1. Indledning

Denne omveksling kan modtage et NSP OIO SAML Bootstrap Token og returnere et NSP OIO IDWS Identity Token.

Et NSP OIO Bootstrap Token er en SAML 2.0 Assertion der repræsentere en borger. Det udstedes af en Identity Provider (IdP). Det er muligt at opbygge et NSP OIO Bootstrap Token vha. Seal.Java, men det er typisk kun til testformål. Et NSP OIO Bootstrap Token kan valideres ved at kontrollere, at audience svarer til den modtager, det er udstedt til, at gyldighedsperioden ikke er udløbet, og at signaturen er gyldig. Signaturen for en SAML 2.0 Assertion valideres ved at benytte det indlejrede signeringscertifikat.

Det samlede request der sendes til en STS er signeret af en troværdig tredjepart, der enten kan være lokal IdP eller SEB. Det samlede request kan valideres vha. det Holder Of Key certifikat der er indlejret i NSP OIO Bootstrap Token.

Et NSP OIO IDWS Identity Token er en SAML 2.0 Assertion der repræsentere en borger. Det kan opbygges af Seal.Java og det vil typisk være en STS der gør dette i forbindelse med omveksling. Det kan benyttes ved borgerkald af NSP services. Et NSP OIO IDWS Identity Token kan valideres ved at kontrollere, at audience svarer til den modtager, det er udstedt til, at gyldighedsperioden ikke er udløbet, og at signaturen er gyldig. Signaturen for en SAML 2.0 Assertion valideres ved at benytte det indlejrede signeringscertifikat.

I det følgende vises nogle stykker kode der viser hvordan man som anvender skal bruge Seal.Java til denne omveksling. 

Der findes et komplet eksempel (incl. STS omveksling) sidst på siden.

2. Eksempel

2.1. Bootstrap Token

2.1.1.  Læs OIO SAML Assertion fra IdP

En NSP OIO SAML Assertion der stammer fra en Identity Provider og er repræsenteret i et W3C element kan Seal.Java parse til et OIOBSTSAMLAssertion objekt på følgende måde:

OIOBSTSAMLAssertion oiosamlAssertion = OIOBSTSAMLAssertionFactory.createOIOBSTSAMLAssertion(assertionElement);

Hvor den modtagne OIO SAML Assertion er indlæst i et Element i variablen assertionElement.

2.1.2. Opbyg OIO SAML Assertion

Seal.Java kan anvendes til at opbygge en OIO SAML Assertion. Dette vil typisk ske i forbindelse med test.

Først skal CredentialVaults sættes op og der skal lave en instans af den factory der kan håndtere OIO SAML:

// CredentialVault og Factory
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Medarbejdercertifikat", "Kodeord til Medarbejdercertifikat");
CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
OIOSAMLFactory factory = new OIOSAMLFactory();

En signeret OIO SAML Assertion opbygges vha. Seal.Java på denne måde:


// Byg OIOBSTSAMLAssertion
OIO3BSTSAMLAssertionBuilder oiosamlAssertionBuilder = factory.createOIO3BSTSAMLAssertionBuilder();
oiosamlAssertionBuilder.setIssuer("https://oio3bst-issuer.dk");
oiosamlAssertionBuilder.setNameId("KorsbaekKommune\\MSK");
oiosamlAssertionBuilder.setAudience("http://audience.nspoop.dk/dds");
oiosamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
oiosamlAssertionBuilder.setCvr("20301823");
oiosamlAssertionBuilder.setOrganizationName("Korsbæk Kommune");
oiosamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKey.getSystemCredentialPair().getCertificate());
oiosamlAssertionBuilder.setSigningVault(signingVault);
OIOBSTSAMLAssertion oiosamlAssertion = oiosamlAssertionBuilder.build();



2.2. STS Request

2.2.1.  Opbygge STS request til testformål

Det samlede STS request med en NSP OIO SAML Assertion opbygges på denne måde:

// NSP OIO SAML Assertion findes i denne variabel:
OIOBSTSAMLAssertion oiosamlAssertion = ...

