Page History
...
- System Idkort (baseret på et VOCESOCES/FOCES OCES certifikat, niveau 3)
- Bruger Idkort (baseret på et MOCES OCES certifikat, niveau 4)
Det er den samme service, der skal anvendes til begge typer af billetter, men indholdet af requesten vil være forskellige. I afsnittet nedenfor med eksempler på requests vil der gives eksempler på begge typer af requests. For Bruger Idkort vil der yderligere være eksempler på udstedelse til brugere med og uden sundhedsfaglig autorisation.
...
Skematisk ser algoritmen til validering/bestemmelse af rolle og/eller autorisationskode således ud:
| Gliffy Diagram | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Service Endpoint
Afhængig af miljø udstilles tjenesten på:
...
Udstedelse af System Idkort sker på baggrund af et VOCES/FOCES OCES certifikat. Et System Idkort identificerer som navnet antyder et anvendersystem, der ønsker at kalde services på NSP. Det kunne f.eks. være et anvendersystem, der i batch overfører data til MinLog fra en patientjournal.
Det i eksemplet anvendte VOCES certifikat Selve requestet til STS ser således ud:
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
Certificate: Data: Version: 3 (0x2) Serial Number: 1537969157 (0x5bab8c05) Signature Algorithm: sha256WithRSAEncryption Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA Validity Not Before: Apr 30 09:07:17 2019 GMT Not After : Apr 30 09:06:38 2022 GMT Subject: C=DK, O=Sundhedsdatastyrelsen // CVR:33257872/serialNumber=CVR:33257872-FID:18911861, CN=SOSI Test Federation (funktionscertifikat) Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ca:8e:7b:87:d1:3f:84:ce:60:8a:6c:5a:0e:01: <?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope"> <soapenv:Header> <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k="> <wsu:Timestamp> <wsu:Created>2020-12-02T13:12:05Z</wsu:Created> </wsu:Timestamp> </wsse:Security> </soapenv:Header> <soapenv:Body> <wst:RequestSecurityToken Context="www.sosi.dk"> <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> <wst:Claims> c1<saml:d0:c2:dc:81:57:d7:18:96:d0:87:ff:0e:0b:5b:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T13:09:57Z" Version="2.0" id="IDCard"> <saml:Issuer>TheSOSILibrary</saml:Issuer> d3:74:3b:02:50:8c:c8:c1:17:79:94:91:3e:69:da:<saml:Subject> <saml:NameID Format="medcom:cvrnumber">46837428</saml:NameID> 3c:ba:b1:c5:ed:49:8a:b9:b1:59:cd:f0:8f:76:ea: <saml:SubjectConfirmation> 11<saml:bfConfirmationMethod>urn:d6oasis:f7names:4etc:43SAML:552.0:29:a8:b1:88:75:0c:b4:fe: cm:holder-of-key</saml:ConfirmationMethod> <saml:SubjectConfirmationData> 1e:81:b2:fc:bd:c8:32:6a:59:36:f1:c3:50:75:49: <ds:KeyInfo> 3c:7f:7e:26:83:c6:ad:82:f7:78:e4:49:c8:2b:3d: <ds:KeyName>OCESSignature</ds:KeyName> </ds:KeyInfo> a2:07:ec:a3:b3:98:2e:24:f0:c1:83:63:85:49:b3: </saml:SubjectConfirmationData> f4:af:9d:cd:53:c7:d5:4e:ad:da:2e:d0:e9:0d:59:</saml:SubjectConfirmation> </saml:Subject> e4:c6:cc:a3:35:0e:c7:38:5b:73:6a:fc:8c:9c:ac:<saml:Conditions NotBefore="2020-12-02T13:09:57Z" NotOnOrAfter="2020-12-03T13:09:57Z"/> <saml:AttributeStatement id="IDCardData"> 74:bc:38:1a:7c:4b:eb:51:1d:d6:4d:22:c2:1a:3b:<saml:Attribute Name="sosi:IDCardID"> <saml:AttributeValue>KvW1gwopeh2o87ezfec5uA==</saml:AttributeValue> b8:69:42:20:dd:38:60:ad:65:c0:ee:2d:e5:3c:80: </saml:Attribute> <saml:Attribute Name="sosi:IDCardVersion"> 17:75:5f:26:42:69:58:df:09:ff:90:80:62:c8:8a: <saml:AttributeValue>1.0.1</saml:AttributeValue> 2d:98:5f:7c:52:c1:24:7a:df:ec:c6:92:4d:90:9e:</saml:Attribute> <saml:Attribute Name="sosi:IDCardType"> 91<saml:e8:05:29:c6:71:80:a4:20:cf:d4:5c:36:06:0c: AttributeValue>system</saml:AttributeValue> </saml:Attribute> 40:41:65:ab:b4:3f:dc:e4:8a:08:67:01:96:35:f2:<saml:Attribute Name="sosi:AuthenticationLevel"> <saml:AttributeValue>3</saml:AttributeValue> e0:a4:91:33:7e:19:ee:21:92:7b:05:fb:3d:46:61: </saml:Attribute> <saml:Attribute Name="sosi:OCESCertHash"> c5:75 <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue> Exponent: 65537 (0x10001) </saml:Attribute> X509v3 extensions</saml:AttributeStatement> <saml:AttributeStatement id="SystemLog"> X509v3 Key Usage: critical <saml:Attribute Name="medcom:ITSystemName"> Digital Signature, Key Encipherment, Data Encipherment, Key Agreement <saml:AttributeValue>Test</saml:AttributeValue> Authority Information Access: </saml:Attribute> <saml:Attribute OCSP - URI:http://ocsp.systemtest22.trust2408.com/responderName="medcom:CareProviderID" NameFormat="medcom:cvrnumber"> CA Issuers - URI:http://f.aia.systemtest22.trust2408.com/systemtest22-ca.cer <saml:AttributeValue>46837428</saml:AttributeValue> X509v3 Certificate Policies: </saml:Attribute> Policy: 1.3.6.1.4.1.31313.2.4.6.4.2<saml:Attribute Name="medcom:CareProviderName"> <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue> CPS: http://www.trust2408.com/repository </saml:Attribute> User Notice</saml:AttributeStatement> <ds:Signature id="OCESSignature"> Organization: DanID <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> Number: 1 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#IDCard"> Explicit Text: DanID test certifikater fra denne CA udstedes<ds:Transforms> under OID 1.3.6.1.4.1.31313.2.4.6.4.2. