All official Belgium eID applications are eventually wrappers around the by FedICT provided eid-sdk, which on its turn is a Java applet… This Java applet has the possibility to authenticate any known Belgium eID against FedICT’s database. Even FedICT’s FAS service can be used as a saml-compatible authententication provider (adfs!)… But you don’t always want to use Java, or FAS…
Did you know, you can fully integrate the Belgium eID in a Windows environment?
Yes, ADFS, yes RDP, yes Windows logons, yes IIS… The fun part, it’s all built-in and you don’t need Java, and you don’t need FAS! ❤
Downside: you’ll need to do some user mapping yourself: your servers still need to map you to an account, and it still needs to authorize that account… So a little administrative overhead here (with FAS FedICT does this for you)
There are some other tricks needed, as for example to enable your client to read both certificates on the smartcard, and to map your eid to a “Windows” user account, but when that’s set-up, you’re good to go!
The key to all this is the implicit certificate mapping feature of Active Directory Certificate Services working together with an enterprise PKI.
For IIS, the “
SSLVerifyClient require” http specification is used to leverage cert-based client authentication. This should even work in other HTTP-servers, and in all major browsers.
For the tricks above, you’ll need a functional Active Directory including integrated enterprise PKI environment.
Thanks to Vincent of mysmartcardlogon you can also run it stand-alone on your computer!
Unless you’re running Windows Enterprise, like me 😦
Plus, my laptop doesn’t has a built-in cardreader, so it’s ugly having to take an USB-cardreader to logon at mornings 🙂
Strong “Multi-factor” authentication is strong.
A certificate in either a virtual or a physical smartcard is always a bunch more secure than a password you’ll have to remember as a simple human being.
And an eID is obligatory in Belgium, you have to buy it anyway, so why buy yet another token for Multifactor AuthN from a 3th party provider instead of the one you already have?
It’s not confidential or secret technology, so if you’re interested in the exact how and what, just leave a comment 🙂