Versions Compared

Old Version 17

changes.mady.by.user Christian Gasser

Saved on

compared with

New Version Current

changes.mady.by.user Henrik Danielsen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Anvenders tilgang til DGWS services på STS kan ske med hjælp fra Seal.Java [SPG] eller Seal.NET [SN], som er biblioteker der bl.a. hjælper til med at understøtte brugen af DGWS herunder opbygning af requests til STS (NewSecurityTokenService).

Materiale omkring udsende udstedelse af et id-kort **CHG: Hvad menes der med 'udsende' her? **, samt eksempler på kald af servicen fra en java-applikation kan findes under STS - Kom Godt i Gang.

...

  • System Idkort (baseret på et VOCESOCES/FOCES OCES certifikat, niveau 3)
  • Bruger Idkort (baseret på et MOCES OCES certifikat, niveau 4)

Det er den samme service, der skal anvendes til begge typer af billetter, men indholdet af requesten vil være forskellige. I afsnittet nedenfor med eksempler på requests vil der gives eksempler på begge typer af requests. For Bruger Idkort vil der yderligere være eksempler på udstedelse til brugere med og uden sundhedsfaglig autorisation.

...

  • medcom:UserCivilRegistrationNumber: Brugerens CPR nummer. Dette kan valideres bliver valideret af STS vha OCES service til validering af RID-CPR (RID står i certifikatet) **CHG: Ikke 'kan', STS'en validerer det altid. Tilføj om UUID-CPR for MOCES3**
  • medcom:UserRole: Kan indeholde enten en uddannelseskode (for sundhedsfaglige) eller en national (SEB) rolle eller lokal rolle for brugere uden sundhedsfaglig autorisation.
  • medcom:UserAuthorizationCode: Kun relevant for sundhedsfaglige brugere. Valideres af STS ved hjælp af autorisationsregisteret.

...

  • Hvis der er angivet en national rolle (afgøres udfra prefix), så tjekker STS op i mod sin kopi af stamdata, at den pågældende bruger er i besiddelse af den angivne rolle.
  • Hvis claimet om en national rolle kommer fra en trusted anvender  (afgøres udfra CVR nummer op i mod STS konfiguration af trustede anvendere), så indsættes den nationale rolle uden tjek i stamdata.
  • Hvis en anvender ikke har angivet en national rolle i claim-attributten, men den pågældende medarbejder er i besiddelse af netop én nationale rolle i stamdata, så vil denne automatisk inkluderes i det udstedte SOSI Idkort.
  • Lokale roller (roller, der ikke har national rolle-prefix) inkluderes i det udstedte Idkort uden yderlige validering.

**CHG: Der er også mulighed for at angive at brugeren ikke vil anvende en eventuel autorisation (eller national rolle) ved at angive "urn:dk:healthcare:no-role" **

De nationale roller kan genkendes på, at de alle har prefixet urn:dk:healthcare:national-federation-role:

...

  • urn:dk:healthcare:national-federation-role:SundAssistR1
  • urn:dk:healthcare:national-federation-role:SundAssistR2

Der er også mulighed for at angive at brugeren ikke vil anvende en eventuel autorisation (eller national rolle). Dette gøres ved at angive "urn:dk:healthcare:no-role".

Skematisk ser algoritmen til validering/bestemmelse af rolle og/eller autorisationskode således ud: **CHG: Ret de mange sproglige fejl i boksene (smile). Tilføj håndtering af "urn:dk:healthcare:no-role" **

Gliffy Diagram
size1200
displayNamerolle-autorisations-algoritme
Gliffy Diagram
macroIdabbf8698-4170-479a-af8e-9636e01af0d2
namerolle-autorisations-algoritme
pagePin1

...

3

Service Endpoint

Afhængig af miljø udstilles tjenesten på:

...

Udstedelse af System Idkort sker på baggrund af et VOCES/FOCES OCES certifikat. Et System Idkort identificerer som navnet antyder et anvendersystem, der ønsker at kalde services på NSP. Det kunne f.eks. være et anvendersystem, der i batch overfører data til MinLog fra en patientjournal.

Det i eksemplet anvendte VOCES certifikat Selve requestet til STS ser således ud:

Code Block
languagexml
titleVOCES certifikat for systembruger(DGWS) Request til STS for System Idkort
collapsetrue
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1537969157 (0x5bab8c05)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
        Validity
            Not Before: Apr 30 09:07:17 2019 GMT
            Not After : Apr 30 09:06:38 2022 GMT
        Subject: C=DK, O=Sundhedsdatastyrelsen // CVR:33257872/serialNumber=CVR:33257872-FID:18911861, CN=SOSI Test Federation (funktionscertifikat)
        Subject Public Key Info:<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T13:12:05Z</wsu:Created>
    Public Key Algorithm: rsaEncryption</wsu:Timestamp>
                Public-Key: (2048 bit)
                Modulus:</wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken Context="www.sosi.dk">
               00:ca:8e:7b:87:d1:3f:84:ce:60:8a:6c:5a:0e:01:<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wst:Claims>
        c1<saml:d0:c2:dc:81:57:d7:18:96:d0:87:ff:0e:0b:5b:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T13:09:57Z" Version="2.0" id="IDCard">
          <saml:Issuer>TheSOSILibrary</saml:Issuer>
          <saml:Subject>
            d3:74:3b:02:50:8c:c8:c1:17:79:94:91:3e:69:da:<saml:NameID Format="medcom:cvrnumber">46837428</saml:NameID>
            <saml:SubjectConfirmation>
         3c:ba:b1:c5:ed:49:8a:b9:b1:59:cd:f0:8f:76:ea:
         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                11:bf:d6:f7:4e:43:55:29:a8:b1:88:75:0c:b4:fe:<ds:KeyInfo>
                    1e:81:b2:fc:bd:c8:32:6a:59:36:f1:c3:50:75:49:
<ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              3c:7f:7e:26:83:c6:ad:82:f7:78:e4:49:c8:2b:3d:</saml:SubjectConfirmationData>
                    a2:07:ec:a3:b3:98:2e:24:f0:c1:83:63:85:49:b3:</saml:SubjectConfirmation>
          </saml:Subject>
          f4:af:9d:cd:53:c7:d5:4e:ad:da:2e:d0:e9:0d:59:
<saml:Conditions NotBefore="2020-12-02T13:09:57Z" NotOnOrAfter="2020-12-03T13:09:57Z"/>
          <saml:AttributeStatement id="IDCardData">
            e4:c6:cc:a3:35:0e:c7:38:5b:73:6a:fc:8c:9c:ac:<saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>KvW1gwopeh2o87ezfec5uA==</saml:AttributeValue>
         74:bc:38:1a:7c:4b:eb:51:1d:d6:4d:22:c2:1a:3b:   </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              b8:69:42:20:dd:38:60:ad:65:c0:ee:2d:e5:3c:80:<saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
        17:75:5f:26:42:69:58:df:09:ff:90:80:62:c8:8a:
    <saml:Attribute Name="sosi:IDCardType">
               2d:98:5f:7c:52:c1:24:7a:df:ec:c6:92:4d:90:9e:<saml:AttributeValue>system</saml:AttributeValue>
            </saml:Attribute>
            91:e8:05:29:c6:71:80:a4:20:cf:d4:5c:36:06:0c:
<saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>3</saml:AttributeValue>
            40:41:65:ab:b4:3f:dc:e4:8a:08:67:01:96:35:f2:</saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
       e0:a4:91:33:7e:19:ee:21:92:7b:05:fb:3d:46:61:
       <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
             c5:75</saml:Attribute>
          </saml:AttributeStatement>
      Exponent: 65537 (0x10001)
  <saml:AttributeStatement id="SystemLog">
     X509v3 extensions:
      <saml:Attribute Name="medcom:ITSystemName">
     X509v3 Key Usage: critical
      <saml:AttributeValue>Test</saml:AttributeValue>
          Digital Signature, Key Encipherment, Data Encipherment, Key Agreement </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
            Authority Information Access: 
<saml:AttributeValue>46837428</saml:AttributeValue>
            </saml:Attribute>
      OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
    <saml:Attribute Name="medcom:CareProviderName">
           CA Issuers - URI:http://f.aia.systemtest22.trust2408.com/systemtest22-ca.cer

<saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
 X509v3 Certificate Policies: 
      </saml:AttributeStatement>
          Policy<ds: 1.3.6.1.4.1.31313.2.4.6.4.2
Signature id="OCESSignature">
            <ds:SignedInfo>
        CPS:       <ds:CanonicalizationMethod Algorithm="http://www.trust2408.com/repositoryw3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   User Notice:
          <ds:Reference URI="#IDCard">
         Organization: DanID
      <ds:Transforms>
              Number: 1
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.4.2. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.4.2.

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
               X509v3 CRL Distribution Points: 

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                Full Name:
   <ds:DigestValue>7wotC+2VeHeSVglwz/ETmnSoD5I=</ds:DigestValue>
               URI:http://crl.systemtest22.trust2408.com/systemtest221.crl

</ds:Reference>
                Full Name:</ds:SignedInfo>
                  DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL142

<ds:SignatureValue>HUPt3Yn9yeSQEIHTM1FvoqxG2c1mQiXUMpSLszmFbgByaRinPnL3vLp6PcB9nlBFWHqsXoX3LfzPme3dyM0TYqSaM1Wk38Vc190KPO5E7SwcZqEz8iQdbGGn5t+TaqnROPQrCtaSfG7UtHMvbP4jGBJusnTqifk3Q2eWf9VIqffLgS3jkXl7toUdAqmLJG1l7DnpuVxMn1I0wahl9821bvmhAvMKyxlMAUMt6xgMGO2aO2jRJsQZWdBxT2U8llnK0N3ePQ0c4znOzMz7IRsyl6k0s+leHR2xs247XM78taSYtgdfpjswayw68UgJ9q3sGvWynf2ZggZTEZbnF6muyw==</ds:SignatureValue>
            <ds:KeyInfo>
            X509v3 Authority Key Identifier<ds: X509Data>
                keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF

 <ds:X509Certificate>MIIGRTCCBS2gAwIBAgIEWRzG9TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgyOTA2MjUxOVoXDTIxMDgyOTA2MjQwNVowgY4xCzAJBgNVBAYTAkRLMS8wLQYDVQQKDCZTdGF0ZW5zIFNlcnVtIEluc3RpdHV0IC8vIENWUjo0NjgzNzQyODFOMCAGA1UEBRMZQ1ZSOjQ2ODM3NDI4LVVJRDoyNzkxMDEzNTAqBgNVBAMMI1N0YXRlbnMgU2VydW0gSW5zdGl0dXQgLSBUZXN0IFZPQ0VTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0rwBkF6j7W9UEm/aCS2O5RUBoibeIsxz1kZ6kaaiUV0FcSYLy9Pj9zbRLbO+SX/2QBQ7woY18VTj/9m/zIgrvCtwTZIaWZi0MZFNX6UbcSzrpW2HT18DRdwRI0Fjm3U0FskAxl47PneLmp3ZDlZXOLE4HRPJiNFBvT4UJxJW96vYCk43/wu3CfGGfxU7FW2d7ZzcxmG2Y8fLzblm97Kx9FdpwaO+8xMzzvZa3nJ64Bvl9/Fac0o70J8hB1qr4I4Rit/XCFxHxNS8KWXkaJ1mEyRkAyIm3bY+U5lwlQEe4egrsXcEj5nNKxZ8JF7+zh21WRMUJYtcDcPQcuZHcQGQwIDAQABo4IC7jCCAuowDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vdi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYDBDCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4wIAYDVR0RBBkwF4EVdGVzdGNlcnRpZmlrYXRAc3NpLmRrMIGsBgNVHR8EgaQwgaEwPaA7oDmGN2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyMS5jcmwwYKBeoFykWjBYMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ4wDAYDVQQDDAVDUkw3NjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUf8X/XPGsZNQIHLtleAHUeLZXcQwwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAgMGEzepPJ1Ez1WFqZrVeVHQC1vinhnVFGuRaOyjVPSR7z5Hvzi6N9M9hGyv/yVQSkqdTWA1Fum3sI7kMH6uQ2N6mNfPtRmOjBqCLUzqQ09f9TnAu/GikZdBiDL0h44Myey3PgpVTxh4kRWKxp6SqLDlgw5Rhta5dMOMIWzOJwkRZ9YLgYnNinKnGSWqg16iv7qJF/SBYz4VbWrmfSXhNu+Q2DNyjsFLluVumRg5wGZDBlsUW2dFSY9+olaQMd8rgvMMx9ByVQgvFF+S109fv91uw71esBKzwbEppFtLKNUqOu9+di0GAWQ2Ny+aIzhG43Wx2mawL7anLw5QFHZyEIg==</ds:X509Certificate>
           X509v3 Subject Key Identifier</ds: X509Data>
            </ds:KeyInfo>
    19:80:15:28:A2:F5:EC:B1:F2:54:64:84:AC:BD:BA:30:13:5A:75:34
      </ds:Signature>
      X509v3 Basic Constraints</saml: Assertion>
      </wst:Claims>
       <wst:Issuer>
   CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption<wsa:Address>TheSOSILibrary</wsa:Address>
      </wst:Issuer>
   8c:73:0e:e2:c5:84:7f:c3:36:e5:61:dc:cc:14:c9:62:d3:22:
         b6:7d:70:2c:ea:84:ea:b6:9e:33:aa:18:cb:0e:91:ff:81:48:
         9a:93:b3:17:a6:f1:06:57:cd:9e:18:51:d2:f2:52:5c:c5:93:
         a8:bf:e8:9c:2c:b2:e2:00:ac:f5:e2:e0:95:11:d9:f4:10:bc: </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte System Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)'):