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.4.2. <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> X509v3 CRL Distribution Points<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> Full Name:</ds:Transforms> URI:<ds:DigestMethod Algorithm="http://crlwww.systemtest22.trust2408.com/systemtest221.crl w3.org/2000/09/xmldsig#sha1"/> Full Name:<ds:DigestValue>7wotC+2VeHeSVglwz/ETmnSoD5I=</ds:DigestValue> </ds:Reference> DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL142 </ds:SignedInfo> X509v3 Authority Key Identifier: <ds:SignatureValue>HUPt3Yn9yeSQEIHTM1FvoqxG2c1mQiXUMpSLszmFbgByaRinPnL3vLp6PcB9nlBFWHqsXoX3LfzPme3dyM0TYqSaM1Wk38Vc190KPO5E7SwcZqEz8iQdbGGn5t+TaqnROPQrCtaSfG7UtHMvbP4jGBJusnTqifk3Q2eWf9VIqffLgS3jkXl7toUdAqmLJG1l7DnpuVxMn1I0wahl9821bvmhAvMKyxlMAUMt6xgMGO2aO2jRJsQZWdBxT2U8llnK0N3ePQ0c4znOzMz7IRsyl6k0s+leHR2xs247XM78taSYtgdfpjswayw68UgJ9q3sGvWynf2ZggZTEZbnF6muyw==</ds:SignatureValue> keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF <ds:KeyInfo> X509v3 Subject Key Identifier<ds: X509Data> 19:80:15:28:A2:F5:EC:B1:F2:54:64:84:AC:BD:BA:30:13:5A:75:34<ds:X509Certificate>MIIGRTCCBS2gAwIBAgIEWRzG9TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgyOTA2MjUxOVoXDTIxMDgyOTA2MjQwNVowgY4xCzAJBgNVBAYTAkRLMS8wLQYDVQQKDCZTdGF0ZW5zIFNlcnVtIEluc3RpdHV0IC8vIENWUjo0NjgzNzQyODFOMCAGA1UEBRMZQ1ZSOjQ2ODM3NDI4LVVJRDoyNzkxMDEzNTAqBgNVBAMMI1N0YXRlbnMgU2VydW0gSW5zdGl0dXQgLSBUZXN0IFZPQ0VTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0rwBkF6j7W9UEm/aCS2O5RUBoibeIsxz1kZ6kaaiUV0FcSYLy9Pj9zbRLbO+SX/2QBQ7woY18VTj/9m/zIgrvCtwTZIaWZi0MZFNX6UbcSzrpW2HT18DRdwRI0Fjm3U0FskAxl47PneLmp3ZDlZXOLE4HRPJiNFBvT4UJxJW96vYCk43/wu3CfGGfxU7FW2d7ZzcxmG2Y8fLzblm97Kx9FdpwaO+8xMzzvZa3nJ64Bvl9/Fac0o70J8hB1qr4I4Rit/XCFxHxNS8KWXkaJ1mEyRkAyIm3bY+U5lwlQEe4egrsXcEj5nNKxZ8JF7+zh21WRMUJYtcDcPQcuZHcQGQwIDAQABo4IC7jCCAuowDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vdi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYDBDCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4wIAYDVR0RBBkwF4EVdGVzdGNlcnRpZmlrYXRAc3NpLmRrMIGsBgNVHR8EgaQwgaEwPaA7oDmGN2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyMS5jcmwwYKBeoFykWjBYMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ4wDAYDVQQDDAVDUkw3NjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUf8X/XPGsZNQIHLtleAHUeLZXcQwwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAgMGEzepPJ1Ez1WFqZrVeVHQC1vinhnVFGuRaOyjVPSR7z5Hvzi6N9M9hGyv/yVQSkqdTWA1Fum3sI7kMH6uQ2N6mNfPtRmOjBqCLUzqQ09f9TnAu/GikZdBiDL0h44Myey3PgpVTxh4kRWKxp6SqLDlgw5Rhta5dMOMIWzOJwkRZ9YLgYnNinKnGSWqg16iv7qJF/SBYz4VbWrmfSXhNu+Q2DNyjsFLluVumRg5wGZDBlsUW2dFSY9+olaQMd8rgvMMx9ByVQgvFF+S109fv91uw71esBKzwbEppFtLKNUqOu9+di0GAWQ2Ny+aIzhG43Wx2mawL7anLw5QFHZyEIg==</ds:X509Certificate> X509v3 Basic Constraints: </ds:X509Data> </ds:KeyInfo> CA:FALSE </ds:Signature> Signature Algorithm: sha256WithRSAEncryption </saml:Assertion> </wst:Claims> 8c:73:0e:e2:c5:84:7f:c3:36:e5:61:dc:cc:14:c9:62:d3:22:<wst:Issuer> b6:7d:70:2c:ea:84:ea:b6:9e:33:aa:18:cb:0e:91:ff:81:48:<wsa:Address>TheSOSILibrary</wsa:Address> 9a:93:b3:17:a6:f1:06:57:cd:9e:18:51:d2:f2:52:5c:c5:93:</wst:Issuer> a8:bf:e8:9c:2c:b2:e2:00:ac:f5:e2:e0:95:11:d9:f4:10:bc: 6b:d7:e6:8a:ba:e0:b8:da:4e:5a:54:7c:34:07:f9:19:1c:0e: a8:2c:93:9e:44:c0:7d:40:f5:7e:9d:11:cd:5a:3c:4e:f0:1d: ef:75:a2:19:e5:13:cd:38:80:55:fe:ce:81:91:67:44:86:24: 70:02:d7:2e:33:6c:e8:0c:04:2d:64:a1:f9:b0:bf:80:6b:90:</wst:RequestSecurityToken> </soapenv:Body> </soapenv:Envelope> |
En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte System Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)'):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope"> <soapenv:Header> <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k="> <wsu:Timestamp> <wsu:Created>2020-12-02T13:15:19Z</wsu:Created> </wsu:Timestamp> </wsse:Security> </soapenv:Header> <soapenv:Body> <wst:RequestSecurityTokenResponse Context="www.sosi.dk"> <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType> <wst:RequestedSecurityToken> 70:75:03:77:c6:06:4b:38:0a:4b:ac:36:ab:3d:df:20:04:ab: <saml:Assertion IssueInstant="2020-12-02T13:10:19Z" Version="2.0" id="IDCard"> ca:4c:73:95:88:de:ba:c9:2c:e7:c0:9e:ad:e0:ba:59:fb:cd: <saml:Issuer>TEST1-NSP-STS</saml:Issuer> d0:8f:86:1a:52:fd:7c:88:23:a7:38:7b:24:41:0b:30:4e:eb: <saml:Subject> f5:02:4b:2f:d3:52:ae:69:51:29:f8:4c:f2:0c:ee:13:a5:66: <saml:NameID Format="medcom:other">SubjectDN={SERIALNUMBER=CVR:46837428-UID:27910135 + CN=Statens Serum Institut - Test VOCES, O=Statens Serum Institut // CVR:46837428, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058165}</saml:NameID> e2:f1:b3:99:2b:27:34:9c:46:31:fd:6f:4f:31:2f:7b:89:57: <saml:SubjectConfirmation> 23:ca:67:3a:d1:cc:4e:d3:65:e7:3c:38:8c:22:45:6a:44:6a: <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod> <saml:SubjectConfirmationData> <ds:KeyInfo> <ds:KeyName>OCESSignature</ds:KeyName> </ds:KeyInfo> 71:69:b7:15 |
Selve requestet til STS ser således ud:
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope"> <soapenv:Header> <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k= </saml:SubjectConfirmationData> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2020-12-02T13:10:19Z" NotOnOrAfter="2020-12-03T13:10:19Z"/> <saml:AttributeStatement id="IDCardData"> <saml:Attribute Name="sosi:IDCardID"> <saml:AttributeValue>K8zJ68J++oajvRVZ915dvg==</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosi:IDCardVersion"> <saml:AttributeValue>1.0.1</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosi:IDCardType"> <saml:AttributeValue>system</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosi:AuthenticationLevel"> <saml:AttributeValue>3</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosi:OCESCertHash"> <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml:AttributeStatement id="SystemLog"> <saml:Attribute Name="medcom:ITSystemName"> <wsu:Timestamp> <wsu:Created>2020-12-02T13:12:05Z</wsu:Created> <saml:AttributeValue>Test</saml:AttributeValue> </wsu:Timestamp> </wssesaml:Security>Attribute> </soapenv:Header> <soapenv:Body> <wst:RequestSecurityToken