Configuration

Application config

To make the endpoints work, a few things need to be in the application config. The base should always contain at least:

portal:
  authentication:
    limetype: '_limeobject_' # e.g. coworker
    error_page_redirect_uri: 'https://YOUR_CUSTOMER_DOMAIN.portal.lime-crm.com'

Limetype coworker - username & password

For this configuration, you need to specify which fields hold the username and password on the coworker. In the example below, the user logs in with their email address, which is stored on the field email. The password is stored on the portal_password field. We also specify the field that should contain the generated token, which is used when a user resets their password. That is defined as password_reset_token_prop in the example below.

portal:
  authentication:
    limetype: 'coworker'
    error_page_redirect_uri: 'https://YOUR_CUSTOMER_DOMAIN.portal.lime-crm.com'
    limecrm:
      username_identifier: 'email'
      password_identifier: 'portal_password'
      pw_reset_token_prop: 'portal_reset_token'

Limetype person - BankID

When using BankID to log in, you must specify the field that holds the user's personal number (i.e. personal identity number). Important! The personal number is always stored as 12 digits, i.e. YYYYMMDDNNNN.

portal:
  authentication:
    limetype: 'person'
    error_page_redirect_uri: 'https://YOUR_CUSTOMER_DOMAIN.portal.lime-crm.com'
    bankid:
      personal_number_prop: 'personal_number'
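
Added example, not part of the package or of Lime's own code: one way to normalise a Swedish personal number to the 12-digit YYYYMMDDNNNN form before it is written to the field named in personal_number_prop, so the BankID lookup matches exactly. The function name and the sample numbers are constructed for illustration.

```python
import re
from datetime import date

# Optional century, YYMMDD, optional '-'/'+' separator, four trailing digits.
_FORMAT = re.compile(r"(\d{2})?(\d{6})([-+]?)(\d{4})")


def _luhn_ok(ten_digits):
    """Luhn checksum over the 10-digit form YYMMDDNNNN."""
    total = 0
    for i, ch in enumerate(ten_digits):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def normalize_personal_number(raw, today=None):
    """Return the 12-digit YYYYMMDDNNNN form, or raise ValueError."""
    today = today or date.today()
    m = _FORMAT.fullmatch(raw.strip())
    if not m:
        raise ValueError("unrecognised personal number format")
    century, yymmdd, sep, last4 = m.groups()
    if not _luhn_ok(yymmdd + last4):
        raise ValueError("checksum mismatch")
    if century is None:
        # 10-digit form: '-' or no separator means under 100 years old,
        # '+' means 100 or older.
        year = today.year - (today.year - int(yymmdd[:2])) % 100
        if sep == "+":
            year -= 100
        century = f"{year // 100:02d}"
    elif sep == "+":
        raise ValueError("'+' is only valid with the 10-digit form")
    # Calendar check; coordination numbers (day + 60) are rejected here.
    date(int(century + yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))
    return century + yymmdd + last4


if __name__ == "__main__":
    # Constructed sample values, not real identities.
    for sample in ("900101-0017", "900101+0017", "19900101-0017"):
        print(sample, "->", normalize_personal_number(sample, date(2024, 6, 1)))
```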

Since we are using BankID, we need to supply the credentials defined in the Lime eServices BankID service. These should be put in the secrets config.

bankid:
  base_url: 'https://bankid.lime-technologies.com/' # can point to dev environment
  token: '_secret-token_'
  api_key: '_secret-api-key_'

OpenID

When using this method, the customer can choose a provider, such as Okta or Criipto. The provider has its own Active Directory with users, which we fetch and look up in CRM. openid.provider_username_prop points to the property on the object returned by the provider that holds the value to search for in CRM, e.g. "email".

portal:
  authentication:
    limetype: 'person'
    error_page_redirect_uri: 'https://YOUR_CUSTOMER_DOMAIN.portal.lime-crm.com'
    openid:
      username_identifier: 'email'
      provider_username_prop: 'email'
      client_id: '_client_id_'
      base_url: 'https://limeportaltest.okta.com/oauth2/v1/'
      access_token_path: 'token'
      authorize_path: 'authorize'
      server_metadata_url: 'https://limeportaltest.okta.com/.well-known/openid-configuration'
      portal_redirect_uri: 'https://customer.lime-portal.se/auth/openid/login'

When using OpenID you will be handed a secret for authentication using the OAuth2 standard. This should be put in the secrets config.

openid:
  client_secret: '_secret_'

Info

Lime Portal does not support both of the methods above at the same time, only one can be used per portal.

Lime Portal

To be able to use this package, you have to enable the feature switch in your Lime Portal installation. Read more about how to do that here

Provider configuration

In the following section we will go through a few of the most common providers used with this package.

Criipto

Criipto is a widely used provider for when you need Norwegian BankID or Danish MitID. Other options like Swedish BankID are available as well. Multiple login methods can be enabled simultaneously. To use Criipto, you need an account and a license with them. You can read more about them here.

Application settings

To use Criipto with this package, some settings need to be configured in the Criipto dashboard. Make sure the following settings are correct:

  • Whitelisting the redirect URI. This is done on the application's settings page.

Method specific settings

For Norwegian BankID, there are two specific settings that need to be enabled. This ensures that the social security number is sent to this package for identification.

Info

The social security number in Norway is considered a secret. However, it's the only way to identify a user when using BankID. The package will not store the social security number, but it will be used to identify the user.

  • Enable dynamic scopes
      • This needs to be enabled for the package to work properly. Under the "General" tab on your application, you will find the setting.
  • Require SSN
      • To enable it, go to: "ID Providers" --> "Norwegian BankID" --> Enable "Require SSN". You don't need to enable the "Remember SSN" setting.