Code Block
languagexml
titleResponse fra STS for System Idkort
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
      <wsu:Timestamp>
         6b:d7:e6:8a:ba:e0:b8:da:4e:5a:54:7c:34:07:f9:19:1c:0e:
<wsu:Created>2020-12-02T13:15:19Z</wsu:Created>
      </wsu:Timestamp>
    a8:2c:93:9e:44:c0:7d:40:f5:7e:9d:11:cd:5a:3c:4e:f0:1d:</wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse Context="www.sosi.dk">
     ef <wst:75TokenType>urn:a2oasis:19names:e5tc:13SAML:cd2.0:38assertion:80:55:fe:ce:81:91:67:44:86:24:</wst:TokenType>
         70:02:d7:2e:33:6c:e8:0c:04:2d:64:a1:f9:b0:bf:80:6b:90:<wst:RequestedSecurityToken>
         70:75:03:77:c6:06:4b:38:0a:4b:ac:36:ab:3d:df:20:04:ab:<saml:Assertion IssueInstant="2020-12-02T13:10:19Z" Version="2.0" id="IDCard">
         ca:4c:73:95:88:de:ba:c9:2c:e7:c0:9e:ad:e0:ba:59:fb:cd: <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
         d0:8f:86:1a:52:fd:7c:88:23:a7:38:7b:24:41:0b:30:4e:eb: <saml:Subject>
         f5:02:4b:2f:d3:52:ae:69:51:29:f8:4c:f2:0c:ee:13:a5:66:
         e2:f1:b3:99:2b:27:34:9c:46:31:fd:6f:4f:31:2f:7b:89:57:   <saml:NameID Format="medcom:other">SubjectDN={SERIALNUMBER=CVR:46837428-UID:27910135 + CN=Statens Serum Institut - Test VOCES, O=Statens Serum Institut // CVR:46837428, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058165}</saml:NameID>
         23:ca:67:3a:d1:cc:4e:d3:65:e7:3c:38:8c:22:45:6a:44:6a:
   <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
               71:69:b7:15

Selve requestet til STS ser således ud:

Code Block
languagexml
title(DGWS) Request til STS for System Idkort
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
      <wsu:Timestamp> </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T13:10:19Z" NotOnOrAfter="2020-12-03T13:10:19Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>K8zJ68J++oajvRVZ915dvg==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>system</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>3</saml:AttributeValue>
        <wsu:Created>2020-12-02T13:12:05Z</wsu:Created>
      </wsusaml:Timestamp>Attribute>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst<saml:RequestSecurityTokenAttribute ContextName="www.sosi.dk:OCESCertHash">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
        <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
            <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
</saml:Attribute>
        <wst:Claims>  </saml:AttributeStatement>
          <saml:AssertionAttributeStatement xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T13:09:57Z" Version="2.0" id="IDCard">
id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:Issuer>TheSOSILibrary<AttributeValue>Test</saml:Issuer>AttributeValue>
          <saml:Subject>  </saml:Attribute>
            <saml:NameID FormatAttribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">46837428<>
              <saml:AttributeValue>46837428</saml:NameID>AttributeValue>
            <saml</saml:SubjectConfirmation>Attribute>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>Attribute Name="medcom:CareProviderName">
              <saml:SubjectConfirmationData>
AttributeValue>Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
  <ds:KeyInfo>
        </saml:AttributeStatement>
          <ds:KeyName>OCESSignature</ds:KeyName>Signature id="OCESSignature">
            <ds:SignedInfo>
    </ds:KeyInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          </saml:Subject>    <ds:Reference URI="#IDCard">
          <saml:Conditions NotBefore="2020-12-02T13:09:57Z" NotOnOrAfter="2020-12-03T13:09:57Z"/>
     <ds:Transforms>
     <saml:AttributeStatement id="IDCardData">
            <saml<ds:AttributeTransform NameAlgorithm="sosi:IDCardID">
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <saml<ds:AttributeValue>KvW1gwopeh2o87ezfec5uA==</saml:AttributeValue>
Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </samlds:Attribute>Transforms>
                <saml<ds:AttributeDigestMethod NameAlgorithm="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>http://www.w3.org/2000/09/xmldsig#sha1"/>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType"><ds:DigestValue>UVzjCyAw5vsBwM9YlO4+mTx79rw=</ds:DigestValue>
              <saml:AttributeValue>system<</samlds:AttributeValue>Reference>
            </samlds:Attribute>SignedInfo>
            <saml:Attribute Name="sosi:AuthenticationLevel"><ds:SignatureValue>JneJnJXDi8JLj6Gv9SmZsKcqMj1SDn7JMw0EMv53OWT4lilCPlaMCmcJ0wykye4PILF3QwW+qkt8Dk95Q4vKyC/qnPamF+yZpIl91AlPCH3za4QjcBwXu9effUDC3UtseVtHxaW8D0jtxRmb2tPCDvG4EmtVMNxqjkyknUDpwwWO919pH7j6wmHSS/DyjXNFjs4hMQwZO/zhwCGbIKeYRDjvY06Eq3ys8kkbJ8B+W5vg0bEUHLRp5vDIVnKuPsol5DDLywAffk9NqhqZqKgjWhJNZsdUqDaD/ss45aMZGWHSa6RAPmz8pjQ4xQvrkV8xjhWkTF9kkuNjnps0QsOSdg==</ds:SignatureValue>
            <ds:KeyInfo>
  <saml:AttributeValue>3</saml:AttributeValue>
            </saml<ds:Attribute>X509Data>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
    <ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
              </samlds:Attribute>X509Data>
            </samlds:AttributeStatement>KeyInfo>
          <saml:AttributeStatement id="SystemLog">
</ds:Signature>
        </saml:Assertion>
     <saml:Attribute Name="medcom:ITSystemName"> </wst:RequestedSecurityToken>
      <wst:Status>
        <saml:AttributeValue>Test</saml:AttributeValue><wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
      </wst:Status>
      </saml<wst:Attribute>Issuer>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>46837428</saml:AttributeValue>
      <wsa:Address>TEST1-NSP-STS</wsa:Address>
      </samlwst:Attribute>Issuer>
            <saml:Attribute Name="medcom:CareProviderName">
              <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#IDCard">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>7wotC+2VeHeSVglwz/ETmnSoD5I=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>HUPt3Yn9yeSQEIHTM1FvoqxG2c1mQiXUMpSLszmFbgByaRinPnL3vLp6PcB9nlBFWHqsXoX3LfzPme3dyM0TYqSaM1Wk38Vc190KPO5E7SwcZqEz8iQdbGGn5t+TaqnROPQrCtaSfG7UtHMvbP4jGBJusnTqifk3Q2eWf9VIqffLgS3jkXl7toUdAqmLJG1l7DnpuVxMn1I0wahl9821bvmhAvMKyxlMAUMt6xgMGO2aO2jRJsQZWdBxT2U8llnK0N3ePQ0c4znOzMz7IRsyl6k0s+leHR2xs247XM78taSYtgdfpjswayw68UgJ9q3sGvWynf2ZggZTEZbnF6muyw==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIGRTCCBS2gAwIBAgIEWRzG9TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgyOTA2MjUxOVoXDTIxMDgyOTA2MjQwNVowgY4xCzAJBgNVBAYTAkRLMS8wLQYDVQQKDCZTdGF0ZW5zIFNlcnVtIEluc3RpdHV0IC8vIENWUjo0NjgzNzQyODFOMCAGA1UEBRMZQ1ZSOjQ2ODM3NDI4LVVJRDoyNzkxMDEzNTAqBgNVBAMMI1N0YXRlbnMgU2VydW0gSW5zdGl0dXQgLSBUZXN0IFZPQ0VTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0rwBkF6j7W9UEm/aCS2O5RUBoibeIsxz1kZ6kaaiUV0FcSYLy9Pj9zbRLbO+SX/2QBQ7woY18VTj/9m/zIgrvCtwTZIaWZi0MZFNX6UbcSzrpW2HT18DRdwRI0Fjm3U0FskAxl47PneLmp3ZDlZXOLE4HRPJiNFBvT4UJxJW96vYCk43/wu3CfGGfxU7FW2d7ZzcxmG2Y8fLzblm97Kx9FdpwaO+8xMzzvZa3nJ64Bvl9/Fac0o70J8hB1qr4I4Rit/XCFxHxNS8KWXkaJ1mEyRkAyIm3bY+U5lwlQEe4egrsXcEj5nNKxZ8JF7+zh21WRMUJYtcDcPQcuZHcQGQwIDAQABo4IC7jCCAuowDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vdi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYDBDCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4wIAYDVR0RBBkwF4EVdGVzdGNlcnRpZmlrYXRAc3NpLmRrMIGsBgNVHR8EgaQwgaEwPaA7oDmGN2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyMS5jcmwwYKBeoFykWjBYMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ4wDAYDVQQDDAVDUkw3NjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUf8X/XPGsZNQIHLtleAHUeLZXcQwwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAgMGEzepPJ1Ez1WFqZrVeVHQC1vinhnVFGuRaOyjVPSR7z5Hvzi6N9M9hGyv/yVQSkqdTWA1Fum3sI7kMH6uQ2N6mNfPtRmOjBqCLUzqQ09f9TnAu/GikZdBiDL0h44Myey3PgpVTxh4kRWKxp6SqLDlgw5Rhta5dMOMIWzOJwkRZ9YLgYnNinKnGSWqg16iv7qJF/SBYz4VbWrmfSXhNu+Q2DNyjsFLluVumRg5wGZDBlsUW2dFSY9+olaQMd8rgvMMx9ByVQgvFF+S109fv91uw71esBKzwbEppFtLKNUqOu9+di0GAWQ2Ny+aIzhG43Wx2mawL7anLw5QFHZyEIg==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:Claims>
      <wst:Issuer>
        <wsa:Address>TheSOSILibrary</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte System Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)'):