OIOBSTSAMLAssertionToIDCardRequestDOMBuilder requestBuilder = factory.createOIOBSTSAMLAssertionToIDCardRequestDOMBuilder();
requestBuilder.setAudience("http://audience.nspoop.dk/dds");
requestBuilder.setITSystemName("Korsbæk Kommunes IT systemer");
requestBuilder.setSubjectNameID("Mads_Skjern");
requestBuilder.setSigningVault(signingVault);
requestBuilder.setOIOBSTSAMLAssertion(oiosamlAssertion);

Document consumerStsRequestDocument = requestBuilder.build();

Når requestet sendes over netværket skal det konverteres til XML:

// Konverter til XML så det kan sendes over netværket
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);

Nu vil en STS kunne modtage det og veksle det til en NSP OIO IDWS Identity Token. Eksempel på hvordan Seal.Java kan anvendes til denne omveksling findes her: Seal.Java 3 - Guide til anvendere (STS) - Bootstrap Token til OIO-Idws Token

2.2.2.  Request som stream

En consumer vil typisk have et NSP OIO SAML Bootstrap Token som en stream der kan sendes direkte til en STS. Dette vil man selv kunne deserialisere hvis man vil se indholdet:

// Anvender har et XML dokument indeholdende NSP OIO SAML Bootstrap Token request:
String consumerStsRequestXml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" ... </soapenv:Envelope>";

Document requestDocument = XmlUtil.readXml(new Properties(), consumerStsRequestXml, false);
OIOBootstrapToIdentityTokenRequest request = factory.createOIOBootstrapToIdentityTokenRequestModelBuilder().build(requestDocument);

Det er nu muligt for en STS at se indholdet af requestet og på baggrund af indholdet vil en STS kunne bygge et response.

2.3. STS Response

Når consumeren modtager svaret fra STS, så skal det først indlæses i et W3C Document:

// Konverter XML svaret fra STS til Document
Document consumerStsResponseDocument = XmlUtil.readXml(new java.util.Properties(), consumerStsResponseXml, false);

Man kan nu deserialisere svaret til et OIOBootstrapToIdentityTokenResponse modelobjekt:

// Deserialiser STS svaret til modelobjekt
OIOBootstrapToIdentityTokenResponse consumerStsResponse = factory.createOIOBootstrapToIdentityTokenResponseModelBuilder().build(consumerStsResponseDocument);

Her efter kan man hente Identity Token ud og verificere attributterne:

// Hent Identity Token fra STS svar
IdentityToken identityTokenResponse = consumerStsResponse.getIdentityToken();

// Verificer at det er et IDWS token samt at assurance level og audience er som forventet
Assert.assertEquals("DK-SAML-2.0", identityTokenResponse.getSpecVersion());
Assert.assertEquals("3", identityTokenResponse.getAssuranceLevel());
Assert.assertEquals("http://fmk-online.dk", identityTokenResponse.getAudienceRestriction());


2.4. Service Request

Når vi har STS svaret kan service requestet opbygges. Først skal der opbygges et IDWS request med den Body der passer til den service der skal kaldes. Den kan se sådan her ud, hvor Body elementet ikke er udfyldt:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header />
    <soapenv:Body>
        ...
    </soapenv:Body>
</soapenv:Envelope>

Nu kan man så bruge Seal.Java til at berige dette request med det Identity Token der findes i STS svaret (identityTokenResponse)  og signere det:

LibertyRequestDOMEnhancer enhancer = oioidwsFactory.createRequestDOMEnhancer(serviceConsumerRequestDocument);

enhancer.setIdentityToken(identityTokenResponse);
enhancer.setWSAddressingMessageID(messageIdSupplier.get());
enhancer.setWSAddressingAction(soapAction);
enhancer.enhanceAndSign();

String serviceConsumerRequestXml = XmlUtil.node2String(serviceConsumerRequestDocument, false, true);

