Versions Compared

Old Version 4

changes.mady.by.user Thomas Kilden Nielsen

Saved on

compared with

New Version Current

changes.mady.by.user Jacob Qvortrup

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Navitabs
rootSeal.Java 3 - Leverancebeskrivelse
includeroottrue


Indledning

Denne guide beskriver hvordan en STS skal omveksle

Indledning

...

et eHDSI IDWS XUA Bootstrap Token (DKNCPBST) udsted af "Danish National Contact Point" til et eHDSI IDWS XUA Identity Token (IDWS-eHDSI)

...

.

Bemærk, at den OIO Saml sikkerhedsbillet, der veksles, skal være signeret af troværdig tredjepart 

I det følgende vises nogle stykker kode der viser hvordan man som en STS kan modtage et eHDSI IDWS XUA Bootstrap Token og veksle det til et eHDSI IDWS XUA Identity Token.lave denne omveksling.

Der findes et komplet eksempel (incl. Der findes et komplet eksempel (incl. hvordan anvender opbygger request og modtager response) sidst på siden der virker uden at det kræver tilretning.

Eksempel

STS Request

...

.

Eksempel

STS Request

Beskrivelse af hvordan Seal.Java anvendes til at opbygge et STS request findes her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token

Opret en instans af EHDSIFactory og en CredentialVault der indeholder et virksomhedscertifikat der anvendes til denne omveksling:

Code Block
// CredentialVault og Factory
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat");
CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
EHDSIFactory factory = new EHDSIFactory();

En STS vil kunne anvende Seal.Java til at modtage et XML dokument indeholdende et request og det skal deserialiseres til et DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest modelobjekt:

Code Block
consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

Nu vil en STS kunne verificere det indkomne eHDSI IDWS XUA Bootstrap Token. Dette er ikke relevant for denne anvenderguide, men her er et eksempel på hvordan man henter den indlejrede SAML Assertion ud validere det og verificere tre attributter:

Code Block
// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();

Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());

STS Response

Nu vil en STS bygge et response og først bygge en signeret eHDSI IDWS XUA Identity Token:

Code Block
// Build Ehdsi Idws Xua Employee identity token
EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
tokenBuilder.setIssuer("http://sosi");
tokenBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
tokenBuilder.setNotBefore(notBefore);
tokenBuilder.setNotOnOrAfter(notOnOrAfter);
tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
tokenBuilder.setSigningVault(signingVault);
tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

// Øvrige attributter sættes
tokenBuilder.setSubject("Alfonso Gonzalez");
tokenBuilder.setRole("2221", "Nursing professionals");
...

EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();

Dette eHDSI IDWS XUA Identity Token kan nu indlejres i det samlede svar fra STS:

Code Block
// Build Ehdsi Idws Xua Employee response
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
responseBuilder.setSigningVault(holderOfKeyVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");

Document consumerStsResponseDocument = responseBuilder.build();

Svaret kan sendes over netværket som XML:

Code Block
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);

Nu vil en anvender kunne modtage det omvekslede eHDSI IDWS XUA Identity Token og hvordan man anvender Seal.Java til at behandle dette svar er beskrevet her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token


Komplet eksempel (incl. opbygning af request  og modtagelse af response)

Code Block
collapsetrue
public class TestFactoryFlow extends AbstractUserIDCardTest { class TestFactoryFlow {

    private final String NAMEID_FORMAT_X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    @Test
    public void testDKNCPBST2EHDSIIdws() {
       
        /**
         * Consumer sender request
         */

        // CredentialVault  // CredentialVault og Factoryog Factory
        CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat");
        CredentialVault signingVaultholderOfKeyVault = new CredentialVaultTestUtil.getVoces3CredentialVault();
        CredentialVault holderOfKeyVault = CredentialVaultTestUtil.getVocesHolderOfKeyCredentialVault();ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");        
        EHDSIFactory factory = new EHDSIFactory();

        // Build Dkncp Boostrap SAML Assertion
        String issuer = "http://sosi";

        DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
        dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
        dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
        Date now = new Date();
        dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
        dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
        dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

        // Mandatory attribute values
        dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
        dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
        dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
        dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
        dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
        dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
        dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");

        DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
        dkncpBootstrapSamlAssertion.validateSchema();
        dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);

        // Build Dkncp Bootstrap request
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
        requestDomBuilder.setAudience("https://sosi");
        requestDomBuilder.setSigningVault(holderOfKeyVault);
        requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);

        // Serialize request to the same form as received by the STS
        Document consumerStsRequestDocument = requestDomBuilder.build();

        /**
         * Send request over netværk
         */
        String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
        consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);

        /**
         *  STS modtager request
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

        // validate request
        request.validateSignatureAndTrust(holderOfKeyVault);
        request.validateHolderOfKeyRelation();


        // Validate assertion
        DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();

        // The DKNCP BST Assertion can be schema validated after serialize/deserialize
        assertion.validateSchema();
        assertion.validateSignatureAndTrust(signingVault);

        // Verify all attributes
        Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());

        Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
        Assert.assertEquals("2221", assertion.getRoleCode());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
        Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());

        Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
        Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());

        Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());

        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());

        Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
        Assert.assertEquals("DE", assertion.getCountryOfTreatment());

        /**
         *  STS bygger response
         */

        // Build Ehdsi Idws Xua Employee identity token
        EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
        tokenBuilder.setIssuer("http://sosi");
        tokenBuilder.setAudienceRestriction("https://fmk");
        tokenBuilder.setNotBefore(notBefore);
        tokenBuilder.setNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
        tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        tokenBuilder.setSigningVault(signingVault);
        tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

        tokenBuilder.setSubject("Alfonso Gonzalez");
        tokenBuilder.setRole("2221", "Nursing professionals");

        tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        tokenBuilder.setHealthcareFacilityType("Hospital");
        tokenBuilder.setPurposeOfUse("TREATMENT");

        tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");

        tokenBuilder.setAssuranceLevel("3");
        tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        tokenBuilder.setCountryOfTreatment("DE");

        EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();

        // Validate Identity Token
        ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
        ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Build Ehdsi Idws Xua Employee response
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
        responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
        responseBuilder.setSigningVault(holderOfKeyVault);
        responseBuilder.setRelatesTo("relatesTo");
        responseBuilder.setContext("context");

        Document consumerStsResponseDocument = responseBuilder.build();

        /**
         *  Send response over netværk
         */
        String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
        consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);

        /**
         *  Consumer modtager response
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);

        // Validate entire response
        response.validateSignature();

        // Validate the Ehdsi Idws Xua Employee Identity token from the response
        EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();

        // The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
        employeeIdentityToken.validateSchema();
        employeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Verify all attributes
        assertEquals("3", employeeIdentityToken.getAssuranceLevel());
        assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
        Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
        Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());

        Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
        Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());

        Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());

        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());

        Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
        Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
    }
}

...