Code Block
languagexml
titleResponse fra STS for System Idkort
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T13:15:19Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion IssueInstant="2020-12-02T13:10:19Z" Version="2.0" id="IDCard">
          <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="medcom:other">SubjectDN={SERIALNUMBER=CVR:46837428-UID:27910135 + CN=Statens Serum Institut - Test VOCES, O=Statens Serum Institut // CVR:46837428, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058165}</saml:NameID>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T13:10:19Z" NotOnOrAfter="2020-12-03T13:10:19Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>K8zJ68J++oajvRVZ915dvg==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>system</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>3</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>46837428</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderName">
              <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#IDCard">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>UVzjCyAw5vsBwM9YlO4+mTx79rw=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>JneJnJXDi8JLj6Gv9SmZsKcqMj1SDn7JMw0EMv53OWT4lilCPlaMCmcJ0wykye4PILF3QwW+qkt8Dk95Q4vKyC/qnPamF+yZpIl91AlPCH3za4QjcBwXu9effUDC3UtseVtHxaW8D0jtxRmb2tPCDvG4EmtVMNxqjkyknUDpwwWO919pH7j6wmHSS/DyjXNFjs4hMQwZO/zhwCGbIKeYRDjvY06Eq3ys8kkbJ8B+W5vg0bEUHLRp5vDIVnKuPsol5DDLywAffk9NqhqZqKgjWhJNZsdUqDaD/ss45aMZGWHSa6RAPmz8pjQ4xQvrkV8xjhWkTF9kkuNjnps0QsOSdg==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:Status>
        <wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
      </wst:Status>
      <wst:Issuer>
        <wsa:Address>TEST1-NSP-STS</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>

Udstedelse af Bruger Idkort (med sundhedsfaglig autorisation)

For at få udstedt et Bruger Idkort med oplysninger om brugerens sundhedsfaglige autorisation, så må anvender systemet opbygge et request, der indeholder de claims (påstande) vedrørende autorsationsoplysninger (og cprnummer) for den pågældende bruger. I dette eksempel anvendes et MOCES certifikat, der tilhører en person, der er i besiddelse af en lægefaglig autorisation.

Det i eksemplet anvendte MOCES certifikat ser således ud (bemærk, at certifikatet indeholder RID og CVR nummer, men ikke oplysninger om hverken CPR nummer eller autorisationsid):

Code Block
languagexml
titleMOCES certifikat for bruger med lægefaglig autorisation
collapsetrue
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1495058808 (0x591cc978)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
        Validity
            Not Before: Aug 30 12:38:36 2018 GMT
            Not After : Aug 30 12:37:22 2021 GMT
        Subject: C=DK, O=LAKESIDE A/S // CVR:25450442, CN=Casper Rasmussen/serialNumber=CVR:25450442-RID:40252666
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8f:1b:7d:37:d7:72:4b:5a:cc:e8:d6:b0:fa:12:
                    d2:9f:bd:fd:c9:be:b1:02:bb:fc:67:a7:c9:97:4c:
                    a9:25:0d:5c:69:a7:fc:2e:9d:13:3f:04:42:61:87:
                    18:13:8f:8b:d5:23:0e:99:3c:02:be:5d:4a:fd:10:
                    ab:aa:3a:80:96:74:65:8d:1f:9a:78:15:80:2d:48:
                    28:89:f5:80:71:3e:38:2d:47:6e:19:a9:b8:fd:2b:
                    ff:f7:d9:a1:cb:2a:8f:a9:99:55:bf:27:70:55:4f:
                    21:99:17:eb:08:bd:3d:d3:93:4e:1a:37:86:32:74:
                    a0:03:20:11:ec:a8:99:1c:38:c4:9c:30:8b:c7:73:
                    bc:1a:91:9e:38:4f:83:51:4a:ca:f1:10:b3:3c:75:
                    aa:8b:88:e2:89:d4:41:48:fb:e2:75:78:82:9e:94:
                    93:62:5e:a9:47:c4:6d:4f:44:df:5b:78:b5:1d:51:
                    8b:1b:31:d5:24:dd:ae:41:65:e9:3e:88:e3:97:97:
                    df:ee:ba:06:1c:6b:dc:59:7c:91:fa:ce:f1:17:54:
                    75:10:e2:fc:77:a7:a4:a2:9f:f8:d0:b0:0c:ad:44:
                    61:0a:2f:c4:30:57:64:03:a3:9f:34:fe:8b:e0:4c:
                    f0:21:b2:ee:2f:27:c7:4b:41:ef:09:98:fa:9b:dd:
                    a9:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            Authority Information Access: 
                OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
                CA Issuers - URI:http://m.aia.systemtest22.trust2408.com/systemtest22-ca.cer

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.31313.2.4.6.2.5
                  CPS: http://www.trust2408.com/repository
                  User Notice:
                    Organization: DanID
                    Number: 1
                    Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.2.5. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.2.5.

