Page History
Indledning
Denne omveksling kan modtage et NSP OIO SAML Bootstrap Token og returnere et NSP OIO IDWS Identity Token.
...
Der findes et komplet eksempel (incl. STS omveksling) sidst på siden.
Eksempel
Bootstrap Token
Læs OIO SAML Assertion fra IdP
En NSP OIO SAML Assertion der stammer fra en Identity Provider og er repræsenteret i et W3C element kan Seal.Java parse til et OIOBSTSAMLAssertion objekt på følgende måde:
...
Hvor den modtagne OIO SAML Assertion er indlæst i et Element i variablen assertionElement.
Opbyg OIO SAML Assertion
Seal.Java kan anvendes til at opbygge en OIO SAML Assertion. Dette vil typisk ske i forbindelse med test.
...
| Code Block |
|---|
// Byg OIOBSTSAMLAssertion
OIO3BSTSAMLAssertionBuilder oiosamlAssertionBuilder = factory.createOIO3BSTSAMLAssertionBuilder();
oiosamlAssertionBuilder.setIssuer("https://oio3bst-issuer.dk");
oiosamlAssertionBuilder.setNameId("KorsbaekKommune\\MSK");
oiosamlAssertionBuilder.setAudience("http://audience.nspoop.dk/dds");
oiosamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
oiosamlAssertionBuilder.setCvr("20301823");
oiosamlAssertionBuilder.setOrganizationName("Korsbæk Kommune");
oiosamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKey.getSystemCredentialPair().getCertificate());
oiosamlAssertionBuilder.setSigningVault(signingVault);
OIOBSTSAMLAssertion oiosamlAssertion = oiosamlAssertionBuilder.build(); |
STS Request
Opbygge STS request til testformål
Det samlede STS request med en NSP OIO SAML Assertion opbygges på denne måde:
...
Nu vil en STS kunne modtage det og veksle det til en NSP OIO IDWS Identity Token. Eksempel på hvordan Seal.Java kan anvendes til denne omveksling findes her: Seal.Java 3 - Guide til anvendere (STS) - Bootstrap Token til OIO-Idws Token
Request som stream
En consumer vil typisk have et NSP OIO SAML Bootstrap Token som en stream der kan sendes direkte til en STS. Dette vil man selv kunne deserialisere hvis man vil se indholdet:
...
Det er nu muligt for en STS at se indholdet af requestet og på baggrund af indholdet vil en STS kunne bygge et response.
STS Response
Når consumeren modtager svaret fra STS, så skal det først indlæses i et W3C Document:
...
| Code Block |
|---|
// Hent Identity Token fra STS svar
IdentityToken identityTokenResponse = consumerStsResponse.getIdentityToken();
// Verificer at det er et IDWS token samt at assurance level og audience er som forventet
Assert.assertEquals("DK-SAML-2.0", identityTokenResponse.getSpecVersion());
Assert.assertEquals("3", identityTokenResponse.getAssuranceLevel());
Assert.assertEquals("http://fmk-online.dk", identityTokenResponse.getAudienceRestriction()); |
Service Request
Når vi har STS svaret kan service requestet opbygges. Først skal der opbygges et IDWS request med den Body der passer til den service der skal kaldes. Den kan se sådan her ud, hvor Body elementet ikke er udfyldt:
...