Context="www.sosi.dk<saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber"> <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType> <saml:AttributeValue>46837428</saml:AttributeValue> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> <wst</saml:Claims>Attribute> <saml:AssertionAttribute xmlns:dsName="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T13:09:57Z" Version="2.0" id="IDCard"> medcom:CareProviderName"> <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue> <saml:Issuer>TheSOSILibrary<</saml:Issuer>Attribute> <saml</saml:Subject>AttributeStatement> <saml<ds:NameIDSignature Formatid="medcom:cvrnumber">46837428</saml:NameID>OCESSignature"> <saml<ds:SubjectConfirmation>SignedInfo> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <saml<ds:SubjectConfirmationData> SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:KeyInfo>Reference URI="#IDCard"> <ds:KeyName>OCESSignature</ds:KeyName>Transforms> </ds:KeyInfo> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </saml:SubjectConfirmationData> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </saml:SubjectConfirmation> </samlds:Subject>Transforms> <saml:Conditions NotBefore="2020-12-02T13:09:57Z" NotOnOrAfter="2020-12-03T13:09:57Z <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <saml:AttributeStatement id="IDCardData"> <saml:Attribute Name="sosi:IDCardID"><ds:DigestValue>UVzjCyAw5vsBwM9YlO4+mTx79rw=</ds:DigestValue> <saml:AttributeValue>KvW1gwopeh2o87ezfec5uA==</samlds:AttributeValue>Reference> </samlds:Attribute>SignedInfo> <saml:Attribute Name="sosi:IDCardVersion"><ds:SignatureValue>JneJnJXDi8JLj6Gv9SmZsKcqMj1SDn7JMw0EMv53OWT4lilCPlaMCmcJ0wykye4PILF3QwW+qkt8Dk95Q4vKyC/qnPamF+yZpIl91AlPCH3za4QjcBwXu9effUDC3UtseVtHxaW8D0jtxRmb2tPCDvG4EmtVMNxqjkyknUDpwwWO919pH7j6wmHSS/DyjXNFjs4hMQwZO/zhwCGbIKeYRDjvY06Eq3ys8kkbJ8B+W5vg0bEUHLRp5vDIVnKuPsol5DDLywAffk9NqhqZqKgjWhJNZsdUqDaD/ss45aMZGWHSa6RAPmz8pjQ4xQvrkV8xjhWkTF9kkuNjnps0QsOSdg==</ds:SignatureValue> <ds:KeyInfo> <saml:AttributeValue>1.0.1</saml:AttributeValue> </saml<ds:Attribute> <saml:Attribute Name="sosi:IDCardType"> X509Data> <saml<ds:AttributeValue>system</saml:AttributeValue>X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate> </samlds:Attribute>X509Data> <saml:Attribute Name="sosi:AuthenticationLevel"></ds:KeyInfo> <saml:AttributeValue>3</saml:AttributeValue></ds:Signature> </saml:Attribute>Assertion> </wst:RequestedSecurityToken> <saml:Attribute Name="sosi:OCESCertHash"><wst:Status> <wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code> <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</samlwst:AttributeValue>Status> <wst:Issuer> </saml:Attribute> <wsa:Address>TEST1-NSP-STS</wsa:Address> </samlwst:AttributeStatement>Issuer> </wst:RequestSecurityTokenResponse> </soapenv:Body> </soapenv:Envelope> |
Udstedelse af Bruger Idkort (med sundhedsfaglig autorisation)
For at få udstedt et Bruger Idkort med oplysninger om brugerens sundhedsfaglige autorisation, så må anvender systemet opbygge et request, der indeholder de claims (påstande) vedrørende autorsationsoplysninger (og cprnummer) for den pågældende bruger. I dette eksempel anvendes et OCES certifikat, der tilhører en person, der er i besiddelse af en lægefaglig autorisation.
Selve requestet til STS ser således ud (bemærk især claims om brugeren 'medcom:UserCivilRegistrationNumber' og 'medcom:UserAuthorizationCode', der angiver autorisationskoden samt 'medcom:UserRole', der angiver den tilhørende uddannelseskode):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi <saml:AttributeStatement id="SystemLog"> <saml:Attribute Name="medcom:ITSystemName"> <saml:AttributeValue>Test</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber"> <saml:AttributeValue>46837428</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:CareProviderName"> <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <ds:Signature id="OCESSignature"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3sosi.orgdk/sosi/20012006/1004/xml-exc-c14n#"/> <ds:SignatureMethod Algorithmsosi-1.0.xsd" xmlns:wsa="http://wwwschemas.w3xmlsoap.org/2000ws/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#IDCard"> <ds:Transforms> <ds:Transform Algorithm2004/08/addressing" xmlns:wsse="http://wwwdocs.w3oasis-open.org/2000wss/2004/0901/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>7wotC+2VeHeSVglwz/ETmnSoD5I=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>HUPt3Yn9yeSQEIHTM1FvoqxG2c1mQiXUMpSLszmFbgByaRinPnL3vLp6PcB9nlBFWHqsXoX3LfzPme3dyM0TYqSaM1Wk38Vc190KPO5E7SwcZqEz8iQdbGGn5t+TaqnROPQrCtaSfG7UtHMvbP4jGBJusnTqifk3Q2eWf9VIqffLgS3jkXl7toUdAqmLJG1l7DnpuVxMn1I0wahl9821bvmhAvMKyxlMAUMt6xgMGO2aO2jRJsQZWdBxT2U8llnK0N3ePQ0c4znOzMz7IRsyl6k0s+leHR2xs247XM78taSYtgdfpjswayw68UgJ9q3sGvWynf2ZggZTEZbnF6muyw==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIGRTCCBS2gAwIBAgIEWRzG9TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgyOTA2MjUxOVoXDTIxMDgyOTA2MjQwNVowgY4xCzAJBgNVBAYTAkRLMS8wLQYDVQQKDCZTdGF0ZW5zIFNlcnVtIEluc3RpdHV0IC8vIENWUjo0NjgzNzQyODFOMCAGA1UEBRMZQ1ZSOjQ2ODM3NDI4LVVJRDoyNzkxMDEzNTAqBgNVBAMMI1N0YXRlbnMgU2VydW0gSW5zdGl0dXQgLSBUZXN0IFZPQ0VTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0rwBkF6j7W9UEm/aCS2O5RUBoibeIsxz1kZ6kaaiUV0FcSYLy9Pj9zbRLbO+SX/2QBQ7woY18VTj/9m/zIgrvCtwTZIaWZi0MZFNX6UbcSzrpW2HT18DRdwRI0Fjm3U0FskAxl47PneLmp3ZDlZXOLE4HRPJiNFBvT4UJxJW96vYCk43/wu3CfGGfxU7FW2d7ZzcxmG2Y8fLzblm97Kx9FdpwaO+8xMzzvZa3nJ64Bvl9/Fac0o70J8hB1qr4I4Rit/XCFxHxNS8KWXkaJ1mEyRkAyIm3bY+U5lwlQEe4egrsXcEj5nNKxZ8JF7+zh21WRMUJYtcDcPQcuZHcQGQwIDAQABo4IC7jCCAuowDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vdi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYDBDCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4wIAYDVR0RBBkwF4EVdGVzdGNlcnRpZmlrYXRAc3NpLmRrMIGsBgNVHR8EgaQwgaEwPaA7oDmGN2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyMS5jcmwwYKBeoFykWjBYMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ4wDAYDVQQDDAVDUkw3NjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUf8X/XPGsZNQIHLtleAHUeLZXcQwwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAgMGEzepPJ1Ez1WFqZrVeVHQC1vinhnVFGuRaOyjVPSR7z5Hvzi6N9M9hGyv/yVQSkqdTWA1Fum3sI7kMH6uQ2N6mNfPtRmOjBqCLUzqQ09f9TnAu/GikZdBiDL0h44Myey3PgpVTxh4kRWKxp6SqLDlgw5Rhta5dMOMIWzOJwkRZ9YLgYnNinKnGSWqg16iv7qJF/SBYz4VbWrmfSXhNu+Q2DNyjsFLluVumRg5wGZDBlsUW2dFSY9+olaQMd8rgvMMx9ByVQgvFF+S109fv91uw71esBKzwbEppFtLKNUqOu9+di0GAWQ2Ny+aIzhG43Wx2mawL7anLw5QFHZyEIg==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </saml:Assertion> </wst:Claims> <wst:Issuer> <wsa:Address>TheSOSILibrary</wsa:Address> </wst:Issuer> </wst:RequestSecurityToken> </soapenv:Body> </soapenv:Envelope> |