            X509v3 Subject Alternative Name: 
                email:anni@lakeside.dk
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.systemtest22.trust2408.com/systemtest221.crl

                Full Name:
                  DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL76

            X509v3 Authority Key Identifier: 
                keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF

            X509v3 Subject Key Identifier: 
                EB:4F:3B:90:5C:91:87:11:FB:3F:2D:A2:A7:01:69:97:B6:5D:7C:EE
            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         73:75:90:8f:c8:ab:4e:67:e3:58:e5:74:57:6e:fb:40:c9:93:
         0e:c7:7b:a2:e2:e9:9b:ab:b2:2c:76:bd:38:85:01:5f:e9:4d:
         a0:8c:aa:f4:a0:42:71:26:71:2a:dc:88:15:a4:b4:4e:bd:1d:
         18:f5:e6:1a:fe:09:05:13:92:6b:1f:13:9d:8a:ba:8d:33:a4:
         58:22:b6:a6:57:70:6e:de:4b:23:62:65:ce:06:c3:0a:4b:5b:
         9a:64:fb:18:a1:0f:94:57:98:90:b5:d5:2a:5d:b3:0f:bc:b8:
         84:a0:81:c9:d4:39:d0:39:06:a6:48:35:b4:57:17:05:1a:4c:
         02:ff:b8:9e:c0:83:be:98:88:25:c7:cc:12:36:ed:11:55:2a:
         0e:35:cc:66:bf:fc:8f:9c:8f:86:57:ee:9c:57:38:90:38:35:
         15:4e:dd:c9:e9:53:45:ba:4b:6e:88:26:12:5b:5f:5b:1d:7c:
         58:fe:ef:65:51:24:85:e1:eb:de:f5:ff:91:5d:eb:e0:ec:3a:
         46:db:73:82:a5:84:b0:e8:e7:69:93:ae:61:02:04:19:33:56:
         28:f6:b5:20:d2:3f:52:a8:8a:a6:62:cd:8f:c5:b6:35:02:81:
         16:fb:c4:df:d5:2f:5c:5f:38:e9:8d:67:57:7d:eb:19:0f:7f:
         3e:a5:6a:8b

Selve requestet til STS ser således ud (bemærk især claims om brugeren 'medcom:UserCivilRegistrationNumber' og 'medcom:UserAuthorizationCode', der angiver autorisationskoden samt 'medcom:UserRole', der angiver den tilhørende uddannelseskode):

Code Block
languagexml
title(DGWS) Request til STS for Bruger Idkort for sundhedsfaglig
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T08:02:24Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wst:Claims>
        <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T07:57:24Z" Version="2.0" id="IDCard">
          <saml:Issuer>TheSOSILibrary</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="medcom:cprnumber">0804569723</saml:NameID>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T07:57:24Z" NotOnOrAfter="2020-12-03T07:57:24Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>bkRCjUrGv397gdbh9FvqDg==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>user</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>4</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="UserLog">
            <saml:Attribute Name="medcom:UserCivilRegistrationNumber">
              <saml:AttributeValue>0804569723</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserGivenName">
              <saml:AttributeValue>Casper</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserSurName">
              <saml:AttributeValue>Rasmussen</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserEmailAddress">
              <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserRole">
              <saml:AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserAuthorizationCode">
              <saml:AttributeValue>CBNH1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserOccupation">
              <saml:AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>25450442</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderName">
              <saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#IDCard">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>crGwfhPSXjudjc9vCMFFfpy24W0=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Fm9MAXQFMfMlWZT3UXPLwMVRL9sBt9IPo1STf8Cvyvva1xahuPR7fIarFjOui5y2JI+COYwx5saUhWKzvFyTuKQcVWsWJ9iS1mxxHmWF6KtSVLEpisTh7+MyLe/Ko98PD0nDc7/Vx4jnv+NIMdOeBnyIBI5TjTw8wfG2OKjtagdR/dwcfJad33Iy5DZP+v1+lKOmpS3vgcMlYJy/HSlSNejwdJGx5vr5LZav7/44QDll6ulewIKFe5hJGGh7c9EDv0VBxNXGp/vIYqOAV/bnsspThhtsuuS+b7rxlwvWF/j63OlNss5O3UBkFH2sh1WSX4ilMSFNuThXx5oA51zxTw==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIGIjCCBQqgAwIBAgIEWRzJeDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgzMDEyMzgzNloXDTIxMDgzMDEyMzcyMlowcTELMAkGA1UEBhMCREsxJTAjBgNVBAoMHExBS0VTSURFIEEvUyAvLyBDVlI6MjU0NTA0NDIxOzAXBgNVBAMMEENhc3BlciBSYXNtdXNzZW4wIAYDVQQFExlDVlI6MjU0NTA0NDItUklEOjQwMjUyNjY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjxt9N9dyS1rM6Naw+hLSn739yb6xArv8Z6fJl0ypJQ1caaf8Lp0TPwRCYYcYE4+L1SMOmTwCvl1K/RCrqjqAlnRljR+aeBWALUgoifWAcT44LUduGam4/Sv/99mhyyqPqZlVvydwVU8hmRfrCL0905NOGjeGMnSgAyAR7KiZHDjEnDCLx3O8GpGeOE+DUUrK8RCzPHWqi4jiidRBSPvidXiCnpSTYl6pR8RtT0TfW3i1HVGLGzHVJN2uQWXpPojjl5ff7roGHGvcWXyR+s7xF1R1EOL8d6ekop/40LAMrURhCi/EMFdkA6OfNP6L4EzwIbLuLyfHS0HvCZj6m92pFwIDAQABo4IC6TCCAuUwDgYDVR0PAQH/BAQDAgP4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vbS5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYCBTCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4wGwYDVR0RBBQwEoEQYW5uaUBsYWtlc2lkZS5kazCBrAYDVR0fBIGkMIGhMD2gO6A5hjdodHRwOi8vY3JsLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMjEuY3JsMGCgXqBcpFowWDELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODElMCMGA1UEAwwcVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhJSSBDQTEOMAwGA1UEAwwFQ1JMNzYwHwYDVR0jBBgwFoAUq6gBRBmws0OZ2vp8zNIAGAPnPL8wHQYDVR0OBBYEFOtPO5BckYcR+z8toqcBaZe2XXzuMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHN1kI/Iq05n41jldFdu+0DJkw7He6Li6Zursix2vTiFAV/pTaCMqvSgQnEmcSrciBWktE69HRj15hr+CQUTkmsfE52Kuo0zpFgitqZXcG7eSyNiZc4GwwpLW5pk+xihD5RXmJC11Spdsw+8uISggcnUOdA5BqZINbRXFwUaTAL/uJ7Ag76YiCXHzBI27RFVKg41zGa//I+cj4ZX7pxXOJA4NRVO3cnpU0W6S26IJhJbX1sdfFj+72VRJIXh6971/5Fd6+DsOkbbc4KlhLDo52mTrmECBBkzVij2tSDSP1KoiqZizY/FtjUCgRb7xN/VL1xfOOmNZ1d96xkPfz6laos=</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:Claims>
      <wst:Issuer>
        <wsa:Address>TheSOSILibrary</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte Bruger Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)' og indeholder de nu af STS validerede claims fra requestet. Bemærk også at medcom:UserRole er erstattet med uddannelseskoden, der hører til brugerens autorisation i autorisationsregisteret):

</wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>

Udstedelse af Bruger Idkort (med sundhedsfaglig autorisation)

For at få udstedt et Bruger Idkort med oplysninger om brugerens sundhedsfaglige autorisation, så må anvender systemet opbygge et request, der indeholder de claims (påstande) vedrørende autorsationsoplysninger (og cprnummer) for den pågældende bruger. I dette eksempel anvendes et OCES certifikat, der tilhører en person, der er i besiddelse af en lægefaglig autorisation.