Det samlede request kommer til at se sådan ud, hvor body delen her er tom:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:sbf="urn:liberty:sb" xmlns:sbfprofile="urn:liberty:sb:profile"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
        <wsse:Security mustUnderstand="1" wsu:Id="security">
            <wsu:Timestamp wsu:Id="ts">
                <wsu:Created>2025-10-01T09:16:10Z</wsu:Created>
            </wsu:Timestamp>
            <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
                ID="_55765161-0dc4-4dc7-9156-b862035c2584" IssueInstant="2025-10-01T09:16:10Z"
                Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <saml:Issuer>TEST1-NSP-STS</saml:Issuer>
                <ds:Signature Id="OCESSignature">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <ds:Reference URI="#_55765161-0dc4-4dc7-9156-b862035c2584">
                            <ds:Transforms>
                                <ds:Transform
                                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <ds:DigestValue>0UrB5HZ5sM8/BFhYyGTypND09h8=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>
                        bzdd9rbaf7gBI/+f6ISkhC8M9XD1/VQ4Jo/7pr8RKCdnyBhZJTOkpqCrw6MG01PAWxgfGpVZZ+7ZS5kYBkRjFHUyPPDtJrQ1Tc6hNrw30bx57LfYCjU3+hKz0arUvD+ncxpGhGFgwqbvBZMCwr496186TcZwWW2QAymz3TmTKcGtdv0QnhVDnYFIbWS8sxjJ3sgGj9HC9adBLJ280l5IOYmBwDQ7f86TxwFtqGKzjTtfFcEH3q9gup7o2QD6NMRdW8Rg4DxPnqfewsfv06yPfPPwdwJWDFWyLmA4gcWzYs7Ao1UH6W5j4Zh5mbsNRP9YV1zVDk89Ny5V6n98WSzg1irgbLwJJsor/N52ZK/wMpilX3r/qH1gABI83kV40Rd6Tp4hJizKaJ+bPiw/DLTYVzwD8mz9pWPZnI7jjlIo9sJ9RRFiY3UameJJA/U2iqt3G17tdrG93VhzFZRqaMIqveKjaxKShEBWP96rloLyCf0GOsZX/xmVc07Lw2jeJ+5O</ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>
                                MIIGiDCCBLygAwIBAgIUR5IfpZdXnxp/UHxA0KWAcKzWcm4wQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMGsxLTArBgNVBAMMJERlbiBEYW5za2UgU3RhdCBPQ0VTIHVkc3RlZGVuZGUtQ0EgMTETMBEGA1UECwwKVGVzdCAtIGN0aTEYMBYGA1UECgwPRGVuIERhbnNrZSBTdGF0MQswCQYDVQQGEwJESzAeFw0yMzA1MTIxMTIzMDFaFw0yNjA1MTExMTIzMDBaMIGeMR0wGwYDVQQDDBRTT1NJIFRlc3QgRmVkZXJhdGlvbjE3MDUGA1UEBRMuVUk6REstTzpHOjU4ZjEwNDNkLTNkMmYtNGRlZC1hYjUwLTk0MGRiNDc3NmExODEeMBwGA1UECgwVU3VuZGhlZHNkYXRhc3R5cmVsc2VuMRcwFQYDVQRhDA5OVFJESy0zMzI1Nzg3MjELMAkGA1UEBhMCREswggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCDqOcDXr2tsBXp3QqYpoZCyJAJQ4+rEtmOLJL/Qyol+5e2NyBOqIGdpXdcSI6hCTYEQu/67EDFRcO9yU6yD/u7xOcy+t3eCqx1ydOy20AZCdcKwRmxBzyQN5er+mBErG2+iprTWJdpwCw0mwjNt5edusm7Nwufk0AkN5nxvEEynwesTdTqgLzL99Jk1zdg0uokROg1s13CCvpenYks8+yXwgddO/36WmUn9V8N+1MIu+UpwsULB9zsNCU8qlDzlgg1u6nr8nnKTBBwT2mXl4xCOF2EEJF5lGUaJ+NOu/ljI2WN2pEUsiqpZPvsI14teJKucH4zCV2y7PhyCBacuti7rEZjuZ6ELeTiUvgs+TqqTFGn3dxCq6FOgz5z5N2ypPTPzg/ntBH0CqkjFn+loh5GIBcA8ff5AHNjqM3Ygu/u1p+BwszeGJLAwk0AUtp67aB4QBGuh73vWsaeERwg4Hc1HeNldv/I4iyMQFlp1qsZoAC6cApeoM6umihYcTfi7rMCAwEAAaOCAYYwggGCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUfyif2XGZQuJ159c1di5NCCVtdl4wewYIKwYBBQUHAQEEbzBtMEMGCCsGAQUFBzAChjdodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2Nlcy9pc3N1aW5nLzEvY2FjZXJ0L2lzc3VpbmcuY2VyMCYGCCsGAQUFBzABhhpodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2NzcDAhBgNVHSAEGjAYMAgGBgQAj3oBATAMBgoqgVCBKQEBAQMHMDsGCCsGAQUFBwEDBC8wLTArBggrBgEFBQcLAjAfBgcEAIvsSQECMBSGEmh0dHBzOi8vdWlkLmdvdi5kazBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vY2ExLmN0aS1nb3YuZGsvb2Nlcy9pc3N1aW5nLzEvY3JsL2lzc3VpbmcuY3JsMB0GA1UdDgQWBBQoPAINYQR2GfgN1KAQMauutePL6jAOBgNVHQ8BAf8EBAMCBaAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBgQC31Dtgc8+hxB0v+/RL1N3SsyfIxKNVJBhkl2Rfihn700Or5E+0ETyP8mV8MadraDBDYbwMkd3TNOzuF6Ct8c4X5mv+XKr8m0eDPlh7I7mMZ5zzpVw5Co4Wiwwiv9Hb59P/c182FaSPAA1bpmko9AH+duPcquiQELoSRfqW23B2cejACd95XbyXQVFdbCdhyCGAexbJ4egChJsXPU2zAOXq1/pa5bNSmJMsJgqP36bTbA6r+mjv0FArkrL76W1kmchpj6F4tSuDaaJlUmKvmzzBomwhlQRr/vxZc0FOamnJ8is9wC49tOaEMUx2l2iSWZKXMh4C6LQC8hQsjiXnYsERAWgeqwzqtVE3iKaGhOv+W7ECKFndGjYM95bdVK8x9BymTrPun63BCiVGqhMzsEc2RkvbKgBpb7L+Ont0EAahwcTshBzfe0jhA2thWHNGFxXpNqI0ZaAo/NKJpHK3I0EACAB0/VjiQZ/inSKtPnof1/nQZ32QWX3ij0VkX2mE2Pw=</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
                        dk:gov:saml:attribute:CprNumberIdentifier:0101701234</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                        <saml:SubjectConfirmationData NotOnOrAfter="2025-10-01T10:06:10Z"
                            Recipient="https://fsk">
                            <ds:KeyInfo>
                                <ds:X509Data>
                                    <ds:X509Certificate>
                                        MIIGljCCBMqgAwIBAgIUSekWoKAJgAnqOOnhCpBxT0Y7+DIwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMGsxLTArBgNVBAMMJERlbiBEYW5za2UgU3RhdCBPQ0VTIHVkc3RlZGVuZGUtQ0EgMTETMBEGA1UECwwKVGVzdCAtIGN0aTEYMBYGA1UECgwPRGVuIERhbnNrZSBTdGF0MQswCQYDVQQGEwJESzAeFw0yNTAzMTAwOTM2NThaFw0yODAzMDkwOTM2NTdaMIGrMSIwIAYDVQQDDBlEUkcgRnVua3Rpb25zY2VydGlmaWthdGV0MTcwNQYDVQQFEy5VSTpESy1POkc6NWVjN2FmMDEtZTJkZC00NWRhLTkyZjMtZWE4ZWVlY2U5NmY2MSYwJAYDVQQKDB1UZXN0b3JnYW5pc2F0aW9uIG5yLiA5NTQ0NDk2MDEXMBUGA1UEYQwOTlRSREstOTU0NDQ5NjAxCzAJBgNVBAYTAkRLMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAm/9FRP56L/AY3JzWW5KKFa9uAAMdaE6F27Niz4kh/76NeRJ+v0SYGHrYeTojsuNIvoiL7igacO9HCxBJZ9eXkYEHN5oni1oix8WXrIiZ+lshndFCmzOkOUp4oKdmQYU4wFgxySDICkh4X1ZiV7zX2QSYYRIS0CT7BgCM8PUJj+3uQsK8/WmfnCagz33OY5j3zM6zIj/P3NFPSW/mOBJGd5NmPqiWIkE5TAi0v55V9KXKonTQNbyBNmtDFgAeOZuu9PcVQXT4XTZ29Nf9Q8DlOuJkgE5J4YslxKCZAVowtpZ4bvo6+AeBi/TGAyGwH8ZQSquLTRfu+XxA2NeQP/un9OOrb9tbgM879zEjTzRViJQb3DbzyTso3QdZ8ePzGo8or303T3Y1sBsmkgR4ca+WrGJYalHSSv24w/uX5ouYp9isYYigCd+on9EOGdhg1A+8yMfEEk1k6U+Xwk/PorTbaHiwTZzYVTtITYZwuo/AQAuv9fok1vyszLAA9LsRLRu3AgMBAAGjggGHMIIBgzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFH8on9lxmULidefXNXYuTQglbXZeMHsGCCsGAQUFBwEBBG8wbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhMS5jdGktZ292LmRrL29jZXMvaXNzdWluZy8xL2NhY2VydC9pc3N1aW5nLmNlcjAmBggrBgEFBQcwAYYaaHR0cDovL2NhMS5jdGktZ292LmRrL29jc3AwIgYDVR0gBBswGTAIBgYEAI96AQEwDQYLKoFQgSkBAQEDBwEwOwYIKwYBBQUHAQMELzAtMCsGCCsGAQUFBwsCMB8GBwQAi+xJAQIwFIYSaHR0cHM6Ly91aWQuZ292LmRrMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jYTEuY3RpLWdvdi5kay9vY2VzL2lzc3VpbmcvMS9jcmwvaXNzdWluZy5jcmwwHQYDVR0OBBYEFA6of2eL0FrGUwTaBkf7OmPgvqMzMA4GA1UdDwEB/wQEAwIFoDBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggGBAMKj8r6/7oFNzN6Bj8IivsIKfES4R+Q7881DTvaMrtG8Oewi6tUNw6ZEW+/C3kS2eh1xl85tDEi1wN2EKFEgrHIo0RnICx8CCWgd9LPc6f3D8VyLMS5mDeZgjFtZ63SOsIAyeupVHuSx6UCaHKCLyp48Rc7VtHgVIzjFEq/BHzyAcEeSymfLRf4pPbob7zLNSF4jmWUXpyQ47IEYL5zWXBsJdzc++RIMQ5blphINN++auZoXCsy63yAjenfZkv5/hy6v3GZN7vHjdKTf+bOZNYvDoiFqCjsKTDHDOGShr2lGRYGZcOBd/c94wBMILn4/lzThoj3U2S7uUt5ommYD9Db9GVF7Bs71Ey3FLetIa5ynJI14qTkflp3Ij++GAJqdKuUPVCHpHrNJTkzypr4ZDr8AF9q0mvVg0IfMaf9INx0/dAzNUxOoaYKxuiK4r8a3IBBX59QXlctGlgG+CTR0YjPG6uftRB6dSQh1sb7fxDm2eX9+bqqH4Wi/YKDYqGq3RQ==</ds:X509Certificate>
                                </ds:X509Data>
                            </ds:KeyInfo>
                        </saml:SubjectConfirmationData>
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Conditions NotBefore="2025-10-01T09:11:10Z"