En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte System Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)'):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
<soapenv:Header>
<wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
<wsu:Timestamp>
<wsu:Created>2020-12-02T13:15:19Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse Context="www.sosi.dk">
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion IssueInstant="2020-12-02T13:10:19Z" Version="2.0" id="IDCard">
<saml:Issuer>TEST1-NSP-STS</saml:Issuer>
<saml:Subject>
<saml:NameID Format="medcom:other">SubjectDN={SERIALNUMBER=CVR:46837428-UID:27910135 + CN=Statens Serum Institut - Test VOCES, O=Statens Serum Institut // CVR:46837428, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058165}</saml:NameID>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyName>OCESSignature</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-02T13:10:19Z" NotOnOrAfter="2020-12-03T13:10:19Z"/>
<saml:AttributeStatement id="IDCardData">
<saml:Attribute Name="sosi:IDCardID">
<saml:AttributeValue>K8zJ68J++oajvRVZ915dvg==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardVersion">
<saml:AttributeValue>1.0.1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardType">
<saml:AttributeValue>system</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:AuthenticationLevel">
<saml:AttributeValue>3</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:OCESCertHash">
<saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="SystemLog">
<saml:Attribute Name="medcom:ITSystemName">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
<saml:AttributeValue>46837428</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderName">
<saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature id="OCESSignature">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#IDCard">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>UVzjCyAw5vsBwM9YlO4+mTx79rw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>JneJnJXDi8JLj6Gv9SmZsKcqMj1SDn7JMw0EMv53OWT4lilCPlaMCmcJ0wykye4PILF3QwW+qkt8Dk95Q4vKyC/qnPamF+yZpIl91AlPCH3za4QjcBwXu9effUDC3UtseVtHxaW8D0jtxRmb2tPCDvG4EmtVMNxqjkyknUDpwwWO919pH7j6wmHSS/DyjXNFjs4hMQwZO/zhwCGbIKeYRDjvY06Eq3ys8kkbJ8B+W5vg0bEUHLRp5vDIVnKuPsol5DDLywAffk9NqhqZqKgjWhJNZsdUqDaD/ss45aMZGWHSa6RAPmz8pjQ4xQvrkV8xjhWkTF9kkuNjnps0QsOSdg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wst:Status>
<wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
</wst:Status>
<wst:Issuer>
<wsa:Address>TEST1-NSP-STS</wsa:Address>
</wst:Issuer>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope> |
Udstedelse af Bruger Idkort (med sundhedsfaglig autorisation)
For at få udstedt et Bruger Idkort med oplysninger om brugerens sundhedsfaglige autorisation, så må anvender systemet opbygge et request, der indeholder de claims (påstande) vedrørende autorsationsoplysninger (og cprnummer) for den pågældende bruger. I dette eksempel anvendes et MOCES certifikat, der tilhører en person, der er i besiddelse af en lægefaglig autorisation.
Det i eksemplet anvendte MOCES certifikat ser således ud (bemærk, at certifikatet indeholder RID og CVR nummer, men ikke oplysninger om hverken CPR nummer eller autorisationsid):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1495058808 (0x591cc978)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
Validity
Not Before: Aug 30 12:38:36 2018 GMT
Not After : Aug 30 12:37:22 2021 GMT
Subject: C=DK, O=LAKESIDE A/S // CVR:25450442, CN=Casper Rasmussen/serialNumber=CVR:25450442-RID:40252666
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:8f:1b:7d:37:d7:72:4b:5a:cc:e8:d6:b0:fa:12:
d2:9f:bd:fd:c9:be:b1:02:bb:fc:67:a7:c9:97:4c:
a9:25:0d:5c:69:a7:fc:2e:9d:13:3f:04:42:61:87:
18:13:8f:8b:d5:23:0e:99:3c:02:be:5d:4a:fd:10:
ab:aa:3a:80:96:74:65:8d:1f:9a:78:15:80:2d:48:
28:89:f5:80:71:3e:38:2d:47:6e:19:a9:b8:fd:2b:
ff:f7:d9:a1:cb:2a:8f:a9:99:55:bf:27:70:55:4f:
21:99:17:eb:08:bd:3d:d3:93:4e:1a:37:86:32:74:
a0:03:20:11:ec:a8:99:1c:38:c4:9c:30:8b:c7:73:
bc:1a:91:9e:38:4f:83:51:4a:ca:f1:10:b3:3c:75:
aa:8b:88:e2:89:d4:41:48:fb:e2:75:78:82:9e:94:
93:62:5e:a9:47:c4:6d:4f:44:df:5b:78:b5:1d:51:
8b:1b:31:d5:24:dd:ae:41:65:e9:3e:88:e3:97:97:
df:ee:ba:06:1c:6b:dc:59:7c:91:fa:ce:f1:17:54:
75:10:e2:fc:77:a7:a4:a2:9f:f8:d0:b0:0c:ad:44:
61:0a:2f:c4:30:57:64:03:a3:9f:34:fe:8b:e0:4c:
f0:21:b2:ee:2f:27:c7:4b:41:ef:09:98:fa:9b:dd:
a9:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
Authority Information Access:
OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
CA Issuers - URI:http://m.aia.systemtest22.trust2408.com/systemtest22-ca.cer
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.31313.2.4.6.2.5
CPS: http://www.trust2408.com/repository
User Notice:
Organization: DanID
Number: 1
Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.2.5. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.2.5.