Selve requestet til STS ser således ud (bemærk især claims om brugeren 'medcom:UserCivilRegistrationNumber' og 'medcom:UserAuthorizationCode', der angiver autorisationskoden samt 'medcom:UserRole', der angiver den tilhørende uddannelseskode):

Code Block
languagexml
title(DGWS) Request til STS for Bruger Idkort for sundhedsfaglig
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Code Block
languagexml
titleResponse fra STS for Bruger Idkort for sundhedsfaglig
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id=" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="httpEnvelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T08:02:24Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust"/Issue</wst:RequestType>
      <wst:Claims>
        <saml:Assertion xmlns:medcomds="http://www.medcomw3.dkorg/dgws2000/2006/04/dgws-1.0.xsd09/xmldsig#" xmlns:dssaml="http://www.w3.org/2000/09/xmldsig#urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T07:57:24Z" Version="2.0" id="EnvelopeIDCard">
          <soapenv:Header><saml:Issuer>TheSOSILibrary</saml:Issuer>
    <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
      <wsu<saml:Timestamp>Subject>
          <wsu:Created>2020-12-02T08:02:30Z</wsu:Created>  <saml:NameID Format="medcom:cprnumber">0804569723</saml:NameID>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv<saml:Header>SubjectConfirmation>
   <soapenv:Body>
    <wst:RequestSecurityTokenResponse Context="www.sosi.dk">
      <wst<saml:TokenType>urnConfirmationMethod>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
cm:holder-of-key</saml:ConfirmationMethod>
           <wst:RequestedSecurityToken>
   <saml:SubjectConfirmationData>
          <saml:Assertion IssueInstant="2020-12-02T07:57:30Z" Version="2.0" id="IDCard">      <ds:KeyInfo>
          <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
        <ds:KeyName>OCESSignature</ds:KeyName>
  <saml:Subject>
              <saml:NameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen + SERIALNUMBER=CVR:25450442-RID:40252666, O=LAKESIDE A/S // CVR:25450442, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058808}</saml:NameID></ds:KeyInfo>
              </saml:SubjectConfirmationData>
            <saml</saml:SubjectConfirmation>
          </saml:Subject>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>Conditions NotBefore="2020-12-02T07:57:24Z" NotOnOrAfter="2020-12-03T07:57:24Z"/>
              <saml:SubjectConfirmationData>AttributeStatement id="IDCardData">
                <ds:KeyInfo><saml:Attribute Name="sosi:IDCardID">
                  <ds:KeyName>OCESSignature</ds:KeyName>
    <saml:AttributeValue>bkRCjUrGv397gdbh9FvqDg==</saml:AttributeValue>
            </dssaml:KeyInfo>Attribute>
              </saml:SubjectConfirmationData><saml:Attribute Name="sosi:IDCardVersion">
            <  <saml:AttributeValue>1.0.1</saml:SubjectConfirmation>AttributeValue>
            </saml:Subject>Attribute>
            <saml:ConditionsAttribute NotBeforeName="2020-12-02T07:57:30Z" NotOnOrAfter="2020-12-03T07:57:30Z"/>
sosi:IDCardType">
              <saml:AttributeValue>user</saml:AttributeValue>
            <saml:AttributeStatement id="IDCardData"></saml:Attribute>
            <saml:Attribute Name="sosi:IDCardIDAuthenticationLevel">
              <saml:AttributeValue>uqU7WoiYXI0usmYQ5GvBsA==<AttributeValue>4</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersionOCESCertHash">
              <saml:AttributeValue>1.0.1<AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="UserLog">
            <saml:Attribute Name="sosimedcom:IDCardTypeUserCivilRegistrationNumber">
              <saml:AttributeValue>user<AttributeValue>0804569723</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosimedcom:AuthenticationLevelUserGivenName">
              <saml:AttributeValue>4<AttributeValue>Casper</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosimedcom:OCESCertHashUserSurName">
              <saml:AttributeValue>RIQsET5XYrNoHAttributeValue>Rasmussen</CVyZdYqa7GvYQ=</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserEmailAddress">
          <    <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeStatement>AttributeValue>
           <saml:AttributeStatement id="UserLog"> </saml:Attribute>
            <saml:Attribute Name="medcom:UserCivilRegistrationNumberUserRole">
              <saml:AttributeValue>0804569723<AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserGivenNameUserAuthorizationCode">
              <saml:AttributeValue>Casper<AttributeValue>CBNH1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserSurNameUserOccupation">
              <saml:AttributeValue>Rasmussen<AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:UserEmailAddressITSystemName">
              <saml:AttributeValue>casper56@hotdocs.dk<AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:UserRolecvrnumber">
              <saml:AttributeValue>7170<AttributeValue>25450442</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserAuthorizationCodeCareProviderName">
              <saml:AttributeValue>CBNH1<AttributeValue>LAKESIDE A/S</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml<ds:AttributeSignature Nameid="medcom:UserOccupationOCESSignature">
            <ds:SignedInfo>
   <saml:AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog"<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <saml  <ds:AttributeReference NameURI="medcom:ITSystemName#IDCard">
              <saml:AttributeValue>Test</saml:AttributeValue>
  <ds:Transforms>
                </saml:Attribute>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <saml:AttributeValue>25450442</saml:AttributeValue>
            </samlds:Attribute>Transforms>
            <saml:Attribute Name    <ds:DigestMethod Algorithm="medcom:CareProviderName"http://www.w3.org/2000/09/xmldsig#sha1"/>
              <saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>  <ds:DigestValue>crGwfhPSXjudjc9vCMFFfpy24W0=</ds:DigestValue>
              </samlds:Attribute>Reference>
            </samlds:AttributeStatement>SignedInfo>
            <ds:Signature id="OCESSignature">SignatureValue>Fm9MAXQFMfMlWZT3UXPLwMVRL9sBt9IPo1STf8Cvyvva1xahuPR7fIarFjOui5y2JI+COYwx5saUhWKzvFyTuKQcVWsWJ9iS1mxxHmWF6KtSVLEpisTh7+MyLe/Ko98PD0nDc7/Vx4jnv+NIMdOeBnyIBI5TjTw8wfG2OKjtagdR/dwcfJad33Iy5DZP+v1+lKOmpS3vgcMlYJy/HSlSNejwdJGx5vr5LZav7/44QDll6ulewIKFe5hJGGh7c9EDv0VBxNXGp/vIYqOAV/bnsspThhtsuuS+b7rxlwvWF/j63OlNss5O3UBkFH2sh1WSX4ilMSFNuThXx5oA51zxTw==</ds:SignatureValue>
            <ds:SignedInfo>KeyInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
X509Data>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>X509Certificate>MIIGIjCCBQqgAwIBAgIEWRzJeDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgzMDEyMzgzNloXDTIxMDgzMDEyMzcyMlowcTELMAkGA1UEBhMCREsxJTAjBgNVBAoMHExBS0VTSURFIEEvUyAvLyBDVlI6MjU0NTA0NDIxOzAXBgNVBAMMEENhc3BlciBSYXNtdXNzZW4wIAYDVQQFExlDVlI6MjU0NTA0NDItUklEOjQwMjUyNjY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjxt9N9dyS1rM6Naw+hLSn739yb6xArv8Z6fJl0ypJQ1caaf8Lp0TPwRCYYcYE4+L1SMOmTwCvl1K/RCrqjqAlnRljR+aeBWALUgoifWAcT44LUduGam4/Sv/99mhyyqPqZlVvydwVU8hmRfrCL0905NOGjeGMnSgAyAR7KiZHDjEnDCLx3O8GpGeOE+DUUrK8RCzPHWqi4jiidRBSPvidXiCnpSTYl6pR8RtT0TfW3i1HVGLGzHVJN2uQWXpPojjl5ff7roGHGvcWXyR+s7xF1R1EOL8d6ekop/40LAMrURhCi/EMFdkA6OfNP6L4EzwIbLuLyfHS0HvCZj6m92pFwIDAQABo4IC6TCCAuUwDgYDVR0PAQH/BAQDAgP4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vbS5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYCBTCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4wGwYDVR0RBBQwEoEQYW5uaUBsYWtlc2lkZS5kazCBrAYDVR0fBIGkMIGhMD2gO6A5hjdodHRwOi8vY3JsLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMjEuY3JsMGCgXqBcpFowWDELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODElMCMGA1UEAwwcVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhJSSBDQTEOMAwGA1UEAwwFQ1JMNzYwHwYDVR0jBBgwFoAUq6gBRBmws0OZ2vp8zNIAGAPnPL8wHQYDVR0OBBYEFOtPO5BckYcR+z8toqcBaZe2XXzuMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHN1kI/Iq05n41jldFdu+0DJkw7He6Li6Zursix2vTiFAV/pTaCMqvSgQnEmcSrciBWktE69HRj15hr+CQUTkmsfE52Kuo0zpFgitqZXcG7eSyNiZc4GwwpLW5pk+xihD5RXmJC11Spdsw+8uISggcnUOdA5BqZINbRXFwUaTAL/uJ7Ag76YiCXHzBI27RFVKg41zGa//I+cj4ZX7pxXOJA4NRVO3cnpU0W6S26IJhJbX1sdfFj+72VRJIXh6971/5Fd6+DsOkbbc4KlhLDo52mTrmECBBkzVij2tSDSP1KoiqZizY/FtjUCgRb7xN/VL1xfOOmNZ1d96xkPfz6laos=</ds:X509Certificate>
              <ds:Reference URI="#IDCard">
</ds:X509Data>
            </ds:KeyInfo>
          <ds</ds:Transforms>Signature>
        </saml:Assertion>
      </wst:Claims>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <wst:Issuer>
        <wsa:Address>TheSOSILibrary</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte Bruger Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)' og indeholder de nu af STS validerede claims fra requestet. Bemærk også at medcom:UserRole er erstattet med uddannelseskoden, der hører til brugerens autorisation i autorisationsregisteret):