                    NotOnOrAfter="2025-10-01T10:06:10Z">
                    <saml:AudienceRestriction>
                        <saml:Audience>https://fsk</saml:Audience>
                    </saml:AudienceRestriction>
                </saml:Conditions>
                <saml:AttributeStatement>
                    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xsi:type="xs:string">0101701234</saml:AttributeValue>
                    </saml:Attribute>
                </saml:AttributeStatement>
            </saml:Assertion>
            <wsse:SecurityTokenReference
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                wsu:Id="str">
                <wsse:KeyIdentifier
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                    _55765161-0dc4-4dc7-9156-b862035c2584</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
            <ds:Signature>
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#body">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>lbWOchC8WPqugicDmHUOwQR0iug=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#ts">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>6DJcxPGqNVFB2n1Kdj1KYYjUssk=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#str">
                        <ds:Transforms>
                            <ds:Transform
                                Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <ds:CanonicalizationMethod
                                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                </wsse:TransformationParameters>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>0rM6QpH6WBKezKgwF6Lw/2X9yfU=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#messageID">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>Bn0NvtRUO5U2fts3sQTgKR9OV4c=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#action">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>nFVfWu71MwSlvS2L2n7kca+otEQ=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#sbf">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>DrMuEoWp7Uik1KTUOuvtisxvpXA=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    DHSQ8NecqemsFcmzrWXB85stEUO9Z64fjJ4VwbTcV+6/fZAQ3udCjHQERu9wQhODphSlMnQt9pN9ozjFPUKYteX7bm6O6W4+6cnA+NnX/RoAePn9KXBkKrTSni503MlmCXyp5mKf3uzxoPqggP5Kx12pG9pIuuNdGnKGJER5W6KYAnCkHV6pHp/wfHoESL2T+UqC79Eed157oJOZBY3g2i8U18UIChlrM+XdVVAzKJBS+dzkUObZbiWC92hZ156Z4kt5ZRJN3R839fStdreb1wpvG9scom37UYG3HNezVhwEsZPFA0PTFjZLCc0Chkt3+hzqhfi1w77TpGP/2vTwaNIx0PQ0KG+P/t2ptvMenSjQTRpD5z3STTBRTbdgMk7g+zem32LIV9Rk3KGgDgUOLdx++nR4X8zEM5kgSjuJ+4WFVwFw+TWxQIeE215Se3xTFw2Jscw3FHo0+YFwo9pWWnIowjCISfgtgSqevnH4OAEiuVh/EmJdDRym3n4wAlIi</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                        wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                        wsu:Id="sigStr">
                        <wsse:KeyIdentifier
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                            _55765161-0dc4-4dc7-9156-b862035c2584</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
        <wsa:MessageID wsu:Id="messageID">c32e833f-0c92-41bd-b9d4-fd3ab36ab1f6</wsa:MessageID>
        <wsa:Action wsu:Id="action">
            http://sundhedsdatastyrelsen.dk/skr/2024/01/01#GetPersonalDataCard</wsa:Action>
        <sbf:Framework sbfprofile:profile="urn:liberty:sb:profile:basic" version="2.0" wsu:Id="sbf" />
    </soapenv:Header>
    <soapenv:Body wsu:Id="body">
        ...
    </soapenv:Body>
</soapenv:Envelope>