X509v3 Subject Alternative Name:
email:anni@lakeside.dk
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.systemtest22.trust2408.com/systemtest221.crl
Full Name:
DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL76
X509v3 Authority Key Identifier:
keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF
X509v3 Subject Key Identifier:
EB:4F:3B:90:5C:91:87:11:FB:3F:2D:A2:A7:01:69:97:B6:5D:7C:EE
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
73:75:90:8f:c8:ab:4e:67:e3:58:e5:74:57:6e:fb:40:c9:93:
0e:c7:7b:a2:e2:e9:9b:ab:b2:2c:76:bd:38:85:01:5f:e9:4d:
a0:8c:aa:f4:a0:42:71:26:71:2a:dc:88:15:a4:b4:4e:bd:1d:
18:f5:e6:1a:fe:09:05:13:92:6b:1f:13:9d:8a:ba:8d:33:a4:
58:22:b6:a6:57:70:6e:de:4b:23:62:65:ce:06:c3:0a:4b:5b:
9a:64:fb:18:a1:0f:94:57:98:90:b5:d5:2a:5d:b3:0f:bc:b8:
84:a0:81:c9:d4:39:d0:39:06:a6:48:35:b4:57:17:05:1a:4c:
02:ff:b8:9e:c0:83:be:98:88:25:c7:cc:12:36:ed:11:55:2a:
0e:35:cc:66:bf:fc:8f:9c:8f:86:57:ee:9c:57:38:90:38:35:
15:4e:dd:c9:e9:53:45:ba:4b:6e:88:26:12:5b:5f:5b:1d:7c:
58:fe:ef:65:51:24:85:e1:eb:de:f5:ff:91:5d:eb:e0:ec:3a:
46:db:73:82:a5:84:b0:e8:e7:69:93:ae:61:02:04:19:33:56:
28:f6:b5:20:d2:3f:52:a8:8a:a6:62:cd:8f:c5:b6:35:02:81:
16:fb:c4:df:d5:2f:5c:5f:38:e9:8d:67:57:7d:eb:19:0f:7f:
3e:a5:6a:8b |
Selve requestet til STS ser således ud (bemærk især claims om brugeren 'medcom:UserCivilRegistrationNumber' og 'medcom:UserAuthorizationCode', der angiver autorisationskoden samt 'medcom:UserRole', der angiver den tilhørende uddannelseskode):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
<soapenv:Header>
<wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
<wsu:Timestamp>
<wsu:Created>2020-12-02T08:02:24Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken Context="www.sosi.dk">
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:Claims>
<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T07:57:24Z" Version="2.0" id="IDCard">
<saml:Issuer>TheSOSILibrary</saml:Issuer>
<saml:Subject>
<saml:NameID Format="medcom:cprnumber">0804569723</saml:NameID>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyName>OCESSignature</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-02T07:57:24Z" NotOnOrAfter="2020-12-03T07:57:24Z"/>
<saml:AttributeStatement id="IDCardData">
<saml:Attribute Name="sosi:IDCardID">
<saml:AttributeValue>bkRCjUrGv397gdbh9FvqDg==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardVersion">
<saml:AttributeValue>1.0.1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardType">
<saml:AttributeValue>user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:AuthenticationLevel">
<saml:AttributeValue>4</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:OCESCertHash">
<saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="UserLog">
<saml:Attribute Name="medcom:UserCivilRegistrationNumber">
<saml:AttributeValue>0804569723</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserGivenName">
<saml:AttributeValue>Casper</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserSurName">
<saml:AttributeValue>Rasmussen</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserEmailAddress">
<saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserRole">
<saml:AttributeValue>Læge</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserAuthorizationCode">
<saml:AttributeValue>CBNH1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserOccupation">
<saml:AttributeValue>Læge</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="SystemLog">
<saml:Attribute Name="medcom:ITSystemName">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
<saml:AttributeValue>25450442</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderName">
<saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature id="OCESSignature">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#IDCard">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>crGwfhPSXjudjc9vCMFFfpy24W0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Fm9MAXQFMfMlWZT3UXPLwMVRL9sBt9IPo1STf8Cvyvva1xahuPR7fIarFjOui5y2JI+COYwx5saUhWKzvFyTuKQcVWsWJ9iS1mxxHmWF6KtSVLEpisTh7+MyLe/Ko98PD0nDc7/Vx4jnv+NIMdOeBnyIBI5TjTw8wfG2OKjtagdR/dwcfJad33Iy5DZP+v1+lKOmpS3vgcMlYJy/HSlSNejwdJGx5vr5LZav7/44QDll6ulewIKFe5hJGGh7c9EDv0VBxNXGp/vIYqOAV/bnsspThhtsuuS+b7rxlwvWF/j63OlNss5O3UBkFH2sh1WSX4ilMSFNuThXx5oA51zxTw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIGIjCCBQqgAwIBAgIEWRzJeDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgzMDEyMzgzNloXDTIxMDgzMDEyMzcyMlowcTELMAkGA1UEBhMCREsxJTAjBgNVBAoMHExBS0VTSURFIEEvUyAvLyBDVlI6MjU0NTA0NDIxOzAXBgNVBAMMEENhc3BlciBSYXNtdXNzZW4wIAYDVQQFExlDVlI6MjU0NTA0NDItUklEOjQwMjUyNjY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjxt9N9dyS1rM6Naw+hLSn739yb6xArv8Z6fJl0ypJQ1caaf8Lp0TPwRCYYcYE4+L1SMOmTwCvl1K/RCrqjqAlnRljR+aeBWALUgoifWAcT44LUduGam4/Sv/99mhyyqPqZlVvydwVU8hmRfrCL0905NOGjeGMnSgAyAR7KiZHDjEnDCLx3O8GpGeOE+DUUrK8RCzPHWqi4jiidRBSPvidXiCnpSTYl6pR8RtT0TfW3i1HVGLGzHVJN2uQWXpPojjl5ff7roGHGvcWXyR+s7xF1R1EOL8d6ekop/40LAMrURhCi/EMFdkA6OfNP6L4EzwIbLuLyfHS0HvCZj6m92pFwIDAQABo4IC6TCCAuUwDgYDVR0PAQH/BAQDAgP4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vbS5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYCBTCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4wGwYDVR0RBBQwEoEQYW5uaUBsYWtlc2lkZS5kazCBrAYDVR0fBIGkMIGhMD2gO6A5hjdodHRwOi8vY3JsLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMjEuY3JsMGCgXqBcpFowWDELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODElMCMGA1UEAwwcVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhJSSBDQTEOMAwGA1UEAwwFQ1JMNzYwHwYDVR0jBBgwFoAUq6gBRBmws0OZ2vp8zNIAGAPnPL8wHQYDVR0OBBYEFOtPO5BckYcR+z8toqcBaZe2XXzuMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHN1kI/Iq05n41jldFdu+0DJkw7He6Li6Zursix2vTiFAV/pTaCMqvSgQnEmcSrciBWktE69HRj15hr+CQUTkmsfE52Kuo0zpFgitqZXcG7eSyNiZc4GwwpLW5pk+xihD5RXmJC11Spdsw+8uISggcnUOdA5BqZINbRXFwUaTAL/uJ7Ag76YiCXHzBI27RFVKg41zGa//I+cj4ZX7pxXOJA4NRVO3cnpU0W6S26IJhJbX1sdfFj+72VRJIXh6971/5Fd6+DsOkbbc4KlhLDo52mTrmECBBkzVij2tSDSP1KoiqZizY/FtjUCgRb7xN/VL1xfOOmNZ1d96xkPfz6laos=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:Claims>