Code Block
languagexml
titleResponse fra STS for Bruger Idkort for sundhedsfaglig
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://wwwschemas.w3xmlsoap.org/2000soap/09envelope/xmldsig#sha1"/>
                <ds:DigestValue>7rGpBft4x09fFey3Ny/ygbSmRI4=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>e14AkKe/qygk07YrDjzdEzOs7TN0mVPjN4yioh8trDsKhSmx9hO8Sg/zzpRewA4FweLVh+muBSwNR//By6XoLA4nUC7aBqHQ14maBCojwzYH5dmgua2VMAYBECk/fi/3WrMo1qd6EGCHjUOnFnaiyRLQgSc99vF6dHGmW/AeyVdAv7miJcTWNnu4MbtrcBNNnJeClBHJlpAu1708+wjoDSkDcB7BvUYkWqKNuXNdxecYbR6TBjo4S4FrT0Yt7qsXpLRIBxXLBia5BbA/XXzYLcDYPxP7USbSJ47jq18M65llXG56dhxihJzt4WVLFXfBit9oPkhnfF2QfSjZzy6l3g==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:Status>
        <wst:Code>http xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
  " xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
  <soapenv:Header>
    </wst:Status><wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
      <wst<wsu:Issuer>Timestamp>
        <wsa<wsu:Address>TEST1Created>2020-NSP-STS</wsa:Address>12-02T08:02:30Z</wsu:Created>
      </wstwsu:Issuer>Timestamp>
    </wstwsse:RequestSecurityTokenResponse>Security>
  </soapenv:Body>
</soapenv:Envelope>

Udstedelse af Bruger Idkort (uden sundhedsfaglig autorisation, men med national rolle)

I dette eksempel anvendes et MOCES certifikat for en bruger uden sundhedsfaglig autorisation men med netop én national rolle. Eksemplet illusterer, hvorledes STS automatisk sætter oplysninger ind om en medarbejders (unikke) nationale rolle, hvis en sådan findes.

Code Block
languagexml
titleMOCES certifikat for bruger uden sundhedsfaglig autorisation
collapsetrue
Certificate:
    Data:Header>
  <soapenv:Body>
        Version<wst: 3 (0x2)RequestSecurityTokenResponse Context="www.sosi.dk">
        Serial Number: 1537912428 (0x5baaae6c)
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      Signature Algorithm: sha256WithRSAEncryption<wst:RequestedSecurityToken>
        Issuer<saml:Assertion C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
IssueInstant="2020-12-02T07:57:30Z" Version="2.0" id="IDCard">
           Validity<saml:Issuer>TEST1-NSP-STS</saml:Issuer>
            Not Before: Dec 19 09:17:40 2018 GMT<saml:Subject>
            Not After <saml: Dec 19 09:17:05 2021 GMT
        Subject: C=DKNameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen + SERIALNUMBER=CVR:25450442-RID:40252666, O=LAKESIDE A/S // CVR:25450442, CN=Peter Rasmussen/serialNumber=CVR:25450442-RID:15467395
C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058808}</saml:NameID>
         Subject Public Key Info<saml:SubjectConfirmation>
            Public Key Algorithm: rsaEncryption <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
                Public-Key: (2048 bit)<saml:SubjectConfirmationData>
                Modulus<ds:KeyInfo>
                    00:ae:6c:d5:c1:db:65:4b:84:65:ea:c0:11:c0:20:   <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
    c1:68:68:ee:ee:d7:a9:56:2d:f1:59:46:11:bf:6f:
          </saml:SubjectConfirmationData>
            54:6d:63:0b:45:ed:43:ef:df:7c:8f:69:63:5e:71:</saml:SubjectConfirmation>
          </saml:Subject>
          c7:ef:aa:59:05:1e:3b:57:c3:4e:dc:9d:f8:9d:00:<saml:Conditions NotBefore="2020-12-02T07:57:30Z" NotOnOrAfter="2020-12-03T07:57:30Z"/>
          <saml:AttributeStatement id="IDCardData">
         b1:a0:69:02:10:7c:3c:9e:c5:d1:e5:52:2f:0c:11:
   <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>uqU7WoiYXI0usmYQ5GvBsA==</saml:AttributeValue>
            a3:f4:3b:1c:f4:43:3b:5d:6f:a7:4c:70:06:0e:96:</saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
           76:42:6d:67:bd:e1:08:52:78:7f:8f:f5:84:50:5d:   <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
        97:52:57:ca:03:49:15:bb:dd:c0:bc:dc:6c:4a:1c:
    <saml:Attribute Name="sosi:IDCardType">
               69:21:bd:c0:dd:c3:f3:32:0b:ac:e3:5a:15:ba:0b:
<saml:AttributeValue>user</saml:AttributeValue>
            </saml:Attribute>
            f7:6b:fa:ec:2a:82:3b:3c:c5:6d:ff:3b:88:dc:cc:<saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>4</saml:AttributeValue>
       90:f1:56:cb:03:fe:14:65:00:d5:6b:6c:61:8c:44:
     </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              13:4b:59:7f:f8:c2:4e:bd:d2:29:3c:76:56:42:24:<saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
            </saml:Attribute>
          03:a9:68:4f:fe:7e:f0:7c:96:42:f6:56:db:9e:f6:</saml:AttributeStatement>
          <saml:AttributeStatement id="UserLog">
         d2:28:38:e3:0b:83:5d:8c:b2:c0:93:93:00:4f:06:
   <saml:Attribute Name="medcom:UserCivilRegistrationNumber">
              <saml:AttributeValue>0804569723</saml:AttributeValue>
            f1:1b:2f:fa:24:47:23:64:d4:c4:f7:5c:c2:ca:a6:
</saml:Attribute>
            <saml:Attribute Name="medcom:UserGivenName">
              48:3f:ab:58:9d:6c:d0:37:31:be:ea:27:a3:29:14:<saml:AttributeValue>Casper</saml:AttributeValue>
            </saml:Attribute>
        cc:d8:fc:9a:21:56:99:33:03:6f:a7:33:86:b5:64:
    <saml:Attribute Name="medcom:UserSurName">
               5e:63<saml:AttributeValue>Rasmussen</saml:AttributeValue>
            </saml:Attribute>
    Exponent: 65537 (0x10001)
        X509v3 extensions:<saml:Attribute Name="medcom:UserEmailAddress">
            X509v3 Key Usage: critical <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue>
            </saml:Attribute>
    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
<saml:Attribute Name="medcom:UserRole">
             Authority Information Access: 
 <saml:AttributeValue>7170</saml:AttributeValue>
            </saml:Attribute>
      OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
    <saml:Attribute Name="medcom:UserAuthorizationCode">
           CA Issuers - URI<saml:http://m.aia.systemtest22.trust2408.com/systemtest22-ca.cer

