CIE
Introduction
In this guide we will see how to create login access via CIE on a public domain.
Onboarding Process
Follow the guidance in the Operations Manual available at this link Processo di Onboarding up to section 4.2.2 - Autorizzazione alla federazione. These steps allow a public or private entity to apply to the Ministry of the Interior to join the “Enter with CIE” identification scheme. Once the Ministero dell’Interno has approved the request, it will be possible to enter the Technical Data.
Creation of technical data
Precondition: The IP of the public domain MUST originate from Italy as the Ministero dell’Interno limits access for Italy only.
Before proceeding to enter the data within the portal following the guide 4.2.3 - Inserimento dei dati tecnici di federazione it is necessary to:
- Add a rewrite rule on the domain we want to protect with the “Enter with CIE” identification scheme;
- Generate the Entity Configuration (Federation Metadata), which is generated, automatically exposed and signed by the Oplon procedure.
Rewrite rule
To allow the domain to expose the Entity Configuration that we are going to generate, we must first apply the header rewrite rule called CIE-IDP-Simple on the domain we intend to protect. To be compliant with log management, we need a digital certificate. Within the rewrite rule, we need to add 3 variables:
- LOG_CERT: path to the certificate (must be in p12 format);
- LOG_CERT_PWD: password of the certificate;
- LOG_CERT_ALIAS: alias of the certificate.
These 3 log variables are used for both CIE and SPID. Do not duplicate them on the same rewrite rule.
Entity Configuration Generation
Once the rewrite rule is applied, we need to create the Entity Configuration.
From the left menu go to Identity Link -> CIE -> CIE Generator. Click the ’+’ button and enter the following data:
- Select where to create the new file: select the node or cluster where we have applied the CIE-IDP-Simple header rewrite rule;
- Select environment: there are two possibilities, PREPROD (preproduction environment) or PROD (production environment). The same choice must then be applied during technical data entry;
- Client ID: must be set to the HTTPS URL of the domain;
- Organization Name: value entered during onboarding in the Organization Name field;
- Email: the value entered during onboarding in the Email field;
- Home page URI: URI of the domain home page;
- Logo URI: URI of the domain logo (logo format must be svg).
Once the data is entered, clicking the Generate button will generate the Entity Configuration, sign and expose it via the rewrite rule. In the Public Key field we will find the public key that must be entered in the Technical Data, so let’s save it.
Certificate Generation
To generate the certificate and keys, go to: Tools -> Key Generator. Fill in the following fields:
- Expiration days: validity duration of the certificate;
- CN: is the value of the variable ORGANIZATION_DISPLAY_NAME_n.
For generation just click on the “play” button in the upper-left corner. Copy and paste the PEM format results into the 3 variables: PRIVATE_KEY, PUBLIC_KEY and CERTIFICATE.
Enter technical data on the portal
It is time to enter the technical data to the CIE portal.
- Component ID: the value of the Client ID;
- Federation Public Key: newly saved public key;
- CIE button URL: domain URL + “/login”.
If all the checks and configurations of the technical component are positive, the system performs federation in the specified environment and notifies the following recipients of the result:
- Administrative Contact
- Technical Contact
- Entity
At this point, all we need to do is confirm the federation. To do this, go back to the Identity Link -> CIE -> CIE Generator section of the ADC, select the entry to be federated and click the Federate button. If the process is successful, users will be able to access the service with “Enter with CIE”.
Entity Configuration Expiration
If the expiration date is exceeded, the “Enter with CIE” service will no longer be provided. To restore the service, go to the Identity Link -> CIE -> CIE Generator section, select the expired entry and click the blue Resign button to re-sign and refresh it.
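Because an expired Entity Configuration silently stops the “Enter with CIE” login, it is worth checking the published configuration from outside before it expires. The following POSIX shell script is an added example, not part of the Oplon guide: it decodes the signed Entity Configuration (a JWT whose payload carries iss, sub and exp claims), checks that iss and sub match the configured Client ID, and warns when fewer than a chosen number of days of validity remain. It assumes the configuration is served at the OpenID Federation well-known path /.well-known/openid-federation under the Client ID URL; the claim extractor is a minimal sed pattern and does not verify the signature.

```shell
#!/bin/sh
# Added example (not from the Oplon guide): monitor the expiry of a CIE
# Entity Configuration. Assumption: the rewrite rule exposes the signed
# configuration at <client_id>/.well-known/openid-federation (OpenID Federation
# well-known path); only the JWT payload is inspected, the signature is not verified.
set -eu

# Fetch the Entity Configuration JWT for a given Client ID (HTTPS URL).
fetch_entity_config() {
    curl -fsS "$1/.well-known/openid-federation"
}

# Decode the base64url payload (second segment) of a JWT to JSON on stdout.
jwt_payload() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits padding; restore it before base64 -d
    case $(( ${#payload} % 4 )) in
        2) payload="$payload==" ;;
        3) payload="$payload=" ;;
    esac
    printf '%s' "$payload" | base64 -d
}

# Extract a top-level string or numeric claim ($2) from the JWT ($1).
# Minimal extractor: assumes the claim value contains no quotes, commas or braces.
jwt_claim() {
    jwt_payload "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p'
}

# Return 0 when the configuration identifies the expected client ($2) and has
# more than $3 days of validity left; return 1 (with a message) otherwise.
check_entity_config() {
    jwt="$1"; client_id="$2"; warn_days="$3"
    iss=$(jwt_claim "$jwt" iss)
    sub=$(jwt_claim "$jwt" sub)
    exp=$(jwt_claim "$jwt" exp)
    if [ "$iss" != "$client_id" ] || [ "$sub" != "$client_id" ]; then
        echo "MISMATCH: iss=$iss sub=$sub expected=$client_id"
        return 1
    fi
    left=$(( (exp - $(date +%s)) / 86400 ))
    if [ "$left" -le "$warn_days" ]; then
        echo "WARN: Entity Configuration expires in $left day(s); re-sign it in CIE Generator"
        return 1
    fi
    echo "OK: $left day(s) of validity left"
}

# Usage from a cron job, for example (hypothetical Client ID):
#   check_entity_config "$(fetch_entity_config https://sp.example.test)" https://sp.example.test 30
```

Run it daily with a warning threshold that leaves enough time to click Resign in CIE Generator; a non-zero exit status can be wired to whatever alerting the operations team already uses.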
Log Management
The information contained in the logs MUST be maintained and managed for a duration of not less than 24 months in full compliance with current national and European privacy regulations. To ensure confidentiality, data encryption mechanisms are adopted. Finally, the properties of integrity and non-repudiation are guaranteed in data storage.
The log files are located in /TCOProject/bin/LBL/LBL_HOME/procsProfiles/<module>/federation_logs, where <module> is the module where the rewrite rule was applied, for example A10_LBLGoPlatform.
Below is the bash command to decrypt them:
# encrypted_data: the file to be decrypted
# cert: the certificate that encrypts the log (found in the rewrite rule);
#       openssl needs the matching private key as well: pass it with -inkey,
#       or use a PEM file that contains both the certificate and the key
# the decrypted output is written to ${encrypted_data}.json
encrypted_data="<encrypted log file>"
cert="<log certificate>"
base64 -d "$encrypted_data" | openssl cms -decrypt -inform DER -recip "$cert" > "${encrypted_data}.json"
The deletion and management of logs is left to the system administrator.
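The rewrite rule stores the log certificate as a PKCS#12 file (LOG_CERT with LOG_CERT_PWD), while openssl cms -decrypt wants a PEM certificate plus private key. The script below is an added example, not part of the Oplon guide: it converts the PKCS#12 bundle to a PEM file without putting the password on the command line, decrypts one federation log file with the same base64 + CMS pipeline as the command above, and extends it to decrypt a whole federation_logs directory into <file>.json outputs. The log format (base64-encoded DER CMS EnvelopedData) and the use of an environment variable for the password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Oplon guide): decrypt CIE federation log files
# with the certificate configured in the rewrite rule. Assumptions: LOG_CERT is
# a PKCS#12 file, its password is exported as LOG_CERT_PWD, and each log file
# holds a base64-encoded DER CMS EnvelopedData structure.
set -eu

# Convert the PKCS#12 bundle into a PEM file holding certificate and private key,
# which is the form openssl cms -decrypt -recip can use. The password is read
# from the environment (-passin env:...) so it never appears in the process list.
p12_to_pem() {
    p12="$1"; pem="$2"
    openssl pkcs12 -in "$p12" -out "$pem" -nodes -passin env:LOG_CERT_PWD
    chmod 600 "$pem"   # the PEM now contains the private key
}

# Decrypt a single log file: base64 -> DER CMS -> cleartext JSON on stdout.
decrypt_federation_log() {
    log_file="$1"; pem="$2"
    base64 -d "$log_file" | openssl cms -decrypt -inform DER -recip "$pem"
}

# Decrypt every file in a federation_logs directory into out_dir,
# naming each result <original name>.json as in the guide.
decrypt_all() {
    src_dir="$1"; pem="$2"; out_dir="$3"
    mkdir -p "$out_dir"
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        decrypt_federation_log "$f" "$pem" > "$out_dir/$(basename "$f").json"
    done
}

# Usage (hypothetical paths, module A10_LBLGoPlatform as in the guide):
#   export LOG_CERT_PWD='...'
#   p12_to_pem /path/to/log_cert.p12 /tmp/log_cert.pem
#   decrypt_all /TCOProject/bin/LBL/LBL_HOME/procsProfiles/A10_LBLGoPlatform/federation_logs /tmp/log_cert.pem /tmp/decrypted_logs
```

The decrypted JSON and the PEM file contain personal data and a private key respectively, so keep them on an access-controlled path and delete them once the analysis is done; the encrypted originals remain the record that must be retained for 24 months. On OpenSSL 3, a PKCS#12 file produced with older algorithms may additionally need the -legacy option on the pkcs12 command.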