
Feature #795 (closed)

Connection - login to "Mein Elster" with the ePerso via e.g. Ubuntu etc.

Added by Marko Preuss over 4 years ago. Updated about 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Start date: 01/21/2020
% Done: 0%

Description

Hello,
the Elster contact states:

"Unfortunately the Open Ecard App does not work in combination with the ID card (Personalausweis) and the ELSTER eID server. This affects the Open Ecard App in general, not only the Linux application. The cause is that the eID server and the Open Ecard App implement different versions of the specifications.

Linux users can download and compile the source code of the AusweisApp2, which is provided as open source (https://github.com/Governikus/AusweisApp2). A further advantage of this solution is the option of using a phone (Android/iOS) as the card reader."

They say it apparently does not work with OpeneCard, can that be the case?

Regards



#1

Updated by Tobias Wich over 4 years ago

  • Status changed from New to Rejected

This is a duplicate of #640.

Unfortunately this is the case. As can be seen in the referenced issue, this has been a problem for a long time. In a nutshell, the eID Server is set up in a way that a same origin check (SOP) fails and the app terminates. They claim that for attached eID Servers using SAML this check must not be performed, but after reading the relevant parts of TR 03124 and TR 03130, we came to the conclusion that a SOP check is required. The issue contains excerpts of these sections.
It basically boils down to the fact that an attached eID Server is a construct where the eID Server and the eService are reachable under the same domain. Their interpretation is that only the SAML SP must be reachable under the same domain. This, however, breaks the strong channel binding between eService and eID-Server, which is established through the eService URL in the Authorisation Certificate (Berechtigungszertifikat).

Now, considering that the Open eCard App was certified, there were tests executed during this process, proving that the termination criteria are correctly implemented. Obviously this is also the case for the AusweisApp2, which leads me to the conclusion that there is probably some deficiency in the testing process. The right way to deal with this situation is to let the officials from the BSI clarify what the intended behaviour of the system should be. We'll gladly adapt the code then, in case we are doing it wrong. It turned out to be quite difficult to get a disputing statement. The provider / eID Server manufacturer of course has the same point of view. Their software is checked, and so there will be no change without an official instruction to change the behaviour.
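An added example, not Open eCard code and not from this thread, of the kind of same-origin comparison the comment describes: the eService URL taken from the Authorisation Certificate is compared against a SAML SP endpoint on the same origin and against an eID Server on a different one, so the two readings of the check (SAML SP only vs. eID Server as well) can be seen side by side. The URLs are constructed placeholders, and which URLs the real check compares, as well as the scheme/host/port origin rule, are assumptions here.

```python
from urllib.parse import urlsplit

# Default ports so that "https://a.example" and "https://a.example:443"
# are treated as the same origin.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin.

    Assumption: origin is scheme + host + port, with a missing port
    normalised to the scheme's default and host compared case-insensitively.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(eservice_url, other_url):
    """True if both URLs share scheme, host and port."""
    return origin(eservice_url) == origin(other_url)


def check_binding(cert_eservice_url, saml_sp_url, eid_server_url):
    """Evaluate both interpretations discussed in the thread.

    'saml_sp_same_origin' is the provider's reading (only the SAML SP must
    share the eService origin); 'eid_server_same_origin' is the stricter
    reading in which the eID Server itself must share it as well.
    """
    return {
        "saml_sp_same_origin": same_origin(cert_eservice_url, saml_sp_url),
        "eid_server_same_origin": same_origin(cert_eservice_url, eid_server_url),
    }


# Constructed placeholder URLs (hypothetical, not real ELSTER endpoints).
CERT_ESERVICE_URL = "https://service.example.test/login"
SAML_SP_URL = "https://service.example.test:443/saml/acs"
EID_SERVER_URL = "https://eid.provider.example.test/eid/tctoken"

if __name__ == "__main__":
    # Same-origin SAML SP passes, eID Server on another host fails,
    # which is the situation that makes the client terminate.
    print(check_binding(CERT_ESERVICE_URL, SAML_SP_URL, EID_SERVER_URL))
```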

#2

Updated by Ralf Dingeldey about 4 years ago

The problem still exists. When will there be a solution?
