The eID-Login application enables users to log in to their user account with an electronic identity (eID) instead of a combination of username and password. For this purpose, an external service is used which makes the eID accessible for the application.

The benefit of electronic identification solutions (eID) for login is primarily a security gain for the users of the platform. Questions about the background and benefits of eID are answered on the German National Identity Card portal provided by the Federal Ministry of the Interior, Building and Community. This page on the same portal is dedicated to the security mechanisms.

To use the eID-Login function, you need an eID (e.g. the online ID function of a German eID) as well as the possibility to access it with a card reader or smartphone and an eID client.

Deactivating the login with password increases the security of your account. Should your password ever fall into the wrong hands, your user account is still protected.

If you no longer have access to your eID, you can use the "forgotten password" function to assign yourself a new password for your account. Any deactivation of logging in with a password will be cancelled during this process.

In the standard configuration of the application, a pseudonym associated with the eID is stored in the database. In addition, administrators have the option to read and store other attributes of the eID, such as first and last names. Please contact the administrator of the site using eID-Login for more information.

In order to log in to your account with the eID login, an eID must first be linked to the account. The possibility to do this can be found on the page of your personal profile (for Nextcloud on the subpage 'Security' and for TYPO3 the location is chosen by the administrator of the page). Click there on `Create link to eID`. After the link has been successfully created, you can use the eID login to access your account.

An existing link between your account and an eID can also be deleted again. The option to do this can be found on the page of your personal profile (for Nextcloud on the subpage `Security` and for TYPO3 the location is chosen by the administrator of the page). Click there on `Delete link to eID`.

The eID-Login plugin allows users to access their user account with an electronic identity (eID) instead of a username and password combination.

The benefit of eID for login is primarily a security gain for the users of the platform. Questions about the background and benefits of eID are answered on the German National Identity Card portal provided by the Federal Ministry of the Interior, Building and Community. This page on the same portal is dedicated to the security mechanisms.

In order to make the eID accessible, an external service is used. This service, called Identity Provider, takes care of the authentication of users. The eID-Login App accesses information from the Identity Provider in order to log users in and provide them with the Appropriate rights.

All Identity Providers that use the SAML protocol to communicate with Nextcloud can be connected. In addition, it is possible to use services that provide an eID server according to BSI TR-03130, which is also based on SAML. The easiest way to connect is to use the SkIDentity Service, which is already pre-configured for uncomplicated use.

The Security Assertion Markup Language (SAML) is an open, widely used standard for exchanging authentication and authorisation information. For Nextcloud to be part of such communication, it provides information about its role and properties under the SAML Metadata URL. More information about SAML can be found at OASIS.

If a connection in accordance with BSI TR-03130 is being considered, there are a few things to consider. The AuthnRequestExtension XML element must be configured in the App settings. This determines which information is requested from the Identity Provider by Nextcloud. Please contact the operator of the Identity Provider for more detailed information.
Due to the use of SAML redirect binding when processing the authentication response, a very long URL is called up which cannot be processed by typical web servers in the standard configuration. Therefore, the web server configuration must be adapted to avoid the occurrence of an HTTP 414 error: * Apache * NGINX

The basis for the link between a user account and an eID is the `eIdentifier´. Depending on the provider, this is a derived date or a date contained in the eID that can be uniquely assigned to an eID. In addition, depending on the authorisation of the Identity Provider, further attributes of the eID can be queried by the application. These attributes are stored in the database and can then be used further. For further information regarding the possible attributes and the configuration required for querying, please contact the operator of the respective Identity Provider.

The costs for using an Identity Provider depend on the provider. The use of the SkIDentity service in connection with the eID-Login App is free of charge if only the eIdentifier is requested.

• PHP version 7.4
• PHP modules: openssl (usually also available from low-cost providers)
• Use of TLS

Optional: but recommended:

• Correctly set up e-mail setup for notifying administrators
• Correctly set up cronjob setup for background tasks

The installation of the application follows the standard procedure of the target platform. After the application has been installed, a separate page is available for its setup. During the first setup, a wizard guides you through the necessary steps.

The SAML protocol provides for the possibility to transmit authentication responses of the identity provider only in encrypted form. In the case of a connection according to TR-03130, for example, this is required. However, since communication with the identity provider is already secured via transport encryption, many identity providers do not offer this option. Therefore, make sure beforehand that the identity provider you are using supports this option. For more information, please contact the respective identity provider.

After the setup, the settings are directly visible under the application-specific page and can be changed manually there.

Certificates are needed for communication with the Identity Provider. Depending on the connection, these are used for the signature and, if necessary, also for the encryption of messages. The certificates are automatically created with a validity of two years when they are set up. A task running in the background regularly checks the validity of these certificates. Before the end of the validity, two actions are performed by this background task:

• Two months before the end of validity, new certificates are created and prepared for use via publication in the SAML metadata. Depending on the provider, the Identity Provider may still have to be informed by the administrator about the existence of the new certificates if they are not imported from the SAML metadata of Nextcloud.
• One month before the end of validity, the existing certificates are saved in the database and the prepared certificates are used from now on.

If the settings are reset, the wizard is available again on the application-specific page under settings. Please note that when resetting, all eID links of all accounts will be deleted!

The eID-Login application stores the settings in its own database tables in the global configuration of the platform.

In addition, separate database tables are created for storing eID-specific data and data that is generated during operation. Their exact naming varies depending on the platform, but each table contains 'eIDlogin' as part of its name.

The eID link can be manually removed by the user at any time. In addition, it is automatically removed when the user is deleted. Depending on the platform, all eID links are removed when the settings are reset by the administrator and when the application is finally deleted. When deactivated, however, they are retained.

The application is currently available for Nextcloud 20, 21 and 22.

The setup is done via the module `eID-Login` under `Settings` and `Administration`.

After setting up the application, an eID login button is displayed on the login page. In addition, all existing users are notified of the eID login option. This includes a link directly to the personal profile settings where a user can link their account to an eID. More information on this can be found in the user documentation of the eID-Login plugin. The notification is also stored for all newly created users as long as the plugin is installed and set up.

Remove the application in the usual way and then manually delete the database tables of the application.

There is a screencast (german only) for Nextcloud which will help you to do this.

The application is currently available for WordPress 5.7.

The setup is done via the module `eID-Login` under `Settings`.

After setting up the application, an eID login button is displayed on the login page. In addition, all existing users are notified of the eID login option. This includes a link directly to the personal profile settings where a user can link their account to an eID. More information on this can be found in the user documentation of the eID-Login plugin. The notification is also stored for all newly created users as long as the plugin is installed and set up.

General information and information on the limitations of cronjobs with WordPress can be found on this page.

Problems can also occur if WordPress is protected using Basic Auth or is operated within a Docker Container. In this case, name resolution via DNS is not possible. In both cases, Cron is not triggered because calls to the script (https://example.com/wp-cron.php) are not possible. If these problems cannot be solved, Cron can be triggered using the following setting in `wp-config.php`:

php define('ALTERNATE_WP_CRON', true);

It is sufficient to delete the application in the usual way.

There is a screencast (german only) for Wordpress which will help you to do this.

The application is currently available for TYPO3 >= 10.4.

The setup is done via the backend module `eID-Login`.

The users must be made aware of the possibility via a prominent integration of the frontend plug-ins 'eID link' and 'eID settings'. In addition, a separate communication of the eID login option to the users via the usual channels is recommended.

Unfortunately, TYPO3 requires some manual steps for uninstallation. More detailed instructions can be found in the README.md in the application repository.

There is a screencast (german only) for TYPO3 which will help you to do this.