<wst:Issuer>
<wsa:Address>TheSOSILibrary</wsa:Address>
</wst:Issuer>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope> |
En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte Bruger Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)' og indeholder de nu af STS validerede claims fra requestet. Bemærk også at medcom:UserRole er erstattet med uddannelseskoden, der hører til brugerens autorisation i autorisationsregisteret):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id=" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="httpEnvelope"> <soapenv:Header> <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k="> <wsu:Timestamp> <wsu:Created>2020-12-02T08:02:24Z</wsu:Created> </wsu:Timestamp> </wsse:Security> </soapenv:Header> <soapenv:Body> <wst:RequestSecurityToken Context="www.sosi.dk"> <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust"/Issue</wst:RequestType> <wst:Claims> <saml:Assertion xmlns:medcomds="http://www.medcomw3.dkorg/dgws2000/2006/04/dgws-1.0.xsd09/xmldsig#" xmlns:dssaml="http://www.w3.org/2000/09/xmldsig#urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T07:57:24Z" Version="2.0" id="EnvelopeIDCard"> <soapenv:Header><saml:Issuer>TheSOSILibrary</saml:Issuer> <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k="> <wsu<saml:Timestamp>Subject> <wsu:Created>2020-12-02T08:02:30Z</wsu:Created> <saml:NameID Format="medcom:cprnumber">0804569723</saml:NameID> </wsu:Timestamp> </wsse:Security> </soapenv<saml:Header>SubjectConfirmation> <soapenv:Body> <wst:RequestSecurityTokenResponse Context="www.sosi.dk"> <wst<saml:TokenType>urnConfirmationMethod>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType> cm:holder-of-key</saml:ConfirmationMethod> <wst:RequestedSecurityToken> <saml:SubjectConfirmationData> <saml:Assertion IssueInstant="2020-12-02T07:57:30Z" Version="2.0" id="IDCard"> <ds:KeyInfo> <saml:Issuer>TEST1-NSP-STS</saml:Issuer> <ds:KeyName>OCESSignature</ds:KeyName> <saml:Subject> <saml:NameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen + SERIALNUMBER=CVR:25450442-RID:40252666, O=LAKESIDE A/S // CVR:25450442, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058808}</saml:NameID></ds:KeyInfo> </saml:SubjectConfirmationData> <saml</saml:SubjectConfirmation> </saml:Subject> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>Conditions NotBefore="2020-12-02T07:57:24Z" NotOnOrAfter="2020-12-03T07:57:24Z"/> <saml:SubjectConfirmationData>AttributeStatement id="IDCardData"> <ds:KeyInfo><saml:Attribute Name="sosi:IDCardID"> <ds:KeyName>OCESSignature</ds:KeyName> <saml:AttributeValue>bkRCjUrGv397gdbh9FvqDg==</saml:AttributeValue> </dssaml:KeyInfo>Attribute> </saml:SubjectConfirmationData><saml:Attribute Name="sosi:IDCardVersion"> < <saml:AttributeValue>1.0.1</saml:SubjectConfirmation>AttributeValue> </saml:Subject>Attribute> <saml:ConditionsAttribute NotBeforeName="2020-12-02T07:57:30Z" NotOnOrAfter="2020-12-03T07:57:30Z"/> sosi:IDCardType"> <saml:AttributeValue>user</saml:AttributeValue> <saml:AttributeStatement id="IDCardData"></saml:Attribute> <saml:Attribute Name="sosi:IDCardIDAuthenticationLevel"> <saml:AttributeValue>uqU7WoiYXI0usmYQ5GvBsA==<AttributeValue>4</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosi:IDCardVersionOCESCertHash"> <saml:AttributeValue>1.0.1<AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml:AttributeStatement id="UserLog"> <saml:Attribute Name="sosimedcom:IDCardTypeUserCivilRegistrationNumber"> <saml:AttributeValue>user<AttributeValue>0804569723</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosimedcom:AuthenticationLevelUserGivenName"> <saml:AttributeValue>4<AttributeValue>Casper</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="sosimedcom:OCESCertHashUserSurName"> <saml:AttributeValue>RIQsET5XYrNoHAttributeValue>Rasmussen</CVyZdYqa7GvYQ=</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:UserEmailAddress"> < <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeStatement>AttributeValue> <saml:AttributeStatement id="UserLog"> </saml:Attribute> <saml:Attribute Name="medcom:UserCivilRegistrationNumberUserRole"> <saml:AttributeValue>0804569723<AttributeValue>Læge</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:UserGivenNameUserAuthorizationCode"> <saml:AttributeValue>Casper<AttributeValue>CBNH1</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:UserSurNameUserOccupation"> <saml:AttributeValue>Rasmussen<AttributeValue>Læge</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml:AttributeStatement id="SystemLog"> <saml:Attribute Name="medcom:UserEmailAddressITSystemName"> <saml:AttributeValue>casper56@hotdocs.dk<AttributeValue>Test</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:UserRolecvrnumber"> <saml:AttributeValue>7170<AttributeValue>25450442</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="medcom:UserAuthorizationCodeCareProviderName"> <saml:AttributeValue>CBNH1<AttributeValue>LAKESIDE A/S</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml<ds:AttributeSignature Nameid="medcom:UserOccupationOCESSignature"> <ds:SignedInfo> <saml:AttributeValue>Læge</saml:AttributeValue> </saml:Attribute><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </saml:AttributeStatement> <saml:AttributeStatement id="SystemLog"<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <saml <ds:AttributeReference NameURI="medcom:ITSystemName#IDCard"> <saml:AttributeValue>Test</saml:AttributeValue> <ds:Transforms> </saml:Attribute> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber"> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <saml:AttributeValue>25450442</saml:AttributeValue> </samlds:Attribute>Transforms> <saml:Attribute Name <ds:DigestMethod Algorithm="medcom:CareProviderName"http://www.w3.org/2000/09/xmldsig#sha1"/> <saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue> <ds:DigestValue>crGwfhPSXjudjc9vCMFFfpy24W0=</ds:DigestValue> </samlds:Attribute>Reference> </samlds:AttributeStatement>SignedInfo> <ds:Signature