...
This can be exchanged, via a service in the STS, for an IdentityToken or an OIOSAML Assertion, which can subsequently be used to access selected services.
...
| Address | Security level | Description |
|---|---|---|
| /sts/services/JWT2Idws | Level 5 | Exchanges an OIOSAML bootstrap token for a signed identity token targeted at a given audience, e.g. FMK. The token must be signed by a trusted third party (NemLog-in). |
| /sts/services/JWT2OIOSaml | Level 5 | Exchanges a JSON Web Token for an OIOSAML assertion for the citizen, encrypted for the web application. |
Note that the issued token is targeted at one specific use (audience).
...
| Service | Audience | Status |
|---|---|---|
| Fælles medicinkort (FMK) | | Service in production. JWT-enabled. |
| Det danske vaccinationsregister (the Danish vaccination register) | | Service in production. JWT-enabled. |
| Technical component for FMK apps | https://eventbox | Service in production. JWT-enabled. |
| Part of the "minlæge" app | https://forloebsplaner | Service in production. JWT-enabled. |
(Currently only https://forloebsplaner has access to /sts/services/JWT2OIOSaml.)
Usage
Users will typically use Seal.java or Seal.net. The latest Seal.net version is available via NuGet. seal.java is fetched from the public Maven repository by adding, for example, the following to a project:
...
```xml
<dependency>
  <groupId>dk.sosi.seal</groupId>
  <artifactId>seal</artifactId>
  <version>2.4.6</version>
</dependency>
```
Note that version 2.4.5 is the oldest version with API support for JWT.
Note that version 2.4.6 is the first version with support for the JWT2OIOSaml service.
Communication
Request (JWT2Idws + JWT2OIOSaml)
The citizen token exchange is designed as a standard WS-Trust 1.4 request with a corresponding response.
A typical request has roughly the following structure:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:1c2818b8-9ab3-4898-9730-dab518020b05</wsa:MessageID>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2018-05-24T09:17:40Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#messageID">...</ds:Reference>
          <ds:Reference URI="#action">...</ds:Reference>
          <ds:Reference URI="#ts">...</ds:Reference>
          <ds:Reference URI="#body">...</ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
              <!-- FOCES certificate in base64-encoded form, used to sign the message -->
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityToken Context="urn:uuid:f637dd3e-fad4-4f5e-ac55-baa504560772">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst14:ActAs>
        <wsse:BinarySecurityToken ValueType="urn:ietf:params:oauth:token-type:jwt">
          <!-- encoded JWT -->
        </wsse:BinarySecurityToken>
      </wst14:ActAs>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>http://audience/clear</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Claims Dialect="http://docs.oasis-open.org/wsfed/authorization/200706/authclaims">
        <auth:ClaimType Uri="dk:gov:saml:attribute:CprNumberIdentifier">
          <auth:Value>0501792275</auth:Value>
        </auth:ClaimType>
        <auth:ClaimType Uri="dk:healthcare:saml:attribute:OnBehalfOf">
          <auth:Value>urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118</auth:Value>
        </auth:ClaimType>
      </wst:Claims>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>
```
Note that the STS does NOT support a so-called SecurityTokenReference for identifying the signing certificate. The certificate must be embedded directly, as shown in the example.
When calling JWT2Idws, two types of claims are supported (see the example above):
- CPR claim (optional). Specifies the CPR number of the citizen "sitting behind the screen". This is not necessary if the JWT sent along already contains the CPR number (which is typically the case).
- Power-of-attorney claim (optional). Can be used to state that the current citizen holds a power of attorney ("fuldmagt") to act on behalf of another citizen. The power of attorney will typically have been granted on borger.dk. The information is checked against a backend web service in the NemID infrastructure.
When calling JWT2OIOSaml, only the CPR claim is supported.
A call should then result in a response of the form shown in the following sections.
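The following is an added example (not seal.java code and not part of the original page) that builds the SOAP body of the request above with Python's standard library, so the optional-claim rules are visible in code: the JWT goes into `wst14:ActAs` as a `BinarySecurityToken`, the audience into `wsp:AppliesTo`, and `wst:Claims` is emitted only when a CPR or power-of-attorney claim is actually requested. The `build_rst`, `claims_in`, `jwt_in` and `rst_to_string` names are this example's own. The WS-Security header (timestamp and FOCES signature over messageID, action, timestamp and body) is assumed to be added by the caller's SOAP/XML-signature layer, and the JWT is assumed to be placed in compact serialization as-is, since the page only says "encoded JWT".

```python
"""Build the WS-Trust RequestSecurityToken body for the STS JWT exchange (added example)."""
import uuid
import xml.etree.ElementTree as ET

# Namespaces exactly as used in the request on the page.
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wst14": "http://docs.oasis-open.org/ws-sx/ws-trust/200802",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
CLAIMS_DIALECT = "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims"
JWT_VALUE_TYPE = "urn:ietf:params:oauth:token-type:jwt"
CPR_CLAIM = "dk:gov:saml:attribute:CprNumberIdentifier"
ONBEHALFOF_CLAIM = "dk:healthcare:saml:attribute:OnBehalfOf"
PROCURATION_PREFIX = "urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:"


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def build_rst(jwt, audience, cpr=None, procuration_by_cpr=None):
    """Return the wst:RequestSecurityToken element; claims are optional (see the page)."""
    rst = ET.Element(_q("wst", "RequestSecurityToken"), Context="urn:uuid:" + str(uuid.uuid4()))
    ET.SubElement(rst, _q("wst", "TokenType")).text = TOKEN_TYPE
    ET.SubElement(rst, _q("wst", "RequestType")).text = REQUEST_TYPE
    # The citizen's NemLog-in JWT travels in ActAs; assumption: compact serialization, unmodified.
    act_as = ET.SubElement(rst, _q("wst14", "ActAs"))
    ET.SubElement(act_as, _q("wsse", "BinarySecurityToken"), ValueType=JWT_VALUE_TYPE).text = jwt
    # The issued token is bound to exactly this audience.
    epr = ET.SubElement(ET.SubElement(rst, _q("wsp", "AppliesTo")), _q("wsa", "EndpointReference"))
    ET.SubElement(epr, _q("wsa", "Address")).text = audience
    claims = []
    if cpr:
        claims.append((CPR_CLAIM, cpr))
    if procuration_by_cpr:
        claims.append((ONBEHALFOF_CLAIM, PROCURATION_PREFIX + procuration_by_cpr))
    if claims:  # wst:Claims is omitted entirely when nothing beyond the JWT is requested
        claims_el = ET.SubElement(rst, _q("wst", "Claims"), Dialect=CLAIMS_DIALECT)
        for uri, value in claims:
            claim_type = ET.SubElement(claims_el, _q("auth", "ClaimType"), Uri=uri)
            ET.SubElement(claim_type, _q("auth", "Value")).text = value
    return rst


def claims_in(rst):
    """Map claim URI -> value for the request's wst:Claims element (empty if none)."""
    return {ct.get("Uri"): ct.findtext("auth:Value", namespaces=NS)
            for ct in rst.findall("wst:Claims/auth:ClaimType", NS)}


def jwt_in(rst):
    return rst.findtext("wst14:ActAs/wsse:BinarySecurityToken", namespaces=NS)


def rst_to_string(rst):
    return ET.tostring(rst, encoding="unicode")


if __name__ == "__main__":
    # Constructed JWT placeholder; a real one comes from NemLog-in.
    print(rst_to_string(build_rst("eyJhbGciOiJSUzI1NiJ9.constructed.sig",
                                  "http://audience/clear", procuration_by_cpr="1111111118")))
```

The element produced here still has to be placed in a `soapenv:Body` with `wsu:Id="body"` and covered by the caller's signature, since that signature, made with the whitelisted FOCES certificate, is what the STS uses to authenticate the calling system.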
Response (JWT2Idws)
The response from JWT2Idws has the form
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:b032de90-34a1-44dc-95ce-8b5a61bcf592</wsa:MessageID>
    <wsa:RelatesTo wsu:Id="relatesTo">urn:uuid:04a6576e-607e-4edc-8b6c-aaa26d75f2d6</wsa:RelatesTo>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts">
        <wsu:Created>2018-05-24T09:37:49Z</wsu:Created>
      </wsu:Timestamp>
      <ds:Signature>
        <!-- the response is signed with the STS certificate -->
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse Context="urn:uuid:d1126e37-5ebf-4fd6-bbd7-67c8063509bf">
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
        <wst:RequestedSecurityToken>
          <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_0eac8d61-a226-4a85-97c0-8d5a5a964178" IssueInstant="2018-05-24T09:37:49Z" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:Issuer>TESTSTS</saml:Issuer>
            <ds:Signature Id="OCESSignature">
              <!-- assertion signed by the STS -->
            </ds:Signature>
            <saml:Subject>
              <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503</saml:NameID>
              <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                <saml:SubjectConfirmationData NotOnOrAfter="2018-05-24T09:42:48Z" Recipient="http://audience/clear">
                  <ds:KeyInfo>
                    <ds:X509Data>
                      <ds:X509Certificate>MIIGIjCCBQqgAwIBAgIEWBjCxjANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSQwIgYDVQQDDBtUUlVTVDI0MDggU3lzdGVtdGVzdCBYSVggQ0EwHhcNMTcwMTMwMDcwNjQ3WhcNMjAwMTMwMDcwNjE0WjCBkDELMAkGA1UEBhMCREsxJzAlBgNVBAoMHk5FVFMgREFOSUQgQS9TIC8vIENWUjozMDgwODQ2MDFYMCAGA1UEBRMZQ1ZSOjMwODA4NDYwLUZJRDo5NDczMTMxNTA0BgNVBAMMLVRVIEdFTkVSRUwgRk9DRVMgZ3lsZGlnIChmdW5rdGlvbnNjZXJ0aWZpa2F0KTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLzkWLn7qgPVpNZFIpq2X7kUR00IPreIF6osVsdAXWAs61/1mAFr7jMklEOTe9f/2iddZ77SlWhvnsWWnU3y0P9jnKrNnQh6VRo/ykqgKK/wCXMAuHBsZJ9yJ8XuZ6MhDEbY/ktSdSpvCqmoz3eBYLp7fqewNcjMg69hbGW5V+EPmurM4z1+HN+CAKjeyjYnoqwOcENdXJZ8Ctx1Rnwy1UWZizzavHnN0XZzVj+MmT4yVE/SXDRhDwhsR/CEa4ghFWGqG+bCOIh8Q2axZgYaUtLkpb8syYOlPpxq2ow/ZoZAlpctCw9kbbacxPyUH7GT62qzdJbNVnGb6HE49J++gUCAwEAAaOCAsowggLGMA4GA1UdDwEB/wQEAwIDuDCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL2YuYWlhLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QxOS1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGBAIwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi40LjIuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi40LjIuMIGqBgNVHR8EgaIwgZ8wPKA6oDiGNmh0dHA6Ly9jcmwuc3lzdGVtdGVzdDE5LnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDE5LmNybDBfoF2gW6RZMFcxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJDAiBgNVBAMMG1RSVVNUMjQwOCBTeXN0ZW10ZXN0IFhJWCBDQTEOMAwGA1UEAwwFQ1JMOTYwHwYDVR0jBBgwFoAUzAJVDOSBdK8gVNURFFeckVI4f6AwHQYDVR0OBBYEFM87NIlSfKvNYR6xTrPPLlP5/zDaMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHJ4gA73YkRR4BaFgcbi5BRCtYUqxdr0Ip6Hx/yY9+PZv9YvnhnLTvCRTs18oJK8lGlTL/lAeQfCM/CAo9V/4e6IhhbUYaehmAguR+4uSMrJXyThvB/6aOYLsdyPwpBmXSaBXbCjVIpUgZ7Q6FemhUuslTNsy3Tt/zDfAgqHhlLjB33io9hYOefT9/IIFkJ32pa5itni0yNzOUi1jC4tx8XdOZGN17lBkXtmaGWh9grWd17x3odVG+kYoa+TekdKOys8bY7ZQwkqktJZnitMgQmbtuGHHQ+9ZXeEwZhhL/U+Lda3O92m8HSdgiHRhvoZ4+j3e/PbRaUW2z5YSqBoua4=</ds:X509Certificate>
                    </ds:X509Data>
                  </ds:KeyInfo>
                </saml:SubjectConfirmationData>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2018-05-24T09:32:48Z" NotOnOrAfter="2018-05-24T09:42:48Z">
              <saml:AudienceRestriction>
                <saml:Audience>http://audience/clear</saml:Audience>
              </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AttributeStatement>
              <saml:Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">0501792275</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="dk:gov:saml:attribute:Privileges_intermediate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">
                  <!-- power-of-attorney privileges in base64-encoded form -->
                </saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
        </wst:RequestedSecurityToken>
        <wsp:AppliesTo>
          <wsa:EndpointReference>
            <wsa:Address>http://audience/clear</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:Lifetime>
          <wsu:Created>2018-05-24T09:32:48Z</wsu:Created>
          <wsu:Expires>2018-05-24T09:42:48Z</wsu:Expires>
        </wst:Lifetime>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soapenv:Body>
</soapenv:Envelope>
```
...
The returned IdentityToken (SAML assertion) can then be used to call the backend web service at, for example, FMK.
Example code (seal.java)
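As an added example (not seal.java, STS or FMK code, and not from the original page), the checks below are the ones a backend service receiving the IdentityToken above should make after the XML signature has been verified (seal.java does the signature and trust part with `response.validateSignatureAndTrust(federation)`; XML-DSig verification is left out here because it needs an XML-signature library): the issuer is the expected STS, the assertion is inside its `Conditions` window, the `AudienceRestriction` names this service, the subject confirmation is holder-of-key, and the certificate embedded in `SubjectConfirmationData` is the certificate of the system actually calling. The `SAMPLE_RESPONSE` is constructed after the page's response with a placeholder certificate; `extract_assertion`, `attribute` and `check_identity_token` are this example's own names.

```python
"""Relying-party checks on a JWT2Idws IdentityToken (added example, standard library only)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
CPR_ATTR = "dk:gov:saml:attribute:CprNumberIdentifier"

# Constructed sample modelled on the page's JWT2Idws response; the certificate is a placeholder,
# not a real FOCES certificate.
SAMPLE_CERT_B64 = "cGxhY2Vob2xkZXItY2FsbGVyLWNlcnRpZmljYXRl"
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Body>
    <wst:RequestSecurityTokenResponseCollection><wst:RequestSecurityTokenResponse>
      <wst:RequestedSecurityToken>
        <saml:Assertion ID="_constructed-1" IssueInstant="2018-05-24T09:37:49Z" Version="2.0">
          <saml:Issuer>TESTSTS</saml:Issuer>
          <saml:Subject>
            <saml:NameID>C=DK,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503</saml:NameID>
            <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
              <saml:SubjectConfirmationData NotOnOrAfter="2018-05-24T09:42:48Z" Recipient="http://audience/clear">
                <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2018-05-24T09:32:48Z" NotOnOrAfter="2018-05-24T09:42:48Z">
            <saml:AudienceRestriction><saml:Audience>http://audience/clear</saml:Audience></saml:AudienceRestriction>
          </saml:Conditions>
          <saml:AttributeStatement>
            <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel"><saml:AttributeValue>3</saml:AttributeValue></saml:Attribute>
            <saml:Attribute Name="{CPR_ATTR}"><saml:AttributeValue>0501792275</saml:AttributeValue></saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
    </wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>
  </soapenv:Body>
</soapenv:Envelope>"""


def parse_time(value):
    """SAML timestamps on the page are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(envelope_xml):
    root = ET.fromstring(envelope_xml)
    return root.find(".//wst:RequestedSecurityToken/saml:Assertion", NS)


def attribute(assertion, name):
    """Value of the named saml:Attribute, or None if absent."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    return None


def check_identity_token(assertion, expected_audience, caller_cert_b64, now,
                         expected_issuer="TESTSTS", skew=timedelta(seconds=30)):
    """Return (ok, problems); problems lists every failed check so one log line can carry all of them."""
    problems = []
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, ["missing Conditions"]
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - skew or now >= not_on_or_after + skew:
        problems.append("outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOLDER_OF_KEY:
        problems.append("subject confirmation is not holder-of-key")
    else:
        # Holder-of-key: the token is only valid when presented by the system holding this certificate.
        cert = sc.findtext("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           namespaces=NS)
        if cert is None or "".join(cert.split()) != "".join(caller_cert_b64.split()):
            problems.append("holder-of-key certificate does not match the caller")
    return (not problems, problems)


if __name__ == "__main__":
    a = extract_assertion(SAMPLE_RESPONSE)
    print("CPR:", attribute(a, CPR_ATTR))
    print(check_identity_token(a, "http://audience/clear", SAMPLE_CERT_B64, parse_time("2018-05-24T09:37:49Z")))
```

The audience check is what enforces the page's note that an issued token is targeted at one specific use: a token issued for `http://audience/clear` is rejected by every other service, even though its signature is valid.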
...
Response (JWT2OIOSaml)
The response from JWT2OIOSaml has the form
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:b032de90-34a1-44dc-95ce-8b5a61bcf592</wsa:MessageID>
    <wsa:RelatesTo wsu:Id="relatesTo">urn:uuid:04a6576e-607e-4edc-8b6c-aaa26d75f2d6</wsa:RelatesTo>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts">
        <wsu:Created>2018-05-24T09:37:49Z</wsu:Created>
      </wsu:Timestamp>
      <ds:Signature>
        <!-- the response is signed with the STS certificate -->
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse Context="urn:uuid:d1126e37-5ebf-4fd6-bbd7-67c8063509bf">
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
        <wst:RequestedSecurityToken>
          <saml:EncryptedAssertion>
            <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
              <ds:KeyInfo>
                <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                  <xenc:CipherData>
                    <xenc:CipherValue>...</xenc:CipherValue>
                  </xenc:CipherData>
                </xenc:EncryptedKey>
              </ds:KeyInfo>
              <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedData>
          </saml:EncryptedAssertion>
        </wst:RequestedSecurityToken>
        <wsp:AppliesTo>
          <wsa:EndpointReference>
            <wsa:Address>http://audience/clear</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:Lifetime>
          <wsu:Created>2018-05-24T09:32:48Z</wsu:Created>
          <wsu:Expires>2018-05-24T09:42:48Z</wsu:Expires>
        </wst:Lifetime>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soapenv:Body>
</soapenv:Envelope>
```
The content of saml:EncryptedAssertion is, in decrypted form, as follows:
```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:disco="urn:liberty:disco:2006-08" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:sec="urn:liberty:security:2006-08" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_9cc8aca8-8df0-438d-8818-a99d6152131c" IssueInstant="2019-07-01T09:47:05Z" Version="2.0">
  <saml:Issuer>TESTSTS</saml:Issuer>
  <ds:Signature Id="OCESSignature">
    <!-- assertion signed by the STS -->
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2019-07-01T09:52:05Z" Recipient="/ststest/login"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-07-01T09:42:05Z" NotOnOrAfter="2019-07-01T09:52:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://audience/sbo</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2019-07-01T09:47:05Z" SessionIndex="_9cc8aca8-8df0-438d-8818-a99d6152131c">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">0501792275</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="CommonName" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">PID:9208-2002-2-514358910503</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="Uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">Lars Larsen</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dk:gov:saml:attribute:PidNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">9208-2002-2-514358910503</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>
        <wsa:EndpointReference>
          <wsa:Address>http://sosi.dk/sts</wsa:Address>
          <wsa:Metadata>
            <disco:Abstract>OIO IDWS 1.0 Bootstrap token</disco:Abstract>
            <disco:ServiceType>dk:sosi:1-0-1</disco:ServiceType>
            <disco:ProviderID>http://sosi.dk/sts</disco:ProviderID>
            <disco:SecurityContext>
              <disco:SecurityMechID>urn:liberty:security:2006-08:TLS:SAMLV2</disco:SecurityMechID>
              <sec:Token usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">
                <saml:Assertion ID="_e8072da1-af2b-4ca6-b8db-417b5de4bd5d" IssueInstant="2019-07-01T09:47:05Z" Version="2.0">
                  <saml:Issuer>TESTSTS</saml:Issuer>
                  <ds:Signature Id="OCESSignature">
                    <ds:SignedInfo>
                      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                      <ds:Reference URI="#_e8072da1-af2b-4ca6-b8db-417b5de4bd5d">...</ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>...</ds:SignatureValue>
                    <ds:KeyInfo>
                      <ds:X509Data>
                        <ds:X509Certificate>...</ds:X509Certificate>
                      </ds:X509Data>
                    </ds:KeyInfo>
                  </ds:Signature>
                  <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                      <saml:SubjectConfirmationData>
                        <ds:KeyInfo>
                          <ds:X509Data>
                            <ds:X509Certificate>...</ds:X509Certificate>
                          </ds:X509Data>
                        </ds:KeyInfo>
                      </saml:SubjectConfirmationData>
                    </saml:SubjectConfirmation>
                  </saml:Subject>
                  <saml:Conditions NotBefore="2019-07-01T09:42:05Z" NotOnOrAfter="2019-07-01T09:52:05Z">
                    <saml:AudienceRestriction>
                      <saml:Audience>http://sosi.dk</saml:Audience>
                    </saml:AudienceRestriction>
                  </saml:Conditions>
                  <saml:AuthnStatement AuthnInstant="2019-07-01T09:47:05Z" SessionIndex="_e8072da1-af2b-4ca6-b8db-417b5de4bd5d">
                    <saml:AuthnContext>
                      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
                    </saml:AuthnContext>
                  </saml:AuthnStatement>
                  <saml:AttributeStatement>
                    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">0501792275</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="CommonName" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">Lars Larsen</saml:AttributeValue>
                    </saml:Attribute>
                  </saml:AttributeStatement>
                </saml:Assertion>
              </sec:Token>
            </disco:SecurityContext>
          </wsa:Metadata>
        </wsa:EndpointReference>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```
The value of the saml:Attribute named urn:liberty:disco:2006-08:DiscoveryEPR is only included in the response if the requested audience is configured for it in the STS.
Example code (seal.java)
JWT2Idws
```java
// The JWT is normally obtained by the citizen authenticating with NemLog-in.
// fetchFromOpenId(), getValidWhitelistedVault(), soapClient and federation are
// helpers from the surrounding test code, not part of the STS API.
String jwtToken = fetchFromOpenId();
OIOSAMLFactory oiosamlFactory = new OIOSAMLFactory();
JWTIdentityTokenRequestDOMBuilder requestBuilder = oiosamlFactory.createJWTToIdentityTokenRequestDOMBuilder();
requestBuilder.setJWTToken(jwtToken);
requestBuilder.setSigningVault(getValidWhitelistedVault());
requestBuilder.setAudience("http://audience/clear");
//requestBuilder.setCPRNumberClaim("0501792275"); // optional - already contained in the JWT
requestBuilder.setProcurationByCprClaim("1111111118"); // optional - only relevant for power of attorney ('fuldmagt')
Document requestDocument = requestBuilder.build();
final String requestString = XmlUtil.node2String(requestDocument, false, false);
final Document responseDoc = soapClient.execute(requestString);
JWTToIdentityTokenResponse response = oiosamlFactory.createJWTToIdentityTokenResponseModelBuilder().build(responseDoc);
assertFalse(response.getFaultString(), response.isFault());
response.validateSignature();
response.validateSignatureAndTrust(federation);
final IdentityToken identityToken = response.getIdentityToken();
// The identity token can now be used to authenticate against the backend service;
// below we just inspect the result.
assertEquals("0501792275", identityToken.getCpr());
assertEquals("http://audience/clear", identityToken.getAudienceRestriction());
assertTrue(identityToken.getIssuer(), identityToken.getIssuer().contains("STS"));
assertEquals("DK-SAML-2.0", identityToken.getAttribute("dk:gov:saml:attribute:SpecVer"));
assertEquals("3", identityToken.getAssuranceLevel());
final BasicPrivileges privileges = identityToken.getPrivileges();
final String privilegeScope = "urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118";
assertEquals(1, privileges.getPrivileges(privilegeScope).size());
assertFalse(privileges.getPrivileges(privilegeScope).contains("urn:dk:nspop:sts:read"));
```
JWT2OIOSaml
```java
// The JWT is normally obtained by the citizen authenticating with NemLog-in.
// fetchFromOpenId(), getValidWhitelistedVault(), soapClient and federation are
// helpers from the surrounding test code, not part of the STS API.
String jwtToken = fetchFromOpenId();
OIOSAMLFactory oiosamlFactory = new OIOSAMLFactory();
JWTToOIOSAMLAssertionRequestDOMBuilder requestBuilder = oiosamlFactory.createJWTToOIOSAMLAssertionRequestDOMBuilder();
requestBuilder.setJWTToken(jwtToken);
requestBuilder.setSigningVault(getValidWhitelistedVault());
requestBuilder.setAudience("http://audience/clear");
//requestBuilder.setCPRNumberClaim("0501792275"); // optional - already contained in the JWT
Document requestDocument = requestBuilder.build();
final String requestString = XmlUtil.node2String(requestDocument, false, false);
final Document responseDoc = soapClient.execute(requestString);
JWTToOIOSAMLAssertionResponse response = oiosamlFactory.createJWTToOIOSAMLAssertionResponseModelBuilder().build(responseDoc);
assertFalse(response.getFaultString(), response.isFault());
response.validateSignature();
response.validateSignatureAndTrust(federation);
// The assertion is encrypted for the web application, so its private key is needed to read it.
PrivateKey privateKey = CertificateStore.getValidVocesVault().getSystemCredentialPair().getPrivateKey();
BootstrapOIOSAMLAssertion identityToken = response.getBootstrapOIOSAMLAssertion(privateKey);
// The identity token can now be used to authenticate against the backend service;
// below we just inspect the result.
assertEquals("0501792275", identityToken.getCpr());
assertEquals("http://audience/clear", identityToken.getAudienceRestriction());
assertTrue(identityToken.getIssuer(), identityToken.getIssuer().contains("STS"));
assertEquals("DK-SAML-2.0", identityToken.getAttribute("dk:gov:saml:attribute:SpecVer"));
assertEquals("3", identityToken.getAssuranceLevel());
// The OIOBootstrapToken can only be fetched if the includeBst configuration for the audience is set to true.
//
//OIOBootstrapToken bstToken = identityToken.getOIOBootstrapToken();
//assertEquals("0501792275", bstToken.getCpr());
//assertEquals("http://sosi.dk", bstToken.getAudienceRestriction());
//assertTrue(identityToken.getIssuer(), bstToken.getIssuer().contains("STS"));
//assertEquals("DK-SAML-2.0", bstToken.getAttribute("dk:gov:saml:attribute:SpecVer"));
//assertEquals("3", bstToken.getAssuranceLevel());
//assertTrue(bstToken.isHolderOfCertificate());
```
Format of the privileges
Currently up to 2 privileges are possible. When present, they are returned in the Privileges_Intermediate attribute in base64-encoded form:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <bpp:PrivilegeGroup Scope="urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118">
    <bpp:Privilege>urn:dk:nspop:sts:fmk:read</bpp:Privilege>
    <bpp:Privilege>urn:dk:nspop:sts:fmk:write</bpp:Privilege>
  </bpp:PrivilegeGroup>
</bpp:PrivilegeList>
```
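As an added example (not seal.java code and not from the original page), the following decodes the base64 `Privileges_intermediate` attribute value into the PrivilegeList above and answers the question the seal.java sample asks with `privileges.getPrivileges(privilegeScope)`: which privileges the token grants under the power-of-attorney scope for a given CPR number. `SAMPLE_ATTRIBUTE_VALUE` is constructed by base64-encoding the page's PrivilegeList; `decode_privileges`, `procuration_cprs` and `may_act_for` are this example's own names.

```python
"""Decode and query the Privileges_intermediate attribute of an IdentityToken (added example)."""
import base64
import xml.etree.ElementTree as ET

BPP_NS = {"bpp": "http://itst.dk/oiosaml/basic_privilege_profile"}
PROCURATION_PREFIX = "urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:"

# Constructed sample: the PrivilegeList from the page, base64-encoded as the STS returns it.
SAMPLE_PRIVILEGE_LIST = """<?xml version="1.0" encoding="UTF-8" ?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <bpp:PrivilegeGroup Scope="urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118">
    <bpp:Privilege>urn:dk:nspop:sts:fmk:read</bpp:Privilege>
    <bpp:Privilege>urn:dk:nspop:sts:fmk:write</bpp:Privilege>
  </bpp:PrivilegeGroup>
</bpp:PrivilegeList>"""
SAMPLE_ATTRIBUTE_VALUE = base64.b64encode(SAMPLE_PRIVILEGE_LIST.encode("utf-8")).decode("ascii")


def decode_privileges(attribute_value):
    """Return {scope: set(privilege URIs)} from the base64-encoded PrivilegeList attribute value."""
    # The attribute value may be line-wrapped inside the XML; strip whitespace before decoding.
    raw = base64.b64decode("".join(attribute_value.split()), validate=True)
    root = ET.fromstring(raw)
    if root.tag != "{%s}PrivilegeList" % BPP_NS["bpp"]:
        raise ValueError("attribute value is not a bpp:PrivilegeList")
    result = {}
    for group in root.findall("bpp:PrivilegeGroup", BPP_NS):
        scope = group.get("Scope")
        privs = {p.text.strip() for p in group.findall("bpp:Privilege", BPP_NS) if p.text}
        result.setdefault(scope, set()).update(privs)
    return result


def procuration_cprs(privileges):
    """CPR numbers the token holder may act on behalf of, taken from the procuration scopes."""
    return sorted(scope[len(PROCURATION_PREFIX):]
                  for scope in privileges if scope.startswith(PROCURATION_PREFIX))


def may_act_for(privileges, on_behalf_of_cpr, privilege):
    """True only if the token carries `privilege` under the procuration scope for that CPR."""
    scope = PROCURATION_PREFIX + on_behalf_of_cpr
    return privilege in privileges.get(scope, set())


if __name__ == "__main__":
    privs = decode_privileges(SAMPLE_ATTRIBUTE_VALUE)
    print(procuration_cprs(privs), privs)
    print(may_act_for(privs, "1111111118", "urn:dk:nspop:sts:fmk:write"))
```

A backend should derive "who may the citizen act for" solely from these scopes in the signed token, never from the OnBehalfOf claim in the original request, since that claim is only the caller's assertion and the STS has already checked it against the NemID power-of-attorney service before issuing the privileges.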
...
In the test system, a power-of-attorney holder (citizen) has been created with CPR number 0501792275 and certificate key PID:9208-2002-2-514358910503.
The citizen has been granted power of attorney by the following two CPR numbers: 1111111118 and 0101603040.
Powers of attorney for additional citizens can be requested via NSP support: https://www.nspop.dk/category/sup. Some waiting time should be expected, as the request is delegated on to NemLog-in support.
Whitelisting for calling the STS service
Access to the JWT token exchange requires whitelisting in test and in production, respectively.
This can be requested by creating a support request via https://www.nspop.dk/category/sup .
The request should
- Ask for access to the JWT token exchange
- State whether it concerns test or production
- State which system access is wanted for (see the list of supported services above)
- State which certificate the calling system uses for XML signing of the message
...