Introduction
Exchanges an eHDSI IDWS XUA Bootstrap Token (DKNCPBST) issued by the "Danish National Contact Point" for an eHDSI IDWS XUA Identity Token (IDWS-eHDSI).
An eHDSI IDWS XUA Bootstrap Token is based on OIO-IDWS and is a SAML 2.0 Assertion representing a citizen. It is issued by the Danish National Contact Point (DKNCP). It is possible to build an eHDSI IDWS XUA Bootstrap Token using Seal.Java, but this is typically only done for test purposes. The token can be validated by checking that the audience matches the recipient it was issued to, that the validity period has not expired, and that the signature is valid. The signature on a SAML 2.0 Assertion is validated using the embedded signing certificate.
The complete request sent to an STS is signed by a trusted third party. The complete request can be validated using the Holder Of Key certificate embedded in the NSP OIO Bootstrap Token.
The exchanged eHDSI IDWS Identity Token is largely identical to the eHDSI IDWS XUA Bootstrap Token and carries the same SAML attributes. Note that the eHDSI IDWS XUA SAML security ticket being exchanged must be signed by a trusted third party.
The following code fragments show how a consumer should use Seal.Java for this exchange.
A complete example (including the STS exchange) that works without any modification is given at the end of the page.
Example
eHDSI IDWS XUA Bootstrap Token
Read eHDSI IDWS XUA SAML Assertion from IdP
EHDSIFactory has no methods for parsing an eHDSI IDWS XUA SAML Assertion originating from an Identity Provider (as a W3C Element) into a DkncpBootstrapSamlAssertion object.
Build OIO SAML Assertion
Seal.Java can be used to build an eHDSI IDWS XUA SAML Assertion. This is typically done for testing.
```java
// factory, signingVault, holderOfKeyVault, issuer, the two Date values and assuranceLevel are
// assumed to be declared beforehand (see the complete example at the end of the page)
DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
dkncpBootstrapSamlAssertionBuilder.setIssuer("http://sosi");
dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
// Validity window of the assertion
dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBeforeDateTime);
dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfterDateTime);
dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName");
dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfterDateTime);
// The assertion is signed with signingVault; the Holder-of-Key certificate binds it to the
// key that must later sign the STS request
dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
// eHDSI attribute values
dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
List<String> permissions = new ArrayList<>();
permissions.add("urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-004");
permissions.add("urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010");
dkncpBootstrapSamlAssertionBuilder.setPermissions(permissions);
dkncpBootstrapSamlAssertionBuilder.setOnBehalfOf("221", "Medical Doctors");
dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST(assuranceLevel);
dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
```
STS Request
The complete STS request with an NSP OIO SAML Assertion is built as follows:
...
An STS can now receive it and exchange it for an eHDSI IDWS XUA Identity Token that can be used on the NSP platform. An example of how Seal.Java can be used for this exchange is found here: Seal.Java - Guide til anvendere (STS) - Dkncp Boostrap token til eHDSI Identity token
Request as stream
A consumer will typically have an eHDSI IDWS XUA Bootstrap token as a stream that can be sent directly to an STS. It can be deserialised if you want to inspect the contents:
...
It is now possible to inspect the contents of the request.
STS Response
When the consumer receives the response from the STS, it must first be read into a Document:
```java
// 'response' is the DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse model
// built from the Document (see the complete example at the end of the page)
// Fetch the Identity Token from the STS response
EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();
// Verify that it is an eHDSI IDWS XUA Identity Token, plus a couple of other attributes:
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
Assert.assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
```
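The "Request as stream" and "STS Response" steps above both begin by reading bytes into a Document, and the Introduction lists the checks a relying party should make on the bootstrap token (audience, validity period, signature). The following is an added example, not code from this page or from Seal.Java, that puts those pieces together: an XXE-hardened JAXP parser in place of the test helper readXml, the STS-side validation sequence using the Seal.Java calls shown in the complete example (validateSignatureAndTrust, validateHolderOfKeyRelation, validateSchema), an explicit audience and validity-window check read directly from the saml:Conditions element (this check is my addition and assumes UTC timestamps with a trailing Z), and the consumer-side handling of the response. The class name DkncpExchangeEndpoints, the method names and the two-vault split on the STS side are my own choices; the Seal.Java package imports are omitted as on the rest of the page.

```java
import java.io.InputStream;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
// Seal.Java imports (EHDSIFactory, CredentialVault, the Dkncp*/EhdsiIdwsXua* types) omitted, as elsewhere on this page.

public class DkncpExchangeEndpoints {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Read an incoming request or response stream into a namespace-aware Document with
    // DTDs and external entities disabled, so untrusted SAML/WS-Trust XML cannot trigger XXE.
    public static Document readSecure(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for the SAML namespace lookups below
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    // STS side: build the request model, verify the outer signature and the Holder-of-Key
    // relation, then the embedded bootstrap assertion. Two vaults mirror the complete example
    // on this page (holderOfKeyVault for the request, signingVault for the assertion).
    public static DkncpBootstrapSamlAssertion stsReceive(EHDSIFactory factory, Document requestDoc,
            CredentialVault requestTrustVault, CredentialVault assertionTrustVault,
            String expectedAudience, Instant now) {
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request =
                factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder()
                        .build(requestDoc);
        request.validateSignatureAndTrust(requestTrustVault);
        request.validateHolderOfKeyRelation();

        DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
        assertion.validateSchema();
        assertion.validateSignatureAndTrust(assertionTrustVault);

        // Added explicit checks (not part of the page): audience and validity window from the DOM.
        checkAudienceAndWindow(requestDoc, expectedAudience, now);
        return assertion;
    }

    // Reads saml:Conditions of the first assertion in the document: NotBefore/NotOnOrAfter must
    // bracket 'now' (NotOnOrAfter is exclusive) and one saml:Audience must equal expectedAudience.
    // Assumes SAML dateTime values in UTC with a trailing 'Z', as Instant.parse expects.
    static void checkAudienceAndWindow(Document doc, String expectedAudience, Instant now) {
        NodeList conditions = doc.getElementsByTagNameNS(SAML2_NS, "Conditions");
        if (conditions.getLength() == 0) {
            throw new IllegalStateException("assertion has no saml:Conditions");
        }
        Element cond = (Element) conditions.item(0);
        String nb = cond.getAttribute("NotBefore");
        String noa = cond.getAttribute("NotOnOrAfter");
        if (!nb.isEmpty() && now.isBefore(Instant.parse(nb))) {
            throw new IllegalStateException("assertion not yet valid");
        }
        if (noa.isEmpty() || !now.isBefore(Instant.parse(noa))) {
            throw new IllegalStateException("assertion expired or has no NotOnOrAfter");
        }
        NodeList audiences = cond.getElementsByTagNameNS(SAML2_NS, "Audience");
        for (int i = 0; i < audiences.getLength(); i++) {
            if (expectedAudience.equals(audiences.item(i).getTextContent().trim())) {
                return;
            }
        }
        throw new IllegalStateException("assertion was not issued for audience " + expectedAudience);
    }

    // Consumer side: build the response model, verify its signature, then the schema, signature
    // and trust of the identity token it carries, and confirm it is the expected token type.
    public static EhdsiIdwsXuaEmployeeIdentityToken consumerReceive(EHDSIFactory factory,
            Document responseDoc, CredentialVault trustVault) {
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response =
                factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder()
                        .build(responseDoc);
        response.validateSignature();
        EhdsiIdwsXuaEmployeeIdentityToken token = response.getEhdsiIdwsXuaEmployeeIdentityToken();
        token.validateSchema();
        token.validateSignatureAndTrust(trustVault);
        if (!"eHDSI-IDWS-XUA-1.0".equals(token.getSpecVersion())) {
            throw new IllegalStateException("unexpected spec version: " + token.getSpecVersion());
        }
        return token;
    }
}
```

The DOM-level check is deliberately kept separate from the library calls: it is cheap, it fails closed when Conditions or NotOnOrAfter is absent, and it makes the audience the service is willing to accept an explicit parameter rather than something implied by the trust vault. Whether Seal.Java's own validateSignatureAndTrust also enforces the validity window is not stated on this page, so the explicit check costs nothing if it does and closes a gap if it does not.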
Service Request
It is currently not possible to build service requests for this exchange.
Service Response
It is currently not possible to receive service responses for this exchange.
Complete example (including the STS part)
```java
import java.util.Date;

import org.junit.Assert;
import org.junit.Test;
import org.w3c.dom.Document;

// Imports of the Seal.Java types (EHDSIFactory, CredentialVault, XmlUtil, SAMLValues, the
// Dkncp*/EhdsiIdwsXua* builders and models) and of the test utilities are omitted here.
// readXml(...) and the EHDSI_ROLE_* constants are assumed to be provided by the test base class.
public class TestFactoryFlow extends AbstractUserIDCardTest {

    @Test
    public void testDKNCPBST2EHDSIIdws() {
        /**
         * Consumer sends request
         */
        // CredentialVault and Factory
        CredentialVault signingVault = CredentialVaultTestUtil.getVoces3CredentialVault();
        CredentialVault holderOfKeyVault = CredentialVaultTestUtil.getVocesHolderOfKeyCredentialVault();
        EHDSIFactory factory = new EHDSIFactory();

        // Build Dkncp Bootstrap SAML Assertion
        String issuer = "http://sosi";
        DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
        dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
        dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
        // Validity window: from now and five minutes ahead (the original declared an unused
        // 'now' and used notBefore/notOnOrAfter without declaring them)
        Date notBefore = new Date();
        Date notOnOrAfter = new Date(notBefore.getTime() + 5 * 60 * 1000L);
        dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
        dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
        dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
        // Mandatory attribute values
        dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
        dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
        dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
        dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
        dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
        dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
        dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");
        DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
        dkncpBootstrapSamlAssertion.validateSchema();
        dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);

        // Build Dkncp Bootstrap request; the request itself is signed with the Holder-of-Key
        // credential whose certificate was embedded in the assertion above
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
        requestDomBuilder.setAudience("https://sosi");
        requestDomBuilder.setSigningVault(holderOfKeyVault);
        requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);
        // Serialize request to the same form as received by the STS
        Document consumerStsRequestDocument = requestDomBuilder.build();

        /**
         * Send request over the network
         */
        String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
        consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);

        /**
         * STS receives request
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);
        // Validate request: outer signature and trust, and that the request signer holds the
        // key named in the assertion's Holder-of-Key confirmation
        request.validateSignatureAndTrust(holderOfKeyVault);
        request.validateHolderOfKeyRelation();
        // Validate assertion
        DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
        // The DKNCP BST Assertion can be schema validated after serialize/deserialize
        assertion.validateSchema();
        assertion.validateSignatureAndTrust(signingVault);
        // Verify all attributes
        Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());
        Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
        Assert.assertEquals("2221", assertion.getRoleCode());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
        Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());
        Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
        Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());
        Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());
        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());
        Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
        Assert.assertEquals("DE", assertion.getCountryOfTreatment());

        /**
         * STS builds response
         */
        // Build Ehdsi Idws Xua Employee identity token
        EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
        tokenBuilder.setIssuer("http://sosi");
        tokenBuilder.setAudienceRestriction("https://fmk");
        tokenBuilder.setNotBefore(notBefore);
        tokenBuilder.setNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
        tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        tokenBuilder.setSigningVault(signingVault);
        tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
        tokenBuilder.setSubject("Alfonso Gonzalez");
        tokenBuilder.setRole("2221", "Nursing professionals");
        tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        tokenBuilder.setHealthcareFacilityType("Hospital");
        tokenBuilder.setPurposeOfUse("TREATMENT");
        tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
        tokenBuilder.setAssuranceLevel("3");
        tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        tokenBuilder.setCountryOfTreatment("DE");
        EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();
        // Validate Identity Token
        ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
        ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Build Ehdsi Idws Xua Employee response
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
        responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
        responseBuilder.setSigningVault(holderOfKeyVault);
        responseBuilder.setRelatesTo("relatesTo");
        responseBuilder.setContext("context");
        Document consumerStsResponseDocument = responseBuilder.build();

        /**
         * Send response over the network
         */
        String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
        consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);

        /**
         * Consumer receives response
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);
        // Validate entire response
        response.validateSignature();
        // Validate the Ehdsi Idws Xua Employee Identity token from the response
        EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();
        // The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
        employeeIdentityToken.validateSchema();
        employeeIdentityToken.validateSignatureAndTrust(signingVault);
        // Verify all attributes
        Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
        Assert.assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
        Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
        Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());
        Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
        Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());
        Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());
        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
        Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
    }
}
```
...