AttributeValue>CBNH1</saml:AttributeValue>
            X509v3 Certificate Policies: </saml:Attribute>
                Policy: 1.3.6.1.4.1.31313.2.4.6.2.5<saml:Attribute Name="medcom:UserOccupation">
              <saml:AttributeValue>Læge</saml:AttributeValue>
    CPS: http://www.trust2408.com/repository
         </saml:Attribute>
         User Notice</saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
         Organization: DanID
  <saml:Attribute Name="medcom:ITSystemName">
                 Number: 1<saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
        Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.2.5. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.2.5.

     <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>25450442</saml:AttributeValue>
            </saml:Attribute>
        X509v3   Subject Alternative<saml:Attribute Name: ="medcom:CareProviderName">
                email:smi@lakeside.dk<saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
            </saml:Attribute>
       X509v3 CRL Distribution Points</saml: AttributeStatement>

          <ds:Signature id="OCESSignature">
       Full Name:
    <ds:SignedInfo>
              URI<ds:CanonicalizationMethod Algorithm="http://crlwww.systemtest22.trust2408.com/systemtest221.crl

w3.org/2001/10/xml-exc-c14n#"/>
                Full Name:<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  DirName<ds:Reference C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL105

   URI="#IDCard">
                <ds:Transforms>
         X509v3 Authority Key Identifier: 
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF

            X509v3 Subject Key Identifier: <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                0A:B6:21:06:8D:81:C7:33:38:B0:C4:65:59:42:DE:B7:BA:10:11:63</ds:Transforms>
            X509v3   Basic Constraints<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                CA:FALSE
<ds:DigestValue>7rGpBft4x09fFey3Ny/ygbSmRI4=</ds:DigestValue>
     Signature Algorithm: sha256WithRSAEncryption
         c5:11:e9:de:c5:ca:6d:3b:a5:74:ac:fc:fe:fc:6d:2d:f5:1b:
</ds:Reference>
            ac:30:ea:e6:7f:d2:f6:e3:cd:0e:30:02:7e:83:91:2d:ca:57:</ds:SignedInfo>
         5f:d7:d8:77:79:44:4e:28:a2:fa:9a:24:00:80:5a:2a:ec:27:   <ds:SignatureValue>e14AkKe/qygk07YrDjzdEzOs7TN0mVPjN4yioh8trDsKhSmx9hO8Sg/zzpRewA4FweLVh+muBSwNR//By6XoLA4nUC7aBqHQ14maBCojwzYH5dmgua2VMAYBECk/fi/3WrMo1qd6EGCHjUOnFnaiyRLQgSc99vF6dHGmW/AeyVdAv7miJcTWNnu4MbtrcBNNnJeClBHJlpAu1708+wjoDSkDcB7BvUYkWqKNuXNdxecYbR6TBjo4S4FrT0Yt7qsXpLRIBxXLBia5BbA/XXzYLcDYPxP7USbSJ47jq18M65llXG56dhxihJzt4WVLFXfBit9oPkhnfF2QfSjZzy6l3g==</ds:SignatureValue>
         3a:f9:f9:2b:f2:a6:f7:20:cd:0f:13:46:a2:2f:4e:6b:ee:c0:
   <ds:KeyInfo>
              0c:a7:27:e8:ee:7c:20:c1:9f:5e:db:67:99:d2:46:52:c6:a2:<ds:X509Data>
         82:db:4a:a0:65:6c:2a:c6:25:5c:7d:2f:eb:d0:1a:40:7c:1b:
         57:96:2b:21:76:19:a3:85:bf:16:dd:b6:5e:ed:16:95:88:be:<ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
         83:a2:41:4c:92:1d:7a:00:08:32:b1:d5:50:74:c8:74:cc:34:     </ds:X509Data>
         6b:92:da:dc:b4:0b:c9:68:1a:c7:bf:83:60:20:7d:3a:74:83:
   </ds:KeyInfo>
          c0:37:f7:d4:ef:33:eb:a4:85:b9:5e:23:6a:db:1e:d9:8f:26:</ds:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
   80:9f:7e:ea:da:06:a3:df:d4:eb:47:95:62:b3:cf:bc:51:27:   <wst:Status>
         d9<wst:72:e7:23:2d:7c:be:e2:0a:d4:c5:d2:d0:c2:3c:9e:98:d5:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
         9b:19:7a:ff:9c:97:e7:34:e8:4a:b2:c8:b3:57:d6:5e:fc:f5:</wst:Status>
      <wst:Issuer>
         fc:d8:c5:2e:b1:c2:54:16:d8:f6:4a:f9:0c:0a:f5:2f:62:e1:<wsa:Address>TEST1-NSP-STS</wsa:Address>
      </wst:Issuer>
    ea:73:79:42</wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>

Udstedelse af Bruger Idkort (uden sundhedsfaglig autorisation, men med national rolle)

I dette eksempel anvendes et OCES certifikat for en bruger uden sundhedsfaglig autorisation men med netop én national rolle. Eksemplet illusterer, hvorledes STS automatisk sætter oplysninger ind om en medarbejders (unikke) nationale rolle, hvis en sådan findes.Selve requestet til STS ser således ud (bemærk især claims om brugeren 'medcom:UserCivilRegistrationNumber' og 'medcom:UserRole', der er sat til 'ingen_idkort_rolle' for at angive en uspecificeret rolle):

...