Introduction
Purpose of the document
...
Consumers can access the DGWS services on STS with the help of Seal.Java [SPG] or Seal.NET [SN], libraries that among other things support the use of DGWS, including building requests to STS (NewSecurityTokenService).
Material on the issuance of an ID card, as well as examples of calling the service from a Java application, can be found under STS - Kom Godt i Gang.
As mentioned in STS - Guide til anvendere, the STS DGWS services can be used to issue two types of SOSI Idcard:
- System Idcard (based on an OCES certificate (VOCES/FOCES), level 3)
- User Idcard (based on an OCES certificate (MOCES), level 4)
The same service is used for both types of ticket, but the content of the request differs. The section with request examples below gives examples of both types. For User Idcards there are additionally examples of issuance to users with and without a healthcare authorization.
Claims and validations
The Idcard generated by the consumer system and included in the request to STS can contain a number of attributes, which are to be understood as claims about the user in question. The following attributes are relevant to the validation performed by STS:
- medcom:UserCivilRegistrationNumber: The user's CPR number. This is validated by STS using the OCES service for RID-CPR validation (the RID is in the certificate).
- medcom:UserRole: Can contain either an education code (for healthcare professionals), or a national (SEB) role or a local role for users without a healthcare authorization. The education code of a healthcare professional can be validated in the authorization register based on the CPR number (see above). National roles can be validated in Stamdata (roles), while local roles are simply copied without validation.
- medcom:UserAuthorizationCode: Only relevant for healthcare professionals. Validated by STS against the authorization register.
Interface descriptions
Depending on the environment, the service is exposed at:
...
http://<sts-host>:<port>/sts/services/NewSecurityTokenService
For healthcare professionals, the education code (medcom:UserRole) and the authorization number (medcom:UserAuthorizationCode) are validated as follows:
- If both the authorization number and the education code are sent, they are verified against the authorization register and inserted into the returned Idcard.
- If either the authorization number or the education code is sent, it is verified that it matches exactly one authorization in the authorization register, and that authorization is inserted into the returned Idcard.
- If neither the authorization number nor the education code is sent, it is verified that the user holds exactly one authorization in the authorization register, and that authorization is inserted into the returned Idcard.
For users without a healthcare authorization, a role (medcom:UserRole) may be specified.
- If a national role is specified (determined from the prefix), STS checks against its copy of Stamdata that the user in question holds the specified role.
- If the claim of a national role comes from a trusted consumer (determined from the CVR number against the STS configuration of trusted consumers), the national role is inserted without a check in Stamdata.
- If a consumer has not specified a national role in the claim attribute, but the employee in question holds exactly one national role in Stamdata, that role is automatically included in the issued SOSI Idcard.
- Local roles (roles without the national role prefix) are included in the issued Idcard without further validation.
National roles can be recognised by the fact that they all carry the prefix urn:dk:healthcare:national-federation-role:
Examples of national roles are:
- urn:dk:healthcare:national-federation-role:SundAssistR1
- urn:dk:healthcare:national-federation-role:SundAssistR2
It is also possible to state that the user will not make use of any authorization (or national role). This is done by specifying "urn:dk:healthcare:no-role".
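The resolution rules above, written out as executable logic. This is an added example, not code from the NSP STS or the Seal libraries: the authorization register, the STS copy of Stamdata (national roles) and the trusted-consumer list are in-memory stand-ins, and the order in which the branches are tried (no-role first, then national-role prefix, then a register lookup on the CPR number) is an assumption, since the page's diagram is not reproduced here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NATIONAL_ROLE_PREFIX = "urn:dk:healthcare:national-federation-role:"
NO_ROLE = "urn:dk:healthcare:no-role"


@dataclass(frozen=True)
class Authorization:
    code: str            # medcom:UserAuthorizationCode, e.g. "CBNH1"
    education_code: str  # education code STS writes to medcom:UserRole, e.g. "7170"


@dataclass(frozen=True)
class Resolved:
    role: Optional[str]                # medcom:UserRole in the issued Idcard (None = omitted)
    authorization_code: Optional[str]  # medcom:UserAuthorizationCode in the issued Idcard


class ClaimValidationError(Exception):
    """STS would reject the request: no matching, or an ambiguous, authorization/role."""


class StsClaimResolver:
    # All three lookups are in-memory stand-ins for the authorization register,
    # the STS copy of Stamdata (national roles) and the trusted-consumer configuration.
    def __init__(self, register: Dict[str, List[Authorization]],
                 national_roles: Dict[str, Set[str]], trusted_cvrs: Set[str]) -> None:
        self.register = register              # CPR -> authorizations held
        self.national_roles = national_roles  # CPR -> national roles held
        self.trusted_cvrs = trusted_cvrs      # caller CVRs configured as trusted

    def resolve(self, cpr: str, caller_cvr: str, role: Optional[str] = None,
                authorization_code: Optional[str] = None) -> Resolved:
        if role == NO_ROLE:
            return Resolved(None, None)  # user declines to use any authorization or national role
        if role is not None and role.startswith(NATIONAL_ROLE_PREFIX):
            return self._national_role(cpr, caller_cvr, role)
        authorizations = self.register.get(cpr, [])
        if authorizations:  # assumption: a register hit selects the healthcare-professional path
            return self._healthcare_professional(authorizations, role, authorization_code)
        return self._without_authorization(cpr, role)

    def _national_role(self, cpr: str, caller_cvr: str, role: str) -> Resolved:
        # Trusted consumers get the national role inserted without the Stamdata check.
        if caller_cvr in self.trusted_cvrs or role in self.national_roles.get(cpr, set()):
            return Resolved(role, None)
        raise ClaimValidationError(f"user does not hold national role {role}")

    def _healthcare_professional(self, authorizations: List[Authorization],
                                 education_code: Optional[str],
                                 authorization_code: Optional[str]) -> Resolved:
        matches = [a for a in authorizations
                   if (authorization_code is None or a.code == authorization_code)
                   and (education_code is None or a.education_code == education_code)]
        if authorization_code is not None and education_code is not None:
            if not matches:  # both sent: the register only has to confirm them
                raise ClaimValidationError("authorization code and education code not confirmed")
        elif len(matches) != 1:  # one or none sent: must single out exactly one authorization
            raise ClaimValidationError(f"expected exactly one authorization, found {len(matches)}")
        chosen = matches[0]
        return Resolved(chosen.education_code, chosen.code)

    def _without_authorization(self, cpr: str, role: Optional[str]) -> Resolved:
        if role is not None:
            return Resolved(role, None)  # local role: copied without validation
        roles = self.national_roles.get(cpr, set())
        if len(roles) == 1:
            return Resolved(next(iter(roles)), None)  # exactly one national role: auto-included
        return Resolved(None, None)


def is_rejected(resolver: StsClaimResolver, cpr: str, caller_cvr: str, **claims) -> bool:
    """True when STS would reject these claims; used for the negative cases."""
    try:
        resolver.resolve(cpr, caller_cvr, **claims)
        return False
    except ClaimValidationError:
        return True


def demo_resolver() -> StsClaimResolver:
    """Resolver over constructed sample data. CPR 0804569723, code CBNH1, education code
    7170 and CVR 46837428 are the page's test values; the other CPRs and codes are made up."""
    register = {"0804569723": [Authorization("CBNH1", "7170")],
                "1111111118": [Authorization("AAAA1", "7170"), Authorization("BBBB1", "5166")]}
    national_roles = {"2222222226": {NATIONAL_ROLE_PREFIX + "SundAssistR1"},
                      "3333333334": {NATIONAL_ROLE_PREFIX + "SundAssistR1",
                                     NATIONAL_ROLE_PREFIX + "SundAssistR2"}}
    return StsClaimResolver(register, national_roles, trusted_cvrs={"46837428"})


if __name__ == "__main__":
    r = demo_resolver()
    print(r.resolve("0804569723", "25450442", role="7170", authorization_code="CBNH1"))
    print(r.resolve("2222222226", "25450442"))  # the single national role is added automatically
    print(is_rejected(r, "1111111118", "25450442"))  # two authorizations, none singled out
```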
Schematically, the algorithm for validating/determining the role and/or authorization code looks like this:
[Gliffy diagram: image not included in this export]
Service Endpoint
Depending on the environment, the service is exposed at:
http://<sts-host>:<port>/sts/services/NewSecurityTokenService
There is also an older version located under /sts/services/SecurityTokenService, but the endpoint above is recommended for all new uses.
Request examples
The following gives examples of these types of request:
- Issuing a System Idcard
- Issuing a User Idcard (with healthcare authorization)
- Issuing a User Idcard (without healthcare authorization but with a national role)
NB! It is important that the security ticket returned in the response is treated as binary data and handled as such in the consumer system. To keep the signature valid, the ticket must not be modified (e.g. by parsing and re-serialising the XML), since this can affect the validity of the computed digests.
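A concrete way to honour the note above: carve the issued saml:Assertion out of the response as a byte slice and keep it, rather than loading it into a DOM and writing it back. This is an added example, not code from the NSP STS or the Seal libraries; the response it works on is a constructed, abbreviated stand-in that follows the element names of the page's examples, and the round trip through xml.etree shows why a re-serialised copy can no longer be trusted to match the digests.

```python
import hashlib
import xml.etree.ElementTree as ET

START_TAG = b"<saml:Assertion"
END_TAG = b"</saml:Assertion>"

# Constructed sample response: same shape as the page's RequestSecurityTokenResponse,
# with the content shortened and a placeholder instead of a real signature value.
SAMPLE_RESPONSE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    b' xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" id="Envelope">'
    b'<soapenv:Body><wst:RequestSecurityTokenResponse Context="www.sosi.dk">'
    b'<wst:RequestedSecurityToken>'
    b'<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    b' IssueInstant="2020-12-02T13:10:19Z" Version="2.0" id="IDCard">'
    b'<saml:Issuer>TEST1-NSP-STS</saml:Issuer>'
    b'<saml:AttributeStatement id="IDCardData">'
    b'<saml:Attribute Name="sosi:IDCardType">'
    b'<saml:AttributeValue>system</saml:AttributeValue></saml:Attribute>'
    b'</saml:AttributeStatement>'
    b'<ds:Signature id="OCESSignature">'
    b'<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>'
    b'</saml:Assertion>'
    b'</wst:RequestedSecurityToken>'
    b'</wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>'
)


def extract_ticket(response: bytes) -> bytes:
    """Return the saml:Assertion exactly as it appeared on the wire: a byte slice, no parsing."""
    start = response.find(START_TAG)
    if start < 0:
        raise ValueError("response contains no saml:Assertion")
    end = response.find(END_TAG, start)
    if end < 0:
        raise ValueError("saml:Assertion is not terminated")
    return response[start:end + len(END_TAG)]


def reserialize(ticket: bytes) -> bytes:
    """What a naive consumer does: parse the ticket into a DOM and write it back out.
    ElementTree rewrites the namespace prefixes, so the bytes (and digests) change."""
    return ET.tostring(ET.fromstring(ticket))


def fingerprint(data: bytes) -> str:
    """SHA-256 over the raw bytes; used only to compare two copies of a ticket."""
    return hashlib.sha256(data).hexdigest()


def ticket_unchanged(original_response: bytes, stored_ticket: bytes) -> bool:
    """Check a consumer can run before reusing a stored ticket: bytes must be identical."""
    return fingerprint(extract_ticket(original_response)) == fingerprint(stored_ticket)


if __name__ == "__main__":
    ticket = extract_ticket(SAMPLE_RESPONSE)
    print("stored as-is, still identical:", ticket_unchanged(SAMPLE_RESPONSE, ticket))
    print("after DOM round trip, identical:", ticket_unchanged(SAMPLE_RESPONSE, reserialize(ticket)))
```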
Issuing a System Idcard
A System Idcard is issued on the basis of an OCES certificate (VOCES/FOCES). As the name suggests, a System Idcard identifies a consumer system that wants to call services on the NSP. This could, for example, be a consumer system that transfers data in batch from a patient record system to MinLog.
The request to STS looks like this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T13:12:05Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wst:Claims>
        <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T13:09:57Z" Version="2.0" id="IDCard">
          <saml:Issuer>TheSOSILibrary</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="medcom:cvrnumber">46837428</saml:NameID>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T13:09:57Z" NotOnOrAfter="2020-12-03T13:09:57Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>KvW1gwopeh2o87ezfec5uA==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>system</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>3</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>46837428</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderName">
              <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#IDCard">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>7wotC+2VeHeSVglwz/ETmnSoD5I=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>HUPt3Yn9yeSQEIHTM1FvoqxG2c1mQiXUMpSLszmFbgByaRinPnL3vLp6PcB9nlBFWHqsXoX3LfzPme3dyM0TYqSaM1Wk38Vc190KPO5E7SwcZqEz8iQdbGGn5t+TaqnROPQrCtaSfG7UtHMvbP4jGBJusnTqifk3Q2eWf9VIqffLgS3jkXl7toUdAqmLJG1l7DnpuVxMn1I0wahl9821bvmhAvMKyxlMAUMt6xgMGO2aO2jRJsQZWdBxT2U8llnK0N3ePQ0c4znOzMz7IRsyl6k0s+leHR2xs247XM78taSYtgdfpjswayw68UgJ9q3sGvWynf2ZggZTEZbnF6muyw==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:Claims>
      <wst:Issuer>
        <wsa:Address>TheSOSILibrary</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>
```
Successful validation of the request by STS results in a successful response (note that the issued System Idcard is signed by 'SOSI Test Federation (funktionscertifikat)'):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiOU1800JWZmH8DNZ1NPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T13:15:19Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion IssueInstant="2020-12-02T13:10:19Z" Version="2.0" id="IDCard">
          <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="medcom:other">SubjectDN={SERIALNUMBER=CVR:46837428-UID:27910135 + CN=Statens Serum Institut - Test VOCES, O=Statens Serum Institut // CVR:46837428, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058165}</saml:NameID>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T13:10:19Z" NotOnOrAfter="2020-12-03T13:10:19Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>K8zJ68J++oajvRVZ915dvg==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>system</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>3</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>xe/OtYMBaE1RFJ7l9lN2zAuiXAU=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>46837428</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderName">
              <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#IDCard">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>UVzjCyAw5vsBwM9YlO4+mTx79rw=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>JneJnJXDi8JLj6Gv9SmZsKcqMj1SDn7JMw0EMv53OWT4lilCPlaMCmcJ0wykye4PILF3QwW+qkt8Dk95Q4vKyC/qnPamF+yZpIl91AlPCH3za4QjcBwXu9effUDC3UtseVtHxaW8D0jtxRmb2tPCDvG4EmtVMNxqjkyknUDpwwWO919pH7j6wmHSS/DyjXNFjs4hMQwZO/zhwCGbIKeYRDjvY06Eq3ys8kkbJ8B+W5vg0bEUHLRp5vDIVnKuPsol5DDLywAffk9NqhqZqKgjWhJNZsdUqDaD/ss45aMZGWHSa6RAPmz8pjQ4xQvrkV8xjhWkTF9kkuNjnps0QsOSdg==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:Status>
        <wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
      </wst:Status>
      <wst:Issuer>
        <wsa:Address>TEST1-NSP-STS</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>
```
Issuing a User Idcard (with healthcare authorization)
To have a User Idcard issued with information about the user's healthcare authorization, the consumer system must build a request containing the claims about the authorization details (and CPR number) of the user in question. In this example an OCES certificate (MOCES) belonging to a person who holds a medical authorization is used.
The MOCES certificate used in the example looks like this (note that the certificate contains the RID and CVR number, but no information about either the CPR number or the authorization ID):
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1495058808 (0x591cc978)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
        Validity
            Not Before: Aug 30 12:38:36 2018 GMT
            Not After : Aug 30 12:37:22 2021 GMT
        Subject: C=DK, O=LAKESIDE A/S // CVR:25450442, CN=Casper Rasmussen/serialNumber=CVR:25450442-RID:40252666
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8f:1b:7d:37:d7:72:4b:5a:cc:e8:d6:b0:fa:12:
                    d2:9f:bd:fd:c9:be:b1:02:bb:fc:67:a7:c9:97:4c:
                    a9:25:0d:5c:69:a7:fc:2e:9d:13:3f:04:42:61:87:
                    18:13:8f:8b:d5:23:0e:99:3c:02:be:5d:4a:fd:10:
                    ab:aa:3a:80:96:74:65:8d:1f:9a:78:15:80:2d:48:
                    28:89:f5:80:71:3e:38:2d:47:6e:19:a9:b8:fd:2b:
                    ff:f7:d9:a1:cb:2a:8f:a9:99:55:bf:27:70:55:4f:
                    21:99:17:eb:08:bd:3d:d3:93:4e:1a:37:86:32:74:
                    a0:03:20:11:ec:a8:99:1c:38:c4:9c:30:8b:c7:73:
                    bc:1a:91:9e:38:4f:83:51:4a:ca:f1:10:b3:3c:75:
                    aa:8b:88:e2:89:d4:41:48:fb:e2:75:78:82:9e:94:
                    93:62:5e:a9:47:c4:6d:4f:44:df:5b:78:b5:1d:51:
                    8b:1b:31:d5:24:dd:ae:41:65:e9:3e:88:e3:97:97:
                    df:ee:ba:06:1c:6b:dc:59:7c:91:fa:ce:f1:17:54:
                    75:10:e2:fc:77:a7:a4:a2:9f:f8:d0:b0:0c:ad:44:
                    61:0a:2f:c4:30:57:64:03:a3:9f:34:fe:8b:e0:4c:
                    f0:21:b2:ee:2f:27:c7:4b:41:ef:09:98:fa:9b:dd:
                    a9:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            Authority Information Access:
                OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
                CA Issuers - URI:http://m.aia.systemtest22.trust2408.com/systemtest22-ca.cer
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.31313.2.4.6.2.5
                  CPS: http://www.trust2408.com/repository
                  User Notice:
                    Organization: DanID
                    Number: 1
                    Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.2.5. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.2.5.
            X509v3 Subject Alternative Name:
                email:anni@lakeside.dk
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.systemtest22.trust2408.com/systemtest221.crl
                Full Name:
                  DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL76
            X509v3 Authority Key Identifier:
                keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF
            X509v3 Subject Key Identifier:
                EB:4F:3B:90:5C:91:87:11:FB:3F:2D:A2:A7:01:69:97:B6:5D:7C:EE
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         73:75:90:8f:c8:ab:4e:67:e3:58:e5:74:57:6e:fb:40:c9:93:
         0e:c7:7b:a2:e2:e9:9b:ab:b2:2c:76:bd:38:85:01:5f:e9:4d:
         a0:8c:aa:f4:a0:42:71:26:71:2a:dc:88:15:a4:b4:4e:bd:1d:
         18:f5:e6:1a:fe:09:05:13:92:6b:1f:13:9d:8a:ba:8d:33:a4:
         58:22:b6:a6:57:70:6e:de:4b:23:62:65:ce:06:c3:0a:4b:5b:
         9a:64:fb:18:a1:0f:94:57:98:90:b5:d5:2a:5d:b3:0f:bc:b8:
         84:a0:81:c9:d4:39:d0:39:06:a6:48:35:b4:57:17:05:1a:4c:
         02:ff:b8:9e:c0:83:be:98:88:25:c7:cc:12:36:ed:11:55:2a:
         0e:35:cc:66:bf:fc:8f:9c:8f:86:57:ee:9c:57:38:90:38:35:
         15:4e:dd:c9:e9:53:45:ba:4b:6e:88:26:12:5b:5f:5b:1d:7c:
         58:fe:ef:65:51:24:85:e1:eb:de:f5:ff:91:5d:eb:e0:ec:3a:
         46:db:73:82:a5:84:b0:e8:e7:69:93:ae:61:02:04:19:33:56:
         28:f6:b5:20:d2:3f:52:a8:8a:a6:62:cd:8f:c5:b6:35:02:81:
         16:fb:c4:df:d5:2f:5c:5f:38:e9:8d:67:57:7d:eb:19:0f:7f:
         3e:a5:6a:8b
```
The request to STS looks like this (note in particular the claims about the user: 'medcom:UserCivilRegistrationNumber' and 'medcom:UserAuthorizationCode', which gives the authorization code, and 'medcom:UserRole', which gives the corresponding education code):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T08:02:24Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityToken Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wst:Claims>
        <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-02T07:57:24Z" Version="2.0" id="IDCard">
          <saml:Issuer>TheSOSILibrary</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="medcom:cprnumber">0804569723</saml:NameID>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T07:57:24Z" NotOnOrAfter="2020-12-03T07:57:24Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>bkRCjUrGv397gdbh9FvqDg==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>user</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>4</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="UserLog">
            <saml:Attribute Name="medcom:UserCivilRegistrationNumber">
              <saml:AttributeValue>0804569723</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserGivenName">
              <saml:AttributeValue>Casper</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserSurName">
              <saml:AttributeValue>Rasmussen</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserEmailAddress">
              <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserRole">
              <saml:AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserAuthorizationCode">
              <saml:AttributeValue>CBNH1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserOccupation">
              <saml:AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>25450442</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderName">
              <saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <ds:Signature id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#IDCard">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>crGwfhPSXjudjc9vCMFFfpy24W0=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Fm9MAXQFMfMlWZT3UXPLwMVRL9sBt9IPo1STf8Cvyvva1xahuPR7fIarFjOui5y2JI+COYwx5saUhWKzvFyTuKQcVWsWJ9iS1mxxHmWF6KtSVLEpisTh7+MyLe/Ko98PD0nDc7/Vx4jnv+NIMdOeBnyIBI5TjTw8wfG2OKjtagdR/dwcfJad33Iy5DZP+v1+lKOmpS3vgcMlYJy/HSlSNejwdJGx5vr5LZav7/44QDll6ulewIKFe5hJGGh7c9EDv0VBxNXGp/vIYqOAV/bnsspThhtsuuS+b7rxlwvWF/j63OlNss5O3UBkFH2sh1WSX4ilMSFNuThXx5oA51zxTw==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIGIjCCBQqgAwIBAgIEWRzJeDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgzMDEyMzgzNloXDTIxMDgzMDEyMzcyMlowcTELMAkGA1UEBhMCREsxJTAjBgNVBAoMHExBS0VTSURFIEEvUyAvLyBDVlI6MjU0NTA0NDIxOzAXBgNVBAMMEENhc3BlciBSYXNtdXNzZW4wIAYDVQQFExlDVlI6MjU0NTA0NDItUklEOjQwMjUyNjY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjxt9N9dyS1rM6Naw+hLSn739yb6xArv8Z6fJl0ypJQ1caaf8Lp0TPwRCYYcYE4+L1SMOmTwCvl1K/RCrqjqAlnRljR+aeBWALUgoifWAcT44LUduGam4/Sv/99mhyyqPqZlVvydwVU8hmRfrCL0905NOGjeGMnSgAyAR7KiZHDjEnDCLx3O8GpGeOE+DUUrK8RCzPHWqi4jiidRBSPvidXiCnpSTYl6pR8RtT0TfW3i1HVGLGzHVJN2uQWXpPojjl5ff7roGHGvcWXyR+s7xF1R1EOL8d6ekop/40LAMrURhCi/EMFdkA6OfNP6L4EzwIbLuLyfHS0HvCZj6m92pFwIDAQABo4IC6TCCAuUwDgYDVR0PAQH/BAQDAgP4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vbS5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYCBTCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjIuNS4wGwYDVR0RBBQwEoEQYW5uaUBsYWtlc2lkZS5kazCBrAYDVR0fBIGkMIGhMD2gO6A5hjdodHRwOi8vY3JsLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMjEuY3JsMGCgXqBcpFowWDELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODElMCMGA1UEAwwcVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhJSSBDQTEOMAwGA1UEAwwFQ1JMNzYwHwYDVR0jBBgwFoAUq6gBRBmws0OZ2vp8zNIAGAPnPL8wHQYDVR0OBBYEFOtPO5BckYcR+z8toqcBaZe2XXzuMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHN1kI/Iq05n41jldFdu+0DJkw7He6Li6Zursix2vTiFAV/pTaCMqvSgQnEmcSrciBWktE69HRj15hr+CQUTkmsfE52Kuo0zpFgitqZXcG7eSyNiZc4GwwpLW5pk+xihD5RXmJC11Spdsw+8uISggcnUOdA5BqZINbRXFwUaTAL/uJ7Ag76YiCXHzBI27RFVKg41zGa//I+cj4ZX7pxXOJA4NRVO3cnpU0W6S26IJhJbX1sdfFj+72VRJIXh6971/5Fd6+DsOkbbc4KlhLDo52mTrmECBBkzVij2tSDSP1KoiqZizY/FtjUCgRb7xN/VL1xfOOmNZ1d96xkPfz6laos=</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </wst:Claims>
      <wst:Issuer>
        <wsa:Address>TheSOSILibrary</wsa:Address>
      </wst:Issuer>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>
```
Successful validation of the request by STS results in a successful response (note that the issued User Idcard is signed by 'SOSI Test Federation (funktionscertifikat)' and contains the claims from the request, now validated by STS; the education code in 'medcom:UserRole' is the value confirmed by the authorization register):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
  <soapenv:Header>
    <wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
      <wsu:Timestamp>
        <wsu:Created>2020-12-02T08:02:30Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse Context="www.sosi.dk">
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion IssueInstant="2020-12-02T07:57:30Z" Version="2.0" id="IDCard">
          <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen + SERIALNUMBER=CVR:25450442-RID:40252666, O=LAKESIDE A/S // CVR:25450442, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058808}</saml:NameID>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <ds:KeyInfo>
                  <ds:KeyName>OCESSignature</ds:KeyName>
                </ds:KeyInfo>
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-02T07:57:30Z" NotOnOrAfter="2020-12-03T07:57:30Z"/>
          <saml:AttributeStatement id="IDCardData">
            <saml:Attribute Name="sosi:IDCardID">
              <saml:AttributeValue>uqU7WoiYXI0usmYQ5GvBsA==</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardVersion">
              <saml:AttributeValue>1.0.1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:IDCardType">
              <saml:AttributeValue>user</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:AuthenticationLevel">
              <saml:AttributeValue>4</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sosi:OCESCertHash">
              <saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="UserLog">
            <saml:Attribute Name="medcom:UserCivilRegistrationNumber">
              <saml:AttributeValue>0804569723</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserGivenName">
              <saml:AttributeValue>Casper</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserSurName">
              <saml:AttributeValue>Rasmussen</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserEmailAddress">
              <saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserRole">
              <saml:AttributeValue>7170</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserAuthorizationCode">
              <saml:AttributeValue>CBNH1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:UserOccupation">
              <saml:AttributeValue>Læge</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement id="SystemLog">
            <saml:Attribute Name="medcom:ITSystemName">
              <saml:AttributeValue>Test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
              <saml:AttributeValue>25450442</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="medcom:CareProviderName">
```
A successful validation of the request in STS results in a successful response. Note that the issued User ID card is signed by 'SOSI Test Federation (funktionscertifikat)' and contains the claims from the request, which STS has now validated. Note also that medcom:UserRole has been replaced by the education code that belongs to the user's authorization in the authorization register:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
<soapenv:Header>
<wsse:Security id="AAABdiJ5Tp5qHUF3ucrocFNPU0k=">
<wsu:Timestamp>
<wsu:Created>2020-12-02T08:02:30Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse Context="www.sosi.dk">
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion IssueInstant="2020-12-02T07:57:30Z" Version="2.0" id="IDCard">
<saml:Issuer>TEST1-NSP-STS</saml:Issuer>
<saml:Subject>
<saml:NameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen + SERIALNUMBER=CVR:25450442-RID:40252666, O=LAKESIDE A/S // CVR:25450442, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1495058808}</saml:NameID>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyName>OCESSignature</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-02T07:57:30Z" NotOnOrAfter="2020-12-03T07:57:30Z"/>
<saml:AttributeStatement id="IDCardData">
<saml:Attribute Name="sosi:IDCardID">
<saml:AttributeValue>uqU7WoiYXI0usmYQ5GvBsA==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardVersion">
<saml:AttributeValue>1.0.1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardType">
<saml:AttributeValue>user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:AuthenticationLevel">
<saml:AttributeValue>4</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:OCESCertHash">
<saml:AttributeValue>RIQsET5XYrNoH/CVyZdYqa7GvYQ=</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="UserLog">
<saml:Attribute Name="medcom:UserCivilRegistrationNumber">
<saml:AttributeValue>0804569723</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserGivenName">
<saml:AttributeValue>Casper</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserSurName">
<saml:AttributeValue>Rasmussen</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserEmailAddress">
<saml:AttributeValue>casper56@hotdocs.dk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserRole">
<saml:AttributeValue>7170</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserAuthorizationCode">
<saml:AttributeValue>CBNH1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserOccupation">
<saml:AttributeValue>Læge</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="SystemLog">
<saml:Attribute Name="medcom:ITSystemName">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
<saml:AttributeValue>25450442</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderName">
<saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature id="OCESSignature">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#IDCard">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>7rGpBft4x09fFey3Ny/ygbSmRI4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>e14AkKe/qygk07YrDjzdEzOs7TN0mVPjN4yioh8trDsKhSmx9hO8Sg/zzpRewA4FweLVh+muBSwNR//By6XoLA4nUC7aBqHQ14maBCojwzYH5dmgua2VMAYBECk/fi/3WrMo1qd6EGCHjUOnFnaiyRLQgSc99vF6dHGmW/AeyVdAv7miJcTWNnu4MbtrcBNNnJeClBHJlpAu1708+wjoDSkDcB7BvUYkWqKNuXNdxecYbR6TBjo4S4FrT0Yt7qsXpLRIBxXLBia5BbA/XXzYLcDYPxP7USbSJ47jq18M65llXG56dhxihJzt4WVLFXfBit9oPkhnfF2QfSjZzy6l3g==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wst:Status>
<wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
</wst:Status>
<wst:Issuer>
<wsa:Address>TEST1-NSP-STS</wsa:Address>
</wst:Issuer>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
Issuing a User ID card (without health-professional authorization, but with a national role)
In this example a MOCES certificate for a user without health-professional authorization is used.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1537912428 (0x5baaae6c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
        Validity
            Not Before: Dec 19 09:17:40 2018 GMT
            Not After : Dec 19 09:17:05 2021 GMT
        Subject: C=DK, O=LAKESIDE A/S // CVR:25450442, CN=Peter Rasmussen/serialNumber=CVR:25450442-RID:15467395
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:6c:d5:c1:db:65:4b:84:65:ea:c0:11:c0:20:
                    c1:68:68:ee:ee:d7:a9:56:2d:f1:59:46:11:bf:6f:
                    54:6d:63:0b:45:ed:43:ef:df:7c:8f:69:63:5e:71:
                    c7:ef:aa:59:05:1e:3b:57:c3:4e:dc:9d:f8:9d:00:
                    b1:a0:69:02:10:7c:3c:9e:c5:d1:e5:52:2f:0c:11:
                    a3:f4:3b:1c:f4:43:3b:5d:6f:a7:4c:70:06:0e:96:
                    76:42:6d:67:bd:e1:08:52:78:7f:8f:f5:84:50:5d:
                    97:52:57:ca:03:49:15:bb:dd:c0:bc:dc:6c:4a:1c:
                    69:21:bd:c0:dd:c3:f3:32:0b:ac:e3:5a:15:ba:0b:
                    f7:6b:fa:ec:2a:82:3b:3c:c5:6d:ff:3b:88:dc:cc:
                    90:f1:56:cb:03:fe:14:65:00:d5:6b:6c:61:8c:44:
                    13:4b:59:7f:f8:c2:4e:bd:d2:29:3c:76:56:42:24:
                    03:a9:68:4f:fe:7e:f0:7c:96:42:f6:56:db:9e:f6:
                    d2:28:38:e3:0b:83:5d:8c:b2:c0:93:93:00:4f:06:
                    f1:1b:2f:fa:24:47:23:64:d4:c4:f7:5c:c2:ca:a6:
                    48:3f:ab:58:9d:6c:d0:37:31:be:ea:27:a3:29:14:
                    cc:d8:fc:9a:21:56:99:33:03:6f:a7:33:86:b5:64:
                    5e:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            Authority Information Access:
                OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
                CA Issuers - URI:http://m.aia.systemtest22.trust2408.com/systemtest22-ca.cer
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.31313.2.4.6.2.5
                  CPS: http://www.trust2408.com/repository
                  User Notice:
                    Organization: DanID
                    Number: 1
                    Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.2.5. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.2.5.
            X509v3 Subject Alternative Name:
                email:smi@lakeside.dk
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.systemtest22.trust2408.com/systemtest221.crl
                Full Name:
                  DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL105
            X509v3 Authority Key Identifier:
                keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF
            X509v3 Subject Key Identifier:
                0A:B6:21:06:8D:81:C7:33:38:B0:C4:65:59:42:DE:B7:BA:10:11:63
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         c5:11:e9:de:c5:ca:6d:3b:a5:74:ac:fc:fe:fc:6d:2d:f5:1b:
         ac:30:ea:e6:7f:d2:f6:e3:cd:0e:30:02:7e:83:91:2d:ca:57:
         5f:d7:d8:77:79:44:4e:28:a2:fa:9a:24:00:80:5a:2a:ec:27:
         3a:f9:f9:2b:f2:a6:f7:20:cd:0f:13:46:a2:2f:4e:6b:ee:c0:
         0c:a7:27:e8:ee:7c:20:c1:9f:5e:db:67:99:d2:46:52:c6:a2:
         82:db:4a:a0:65:6c:2a:c6:25:5c:7d:2f:eb:d0:1a:40:7c:1b:
         57:96:2b:21:76:19:a3:85:bf:16:dd:b6:5e:ed:16:95:88:be:
         83:a2:41:4c:92:1d:7a:00:08:32:b1:d5:50:74:c8:74:cc:34:
         6b:92:da:dc:b4:0b:c9:68:1a:c7:bf:83:60:20:7d:3a:74:83:
         c0:37:f7:d4:ef:33:eb:a4:85:b9:5e:23:6a:db:1e:d9:8f:26:
         80:9f:7e:ea:da:06:a3:df:d4:eb:47:95:62:b3:cf:bc:51:27:
         d9:72:e7:23:2d:7c:be:e2:0a:d4:c5:d2:d0:c2:3c:9e:98:d5:
         9b:19:7a:ff:9c:97:e7:34:e8:4a:b2:c8:b3:57:d6:5e:fc:f5:
         fc:d8:c5:2e:b1:c2:54:16:d8:f6:4a:f9:0c:0a:f5:2f:62:e1:
         ea:73:79:42
In this example an OCES certificate is used for a user without health-professional authorization but with exactly one national role. The example illustrates how STS automatically inserts information about an employee's (unique) national role when one exists. The request to STS looks like this (note in particular the claims about the user, 'medcom:UserCivilRegistrationNumber' and 'medcom:UserRole', where the latter is set to 'ingen_idkort_rolle' to indicate an unspecified role):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="Envelope">
<soapenv:Header>
<wsse:Security id="AAABdi2k9N6MR/n+guZaylNPU0k=">
<wsu:Timestamp>
<wsu:Created>2020-12-04T12:05:54Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken Context="www.sosi.dk">
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:Claims>
<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-04T12:00:54Z" Version="2.0" id="IDCard">
<saml:Issuer>TheSOSILibrary</saml:Issuer>
<saml:Subject>
<saml:NameID Format="medcom:cprnumber">0112709169</saml:NameID>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyName>OCESSignature</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-04T12:00:54Z" NotOnOrAfter="2020-12-05T12:00:54Z"/>
<saml:AttributeStatement id="IDCardData">
<saml:Attribute Name="sosi:IDCardID">
<saml:AttributeValue>k7NpQnaMEJ8iWbivIdZD1Q==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardVersion">
<saml:AttributeValue>1.0.1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardType">
<saml:AttributeValue>user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:AuthenticationLevel">
<saml:AttributeValue>4</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:OCESCertHash">
<saml:AttributeValue>WiEtM2flJxiqUguE7Xz2YwZ7Vdo=</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="UserLog">
<saml:Attribute Name="medcom:UserCivilRegistrationNumber">
<saml:AttributeValue>0112709169</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserGivenName">
<saml:AttributeValue>Peter</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserSurName">
<saml:AttributeValue>Rasmussen</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserEmailAddress">
<saml:AttributeValue>p@rasser.dk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserRole">
<saml:AttributeValue>ingen_idkort_rolle</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserOccupation">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="SystemLog">
<saml:Attribute Name="medcom:ITSystemName">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
<saml:AttributeValue>25450442</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderName">
<saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature id="OCESSignature">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#IDCard">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>9e1UTUMNg8cJQn8fDqOhRoeDBCw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>KantAiwyIeHZiQBR5ziLQ9WNHqDBPLjojUlCdDtBsXk71qVbyiw8R5/QVfG0x1AWShWU8KpBzz913qb2GxcfnXVWiYxIJbQn4VC0dSg0UHYEc8qaVfAcO4L6ZObMQEU//nkqNLIWNYcDqYoDmV2VBCos1XOzcC+Z1T9O0maRn+9Gv4V3P1cymGFZK8B28F8ZfWhS4qr+t27vFaNdjkIiLioKvmkNL6HQIyNC6UDhaX5eHBTAG4EktJFAcTcHPVq3tO5IWVcqr3Ueuj2TAIPquQPsYGeHpUu4wvPkdmhBkppWc+xgACGCY4CU85LeDo0HuBTyKze9NhLuVrStHVz1lg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:Claims>
<wst:Issuer>
<wsa:Address>TheSOSILibrary</wsa:Address>
</wst:Issuer>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
A successful validation of the request in STS results in a successful response. Note that the issued User ID card is signed by 'SOSI Test Federation (funktionscertifikat)' and contains the claims from the request that STS has now validated with respect to the CPR number, together with the automatically stamped national role that the employee holds:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:sosi="http://www.sosi.dk/sosi/2006/04/sosi-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:medcom="http://www.medcom.dk/dgws/2006/04/dgws-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="Envelope">
<soapenv:Header>
<wsse:Security id="AAABdi2k9N6MR/n+guZaylNPU0k=">
<wsu:Timestamp>
<wsu:Created>2020-12-04T12:05:57Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse Context="www.sosi.dk">
<wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion:</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion IssueInstant="2020-12-04T12:00:57Z" Version="2.0" id="IDCard">
<saml:Issuer>TEST1-NSP-STS</saml:Issuer>
<saml:Subject>
<saml:NameID Format="medcom:other">SubjectDN={CN=Peter Rasmussen + SERIALNUMBER=CVR:25450442-RID:15467395, O=LAKESIDE A/S // CVR:25450442, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXII CA, O=TRUST2408, C=DK},CertSerial={1537912428}</saml:NameID>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyName>OCESSignature</ds:KeyName>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-04T12:00:57Z" NotOnOrAfter="2020-12-05T12:00:57Z"/>
<saml:AttributeStatement id="IDCardData">
<saml:Attribute Name="sosi:IDCardID">
<saml:AttributeValue>toRbepBS3GGSLCUKmIVzvA==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardVersion">
<saml:AttributeValue>1.0.1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:IDCardType">
<saml:AttributeValue>user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:AuthenticationLevel">
<saml:AttributeValue>4</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sosi:OCESCertHash">
<saml:AttributeValue>WiEtM2flJxiqUguE7Xz2YwZ7Vdo=</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="UserLog">
<saml:Attribute Name="medcom:UserCivilRegistrationNumber">
<saml:AttributeValue>0112709169</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserGivenName">
<saml:AttributeValue>Peter</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserSurName">
<saml:AttributeValue>Rasmussen</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserEmailAddress">
<saml:AttributeValue>p@rasser.dk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserRole">
<saml:AttributeValue>urn:dk:healthcare:national-federation-role:code:41001:value:SundAssistR1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:UserOccupation">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement id="SystemLog">
<saml:Attribute Name="medcom:ITSystemName">
<saml:AttributeValue>Test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
<saml:AttributeValue>25450442</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="medcom:CareProviderName">
<saml:AttributeValue>LAKESIDE A/S</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature id="OCESSignature">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#IDCard">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>TzEYtBJ591TM+lvn66M4X+tR5PY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Vbj5rNngQodscXZk53TCmpeyHFa9815eiJm0fp5PGgWNlnwtYjgGsFVyzvvz/LXubnNUWXg58sOszaUE1ItFLNb6eEtgGoSENsP1lp/ydcq4fnpPLCF9xZ4Gq+YdE/AHtINqGC+eeO7AqdS6Q+Fw9scJZSwpHDSJ1Pf72YricRM5selseCShsVSlawaJQhY1npjHAc3BV/qSfhBrWEx6w9avkNUU9gWjBYDeUVaykgQWhjGczQrxGzlYeBkr80qgB4gNK19jEeiezOqqJcZYMm5MN5f43o7W3d2dRbPi4IOKp/hs/gfLhRlGUlJFyPt2mdkjRDTLQJdad4thFfUNPA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3f
IASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wst:Status>
<wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code>
</wst:Status>
<wst:Issuer>
<wsa:Address>TEST1-NSP-STS</wsa:Address>
</wst:Issuer>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
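As an added example (not code from this page, nor from Seal.Java or Seal.NET), the Python below rebuilds a shortened version of the request/response exchange shown in both User ID card examples above and runs the consistency checks a consumer of the response can make before trusting the ID card: status valid, issuer is the STS, holder-of-key confirmation, a signature reference that covers the ID card, the validity window, validated claims copied through unchanged, and medcom:UserRole rewritten to an education code or a national role URN. The sample messages, the NOW timestamp and the finding strings are constructed for the example; XML signature verification itself is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {  # namespaces of the DGWS/SOSI STS messages shown on this page
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_VALID = "http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
NATIONAL_ROLE = "urn:dk:healthcare:national-federation-role:"
ENVELOPE = ("<soapenv:Envelope" + "".join(f' xmlns:{p}="{u}"' for p, u in NS.items())
            + "><soapenv:Body>{}</soapenv:Body></soapenv:Envelope>")
NOW = datetime(2020, 12, 2, 8, 2, 30)  # the page's wsu:Created, used as "current time"

def _statement(sid, pairs):
    """One saml:AttributeStatement built from (Name, value) pairs."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    "</saml:AttributeValue></saml:Attribute>" for n, v in pairs)
    return f'<saml:AttributeStatement id="{sid}">{attrs}</saml:AttributeStatement>'

def _idcard(issuer, name_id, not_before, not_after, statements):
    # A SOSI ID card assertion; the ds:Signature content is only a placeholder.
    return (f'<saml:Assertion Version="2.0" id="IDCard" IssueInstant="{not_before}">'
            f"<saml:Issuer>{issuer}</saml:Issuer><saml:Subject>{name_id}"
            f"<saml:SubjectConfirmation><saml:ConfirmationMethod>{HOLDER_OF_KEY}"
            "</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>"
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
            + "".join(statements) +
            '<ds:Signature id="OCESSignature"><ds:SignedInfo><ds:Reference URI="#IDCard"/>'
            "</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>"
            "</ds:Signature></saml:Assertion>")

# Constructed sample exchange, shortened from the page's health-professional example.
_CARD = [("sosi:OCESCertHash", "RIQsET5XYrNoH/CVyZdYqa7GvYQ=")]
_USER = [("medcom:UserCivilRegistrationNumber", "0804569723"),
         ("medcom:UserAuthorizationCode", "CBNH1")]
REQUEST_XML = ENVELOPE.format(
    '<wst:RequestSecurityToken Context="www.sosi.dk"><wst:Claims>'
    + _idcard("TheSOSILibrary", '<saml:NameID Format="medcom:cprnumber">0804569723</saml:NameID>',
              "2020-12-02T07:57:24Z", "2020-12-03T07:57:24Z",
              [_statement("IDCardData", _CARD),
               _statement("UserLog", _USER + [("medcom:UserRole", "Læge")])])
    + "</wst:Claims></wst:RequestSecurityToken>")
RESPONSE_XML = ENVELOPE.format(
    '<wst:RequestSecurityTokenResponse Context="www.sosi.dk"><wst:RequestedSecurityToken>'
    + _idcard("TEST1-NSP-STS", '<saml:NameID Format="medcom:other">SubjectDN={CN=Casper Rasmussen}</saml:NameID>',
              "2020-12-02T07:57:30Z", "2020-12-03T07:57:30Z",
              [_statement("IDCardData", _CARD),
               _statement("UserLog", _USER + [("medcom:UserRole", "7170")])])
    + f"</wst:RequestedSecurityToken><wst:Status><wst:Code>{STATUS_VALID}</wst:Code>"
    "</wst:Status><wst:Issuer><wsa:Address>TEST1-NSP-STS</wsa:Address></wst:Issuer>"
    "</wst:RequestSecurityTokenResponse>")

def _claims(assertion):
    return {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
            for a in assertion.iter("{%s}Attribute" % NS["saml"])}

def check_issued_idcard(request_xml, response_xml, now, sts="TEST1-NSP-STS"):
    """Structural checks on an STS response; returns a list of findings (empty when
    consistent). It does not verify the XML signature, which a real consumer must do."""
    findings = []
    rstr = ET.fromstring(response_xml).find(".//wst:RequestSecurityTokenResponse", NS)
    card = None if rstr is None else rstr.find("wst:RequestedSecurityToken/saml:Assertion", NS)
    if card is None:
        return ["no ID card assertion in RequestSecurityTokenResponse"]
    if rstr.findtext("wst:Status/wst:Code", default="", namespaces=NS) != STATUS_VALID:
        findings.append("status code is not 'valid'")
    if card.findtext("saml:Issuer", default="", namespaces=NS) != sts:
        findings.append("ID card issuer is not the expected STS")
    if card.findtext("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod",
                     default="", namespaces=NS) != HOLDER_OF_KEY:
        findings.append("subject confirmation is not holder-of-key")
    # The enveloped signature must reference the ID card element itself.
    ref = card.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + card.get("id", ""):
        findings.append("signature reference does not cover the ID card")
    cond = card.find("saml:Conditions", NS)
    not_before, not_after = (datetime.strptime(cond.get(a), "%Y-%m-%dT%H:%M:%SZ")
                             for a in ("NotBefore", "NotOnOrAfter"))
    if not not_before <= now < not_after:
        findings.append("ID card is outside its validity window")
    requested = _claims(ET.fromstring(request_xml).find(".//wst:Claims/saml:Assertion", NS))
    issued = _claims(card)
    # Validated claims are copied through unchanged; medcom:UserRole is rewritten by
    # STS to the authorisation register's education code or to a national role URN.
    for name in ("medcom:UserCivilRegistrationNumber", "medcom:UserAuthorizationCode",
                 "sosi:OCESCertHash"):
        if issued.get(name) != requested.get(name):
            findings.append(f"{name} differs between request and issued ID card")
    role = issued.get("medcom:UserRole", "")
    if role == requested.get("medcom:UserRole") or not (
            role.isdigit() or role.startswith(NATIONAL_ROLE)):
        findings.append("medcom:UserRole was not rewritten by STS")
    return findings
```

Running `check_issued_idcard(REQUEST_XML, RESPONSE_XML, NOW)` on the constructed pair returns an empty list; tampering with the role, status, issuer or signature reference in RESPONSE_XML produces the corresponding finding.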