CIE

Introduction

In this guide we will see how to enable login via CIE (the Italian electronic identity card, “Enter with CIE”) on a public domain.

Onboarding Process

Follow the guidance in the Operations Manual (Processo di Onboarding) up to point 4.2.2 - Autorizzazione alla federazione. These steps let a public or private entity apply to the Ministero dell'Interno to join the “Enter with CIE” identification scheme. Once the Ministero dell'Interno has approved the request, the Technical Data can be entered.

Creation of technical data

Precondition: the public IP address of the domain MUST be located in Italy, because the Ministero dell'Interno restricts access to Italian addresses only.

Before entering the data in the portal, following guide 4.2.3 - Inserimento dei dati tecnici di federazione, it is necessary to:

  1. Add a rewrite rule on the domain we want to protect with the “Enter with CIE” identification scheme;
  2. Generate the Entity Configuration (Federation Metadata); the Oplon procedure generates it, signs it and exposes it automatically.

Rewrite rule

To allow the domain to expose the Entity Configuration that we are going to generate, we must first apply the header rewrite rule called CIE-IDP-Simple on the domain we intend to protect. To be compliant with log management, a digital certificate is required. Within the rewrite rule, we need to set three variables:

  1. CERT: path to the certificate file (must be in PKCS#12 format, i.e. a .p12 file);
  2. CERT_PWD: password protecting the PKCS#12 file;
  3. CERT_ALIAS: alias of the certificate entry inside the PKCS#12 file.

Variable example
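A wrong path, password or alias in these three variables only shows up when the rule fails at runtime, so it is worth checking them against the PKCS#12 file first. The following script is an added example, not part of the Oplon documentation or product: it drives the openssl command line (assumed to be installed) to build a throwaway self-signed PKCS#12 with a known alias and then verifies that a given CERT/CERT_PWD/CERT_ALIAS triple actually opens the file and names an entry in it. The certificate subject `rp.example.it` and the alias `cie-federation` are constructed sample values; in production you check the certificate your entity actually obtained.

```python
import os
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args, env_extra=None, input_bytes=None):
    """Run an openssl subcommand; return (returncode, stdout), stderr discarded."""
    env = {**os.environ, **(env_extra or {})}
    proc = subprocess.run(["openssl", *args], input=input_bytes,
                          capture_output=True, env=env)
    return proc.returncode, proc.stdout


def make_test_p12(directory, alias, password, cn="rp.example.it"):
    """Create a self-signed key+certificate and pack them as PKCS#12 under `alias`.

    Only for exercising check_p12 offline (constructed test material).
    The password is passed through the environment, not the command line,
    so it does not appear in the process list.
    """
    d = Path(directory)
    key, cert, p12 = d / "key.pem", d / "cert.pem", d / "cert.p12"
    rc, _ = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
                     "-subj", f"/CN={cn}", "-keyout", str(key), "-out", str(cert))
    if rc:
        raise RuntimeError("openssl req failed")
    rc, _ = _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(cert),
                     "-name", alias, "-passout", "env:P12_PWD", "-out", str(p12),
                     env_extra={"P12_PWD": password})
    if rc:
        raise RuntimeError("openssl pkcs12 -export failed")
    return str(p12)


def check_p12(cert_path, cert_pwd, cert_alias, min_days=30):
    """Validate the CERT / CERT_PWD / CERT_ALIAS triple of the rewrite rule.

    Returns a list of problems; an empty list means the file exists, opens with
    the password, contains an entry whose friendlyName equals the alias, and the
    certificate is valid for at least `min_days` more days.
    """
    if not Path(cert_path).is_file():
        return [f"CERT: file not found: {cert_path}"]
    rc, dump = _openssl("pkcs12", "-in", cert_path, "-passin", "env:P12_PWD",
                        "-nokeys", "-clcerts", env_extra={"P12_PWD": cert_pwd})
    if rc:
        return [f"CERT_PWD: cannot open {cert_path} with the given password "
                "(or the file is not PKCS#12)"]
    problems = []
    # openssl prints the bag attributes of the certificate entry, e.g.
    # "    friendlyName: cie-federation", before the PEM block.
    names = [line.split(":", 1)[1].strip()
             for line in dump.decode(errors="replace").splitlines()
             if line.strip().startswith("friendlyName:")]
    if cert_alias not in names:
        problems.append(f"CERT_ALIAS: no entry named {cert_alias!r}; "
                        f"found {names or 'no named entries'}")
    # -checkend returns non-zero if the certificate expires within N seconds;
    # openssl x509 skips the attribute lines and reads the PEM certificate.
    rc, _ = _openssl("x509", "-noout", "-checkend", str(min_days * 86400),
                     input_bytes=dump)
    if rc:
        problems.append(f"certificate expires within {min_days} days")
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        p12 = make_test_p12(tmp, "cie-federation", "changeit")
        print("consistent:", check_p12(p12, "changeit", "cie-federation"))
        print("wrong alias:", check_p12(p12, "changeit", "other"))
```

Run it as-is to see the check pass on the constructed file, or call `check_p12` with the real path, password and alias before saving the rewrite rule; any string in the returned list tells you which of the three variables to fix.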

Entity Configuration Generation

Once the rewrite rule is applied, we need to create the Entity Configuration.

EC Generator

From the left menu go to CIE -> CIE Generator. Click the '+' button and enter the following data:

  • Select where to create the new file: select the node or cluster where we have applied the CIE-IDP-Simple header rewrite rule;
  • Select environment: there are two possibilities, PREPROD (preproduction environment) or PROD (production environment). The same environment must be selected later when entering the technical data;
  • Client ID: must be set to the HTTPS URL of the domain;
  • Organization Name: the value entered during onboarding in the Organization Name field;
  • Email: the value entered during onboarding in the Email field;
  • Home page URI: URI of the domain home page;
  • Logo URI: URI of the domain logo (the logo must be in SVG format).

Once the data is entered, clicking the Generate button generates the Entity Configuration, signs it and exposes it via the rewrite rule. The Public Key field shows the public key that must be entered in the Technical Data, so save it.

Enter technical data on the portal

It is now time to enter the technical data on the CIE portal.

  • Component ID: the value of the Client ID;
  • Federation Public Key: newly saved public key;
  • CIE button URL: domain URL + "/login".

If all the checks and configurations of the technical component pass, the system performs the federation in the selected environment and notifies the result to the following recipients:

  • Administrative Contact
  • Technical Contact
  • Entity

At this point, all that remains is to confirm the federation. To do this, go back to the CIE -> CIE Generator section of the ADC, select the entry to be federated and click the Federate button. If the process succeeds, users will be able to access the service with “Enter with CIE”.

Entity Configuration Expiration

If the expiration date is exceeded, the “Enter with CIE” service is no longer provided. To restore it, go to the CIE -> CIE Generator section, select the expired entry and click the blue Resign button to re-sign and refresh it. Since the service stops as soon as the Entity Configuration expires, monitor the expiration date and re-sign before it is reached.