...

The configuration is the same as for Direct call in the previous section.
<endpoint
    address="https://test2.fmk.netic.dk/fmk12/ws/MedicineCard"
    behaviorConfiguration="sealbehavior"
    binding="basicHttpBinding"
    bindingConfiguration="MedicineCardBinding"
    contract="MedicinCard.MedicineCardPortType"
    name="MedicineCardPort"
/>
<basicHttpBinding>
    <binding name="MedicineCardBinding">
        <security mode="Transport"/>
    </binding>
</basicHttpBinding>
<behavior name="sealbehavior">
    <sbhe/>
</behavior>
<behaviorExtensions>
    <add name="sbhe" type="dk.nsi.seal.SealBehaviorExtentionElement, Seal" />
</behaviorExtensions>

Secure browser logon

The following code and configuration show how an encrypted Assertion that can be used for SBO is created.

SOSIFactory factory = CreateFactory();
UserInfo userInfo = new UserInfo(user.Cpr, user.GivenName, user.SurName, user.Email, user.Occupation, user.Role, user.AuthCode);
var idCardRequest = factory.CreateNewUserIdCard(system.SystemName, userInfo,
    new CareProvider(system.CareProviderIdFormat, system.CareProviderId, system.CareProviderName),
    AuthenticationLevel.MocesTrustedUser, "", "", user.Certificate, "");
// Sign the ID card request with the user's certificate
idCardRequest.Sign<Assertion>(factory.SignatureProvider);
// Have the STS issue a signed ID card
var id = SealUtilities.SignIn(idCardRequest, "http://www.ribeamt.dk/EPJ", Properties.Settings.Default.SecurityTokenService);
// Exchange the STS-signed ID card for an encrypted assertion at the "Seal2EncSaml" endpoint
using (var stsClient = new Seal2SamlStsClient("Seal2EncSaml"))
{
    stsClient.ChannelFactory.Credentials.ClientCertificate.Certificate = g.global.NsiLge1;
    var d = stsClient.ExchangeAssertion(id, "http://sundhed.dk/") as GenericXmlSecurityToken;
    if (d == null)
    {
        throw new InvalidOperationException("STS did not return a GenericXmlSecurityToken");
    }
    var elm = d.TokenXml;
}

...

SOSI Gateway

When the SOSI Gateway is to be used, a service reference to the SOSI Gateway must first be created. If it does not already exist, a service reference to the service itself is also created; in the example below that service is FMK.
The following code logs on to the SOSI Gateway.


using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using GW = SealTest.SosiGWReference;

private static Assertion LoginToGateway(IdCard idc, X509Certificate2 certificate)
{
    // Convert the dgwsType Assertion into a SOSI Gateway Assertion.
    var assertion = idc.GetAssertion<GW.AssertionType>();
    var security = new GW.Security
    {
        // Created is backdated five minutes as a clock-skew margin towards the gateway.
        Timestamp = new GW.Timestamp { Created = DateTimeEx.UtcNowRound - TimeSpan.FromMinutes(5) },
        Assertion = assertion
    };
    using (var gwClient = new GW.SosiGWFacadeClient())
    {
        // Get the digest from the SOSI Gateway that has to be signed (the gateway caches the unsigned card).
        var dig = gwClient.requestIdCardDigestForSigning(security, "whatever");
        // SHA-1 hash of the digest.
        byte[] computeHash;
        using (var sha1Managed = new SHA1Managed())
        {
            computeHash = sha1Managed.ComputeHash(dig.DigestValue);
        }
        // Sign the hash with the certificate's private key.
        var privateKey = (RSACryptoServiceProvider) certificate.PrivateKey;
        var signatureValue = privateKey.SignHash(computeHash, CryptoConfig.MapNameToOID("SHA1"));
        var cardRequestBody = new GW.signIdCardRequestBody
        {
            SignatureValue = signatureValue,
            KeyInfo = new GW.KeyInfo
            {
                // Only the public certificate is exported and sent, never the private key.
                Item = new GW.X509Data { Item = certificate.Export(X509ContentType.Cert) }
            }
        };
        // The unsigned ID card in the gateway cache is combined with the signature and the certificate and sent to the STS.
        // The STS-signed card is stored in the SOSI Gateway cache and used for later calls through the proxy.
        var res = gwClient.signIdCard(security, cardRequestBody);
        if (res != GW.signIdCardResponse.ok)
        {
            throw new Exception("Gateway logon error: " + res);
        }
        // Convert the GW Assertion back to a dgwsType Assertion for later use.
        idc.Xassertion = SerializerUtil.Serialize(security.Assertion).Root;
        return idc.GetAssertion<Assertion>(typeof(GW.AssertionType).Name);
    }
}

var factory = CreateFactory();
// userInfo is built from the user's data as shown under Secure browser logon above
var idCardRequest = factory.CreateNewUserIdCard(system.SystemName, userInfo,
    new CareProvider(system.CareProviderIdFormat, system.CareProviderId, system.CareProviderName),
    AuthenticationLevel.MocesTrustedUser, "", "", user.Certificate, "");
// Log the ID card on to the SOSI Gateway; afterwards the gateway holds the STS-signed card in its cache
LoginToGateway(idCardRequest, global.NsiLge1);

// FMK client bound to the endpoint that is routed through the gateway proxy (endpoint "SosiGWFMK")
var client = new MedicineCardPortTypeClient("SosiGWFMK");
var response = client.GetMedicineCard_2015_06_01(
    new GetMedicineCardRequest_2015_06_01
    {
        // The security header carries the ID card that was logged on; the gateway swaps it for the cached, STS-signed card
        Security = SecurityHeaderUtil.MakeSecurityUsingDgwsTypes(idCardRequest),
        Header = requestHeader,
        WhitelistingHeader = makeWhitelistingHeader,
        GetMedicineCardRequest = new GetMedicineCardRequestType
        {
            PersonIdentifier = new PersonIdentifierType
            {
                source = "CPR",
                Value = requestCpr
            }
        }
    });


1. A SosiFactory and an IdCardRequest are created.
2. LoginToGateway is called (see the inline comments).
3. The FMK client is created.
4. The service is called.
Configuration:
SOSIGW
<endpoint address="http://test2.ekstern-test.nspop.dk:8080/sosigw/service/sosigw"
          binding="basicHttpBinding"
          contract="SosiGwService.SosiGWFacade"
          name="SosiGWSoapBinding"/>
FMK
<endpoint address="https://test2.fmk.netic.dk/fmk12/ws/MedicineCard"
          behaviorConfiguration="AddressingBehavior"
          binding="customBinding"
          bindingConfiguration="Soap11Http"
          contract="MedicinCard.MedicineCardPortType"
          name="SosiGWFMK"/>
<customBinding>
    <binding name="Soap11Http">
        <textMessageEncoding messageVersion="Soap11WSAddressing10" writeEncoding="utf-8" />
        <httpTransport />
    </binding>
</customBinding>

<behavior name="AddressingBehavior">
    <clientVia viaUri="http://test2.ekstern-test.nspop.dk:8080/sosigw/proxy/soap-request"/>
</behavior>

Note that although the FMK endpoint address is https, the clientVia behaviour sends the request to the gateway proxy over plain http, and the gateway service endpoint is http as well; in this test setup the ID card and the request are therefore not transport-protected on the hop from the client to the gateway. Check the addresses used outside the test environment.
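The digest-signing step inside LoginToGateway casts certificate.PrivateKey to RSACryptoServiceProvider, which fails with an InvalidCastException when the certificate's key is stored in CNG rather than a legacy CSP. The helper below is an added example, not SEAL.NET or SOSI Gateway code: it performs the same SHA-1 hash and PKCS#1 v1.5 signature over the gateway's DigestValue using the key-store-neutral RSA API, checks the certificate before use, and verifies the signature locally before it leaves the client. The method and class names are this example's own; that the gateway still expects SHA-1 is taken from the page's flow.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not SEAL.NET or SOSI Gateway code). Drop-in replacement for the two lines in
// LoginToGateway that cast certificate.PrivateKey and call SignHash with the SHA1 OID.
public static class GatewayDigestSigner
{
    public static byte[] SignGatewayDigest(byte[] digestValue, X509Certificate2 certificate)
    {
        if (digestValue == null || digestValue.Length == 0)
            throw new ArgumentException("requestIdCardDigestForSigning returned no DigestValue", nameof(digestValue));
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("Certificate " + certificate.Subject + " has no private key");

        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Certificate " + certificate.Subject + " is outside its validity period");

        // SHA-1 over DigestValue, as in the page's flow (assumption: the gateway still expects SHA-1).
        byte[] hash;
        using (var sha1 = SHA1.Create())
        {
            hash = sha1.ComputeHash(digestValue);
        }

        // GetRSAPrivateKey() returns the key whether it lives in a legacy CSP or in CNG;
        // the cast (RSACryptoServiceProvider)certificate.PrivateKey throws for CNG-stored keys.
        using (RSA rsa = certificate.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Certificate key is not an RSA key");

            // Equivalent to RSACryptoServiceProvider.SignHash(hash, OID of SHA1): PKCS#1 v1.5 padding.
            byte[] signature = rsa.SignHash(hash, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);

            // Verify with the public half before the request is sent: a failure here means the wrong
            // key or certificate was picked up, which is cheaper to detect locally than at the gateway.
            using (RSA pub = certificate.GetRSAPublicKey())
            {
                if (!pub.VerifyHash(hash, signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1))
                    throw new CryptographicException("Local verification of the gateway digest signature failed");
            }
            return signature;
        }
    }
}
```

In LoginToGateway the two lines that obtain privateKey and signatureValue become `var signatureValue = GatewayDigestSigner.SignGatewayDigest(dig.DigestValue, certificate);`; the rest of the method, including the certificate export into KeyInfo, is unchanged.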

SOSI Gateway SBO

The SOSI Gateway can be used for SBO (Sikker Browser Opstart, secure browser start-up).

The first step is to log on to the SOSI GW. This is done by sending the ID card you have to the SOSI Gateway, which stores the card in its cache.

On subsequent calls to the SOSI GW it only looks at the Name ID (also called alternativeIdentifier in other contexts) of the ID card you send, and looks in its cache for an ID card with the same Name ID. If it finds one, it replaces the ID card in the request it received with the one from its cache. The cache is thus keyed on the Name ID alone, so the card attached to later requests must carry the Name ID that was logged on.
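Because the gateway substitutes the cached card purely on the Name ID, a client can catch a mismatched card before the request ever reaches the proxy. The check below is an added example, not SEAL.NET code: it extracts the Name ID from two ID cards and reports whether they would map to the same gateway cache entry. It assumes the DGWS ID card is a SAML 2.0 assertion whose subject is saml:Subject/saml:NameID; the two sample cards are constructed, not real data, and the class and method names are this example's own.

```csharp
using System;
using System.Xml;

// Added example (not SEAL.NET code): compares the Name ID of the card that was logged on to the
// gateway with the Name ID of the card about to be attached to a request through the proxy.
public static class GatewayNameIdCheck
{
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    public static string ExtractNameId(string assertionXml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null;                       // never resolve external entities or DTDs from token XML
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        // Assumption: the ID card's subject is saml:Subject/saml:NameID (SAML 2.0 assertion namespace)
        XmlNode node = doc.SelectSingleNode("/saml:Assertion/saml:Subject/saml:NameID", ns);
        if (node == null)
            throw new InvalidOperationException("ID card contains no saml:Subject/saml:NameID");
        return node.InnerText.Trim();
    }

    // True when both cards would hit the same gateway cache entry (same Name ID, compared byte for byte).
    public static bool SameGatewayCacheKey(string loggedOnCardXml, string requestCardXml)
    {
        return string.Equals(ExtractNameId(loggedOnCardXml), ExtractNameId(requestCardXml), StringComparison.Ordinal);
    }

    // Constructed sample ID card (minimal; a real card also carries attribute statements and a signature).
    public const string LoggedOnCard =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Version=\"2.0\">" +
        "<saml:Issuer>TestSTS</saml:Issuer>" +
        "<saml:Subject><saml:NameID Format=\"medcom:cprnumber\">0101010000</saml:NameID></saml:Subject>" +
        "</saml:Assertion>";

    public static void Main()
    {
        // A second constructed card for another user, differing only in the Name ID.
        string otherUsersCard = LoggedOnCard.Replace("0101010000", "0202020000");

        Console.WriteLine("same card:  " + SameGatewayCacheKey(LoggedOnCard, LoggedOnCard));
        Console.WriteLine("other card: " + SameGatewayCacheKey(LoggedOnCard, otherUsersCard));

        // Typical use before a call through the proxy: refuse to send a card the gateway cannot match.
        if (!SameGatewayCacheKey(LoggedOnCard, otherUsersCard))
            Console.WriteLine("Name ID differs from the logged-on card; the gateway would not find it in its cache");
    }
}
```

The same Name ID check can be run on the Xassertion that LoginToGateway stores on the IdCard and on the card passed to SecurityHeaderUtil.MakeSecurityUsingDgwsTypes, once both are serialised to XML.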


The following code and configuration show how an encrypted assertion that can be used for SBO is created directly at the STS (the same flow as under Secure browser logon).

SOSIFactory factory = CreateFactory();
UserInfo userInfo = new UserInfo(user.Cpr, user.GivenName, user.SurName, user.Email, user.Occupation, user.Role, user.AuthCode);
var idCardRequest = factory.CreateNewUserIdCard(system.SystemName, userInfo,
    new CareProvider(system.CareProviderIdFormat, system.CareProviderId, system.CareProviderName),
    AuthenticationLevel.MocesTrustedUser, "", "", user.Certificate, "");
// Sign the ID card request with the user's certificate
idCardRequest.Sign<Assertion>(factory.SignatureProvider);
// Have the STS issue a signed ID card
var id = SealUtilities.SignIn(idCardRequest, "http://www.ribeamt.dk/EPJ", Properties.Settings.Default.SecurityTokenService);
// Exchange the STS-signed ID card for an encrypted assertion at the "Seal2EncSaml" endpoint
using (var stsClient = new Seal2SamlStsClient("Seal2EncSaml"))
{
    stsClient.ChannelFactory.Credentials.ClientCertificate.Certificate = g.global.NsiLge1;
    var d = stsClient.ExchangeAssertion(id, "http://sundhed.dk/") as GenericXmlSecurityToken;
    if (d == null)
    {
        throw new InvalidOperationException("STS did not return a GenericXmlSecurityToken");
    }
    var elm = d.TokenXml;
}


1. An IdCard is created from the SOSIFactory.
2. A new IdCard, signed by the STS, is created.
3. A proxy to the STS that exchanges the IdCard is created.
4. ClientCredentials are set.
5. The STS that converts the assertion is called.
6. The generated encrypted card is fetched as XML.
Configuration:
<endpoint address="http://test1.ekstern-test.nspop.dk:8080/sts/services/Sosi2OIOSaml"
          binding="customBinding"
          bindingConfiguration="Soap11Http"
          behaviorConfiguration="SealSigning"
          contract="System.ServiceModel.Security.IWSTrustChannelContract"
          name="Seal2EncSaml" />

The "Soap11Http" customBinding is the one defined under SOSI Gateway above. The test STS address is plain http and the binding uses httpTransport, so on this test setup the returned encrypted assertion is not transport-protected on the STS hop; check the address used outside the test environment.
<behavior name="SealSigning">
    <SealSigningBE/>
</behavior>
<behaviorExtensions>
    <add name="SealSigningBE" type="dk.nsi.seal.SealSigningBehaviorExtentionElement, Seal"/>
</behaviorExtensions>

A token for SBO can be fetched from the SOSI Gateway as shown below. It is assumed that you are already logged on to the SOSI Gateway, so that the assertion has been initialised.
The endpoint refers to the STS and the ClientVia refers to the SOSI Gateway.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;

// assertion is the gateway-signed Assertion returned by LoginToGateway
using (var stsClient = new Seal2SamlStsClient("GWFetchCard"))
using (var scope = new OperationContextScope((IContextChannel)stsClient.Channel.Channel))
{
    var factory = CreateFactory();
    // Attach the ID card as a message header; the gateway matches it on Name ID and
    // replaces it with the cached, STS-signed card before forwarding the request to the STS.
    OperationContext.Current.OutgoingMessageHeaders.Add(new IdCardMessageHeader(factory.DeserializeIdCard(assertion)));
    var d = stsClient.ExchangeAssertionViaGW("http://sundhed.dk/") as GenericXmlSecurityToken;
    if (d == null)
    {
        throw new InvalidOperationException("STS did not return a GenericXmlSecurityToken");
    }
    var elm = d.TokenXml;
}

...