| Code Block | ||
|---|---|---|
| ||
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:sbf="urn:liberty:sb" xmlns:sbfprofile="urn:liberty:sb:profile"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security mustUnderstand="1" wsu:Id="security">
<wsu:Timestamp wsu:Id="ts">
<wsu:Created>2025-10-01T09:16:10Z</wsu:Created>
</wsu:Timestamp>
<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="_55765161-0dc4-4dc7-9156-b862035c2584" IssueInstant="2025-10-01T09:16:10Z"
Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>TEST1-NSP-STS</saml:Issuer>
<ds:Signature Id="OCESSignature">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_55765161-0dc4-4dc7-9156-b862035c2584">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>0UrB5HZ5sM8/BFhYyGTypND09h8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
bzdd9rbaf7gBI/+f6ISkhC8M9XD1/VQ4Jo/7pr8RKCdnyBhZJTOkpqCrw6MG01PAWxgfGpVZZ+7ZS5kYBkRjFHUyPPDtJrQ1Tc6hNrw30bx57LfYCjU3+hKz0arUvD+ncxpGhGFgwqbvBZMCwr496186TcZwWW2QAymz3TmTKcGtdv0QnhVDnYFIbWS8sxjJ3sgGj9HC9adBLJ280l5IOYmBwDQ7f86TxwFtqGKzjTtfFcEH3q9gup7o2QD6NMRdW8Rg4DxPnqfewsfv06yPfPPwdwJWDFWyLmA4gcWzYs7Ao1UH6W5j4Zh5mbsNRP9YV1zVDk89Ny5V6n98WSzg1irgbLwJJsor/N52ZK/wMpilX3r/qH1gABI83kV40Rd6Tp4hJizKaJ+bPiw/DLTYVzwD8mz9pWPZnI7jjlIo9sJ9RRFiY3UameJJA/U2iqt3G17tdrG93VhzFZRqaMIqveKjaxKShEBWP96rloLyCf0GOsZX/xmVc07Lw2jeJ+5O</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIGiDCCBLygAwIBAgIUR5IfpZdXnxp/UHxA0KWAcKzWcm4wQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMGsxLTArBgNVBAMMJERlbiBEYW5za2UgU3RhdCBPQ0VTIHVkc3RlZGVuZGUtQ0EgMTETMBEGA1UECwwKVGVzdCAtIGN0aTEYMBYGA1UECgwPRGVuIERhbnNrZSBTdGF0MQswCQYDVQQGEwJESzAeFw0yMzA1MTIxMTIzMDFaFw0yNjA1MTExMTIzMDBaMIGeMR0wGwYDVQQDDBRTT1NJIFRlc3QgRmVkZXJhdGlvbjE3MDUGA1UEBRMuVUk6REstTzpHOjU4ZjEwNDNkLTNkMmYtNGRlZC1hYjUwLTk0MGRiNDc3NmExODEeMBwGA1UECgwVU3VuZGhlZHNkYXRhc3R5cmVsc2VuMRcwFQYDVQRhDA5OVFJESy0zMzI1Nzg3MjELMAkGA1UEBhMCREswggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCDqOcDXr2tsBXp3QqYpoZCyJAJQ4+rEtmOLJL/Qyol+5e2NyBOqIGdpXdcSI6hCTYEQu/67EDFRcO9yU6yD/u7xOcy+t3eCqx1ydOy20AZCdcKwRmxBzyQN5er+mBErG2+iprTWJdpwCw0mwjNt5edusm7Nwufk0AkN5nxvEEynwesTdTqgLzL99Jk1zdg0uokROg1s13CCvpenYks8+yXwgddO/36WmUn9V8N+1MIu+UpwsULB9zsNCU8qlDzlgg1u6nr8nnKTBBwT2mXl4xCOF2EEJF5lGUaJ+NOu/ljI2WN2pEUsiqpZPvsI14teJKucH4zCV2y7PhyCBacuti7rEZjuZ6ELeTiUvgs+TqqTFGn3dxCq6FOgz5z5N2ypPTPzg/ntBH0CqkjFn+loh5GIBcA8ff5AHNjqM3Ygu/u1p+BwszeGJLAwk0AUtp67aB4QBGuh73vWsaeERwg4Hc1HeNldv/I4iyMQFlp1qsZoAC6cApeoM6umihYcTfi7rMCAwEAAaOCAYYwggGCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUfyif2XGZQuJ159c1di5NCCVtdl4wewYIKwYBBQUHAQEEbzBtMEMGCCsGAQUFBzAChjdodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2Nlcy9pc3N1aW5nLzEvY2FjZXJ0L2lzc3VpbmcuY2VyMCYGCCsGAQUFBzABhhpodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2NzcDAhBgNVHSAEGjAYMAgGBgQAj3oBATAMBgoqgVCBKQEBAQMHMDsGCCsGAQUFBwEDBC8wLTArBggrBgEFBQcLAjAfBgcEAIvsSQECMBSGEmh0dHBzOi8vdWlkLmdvdi5kazBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2Nlcy9pc3N1aW5nLzEvY3JsL2lzc3VpbmcuY3JsMB0GA1UdDgQWBBQoPAINYQR2GfgN1KAQMauutePL6jAOBgNVHQ8BAf8EBAMCBaAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBgQC31Dtgc8+hxB0v+/RL1N3SsyfIxKNVJBhkl2Rfihn700Or5E+0ETyP8mV8MadraDBDYbwMkd3TNOzuF6Ct8c4X5mv+XKr8m0eDPlh7I7mMZ5zzpVw5Co4Wiwwiv9Hb59P/c182FaSPAA1bpmko9AH+duPcquiQELoSRfqW23B2cejACd95XbyXQVFdbCdhyCGAexbJ4egChJsXPU2zAOXq1/pa5bNSmJMsJgqP36bTbA6r+mjv0FArkrL76W1kmchpj6F4tSuDaaJlUmKvmzzBomwhlQRr/vxZc0FOamnJ8is9wC49tOaEMUx2l2iSWZKXMh4C6LQC8hQsjiXnYsERAWgeqwzqtVE3iKaGhOv+W7ECKFndGjYM95bdVK8x9BymTrPun63BCiVGqhMzsEc2RkvbKgBpb7L+Ont0EAahwcTshBzfe0jhA2thWHNGFxXpNqI0ZaAo/NKJpHK3I0EACAB0/VjiQZ/inSKtPnof1/nQZ32QWX3ij0VkX2mE2Pw=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
dk:gov:saml:attribute:CprNumberIdentifier:0101701234</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData NotOnOrAfter="2025-10-01T10:06:10Z"
Recipient="https://fsk">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIGljCCBMqgAwIBAgIUSekWoKAJgAnqOOnhCpBxT0Y7+DIwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMGsxLTArBgNVBAMMJERlbiBEYW5za2UgU3RhdCBPQ0VTIHVkc3RlZGVuZGUtQ0EgMTETMBEGA1UECwwKVGVzdCAtIGN0aTEYMBYGA1UECgwPRGVuIERhbnNrZSBTdGF0MQswCQYDVQQGEwJESzAeFw0yNTAzMTAwOTM2NThaFw0yODAzMDkwOTM2NTdaMIGrMSIwIAYDVQQDDBlEUkcgRnVua3Rpb25zY2VydGlmaWthdGV0MTcwNQYDVQQFEy5VSTpESy1POkc6NWVjN2FmMDEtZTJkZC00NWRhLTkyZjMtZWE4ZWVlY2U5NmY2MSYwJAYDVQQKDB1UZXN0b3JnYW5pc2F0aW9uIG5yLiA5NTQ0NDk2MDEXMBUGA1UEYQwOTlRSREstOTU0NDQ5NjAxCzAJBgNVBAYTAkRLMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAm/9FRP56L/AY3JzWW5KKFa9uAAMdaE6F27Niz4kh/76NeRJ+v0SYGHrYeTojsuNIvoiL7igacO9HCxBJZ9eXkYEHN5oni1oix8WXrIiZ+lshndFCmzOkOUp4oKdmQYU4wFgxySDICkh4X1ZiV7zX2QSYYRIS0CT7BgCM8PUJj+3uQsK8/WmfnCagz33OY5j3zM6zIj/P3NFPSW/mOBJGd5NmPqiWIkE5TAi0v55V9KXKonTQNbyBNmtDFgAeOZuu9PcVQXT4XTZ29Nf9Q8DlOuJkgE5J4YslxKCZAVowtpZ4bvo6+AeBi/TGAyGwH8ZQSquLTRfu+XxA2NeQP/un9OOrb9tbgM879zEjTzRViJQb3DbzyTso3QdZ8ePzGo8or303T3Y1sBsmkgR4ca+WrGJYalHSSv24w/uX5ouYp9isYYigCd+on9EOGdhg1A+8yMfEEk1k6U+Xwk/PorTbaHiwTZzYVTtITYZwuo/AQAuv9fok1vyszLAA9LsRLRu3AgMBAAGjggGHMIIBgzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFH8on9lxmULidefXNXYuTQglbXZeMHsGCCsGAQUFBwEBBG8wbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhMS5jdGktZ292LmRrL29jZXMvaXNzdWluZy8xL2NhY2VydC9pc3N1aW5nLmNlcjAmBggrBgEFBQcwAYYaaHR0cDovL2NhMS5jdGktZ292LmRrL29jc3AwIgYDVR0gBBswGTAIBgYEAI96AQEwDQYLKoFQgSkBAQEDBwEwOwYIKwYBBQUHAQMELzAtMCsGCCsGAQUFBwsCMB8GBwQAi+xJAQIwFIYSaHR0cHM6Ly91aWQuZ292LmRrMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jYTEuY3RpLWdvdi5kay9vY2VzL2lzc3VpbmcvMS9jcmwvaXNzdWluZy5jcmwwHQYDVR0OBBYEFA6of2eL0FrGUwTaBkf7OmPgvqMzMA4GA1UdDwEB/wQEAwIFoDBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggGBAMKj8r6/7oFNzN6Bj8IivsIKfES4R+Q7881DTvaMrtG8Oewi6tUNw6ZEW+/C3kS2eh1xl85tDEi1wN2EKFEgrHIo0RnICx8CCWgd9LPc6f3D8VyLMS5mDeZgjFtZ63SOsIAyeupVHuSx6UCaHKCLyp48Rc7VtHgVIzjFEq/BHzyAcEeSymfLRf4pPbob7zLNSF4jmWUXpyQ47IEYL5zWXBsJdzc++RIMQ5blphINN++auZoXCsy63yAjenfZkv5/hy6v3GZN7vHjdKTf+bOZNYvDoiFqCjsKTDHDOGShr2lGRYGZcOBd/c94wBMILn4/lzThoj3U2S7uUt5ommYD9Db9GVF7Bs71Ey3FLetIa5ynJI14qTkflp3Ij++GAJqdKuUPVCHpHrNJTkzypr4ZDr8AF9q0mvVg0IfMaf9INx0/dAzNUxOoaYKxuiK4r8a3IBBX59QXlctGlgG+CTR0YjPG6uftRB6dSQh1sb7fxDm2eX9+bqqH4Wi/YKDYqGq3RQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2025-10-01T09:11:10Z"
