...

Put simply, one asks for a ticket to a given service.

Supported services

The following services (not all of which are in production today) are currently supported by the citizen ticket exchange (borger-billetomveksling):

...

Service              Audience          Status
Fælles medicinkort   https://fmk       In production
Fælles stamkort      https://fsk       Available on test. Expected in production November 2018.
Minlog2              https://minlog2   Available on test1. Expected in production at the end of 2018.

Usage

Users will typically use Seal.java or Seal.net. The newest Seal.net version is available via NuGet. seal.java is fetched from the publicly available Maven repository by adding to a project e.g.:

...

Note that version 2.4.2 is the oldest version with API support for powers of attorney (fuldmagter).

Communication

The citizen ticket exchange is designed as a standard WS-Trust 1.4 request with a corresponding response.

A typical request will have roughly the following structure:

<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:1c2818b8-9ab3-4898-9730-dab518020b05</wsa:MessageID>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2018-05-24T09:17:40Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#messageID"> ... </ds:Reference>
          <ds:Reference URI="#action"> ...</ds:Reference>
          <ds:Reference URI="#ts">...</ds:Reference>
          <ds:Reference URI="#body">...</ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
                <!-- FOCES certificate in base64-encoded form, used for signing -->
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityToken Context="urn:uuid:f637dd3e-fad4-4f5e-ac55-baa504560772">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst14:ActAs>
        <saml:Assertion>
          <!-- NemLog-in bootstrap token in cleartext -->
        </saml:Assertion>
      </wst14:ActAs>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>http://audience/clear</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Claims Dialect="http://docs.oasis-open.org/wsfed/authorization/200706/authclaims">
        <auth:ClaimType Uri="dk:gov:saml:attribute:CprNumberIdentifier">
          <auth:Value>0501792275</auth:Value>
        </auth:ClaimType>
        <auth:ClaimType Uri="dk:healthcare:saml:attribute:OnBehalfOf">
          <auth:Value>urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118</auth:Value>
        </auth:ClaimType>
      </wst:Claims>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

...

Embedded certificate:
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate><!-- FOCES certificate in base64-encoded form, used for signing --></ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>

Certificate via BinarySecurityToken:
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509Token"><!-- FOCES certificate in base64-encoded form, used for signing --></wsse:BinarySecurityToken>
  </soapenv:Header>
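As an added example (not code from this page, from Seal.java or from the NSP project), the following Python script parses a request with the structure shown above and runs the structural checks a receiving side would want before cryptographic signature verification: that the signature references cover the messageID, action, timestamp and body, that the timestamp lies within an accepted window, that the signing certificate can be located in either of the two KeyInfo forms just shown (embedded X509Data, or a SecurityTokenReference resolved by wsu:Id to a BinarySecurityToken), and that the request carries an ActAs bootstrap token and a CPR claim. The sample request, the PLACEHOLDER digest/certificate values, the 5-minute window and all function names are assumptions of this example; it does not verify the signature value itself.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Namespace prefixes exactly as used in the request on the page.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wst14": "http://docs.oasis-open.org/ws-sx/ws-trust/200802",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE_REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
CPR_CLAIM = "dk:gov:saml:attribute:CprNumberIdentifier"
REQUIRED_SIGNED_IDS = {"messageID", "action", "ts", "body"}  # the parts the page's signature covers

# Constructed sample (assumption): the page's request with PLACEHOLDER digests, signature value,
# certificate and bootstrap assertion, in the BinarySecurityToken variant.
SAMPLE_RST = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:1c2818b8-9ab3-4898-9730-dab518020b05</wsa:MessageID>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2018-05-24T09:17:40Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#messageID"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#action"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#ts"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#body"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509Token">PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityToken Context="urn:uuid:f637dd3e-fad4-4f5e-ac55-baa504560772">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst14:ActAs><saml:Assertion><!-- NemLog-in bootstrap token placeholder --></saml:Assertion></wst14:ActAs>
      <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>http://audience/clear</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
      <wst:Claims Dialect="http://docs.oasis-open.org/wsfed/authorization/200706/authclaims">
        <auth:ClaimType Uri="dk:gov:saml:attribute:CprNumberIdentifier"><auth:Value>0501792275</auth:Value></auth:ClaimType>
        <auth:ClaimType Uri="dk:healthcare:saml:attribute:OnBehalfOf"><auth:Value>urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118</auth:Value></auth:ClaimType>
      </wst:Claims>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>"""


def utc(stamp):
    """Parse a wsu:Created style timestamp ('YYYY-MM-DDTHH:MM:SSZ') as an aware UTC datetime."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def signing_certificate(header):
    """Base64 certificate from KeyInfo: embedded X509Data, or a SecurityTokenReference
    resolved by wsu:Id to a BinarySecurityToken anywhere in the header. None if absent."""
    key_info = header.find("wsse:Security/ds:Signature/ds:KeyInfo", NS)
    if key_info is None:
        return None
    embedded = key_info.find("ds:X509Data/ds:X509Certificate", NS)
    if embedded is not None:
        return (embedded.text or "").strip()
    ref = key_info.find("wsse:SecurityTokenReference/wsse:Reference", NS)
    wanted = ref.get("URI", "").lstrip("#") if ref is not None else None
    for token in header.iter("{%s}BinarySecurityToken" % NS["wsse"]):
        if wanted and token.get("{%s}Id" % NS["wsu"]) == wanted:
            return (token.text or "").strip()
    return None


def parse_rst(xml_text):
    """Extract the security-relevant fields of a citizen ticket exchange RST."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hdr = root.find("soapenv:Header", NS)
    rst = root.find("soapenv:Body/wst:RequestSecurityToken", NS)
    signed_info = hdr.find("wsse:Security/ds:Signature/ds:SignedInfo", NS)
    return {
        "created": utc(hdr.findtext("wsse:Security/wsu:Timestamp/wsu:Created", namespaces=NS)),
        "signed_ids": {r.get("URI", "").lstrip("#") for r in signed_info.findall("ds:Reference", NS)},
        "certificate": signing_certificate(hdr),
        "token_type": rst.findtext("wst:TokenType", namespaces=NS),
        "request_type": rst.findtext("wst:RequestType", namespaces=NS),
        "has_act_as": rst.find("wst14:ActAs/saml:Assertion", NS) is not None,
        "audience": rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS),
        "claims": {c.get("Uri"): c.findtext("auth:Value", namespaces=NS)
                   for c in rst.findall("wst:Claims/auth:ClaimType", NS)},
    }


def check_rst(info, now_iso, max_age_minutes=5):
    """Structural checks a receiver runs before verifying the signature value itself.
    now_iso is the receiver's clock as 'YYYY-MM-DDTHH:MM:SSZ'. Returns a list of problems."""
    now = utc(now_iso)
    checks = [
        (REQUIRED_SIGNED_IDS - info["signed_ids"], "signature does not cover messageID, action, ts and body"),
        (abs(now - info["created"]) > dt.timedelta(minutes=max_age_minutes), "timestamp outside accepted window"),
        (info["certificate"] is None, "no signing certificate in KeyInfo"),
        (info["token_type"] != SAML2_TOKEN_TYPE or info["request_type"] != ISSUE_REQUEST_TYPE, "not a SAML 2.0 Issue request"),
        (not info["has_act_as"], "ActAs bootstrap token missing"),
        (CPR_CLAIM not in info["claims"], "CPR claim missing"),
    ]
    return [message for failed, message in checks if failed]
```

Call parse_rst on the received envelope and pass the result with the receiver's own clock to check_rst; an empty list means the request is structurally acceptable and signature verification can proceed. Dropping one ds:Reference from the sample, or moving the clock more than five minutes from the wsu:Created value, produces the corresponding problem string.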


Example code (seal.java)

// The bootstrap token DOM is normally obtained when the citizen authenticates with NemLog-in
OIOBootstrapToken bootstrapToken = new OIOBootstrapToken(this.bootstrapTokenDom);
OIOSAMLFactory oiosamlFactory = new OIOSAMLFactory();
OIOBootstrapToIdentityTokenRequestDOMBuilder requestBuilder = oiosamlFactory.createOIOBootstrapToIdentityTokenRequestDOMBuilder();
requestBuilder.setOIOBootstrapToken(bootstrapToken);
// To build a request with the certificate in a BinarySecurityToken instead, call:
// requestBuilder.setSigningVault(getValidWhitelistedVault(), true);
requestBuilder.setSigningVault(getValidWhitelistedVault());
requestBuilder.setAudience("http://audience/clear");
requestBuilder.setCPRNumberClaim("0501792275");
requestBuilder.setProcurationByCprClaim("1111111118");
Document requestDocument = requestBuilder.build();

final String requestString = XmlUtil.node2String(requestDocument, false, false);
final Document responseDoc = soapClient.execute(requestString);

OIOBootstrapToIdentityTokenResponse response = oiosamlFactory.createOIOBootstrapToIdentityTokenResponseModelBuilder().build(responseDoc);
assertFalse(response.getFaultString(), response.isFault());
response.validateSignature();
response.validateSignatureAndTrust(federation);

final IdentityToken identityToken = response.getIdentityToken();

// identity token can be used to authenticate against backend service
// below we just inspect the result
assertEquals("0501792275", identityToken.getCpr());
assertEquals("http://audience/clear", identityToken.getAudienceRestriction());
assertTrue(identityToken.getIssuer(), identityToken.getIssuer().contains("STS"));
assertEquals("DK-SAML-2.0", identityToken.getAttribute("dk:gov:saml:attribute:SpecVer"));
assertEquals("3", identityToken.getAssuranceLevel());
final BasicPrivileges privileges = identityToken.getPrivileges();
final String privilegeScope = "urn:dk:healthcare:saml:actThroughProcurationBy:cprNumberIdentifier:1111111118";
assertEquals(1, privileges.getPrivileges(privilegeScope).size());
assertTrue(privileges.getPrivileges(privilegeScope).contains("urn:dk:nspop:sts:read"));


Format of privileges

Currently up to 4 privileges are possible. When present, they are returned in the Privileges_Intermediate attribute in base64-encoded format:

...

A valid response will always contain 1-2 privileges, since in the case of 0 privileges an error response is returned.

Test citizens

In the test system, a power-of-attorney holder (citizen) has been created with the CPR number 0501792275

...