Help and Support

Would you like to report an error or share a suggestion with us?
Please primarily use the ticket system for Nextcloud at https://github.com/eid-login/eid-login-nextcloud/issues, for WordPress at https://github.com/eid-login/eid-login-wordpress/issues and for TYPO3 at https://github.com/eid-login/eid-login-typo3/issues for this purpose.

Do you have another problem or a question that is not answered in the frequently asked questions?
In this case, please contact our support team!

You can reach our support team on working days from Monday to Friday from 9:00 a.m. to 5:00 p.m. by e-mail at eID-Login@ecsec.de.



FAQ

For Users


N1: What is the eID-Login application?

The eID-Login application enables users to log in to their user account with an electronic identity (eID) instead of a combination of username and password. For this purpose, an external service is used which makes the eID accessible for the application.

N2: What is eID and what are the benefits of using it?

The benefit of electronic identification solutions (eID) for login is primarily a security gain for the users of the platform. Questions about the background and benefits of eID are answered on the German National Identity Card portal provided by the Federal Ministry of the Interior, Building and Community. This page on the same portal is dedicated to the security mechanisms.

N3: What are the requirements for using the eID-Login?

To use the eID-Login function, you need an eID (e.g. the online ID function of a German eID) as well as the possibility to access it with a card reader or smartphone and an eID client.

N4: Why should I deactivate the login with password?

Deactivating the login with password increases the security of your account. Should your password ever fall into the wrong hands, your user account is still protected.

N5: I no longer have access to my eID or have received a new ID card, how can I still log in?

If you no longer have access to your eID, you can use the "forgotten password" function to assign yourself a new password for your account. Any deactivation of logging in with a password will be cancelled during this process.

N6: What information related to the eID is stored in the database?

In the standard configuration of the application, a pseudonym associated with the eID is stored in the database. In addition, administrators have the option to read and store other attributes of the eID, such as first and last names. Please contact the administrator of the site using eID-Login for more information.

N7: How can I set up the eID login for my user account?

In order to log in to your account with the eID login, an eID must first be linked to the account. The option to do this can be found on the page of your personal profile (for Nextcloud on the subpage `Security`; for TYPO3 the location is chosen by the administrator of the site). Click there on `Create link to eID`. After the link has been successfully created, you can use the eID login to access your account.

N8: How can I delete the link between an eID and my account?

An existing link between your account and an eID can also be deleted again. The option to do this can be found on the page of your personal profile (for Nextcloud on the subpage `Security`; for TYPO3 the location is chosen by the administrator of the site). Click there on `Delete link to eID`.



For Administrators

General

A1: What is the eID-Login application?

The eID-Login plugin allows users to access their user account with an electronic identity (eID) instead of a username and password combination.

A2: What is eID and what are the benefits of using it?

The benefit of eID for login is primarily a security gain for the users of the platform. Questions about the background and benefits of eID are answered on the German National Identity Card portal provided by the Federal Ministry of the Interior, Building and Community. This page on the same portal is dedicated to the security mechanisms.

A3: Is another system involved in the eID-Login?

In order to make the eID accessible, an external service is used. This service, called the Identity Provider, takes care of the authentication of users. The eID-Login App accesses information from the Identity Provider in order to log users in and provide them with the appropriate rights.

A4: What types of Identity Providers are supported?

All Identity Providers that use the SAML protocol to communicate with Nextcloud can be connected. In addition, it is possible to use services that provide an eID server according to BSI TR-03130, which is also based on SAML. The easiest way to connect is to use the SkIDentity Service, which is already pre-configured for uncomplicated use.

A5: What is the SAML protocol?

The Security Assertion Markup Language (SAML) is an open, widely used standard for exchanging authentication and authorisation information. For Nextcloud to be part of such communication, it provides information about its role and properties under the SAML Metadata URL. More information about SAML can be found at OASIS.

A6: Is there anything to consider for the connection according to BSI TR-03130?

If a connection according to BSI TR-03130 is planned, a few points need attention. The AuthnRequestExtension XML element must be configured in the App settings; it determines which information Nextcloud requests from the Identity Provider. Please contact the operator of the Identity Provider for more detailed information.
Due to the use of the SAML redirect binding when processing the authentication response, a very long URL is called, which typical web servers cannot process in their default configuration. The web server configuration must therefore be adapted to avoid an HTTP 414 error (see the instructions for the respective server):
  • Apache
  • NGINX

A7: What information is provided by the Identity Provider for the application?

The basis for the link between a user account and an eID is the `eIdentifier`. Depending on the provider, this is either a derived value or a value contained in the eID that can be uniquely assigned to that eID. In addition, depending on the authorisation of the Identity Provider, further attributes of the eID can be queried by the application. These attributes are stored in the database and can then be used further. For further information regarding the possible attributes and the configuration required for querying them, please contact the operator of the respective Identity Provider.

A8: What does the use of an Identity Provider cost?

The costs for using an Identity Provider depend on the provider. The use of the SkIDentity service in connection with the eID-Login App is free of charge if only the eIdentifier is requested.

A9: What are the system requirements for using the eID-Login?
  • PHP version 7.4
  • PHP modules: openssl (usually also available from low-cost providers)
  • Use of TLS

Optional, but recommended:

  • Correctly set up e-mail configuration for notifying administrators
  • Correctly set up cronjob configuration for background tasks

A10: How is the App installed and set up?

The installation of the application follows the standard procedure of the target platform. After the application has been installed, a separate page is available for its setup. During the first setup, a wizard guides you through the necessary steps.

A11: What does the option 'Enforce encryption of authentication responses' mean?

The SAML protocol provides for the possibility to transmit authentication responses of the identity provider only in encrypted form. In the case of a connection according to TR-03130, for example, this is required. However, since communication with the identity provider is already secured via transport encryption, many identity providers do not offer this option. Therefore, make sure beforehand that the identity provider you are using supports this option. For more information, please contact the respective identity provider.
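As an added example (not code from the eID-Login plugins), the following PHP shows what the service provider has to verify when this option is enabled: every assertion in the decoded SAML Response must arrive as an `EncryptedAssertion`, and a plaintext `Assertion` is rejected. The two minimal SAML responses, the function names and the issuer URL are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code: the service-provider-side check
// behind "Enforce encryption of authentication responses". The two sample
// responses are constructed here and reduced to the elements that matter;
// in practice this runs on the decoded, signature-verified Response.

const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';

/** True if the Response carries assertions only as <saml:EncryptedAssertion>. */
function responseIsEncrypted(string $xml): bool
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return false;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);
    $plain     = $xp->query('/samlp:Response/saml:Assertion')->length;
    $encrypted = $xp->query('/samlp:Response/saml:EncryptedAssertion')->length;
    // A response without any assertion is not acceptable either
    return $plain === 0 && $encrypted > 0;
}

/** Apply the option: with enforcement on, a plaintext assertion is rejected. */
function responseAcceptable(string $xml, bool $enforceEncryption): bool
{
    return !$enforceEncryption || responseIsEncrypted($xml);
}

// Constructed sample responses (issuer URL is a placeholder)
$head = '<samlp:Response xmlns:samlp="' . NS_SAMLP . '" xmlns:saml="' . NS_SAML . '" ID="_r1" Version="2.0">';
$plainResponse = $head
    . '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>'
    . '</samlp:Response>';
$encryptedResponse = $head
    . '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>'
    . '</samlp:Response>';

foreach (['plain' => $plainResponse, 'encrypted' => $encryptedResponse] as $kind => $xml) {
    printf("%-9s enforce=off: %s  enforce=on: %s\n", $kind,
        responseAcceptable($xml, false) ? 'accept' : 'reject',
        responseAcceptable($xml, true) ? 'accept' : 'reject');
}
```

Before turning the option on, run the Identity Provider's real response through the same check: if it arrives with a plaintext assertion, the provider does not support encrypted responses and enforcement would lock every user out.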

A12: How can the settings be adjusted later?

After the setup, the settings are directly visible under the application-specific page and can be changed manually there.

A13: What is it about certificates and changing them?

Certificates are needed for communication with the Identity Provider. Depending on the connection, these are used for the signature and, if necessary, also for the encryption of messages. The certificates are automatically created with a validity of two years when they are set up. A task running in the background regularly checks the validity of these certificates. Before the end of the validity, two actions are performed by this background task:

  • Two months before the end of validity, new certificates are created and prepared for use via publication in the SAML metadata. Depending on the provider, the Identity Provider may still have to be informed by the administrator about the existence of the new certificates if they are not imported from the SAML metadata of Nextcloud.
  • One month before the end of validity, the existing certificates are saved in the database and the prepared certificates are used from now on.

The administrators of this platform will be informed about these steps by email.
If a change of certificates is to happen at an earlier point in time, this is possible via the settings of the application.
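The lifetime and rotation schedule described above, as an added PHP example that is not part of the plugins: `createSelfSignedCert` stands in for the certificate creation at setup, and `rotationStep` decides which of the two background-task actions is due for a given date. The function names, the 730-day validity and the example host name are assumptions of this example; storage of the archived certificates and publication in the SAML metadata are not shown.

```php
<?php
declare(strict_types=1);
// Added example, not code from the eID-Login plugins: models the two-year
// certificate lifetime and the two-months / one-month rotation schedule.

/** Create a self-signed certificate (PEM) valid for $days, as done at setup (730 days assumed). */
function createSelfSignedCert(string $cn, int $days = 730): array
{
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr  = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $certPem);
    openssl_pkey_export($key, $keyPem);
    return ['cert' => $certPem, 'key' => $keyPem];
}

/**
 * Decide what the background task should do for the active certificate.
 *  'none'     more than two months left (or a successor is already prepared)
 *  'prepare'  less than two months left: create new certificates, publish them in the SAML metadata
 *  'switch'   less than one month left: archive the current certificates, activate the prepared ones
 *  'expired'  validity already ended
 */
function rotationStep(string $certPem, DateTimeImmutable $now, bool $successorPrepared): string
{
    $info = openssl_x509_parse($certPem);
    if ($info === false) {
        throw new InvalidArgumentException('not a valid PEM certificate');
    }
    $notAfter = new DateTimeImmutable('@' . $info['validTo_time_t']); // X.509 notAfter as Unix time
    if ($notAfter <= $now) {
        return 'expired';
    }
    if ($notAfter <= $now->modify('+1 month')) {
        return 'switch';
    }
    if ($notAfter <= $now->modify('+2 months')) {
        return $successorPrepared ? 'none' : 'prepare';
    }
    return 'none';
}

// Walk through the lifetime of a freshly created certificate (host name is a placeholder).
$pair  = createSelfSignedCert('eid-login.example.org');
$today = new DateTimeImmutable();
foreach ([0, 22, 23, 24] as $monthsFromNow) {
    $t = $today->modify("+$monthsFromNow months");
    printf("%s: %s\n", $t->format('Y-m-d'), rotationStep($pair['cert'], $t, false));
}
```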

A14: How can the wizard be run again for setup?

If the settings are reset, the wizard is available again on the application-specific page under settings. Please note that when resetting, all eID links of all accounts will be deleted!

A15: What data are stored in the database?

The eID-Login application stores the settings in its own database tables in the global configuration of the platform.

In addition, separate database tables are created for storing eID-specific data and data that is generated during operation. Their exact naming varies depending on the platform, but each table contains 'eIDlogin' as part of its name.

A16: When are the eID links deleted?

The eID link can be manually removed by the user at any time. In addition, it is automatically removed when the user is deleted. Depending on the platform, all eID links are removed when the settings are reset by the administrator and when the application is finally deleted. When deactivated, however, they are retained.


Platform Nextcloud

AN1: For which versions is the application available?

The application is currently available for Nextcloud 20, 21 and 22.

AN2: Where is the application-specific page for setup or configuration?

The setup is done via the module `eID-Login` under `Settings` and `Administration`.

AN3: How do users find out about the eID login option?

After setting up the application, an eID login button is displayed on the login page. In addition, all existing users are notified of the eID login option. This includes a link directly to the personal profile settings where a user can link their account to an eID. More information on this can be found in the user documentation of the eID-Login plugin. The notification is also stored for all newly created users as long as the plugin is installed and set up.

AN4: How can I completely remove the application from my system?

Remove the application in the usual way and then manually delete the database tables of the application.

AN5: Do you need help with configuration?

There is a screencast (German only) for Nextcloud which will help you to do this.


Platform WordPress

AW1: For which versions is the application available?

The application is currently available for WordPress 5.7.

AW2: Where is the application-specific page for setup or configuration?

The setup is done via the module `eID-Login` under `Settings`.

AW3: How do users find out about the eID login option?

After setting up the application, an eID login button is displayed on the login page. In addition, all existing users are notified of the eID login option. This includes a link directly to the personal profile settings where a user can link their account to an eID. More information on this can be found in the user documentation of the eID-Login plugin. The notification is also stored for all newly created users as long as the plugin is installed and set up.

AW4: Why do cronjobs not work?

General information and information on the limitations of cronjobs with WordPress can be found on this page.

Problems can also occur if WordPress is protected using Basic Auth or is operated within a Docker container; in the latter case, name resolution via DNS is not possible. In both cases, Cron is not triggered because calls to the script (https://example.com/wp-cron.php) are not possible. If these problems cannot be solved, Cron can be triggered using the following setting in `wp-config.php`:

```php
define('ALTERNATE_WP_CRON', true);
```

AW5: How can I completely remove the application from my system?

It is sufficient to delete the application in the usual way.

AW6: Do you need help with configuration?

There is a screencast (German only) for WordPress which will help you to do this.


Platform TYPO3

AT1: For which versions is the application available?

The application is currently available for TYPO3 >= 10.4.

AT2: Where is the application-specific setup/configuration page located?

The setup is done via the backend module `eID-Login`.

AT3: How do users find out about the eID login option?

The users must be made aware of the possibility via a prominent integration of the frontend plug-ins 'eID link' and 'eID settings'. In addition, a separate communication of the eID login option to the users via the usual channels is recommended.

AT4: How can I completely remove the application from my system?

Unfortunately, TYPO3 requires some manual steps for uninstallation. More detailed instructions can be found in the README.md in the application repository.

AT5: Do you need help with configuration?

There is a screencast (German only) for TYPO3 which will help you to do this.