NotOnOrAfter="2025-10-01T10:06:10Z">
<saml:AudienceRestriction>
<saml:Audience>https://fsk</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="dk:gov:saml:attribute:SpecVer"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">0101701234</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
<wsse:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
wsu:Id="str">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
_55765161-0dc4-4dc7-9156-b862035c2584</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#body">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lbWOchC8WPqugicDmHUOwQR0iug=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#ts">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>6DJcxPGqNVFB2n1Kdj1KYYjUssk=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#str">
<ds:Transforms>
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>0rM6QpH6WBKezKgwF6Lw/2X9yfU=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#messageID">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Bn0NvtRUO5U2fts3sQTgKR9OV4c=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#action">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>nFVfWu71MwSlvS2L2n7kca+otEQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#sbf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>DrMuEoWp7Uik1KTUOuvtisxvpXA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
DHSQ8NecqemsFcmzrWXB85stEUO9Z64fjJ4VwbTcV+6/fZAQ3udCjHQERu9wQhODphSlMnQt9pN9ozjFPUKYteX7bm6O6W4+6cnA+NnX/RoAePn9KXBkKrTSni503MlmCXyp5mKf3uzxoPqggP5Kx12pG9pIuuNdGnKGJER5W6KYAnCkHV6pHp/wfHoESL2T+UqC79Eed157oJOZBY3g2i8U18UIChlrM+XdVVAzKJBS+dzkUObZbiWC92hZ156Z4kt5ZRJN3R839fStdreb1wpvG9scom37UYG3HNezVhwEsZPFA0PTFjZLCc0Chkt3+hzqhfi1w77TpGP/2vTwaNIx0PQ0KG+P/t2ptvMenSjQTRpD5z3STTBRTbdgMk7g+zem32LIV9Rk3KGgDgUOLdx++nR4X8zEM5kgSjuJ+4WFVwFw+TWxQIeE215Se3xTFw2Jscw3FHo0+YFwo9pWWnIowjCISfgtgSqevnH4OAEiuVh/EmJdDRym3n4wAlIi</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
wsu:Id="sigStr">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
_55765161-0dc4-4dc7-9156-b862035c2584</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<wsa:MessageID wsu:Id="messageID">c32e833f-0c92-41bd-b9d4-fd3ab36ab1f6</wsa:MessageID>
<wsa:Action wsu:Id="action">
http://sundhedsdatastyrelsen.dk/skr/2024/01/01#GetPersonalDataCard</wsa:Action>
<sbf:Framework sbfprofile:profile="urn:liberty:sb:profile:basic" version="2.0" wsu:Id="sbf" />
</soapenv:Header>
<soapenv:Body wsu:Id="body">
...
</soapenv:Body>
</soapenv:Envelope> |
Service Response
Seal.Java kan nu benyttes til at validere det samlede response fra servicen. Ved kald til en IDWS service kan man vha. kald til Seal.Java tjekke om svaret indeholder en fejl og evt. fejlbesked og fejlkode.
...
