Page History
| Navitabs | ||||
|---|---|---|---|---|
| ||||
Indledning
Denne guide beskriver hvordan en STS skal omveksle et eHDSI IDWS XUA Bootstrap Token (DKNCPBST) udsted af "Danish National Contact Point" til et eHDSI IDWS XUA Identity Token (IDWS-eHDSI).
I det følgende vises nogle stykker kode der viser hvordan man en STS kan lave denne omveksling.
Der findes et komplet eksempel (incl. hvordan anvender opbygger request og modtager response) sidst på siden.
Eksempel
STS Request
Beskrivelse af hvordan Seal.Java anvendes til at opbygge et STS request findes her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token
Opret en instans af EHDSIFactory og en CredentialVault der indeholder et virksomhedscertifikat der anvendes til denne omveksling:
...
| Code Block |
|---|
// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject()); |
STS Response
Nu vil en STS bygge et response og først bygges bygge en signeret eHDSI IDWS XUA Identity Token:
...
Nu vil en anvender kunne modtage det omvekslede eHDSI IDWS XUA Identity Token og hvordan man anvender Seal.Java til at behandle dette svar er beskrevet her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token
Komplet eksempel (incl. opbygning af request og modtagelse af response)
| Code Block | ||
|---|---|---|
| ||
public class TestFactoryFlow extends AbstractUserIDCardTest { @Test private final String public void NAMEID_FORMAT_X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"; @Test public void testDKNCPBST2EHDSIIdws() { /** * Consumer sender request */ // CredentialVault og Factory CredentialVault signingVault = new CredentialVaultTestUtil.getVoces3CredentialVault(ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat"); CredentialVault holderOfKeyVault = new CredentialVaultTestUtil.getVocesHolderOfKeyCredentialVault();ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat"); EHDSIFactory factory = new EHDSIFactory(); // Build Dkncp Boostrap SAML Assertion String issuer = "http://sosi"; DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer); dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer); dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk"); Date now = new Date(); dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore); dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter); dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter); dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260"); dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid"); dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME); dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault); dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate()); // Mandatory attribute values dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez"); dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals"); dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin"); dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938"); dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital"); dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT"); dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl"); dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO"); dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3"); dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0"); dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict"); dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE"); DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build(); dkncpBootstrapSamlAssertion.validateSchema(); dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault); // Build Dkncp Bootstrap request DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder(); requestDomBuilder.setAudience("https://sosi"); requestDomBuilder.setSigningVault(holderOfKeyVault); requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion); // Serialize request to the same form as received by the STS Document consumerStsRequestDocument = requestDomBuilder.build(); /** * Send request over netværk */ String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false); consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false); /** * STS modtager request */ DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument); // validate request request.validateSignatureAndTrust(holderOfKeyVault); request.validateHolderOfKeyRelation(); // Validate assertion DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion(); // The DKNCP BST Assertion can be schema validated after serialize/deserialize assertion.validateSchema(); assertion.validateSignatureAndTrust(signingVault); // Verify all attributes Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject()); Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType()); Assert.assertEquals("2221", assertion.getRoleCode()); Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem()); Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName()); Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName()); Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization()); Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId()); Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType()); Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode()); Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality()); Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId()); Assert.assertEquals("3", assertion.getAssuranceLevelNIST()); Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion()); Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy()); Assert.assertEquals("DE", assertion.getCountryOfTreatment()); /** * STS bygger response */ // Build Ehdsi Idws Xua Employee identity token EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder(); tokenBuilder.setIssuer("http://sosi"); tokenBuilder.setAudienceRestriction("https://fmk"); tokenBuilder.setNotBefore(notBefore); tokenBuilder.setNotOnOrAfter(notOnOrAfter); tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter); tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503"); tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME); tokenBuilder.setSigningVault(signingVault); tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate()); tokenBuilder.setSubject("Alfonso Gonzalez"); tokenBuilder.setRole("2221", "Nursing professionals"); tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin"); tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938"); tokenBuilder.setHealthcareFacilityType("Hospital"); tokenBuilder.setPurposeOfUse("TREATMENT"); tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl"); tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO"); tokenBuilder.setAssuranceLevel("3"); tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0"); tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict"); tokenBuilder.setCountryOfTreatment("DE"); EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build(); // Validate Identity Token ehdsiIdwsXuaEmployeeIdentityToken.validateSchema(); ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault); // Build Ehdsi Idws Xua Employee response DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder(); responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken); responseBuilder.setSigningVault(holderOfKeyVault); responseBuilder.setRelatesTo("relatesTo"); responseBuilder.setContext("context"); Document consumerStsResponseDocument = responseBuilder.build(); /** * Send response over netværk */ String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false); consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false); /** * Consumer modtager response */ DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder(); DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument); // Validate entire response response.validateSignature(); // Validate the Ehdsi Idws Xua Employee Identity token from the response EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken(); // The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize employeeIdentityToken.validateSchema(); employeeIdentityToken.validateSignatureAndTrust(signingVault); // Verify all attributes assertEquals("3", employeeIdentityToken.getAssuranceLevel()); assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject()); Assert.assertEquals("2221", employeeIdentityToken.getRoleCode()); Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName()); Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization()); Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId()); Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType()); Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode()); Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality()); Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId()); Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel()); Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion()); Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy()); Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment()); } } |
...