id="OCESSignature">SignatureValue>Fm9MAXQFMfMlWZT3UXPLwMVRL9sBt9IPo1STf8Cvyvva1xahuPR7fIarFjOui5y2JI+COYwx5saUhWKzvFyTuKQcVWsWJ9iS1mxxHmWF6KtSVLEpisTh7+MyLe/Ko98PD0nDc7/Vx4jnv+NIMdOeBnyIBI5TjTw8wfG2OKjtagdR/dwcfJad33Iy5DZP+v1+lKOmpS3vgcMlYJy/HSlSNejwdJGx5vr5LZav7/44QDll6ulewIKFe5hJGGh7c9EDv0VBxNXGp/vIYqOAV/bnsspThhtsuuS+b7rxlwvWF/j63OlNss5O3UBkFH2sh1WSX4ilMSFNuThXx5oA51zxTw==</ds:SignatureValue> <ds:SignedInfo>KeyInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> X509Data> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>X509Certificate>MIIGIjCCBQqgAwIBAgIEWRzJeDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgzMDEyMzgzNloXDTIxMDgzMDEyMzcyMlowcTELMAkGA1UEBhMCREsxJTAjBgNVBAoMHExBS0VTSURFIEEvUyAvLyBDVlI6MjU0NTA0NDIxOzAXBgNVBAMMEENhc3BlciBSYXNtdXNzZW4wIAYDVQQFExlDVlI6MjU0NTA0NDItUklEOjQwMjUyNjY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjxt9N9dyS1rM6Naw+hLSn739yb6xArv8Z6fJl0ypJQ1caaf8Lp0TPwRCYYcYE4+L1SMOmTwCvl1K/RCrqjqAlnRljR+aeBWALUgoifWAcT44LUduGam4/Sv/99mhyyqPqZlVvydwVU8hmRfrCL0905NOGjeGMnSgAyAR7KiZHDjEnDCLx3O8GpGeOE+DUUrK8RCzPHWqi4jiidRBSPvidXiCnpSTYl6pR8RtT0TfW3i1HVGLGzHVJN2uQWXpPojjl5ff7roGHGvcWXyR+s7xF1R1EOL8d6ekop/40LAMrURhCi/EMFdkA6OfNP6L4EzwIbLuLyfHS0HvCZj6m92pFwIDAQABo4IC6TCCAuUwDgYDVR0PAQH/BAQDAgP4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vbS5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYCBTCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4wGwYDVR0RBBQwEoEQYW5uaUBsYWtlc2lkZS5kazCBrAYDVR0fBIGkMIGhMD2gO6A5hjdodHRwOi8vY3JsLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMjEuY3JsMGCgXqBcpFowWDELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODElMCMGA1UEAwwcVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhJSSBDQTEOMAwGA1UEAwwFQ1JMNzYwHwYDVR0jBBgwFoAUq6gBRBmws0OZ2vp8zNIAGAPnPL8wHQYDVR0OBBYEFOtPO5BckYcR+z8toqcBaZe2XXzuMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHN1kI/Iq05n41jldFdu+0DJkw7He6Li6Zursix2vTiFAV/pTaCMqvSgQnEmcSrciBWktE69HRj15hr+CQUTkmsfE52Kuo0zpFgitqZXcG7eSyNiZc4GwwpLW5pk+xihD5RXmJC11Spdsw+8uISggcnUOdA5BqZINbRXFwUaTAL/uJ7Ag76YiCXHzBI27RFVKg41zGa//I+cj4ZX7pxXOJA4NRVO3cnpU0W6S26IJhJbX1sdfFj+72VRJIXh6971/5Fd6+DsOkbbc4KlhLDo52mTrmECBBkzVij2tSDSP1KoiqZizY/FtjUCgRb7xN/VL1xfOOmNZ1d96xkPfz6laos=</ds:X509Certificate> <ds:Reference URI="#IDCard"> </ds:X509Data> </ds:KeyInfo> <ds</ds:Transforms>Signature> </saml:Assertion> </wst:Claims> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <wst:Issuer> <wsa:Address>TheSOSILibrary</wsa:Address> </wst:Issuer> </wst:RequestSecurityToken> </soapenv:Body> </soapenv:Envelope> |
En succesfuld validering af requestet i STS resulterer i et succesfuldt response (bemærk, at det udstedte Bruger Idkort er signeret af 'SOSI Test Federation (funktionscertifikat)' og indeholder de nu af STS validerede claims fra requestet. Bemærk også at medcom:UserRole er erstattet med uddannelseskoden, der hører til brugerens autorisation i autorisationsregisteret):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://wwwschemas.w3xmlsoap.org/2000soap/09envelope/xmldsig#sha1"/> <ds:DigestValue>7rGpBft4x09fFey3Ny/ygbSmRI4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>e14AkKe/qygk07YrDjzdEzOs7TN0mVPjN4yioh8trDsKhSmx9hO8Sg/zzpRewA4FweLVh+muBSwNR//By6XoLA4nUC7aBqHQ14maBCojwzYH5dmgua2VMAYBECk/fi/3WrMo1qd6EGCHjUOnFnaiyRLQgSc99vF6dHGmW/AeyVdAv7miJcTWNnu4MbtrcBNNnJeClBHJlpAu1708+wjoDSkDcB7BvUYkWqKNuXNdxecYbR6TBjo4S4FrT0Yt7qsXpLRIBxXLBia5BbA/XXzYLcDYPxP7USbSJ47jq18M65llXG56dhxihJzt4WVLFXfBit9oPkhnfF2QfSjZzy6l3g==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </saml:Assertion> </wst:RequestedSecurityToken> <wst:Status> <wst:Code>http xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code> " xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope"> <soapenv:Header> </wst:Status><wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k="> <wst<wsu:Issuer>Timestamp> <wsa<wsu:Address>TEST1Created>2020-NSP-STS</wsa:Address>12-02T08:02:30Z</wsu:Created> </wstwsu:Issuer>Timestamp> </wstwsse:RequestSecurityTokenResponse>Security> </soapenv:Body> </soapenv:Envelope> |
Udstedelse af Bruger Idkort (uden sundhedsfaglig autorisation, men med national rolle)
I dette eksempel anvendes et MOCES certifikat for en bruger uden sundhedsfaglig autorisation men med netop én national rolle. Eksemplet illusterer, hvorledes STS automatisk sætter oplysninger ind om en medarbejders (unikke) nationale rolle, hvis en sådan findes.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
Certificate: Data:Header> <soapenv:Body> Version<wst: 3 (0x2)RequestSecurityTokenResponse Context="www.sosi.dk"> Serial Number: 1537912428 (0x5baaae6c) <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType> Signature Algorithm: sha256WithRSAEncryption<wst:RequestedSecurityToken> Issuer<saml:Assertion C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA IssueInstant="2020-12-02T07:57:30Z" Version="2.0" id="IDCard"> Validity<saml:Issuer>TEST1-NSP-STS</saml:Issuer> Not Before: Dec 19 09:17:40 2018 GMT<saml:Subject> Not After <saml: Dec 19 09:17:05 2021 GMT Subject: C=DKNameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen + SERIALNUMBER=CVR:25450442-RID:40252666, O=LAKESIDE A/S // CVR:25450442, CN=Peter Rasmussen/serialNumber=CVR:25450442-RID:15467395 C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058808}</saml:NameID> Subject Public Key Info<saml:SubjectConfirmation> Public Key Algorithm: rsaEncryption <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod> Public-Key: (2048 bit)<saml:SubjectConfirmationData> Modulus<ds:KeyInfo> 00:ae:6c:d5:c1:db:65:4b:84:65:ea:c0:11:c0:20: <ds:KeyName>OCESSignature</ds:KeyName> </ds:KeyInfo> c1:68:68:ee:ee:d7:a9:56:2d:f1:59:46:11:bf:6f: </saml:SubjectConfirmationData> 54:6d:63:0b:45:ed:43:ef:df:7c:8f:69:63:5e:71:</saml:SubjectConfirmation> </saml:Subject> c7:ef:aa:59:05:1e:3b:57:c3:4e:dc:9d:f8:9d:00:<saml:Conditions NotBefore="2020-12-02T07:57:30Z" NotOnOrAfter="2020-12-03T07:57:30Z"/> <saml:AttributeStatement id="IDCardData"> b1:a0:69:02:10:7c:3c:9e:c5:d1:e5:52:2f:0c:11: <saml:Attribute