| Code Block |
|---|
Federation federation = new SOSITestFederation(new Properties());
OIOBootstrapToIdentityTokenResponse response = new OIOBootstrapToIdentityTokenResponseModelBuilder().build(serviceConsumerResponseDocument);
// Verify IDWS service response for errors
if (response.isFault()) {
log.error("Response error: " + response.getFaultString() + ", error code: " + response.getFaultCode());
return false;
}
// Validate IDWS service response
try {
response.validateSignature();
response.validateSignatureAndTrust(federation);
} catch (ModelBuildException e) {
log.error("Validation error: " + e.getMessage());
return false;
}
return true; |
Komplet eksempel (incl. STS delen)
| Code Block | ||
|---|---|---|
| ||
public class TestFactoryFlow {
@Test
public void testBst2Idws() {
/**
* Consumer sender request
*/
// CredentialVault og Factory
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Medarbejdercertifikat", "Kodeord til Medarbejdercertifikat");
CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
OIOSAMLFactory factory = new OIOSAMLFactory();
// Byg OIOBSTSAMLAssertion
OIO3BSTCitizenSAMLAssertionBuilder oio3bstCitizenSAMLAssertionBuilder = factory.createOIO3BSTCitizenSAMLAssertionBuilder();
oio3bstCitizenSAMLAssertionBuilder.setAudience("http://fmk-online.dk");
oio3bstCitizenSAMLAssertionBuilder.setIssuer("Issuer");
oio3bstCitizenSAMLAssertionBuilder.setNameId("NameId");
oio3bstCitizenSAMLAssertionBuilder.setAssuranceLevel(AssuranceLevel.NSIS.Substantial);
oio3bstCitizenSAMLAssertionBuilder.setCpr("0101701234");
oio3bstCitizenSAMLAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
oio3bstCitizenSAMLAssertionBuilder.setSigningVault(signingVault);
oio3bstCitizenSAMLAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
OIOBSTSAMLAssertion oiobstsamlAssertion = oio3bstCitizenSAMLAssertionBuilder.build();
// Byg STS request
OIOBootstrapToIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createOIOBootstrapToIdentityTokenRequestDOMBuilder();
requestDomBuilder.setOIOBootstrapToken(oiobstsamlAssertion);
requestDomBuilder.setAudience("http://fmk-online.dk");
requestDomBuilder.setCPRNumberClaim("0101701234");
requestDomBuilder.setSigningVault(signingVault);
Document consumerStsRequestDocument = requestDomBuilder.build();
/**
* Send request over netværk
*/
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
consumerStsRequestDocument = XmlUtil.readXml(new java.util.Properties(), consumerStsRequestXml, false);
/**
* STS modtager request
*/
OIOBootstrapToIdentityTokenRequest stsRequest = factory.createOIOBootstrapToIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);
// Her vil STS'en verificere ID kortet. I dette eksempel verificeres følgende tre attributter:
oiobstsamlAssertion = stsRequest.getOIOBSTSAMLAssertion();
Assert.assertEquals("OIO-SAML-3.0", oiobstsamlAssertion.getSpecVersion());
Assert.assertEquals("Substantial", oiobstsamlAssertion.getAssuranceLevel());
Assert.assertEquals("http://fmk-online.dk", oiobstsamlAssertion.getAudienceRestriction());
/**
* STS bygger response
*/
// Byg IdentityToken
CitizenIdentityTokenBuilder identityTokenBuilder = factory.createCitizenIdentityTokenBuilder();
identityTokenBuilder.setAudienceRestriction("http://fmk-online.dk");
identityTokenBuilder.setRecipientURL("https://fmk");
identityTokenBuilder.setIssuer("Issuer");
identityTokenBuilder.setNotBefore(notBefore);
identityTokenBuilder.setNotOnOrAfter(notOnOrAfter);
identityTokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
identityTokenBuilder.setCprNumberAttribute("0101701234");
identityTokenBuilder.setSubjectNameID("SubjectNameID");
identityTokenBuilder.setSubjectNameIDFormat("SubjectNameIDFormat");
identityTokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
identityTokenBuilder.setSigningVault(signingVault);
IdentityToken identityToken = identityTokenBuilder.build();
// Byg STS response
AbstractOIOToIdentityTokenResponseDOMBuilder<?> responseBuilder = factory.createOIOBootstrapToIdentityTokenResponseDOMBuilder();
responseBuilder.setIdentityToken(identityToken);
responseBuilder.setSigningVault(signingVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");
Document consumerStsResponseDocument = responseBuilder.build();
/**
* Send response over netværk
*/
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
consumerStsResponseDocument = XmlUtil.readXml(new Properties(), consumerStsResponseXml, false);
/**
* Consumer modtager response
*/
OIOBootstrapToIdentityTokenResponse consumerStsResponse = factory.createOIOBootstrapToIdentityTokenResponseModelBuilder().build(consumerStsResponseDocument);
IdentityToken identityTokenResponse = consumerStsResponse.getIdentityToken();
Assert.assertEquals("DK-SAML-2.0", identityTokenResponse.getSpecVersion());
Assert.assertEquals("3", identityTokenResponse.getAssuranceLevel());
Assert.assertEquals("http://fmk-online.dk", identityTokenResponse.getAudienceRestriction());
}
} |
...