...

Populært sagt kan man sige at man beder om en billet til en given service.

Understøttede services

Følgende services (hvoraf ikke alle er i produktion i dag) er pt understøttede af borger-billetomvekslingen:

...

Anvendelse

Anvendere vil typisk anvende Seal.java eller Seal.net. Nyeste Seal.net version er tilgængelig via Nuget. seal.java hentes via det offentligt tilgængelige maven repository ved i et projekt at benytte f.eks.:

...

Bemærk at version 2.4.2 er ældste version med API-understøttelse af fuldmagter.

Kommunikation

Borger-billetomvekslingen er udformet som et standard WS-Trust 1.4 request med tilhørende response.

Et typisk request vil have nogenlunde følgende struktur:

<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:1c2818b8-9ab3-4898-9730-dab518020b05</wsa:MessageID>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2018-05-24T09:17:40Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#messageID"> ... </ds:Reference>
          <ds:Reference URI="#action"> ...</ds:Reference>
          <ds:Reference URI="#ts">...</ds:Reference>
          <ds:Reference URI="#body">...</ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
                <!-- FOCES certifikat i base64-encodet form til signering af -->
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityToken Context="urn:uuid:f637dd3e-fad4-4f5e-ac55-baa504560772">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst14:ActAs>
          <!-- nemlogin bootstrap token in cleartext -->
        </saml:Assertion>
      </wst14:ActAs>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>http://audience/clear</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Claims Dialect="http://docs.oasis-open.org/wsfed/authorization/200706/authclaims">
        <auth:ClaimType Uri="dk:gov:saml:attribute:CprNumberIdentifier">
          <auth:Value>0501792275</auth:Value>
        </auth:ClaimType>
        <auth:ClaimType Uri="dk:healthcare:saml:attribute:OnBehalfOf">
          <auth:Value>urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118</auth:Value>
        </auth:ClaimType>
      </wst:Claims>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

...

Indlejret certifikat:
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate><!-- FOCES certifikat i base64-encodet form til signering af --></ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>

Certifikat vha. BinarySecurityToken:
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509Token">
MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</><!-- FOCES certifikat i base64-encodet form til signering af --></wsse:BinarySecurityToken>
  </soapenv:Header>

Eksempel kode (seal.java)

// bootstrap token dom is normally fetched by the citizen authenticating himself with NemLog-in
OIOBootstrapToken bootstrapToken = new OIOBootstrapToken(this.bootstrapTokenDom);
OIOSAMLFactory oiosamlFactory = new OIOSAMLFactory();
OIOBootstrapToIdentityTokenRequestDOMBuilder requestBuilder = oiosamlFactory.createOIOBootstrapToIdentityTokenRequestDOMBuilder();
requestBuilder.setOIOBootstrapToken(bootstrapToken);
// Hvis man ønsker at bygge et request med certifikat i BinarySecurityToken, så kaldes:
// requestBuilder.setSigningVault(getValidWhitelistedVault(), true);  
requestBuilder.setSigningVault(getValidWhitelistedVault());
requestBuilder.setAudience("http://audience/clear");
requestBuilder.setCPRNumberClaim("0501792275");
requestBuilder.setProcurationByCprClaim("1111111118");
Document requestDocument = requestBuilder.build();

final String requestString = XmlUtil.node2String(requestDocument, false, false);
final Document responseDoc = soapClient.execute(requestString);

OIOBootstrapToIdentityTokenResponse response = oiosamlFactory.createOIOBootstrapToIdentityTokenResponseModelBuilder().build(responseDoc);
assertFalse(response.getFaultString(), response.isFault());
response.validateSignature();
response.validateSignatureAndTrust(federation);

final IdentityToken identityToken = response.getIdentityToken();

// identity token can be used to authenticate against backend service
// below we just inspect the result

assertEquals("0501792275", identityToken.getCpr());
assertEquals("http://audience/clear", identityToken.getAudienceRestriction());
assertTrue(identityToken.getIssuer(), identityToken.getIssuer().contains("STS"));
assertEquals("DK-SAML-2.0", identityToken.getAttribute("dk:gov:saml:attribute:SpecVer"));
assertEquals("3", identityToken.getAssuranceLevel());
final BasicPrivileges privileges = identityToken.getPrivileges();
final String privilegeScope = "urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118";
assertEquals(1, privileges.getPrivileges(privilegeScope).size());
assertTrue(privileges.getPrivileges(privilegeScope).contains("urn:dk:nspop:sts:read"));

Udseende af privilegier

Aktuelt er der mulighed for op til 4 privilegier. Disse returneres i givet fald i Privileges_Intermediate attributten i base64 encodet format:

...

Et gyldigt svar vil altid indeholde 1-2 privilegier, idet der i tilfældet af 0 privilegier returneres et fejlsvar.

Testborgere

I testsystemet er oprettet en fuldmagtshaver (borger) med cpr-nummeret 0501792275 

...