Name="sosi:IDCardID"> <saml:AttributeValue>uqU7WoiYXI0usmYQ5GvBsA==</saml:AttributeValue> a3:f4:3b:1c:f4:43:3b:5d:6f:a7:4c:70:06:0e:96:</saml:Attribute> <saml:Attribute Name="sosi:IDCardVersion"> 76:42:6d:67:bd:e1:08:52:78:7f:8f:f5:84:50:5d: <saml:AttributeValue>1.0.1</saml:AttributeValue> </saml:Attribute> 97:52:57:ca:03:49:15:bb:dd:c0:bc:dc:6c:4a:1c: <saml:Attribute Name="sosi:IDCardType"> 69:21:bd:c0:dd:c3:f3:32:0b:ac:e3:5a:15:ba:0b: <saml:AttributeValue>user</saml:AttributeValue> </saml:Attribute> f7:6b:fa:ec:2a:82:3b:3c:c5:6d:ff:3b:88:dc:cc:<saml:Attribute Name="sosi:AuthenticationLevel"> <saml:AttributeValue>4</saml:AttributeValue> 90:f1:56:cb:03:fe:14:65:00:d5:6b:6c:61:8c:44: </saml:Attribute> <saml:Attribute Name="sosi:OCESCertHash"> 13:4b:59:7f:f8:c2:4e:bd:d2:29:3c:76:56:42:24:<saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue> </saml:Attribute> 03:a9:68:4f:fe:7e:f0:7c:96:42:f6:56:db:9e:f6:</saml:AttributeStatement> <saml:AttributeStatement id="UserLog"> d2:28:38:e3:0b:83:5d:8c:b2:c0:93:93:00:4f:06: <saml:Attribute Name="medcom:UserCivilRegistrationNumber"> <saml:AttributeValue>0804569723</saml:AttributeValue> f1:1b:2f:fa:24:47:23:64:d4:c4:f7:5c:c2:ca:a6: </saml:Attribute> <saml:Attribute Name="medcom:UserGivenName"> 48:3f:ab:58:9d:6c:d0:37:31:be:ea:27:a3:29:14:<saml:AttributeValue>Casper</saml:AttributeValue> </saml:Attribute> cc:d8:fc:9a:21:56:99:33:03:6f:a7:33:86:b5:64: <saml:Attribute Name="medcom:UserSurName"> 5e:63<saml:AttributeValue>Rasmussen</saml:AttributeValue> </saml:Attribute> Exponent: 65537 (0x10001) X509v3 extensions:<saml:Attribute Name="medcom:UserEmailAddress"> X509v3 Key Usage: critical <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue> </saml:Attribute> Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement <saml:Attribute Name="medcom:UserRole"> Authority Information Access: <saml:AttributeValue>7170</saml:AttributeValue> </saml:Attribute> OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder <saml:Attribute Name="medcom:UserAuthorizationCode"> CA Issuers - URI<saml:http://m.aia.systemtest22.trust2408.com/systemtest22-ca.cer AttributeValue>CBNH1</saml:AttributeValue> X509v3 Certificate Policies: </saml:Attribute> Policy: 1.3.6.1.4.1.31313.2.4.6.2.5<saml:Attribute Name="medcom:UserOccupation"> <saml:AttributeValue>Læge</saml:AttributeValue> CPS: http://www.trust2408.com/repository </saml:Attribute> User Notice</saml:AttributeStatement> <saml:AttributeStatement id="SystemLog"> Organization: DanID <saml:Attribute Name="medcom:ITSystemName"> Number: 1<saml:AttributeValue>Test</saml:AttributeValue> </saml:Attribute> Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.2.5. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.2.5. <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber"> <saml:AttributeValue>25450442</saml:AttributeValue> </saml:Attribute> X509v3 Subject Alternative<saml:Attribute Name: ="medcom:CareProviderName"> email:smi@lakeside.dk<saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue> </saml:Attribute> X509v3 CRL Distribution Points</saml: AttributeStatement> <ds:Signature id="OCESSignature"> Full Name: <ds:SignedInfo> URI<ds:CanonicalizationMethod Algorithm="http://crlwww.systemtest22.trust2408.com/systemtest221.crl w3.org/2001/10/xml-exc-c14n#"/> Full Name:<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> DirName<ds:Reference C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL105 URI="#IDCard"> <ds:Transforms> X509v3 Authority Key Identifier: <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF X509v3 Subject Key Identifier: <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 0A:B6:21:06:8D:81:C7:33:38:B0:C4:65:59:42:DE:B7:BA:10:11:63</ds:Transforms> X509v3 Basic Constraints<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> CA:FALSE <ds:DigestValue>7rGpBft4x09fFey3Ny/ygbSmRI4=</ds:DigestValue> Signature Algorithm: sha256WithRSAEncryption c5:11:e9:de:c5:ca:6d:3b:a5:74:ac:fc:fe:fc:6d:2d:f5:1b: </ds:Reference> ac:30:ea:e6:7f:d2:f6:e3:cd:0e:30:02:7e:83:91:2d:ca:57:</ds:SignedInfo> 5f:d7:d8:77:79:44:4e:28:a2:fa:9a:24:00:80:5a:2a:ec:27: <ds:SignatureValue>e14AkKe/qygk07YrDjzdEzOs7TN0mVPjN4yioh8trDsKhSmx9hO8Sg/zzpRewA4FweLVh+muBSwNR//By6XoLA4nUC7aBqHQ14maBCojwzYH5dmgua2VMAYBECk/fi/3WrMo1qd6EGCHjUOnFnaiyRLQgSc99vF6dHGmW/AeyVdAv7miJcTWNnu4MbtrcBNNnJeClBHJlpAu1708+wjoDSkDcB7BvUYkWqKNuXNdxecYbR6TBjo4S4FrT0Yt7qsXpLRIBxXLBia5BbA/XXzYLcDYPxP7USbSJ47jq18M65llXG56dhxihJzt4WVLFXfBit9oPkhnfF2QfSjZzy6l3g==</ds:SignatureValue> 3a:f9:f9:2b:f2:a6:f7:20:cd:0f:13:46:a2:2f:4e:6b:ee:c0: <ds:KeyInfo> 0c:a7:27:e8:ee:7c:20:c1:9f:5e:db:67:99:d2:46:52:c6:a2:<ds:X509Data> 82:db:4a:a0:65:6c:2a:c6:25:5c:7d:2f:eb:d0:1a:40:7c:1b: 57:96:2b:21:76:19:a3:85:bf:16:dd:b6:5e:ed:16:95:88:be:<ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate> 83:a2:41:4c:92:1d:7a:00:08:32:b1:d5:50:74:c8:74:cc:34: </ds:X509Data> 6b:92:da:dc:b4:0b:c9:68:1a:c7:bf:83:60:20:7d:3a:74:83: </ds:KeyInfo> c0:37:f7:d4:ef:33:eb:a4:85:b9:5e:23:6a:db:1e:d9:8f:26:</ds:Signature> </saml:Assertion> </wst:RequestedSecurityToken> 80:9f:7e:ea:da:06:a3:df:d4:eb:47:95:62:b3:cf:bc:51:27: <wst:Status> d9<wst:72:e7:23:2d:7c:be:e2:0a:d4:c5:d2:d0:c2:3c:9e:98:d5:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code> 9b:19:7a:ff:9c:97:e7:34:e8:4a:b2:c8:b3:57:d6:5e:fc:f5:</wst:Status> <wst:Issuer> fc:d8:c5:2e:b1:c2:54:16:d8:f6:4a:f9:0c:0a:f5:2f:62:e1:<wsa:Address>TEST1-NSP-STS</wsa:Address> </wst:Issuer> ea:73:79:42</wst:RequestSecurityTokenResponse> </soapenv:Body> </soapenv:Envelope> |
Udstedelse af Bruger Idkort (uden sundhedsfaglig autorisation, men med national rolle)
I dette eksempel anvendes et OCES certifikat for en bruger uden sundhedsfaglig autorisation men med netop én national rolle. Eksemplet illusterer, hvorledes STS automatisk sætter oplysninger ind om en medarbejders (unikke) nationale rolle, hvis en sådan findes.Selve requestet til STS ser således ud (bemærk især claims om brugeren 'medcom:UserCivilRegistrationNumber' og 'medcom:UserRole', der er sat til 'ingen_idkort_rolle' for at angive en uspecificeret rolle):
...