does not need to type them again, and the Service Provider has the benefit that these attributes are verified. In this case, the linking of the local account to a SuisseID number can be done during the registration process.
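The account-linking and enrollment flows described in the two paragraphs above, as an added example that is not from this article or the SuisseID SDK: an in-memory Service Provider account store in Python. It enforces the stated precondition for linking (a password login and a SuisseID IDP login within the same session), maps later IDP logins to the linked account by SuisseID number, and creates accounts from verified IDP attributes during registration. The attribute name `SuisseIDNumber`, the SuisseID number values, the 10-minute freshness window for the IDP login and the rule that one SuisseID number links to at most one local account are assumptions of this example; the IDP attributes are taken to have already passed SAML validation.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed attribute name under which the IDP delivers the SuisseID number;
# the real attribute names come from the SuisseID specification, not from here.
SUISSEID_NUMBER_ATTR = "SuisseIDNumber"
LINK_WINDOW = timedelta(minutes=10)  # assumed: how fresh the IDP login must be to link


class AccountError(Exception):
    pass


class AccountStore:
    """In-memory Service Provider account store (constructed for illustration)."""

    def __init__(self):
        self._by_username = {}   # username -> account record
        self._by_suisseid = {}   # SuisseID number -> username (assumed: at most one)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_password_account(self, username, password):
        if username in self._by_username:
            raise AccountError("username already taken")
        salt = secrets.token_bytes(16)
        self._by_username[username] = {"salt": salt, "hash": self._hash(password, salt),
                                       "suisseid": None, "profile": {}}

    def login_with_password(self, session, username, password):
        acct = self._by_username.get(username)
        if acct is None or acct["hash"] is None or \
                not hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            raise AccountError("bad credentials")
        session["username"] = username

    def record_idp_login(self, session, idp_attrs, now):
        """Keep the (already validated) IDP attributes and their time in the session."""
        session["suisseid"] = idp_attrs[SUISSEID_NUMBER_ATTR]
        session["idp_attrs"] = idp_attrs
        session["idp_at"] = now

    def login_with_suisseid(self, session, idp_attrs, now):
        """Map the SuisseID number to a local account; None means not linked yet."""
        self.record_idp_login(session, idp_attrs, now)
        username = self._by_suisseid.get(session["suisseid"])
        if username is not None:
            session["username"] = username
        return username

    def link_suisseid(self, session, now):
        """Link the session's SuisseID number to the password-authenticated user."""
        username = session.get("username")
        if username is None:
            raise AccountError("password login required first")
        if "suisseid" not in session or now - session["idp_at"] > LINK_WINDOW:
            raise AccountError("fresh SuisseID login required in this session")
        number = session["suisseid"]
        if self._by_suisseid.get(number, username) != username:
            raise AccountError("SuisseID number already linked to another account")
        self._by_username[username]["suisseid"] = number
        self._by_suisseid[number] = username

    def register_with_suisseid(self, username, idp_attrs, now):
        """Enrollment pre-filled with verified IDP attributes; linked at creation."""
        number = idp_attrs[SUISSEID_NUMBER_ATTR]
        if username in self._by_username or number in self._by_suisseid:
            raise AccountError("username or SuisseID number already in use")
        profile = {k: v for k, v in idp_attrs.items() if k != SUISSEID_NUMBER_ATTR}
        self._by_username[username] = {"salt": None, "hash": None,
                                       "suisseid": number, "profile": profile}
        self._by_suisseid[number] = username

    def suisseid_of(self, username):
        return self._by_username[username]["suisseid"]

    def profile(self, username):
        return self._by_username[username]["profile"]
```

Accounts created through `register_with_suisseid` have no password hash and can only be entered via the IDP; whether such an account may later set a password is a product decision the store leaves open.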
Before utilizing the IDP for authentication, a Service Provider must register at the Service Provider Registration page (see ). Note that some parameters might depend on the SAML framework used (e.g. assertion consumer URL, issuer name).
A great level of flexibility is offered by SAML software development kits. They allow control over request generation and response validation, as opposed to "black-box" SAML implementations which typically allow only configuration, not programmatic customization.
The SuisseID SDK (in Java and .Net) is intended specifically for those Service Providers who wish to use SuisseID-specific extensions, like requesting attributes in an AuthnRequest or validating QC-signed attributes transmitted by the IDP.
Security Assertion Markup Language. (2014, May 22). In Wikipedia, The Free Encyclopedia. Retrieved 13:33, May 22, 2014, from https://en.wikipedia.org/w/index.php?title=Security_Assertion_Markup_Language&oldid=609667390
Technote: Integrating the SuisseID IDP as an ADFS Claims Provider
Technote: SuisseID IDP Claims Mapping into ADFS
Technote: GoogleApps Integration with SuisseID IDP Authentication
SuisseID 1.5 Specification: https://www.ech.ch/vechweb/page?p=dossier&documentNumber=eCH-0113&documentVersion=1.0
SAML 2 Core Specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
SAML 2 Bindings Specification: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
Service Provider Registration: https://postsuisseid.ch/de/support/anleitungen/techdoc/service-provider-registration
SuisseID SDK/Java and .Net: https://www.e-service.admin.ch/wiki/display/suisseid/Home
OpenSAML2: https://wiki.shibboleth.net/confluence/display/OpenSAML/Home