2.5. Service Response

Seal.Java kan nu benyttes til at validere det samlede response fra servicen. Ved kald til en IDWS service kan man vha. kald til Seal.Java tjekke om svaret indeholder en fejl og evt. fejlbesked og fejlkode.

Eksempel på dette hvor vi antager at vi har svaret som et Document i variablen serviceConsumerResponseDocument:

Federation federation = new SOSITestFederation(new Properties());

OIOBootstrapToIdentityTokenResponse response = new OIOBootstrapToIdentityTokenResponseModelBuilder().build(serviceConsumerResponseDocument);

// Verify IDWS service response for errors
if (response.isFault()) {
   log.error("Response error: " + response.getFaultString() + ", error code: " + response.getFaultCode());
   return false;
}

// Validate IDWS service response
try {
   response.validateSignature();
   response.validateSignatureAndTrust(federation);
} catch (ModelBuildException e) {
   log.error("Validation error: " + e.getMessage());
   return false;
}

return true;


3.  Komplet eksempel (incl. STS delen)


 public class TestFactoryFlow {
        
    @Test
    public void testBst2Idws() {

        /**
         * Consumer sender request
         */

        // CredentialVault og Factory
        CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Medarbejdercertifikat", "Kodeord til Medarbejdercertifikat");
        CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
        OIOSAMLFactory factory = new OIOSAMLFactory();

        // Byg OIOBSTSAMLAssertion
        OIO3BSTCitizenSAMLAssertionBuilder oio3bstCitizenSAMLAssertionBuilder = factory.createOIO3BSTCitizenSAMLAssertionBuilder();
        oio3bstCitizenSAMLAssertionBuilder.setAudience("http://fmk-online.dk");
        oio3bstCitizenSAMLAssertionBuilder.setIssuer("Issuer");
        oio3bstCitizenSAMLAssertionBuilder.setNameId("NameId");
        oio3bstCitizenSAMLAssertionBuilder.setAssuranceLevel(AssuranceLevel.NSIS.Substantial);
        oio3bstCitizenSAMLAssertionBuilder.setCpr("0101701234");
        oio3bstCitizenSAMLAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
        oio3bstCitizenSAMLAssertionBuilder.setSigningVault(signingVault);
        oio3bstCitizenSAMLAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
        OIOBSTSAMLAssertion oiobstsamlAssertion = oio3bstCitizenSAMLAssertionBuilder.build();

        // Byg STS request
        OIOBootstrapToIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createOIOBootstrapToIdentityTokenRequestDOMBuilder();
        requestDomBuilder.setOIOBootstrapToken(oiobstsamlAssertion);
        requestDomBuilder.setAudience("http://fmk-online.dk");
        requestDomBuilder.setCPRNumberClaim("0101701234");
        requestDomBuilder.setSigningVault(signingVault);
        Document consumerStsRequestDocument = requestDomBuilder.build();

        /**
         * Send request over netværk
         */
        String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
        consumerStsRequestDocument = XmlUtil.readXml(new java.util.Properties(), consumerStsRequestXml, false);

        /**
         *  STS modtager request
         */
        OIOBootstrapToIdentityTokenRequest stsRequest = factory.createOIOBootstrapToIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

        // Her vil STS'en verificere ID kortet. I dette eksempel verificeres følgende tre attributter:
        oiobstsamlAssertion = stsRequest.getOIOBSTSAMLAssertion();
        Assert.assertEquals("OIO-SAML-3.0", oiobstsamlAssertion.getSpecVersion());
        Assert.assertEquals("Substantial", oiobstsamlAssertion.getAssuranceLevel());
        Assert.assertEquals("http://fmk-online.dk", oiobstsamlAssertion.getAudienceRestriction());

        /**
         *  STS bygger response
         */

        // Byg IdentityToken
        CitizenIdentityTokenBuilder identityTokenBuilder = factory.createCitizenIdentityTokenBuilder();
        identityTokenBuilder.setAudienceRestriction("http://fmk-online.dk");
        identityTokenBuilder.setRecipientURL("https://fmk");
        identityTokenBuilder.setIssuer("Issuer");
        identityTokenBuilder.setNotBefore(notBefore);
        identityTokenBuilder.setNotOnOrAfter(notOnOrAfter);
        identityTokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        identityTokenBuilder.setCprNumberAttribute("0101701234");
        identityTokenBuilder.setSubjectNameID("SubjectNameID");
        identityTokenBuilder.setSubjectNameIDFormat("SubjectNameIDFormat");
        identityTokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
        identityTokenBuilder.setSigningVault(signingVault);

        IdentityToken identityToken = identityTokenBuilder.build();

        // Byg STS response
        AbstractOIOToIdentityTokenResponseDOMBuilder<?> responseBuilder = factory.createOIOBootstrapToIdentityTokenResponseDOMBuilder();
        responseBuilder.setIdentityToken(identityToken);
        responseBuilder.setSigningVault(signingVault);
        responseBuilder.setRelatesTo("relatesTo");
        responseBuilder.setContext("context");

        Document consumerStsResponseDocument = responseBuilder.build();

        /**
         *  Send response over netværk
         */
        String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
        consumerStsResponseDocument = XmlUtil.readXml(new Properties(), consumerStsResponseXml, false);

        /**
         *  Consumer modtager response
         */
        OIOBootstrapToIdentityTokenResponse consumerStsResponse = factory.createOIOBootstrapToIdentityTokenResponseModelBuilder().build(consumerStsResponseDocument);

        IdentityToken identityTokenResponse = consumerStsResponse.getIdentityToken();
        Assert.assertEquals("DK-SAML-2.0", identityTokenResponse.getSpecVersion());
        Assert.assertEquals("3", identityTokenResponse.getAssuranceLevel());
        Assert.assertEquals("http://fmk-online.dk", identityTokenResponse.getAudienceRestriction());
    }
}


  • No labels