1. Indledning

Denne guide beskriver hvordan en STS skal omveksle et eHDSI IDWS XUA Bootstrap Token (DKNCPBST) udsted af "Danish National Contact Point" til et eHDSI IDWS XUA Identity Token (IDWS-eHDSI).

I det følgende vises nogle stykker kode der viser hvordan en STS kan lave denne omveksling.

Der findes et komplet eksempel (incl. hvordan anvender opbygger request og modtager response) sidst på siden.

2. Eksempel

2.1. STS Request

Beskrivelse af hvordan Seal.Java anvendes til at opbygge et STS request findes her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token

Opret en instans af EHDSIFactory og en CredentialVault der indeholder et virksomhedscertifikat der anvendes til denne omveksling:

// CredentialVault og Factory
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat");
CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
EHDSIFactory factory = new EHDSIFactory();

En STS vil kunne anvende Seal.Java til at modtage et XML dokument indeholdende et request og det skal deserialiseres til et DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest modelobjekt:

consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

Nu vil en STS kunne verificere det indkomne eHDSI IDWS XUA Bootstrap Token. Dette er ikke relevant for denne anvenderguide, men her er et eksempel på hvordan man henter den indlejrede SAML Assertion ud validere det og verificere tre attributter:

// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();

Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());

2.2. STS Response

Nu vil en STS bygge et response og først bygge en signeret eHDSI IDWS XUA Identity Token:

// Build Ehdsi Idws Xua Employee identity token
EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
tokenBuilder.setIssuer("http://sosi");
tokenBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
tokenBuilder.setNotBefore(notBefore);
tokenBuilder.setNotOnOrAfter(notOnOrAfter);
tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
tokenBuilder.setSigningVault(signingVault);
tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

// Øvrige attributter sættes
tokenBuilder.setSubject("Alfonso Gonzalez");
tokenBuilder.setRole("2221", "Nursing professionals");
...

EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();

Dette eHDSI IDWS XUA Identity Token kan nu indlejres i det samlede svar fra STS:

// Build Ehdsi Idws Xua Employee response
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
responseBuilder.setSigningVault(holderOfKeyVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");

Document consumerStsResponseDocument = responseBuilder.build();

Svaret kan sendes over netværket som XML:

String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);

Nu vil en anvender kunne modtage det omvekslede eHDSI IDWS XUA Identity Token og hvordan man anvender Seal.Java til at behandle dette svar er beskrevet her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token

3. Komplet eksempel (incl. opbygning af request og modtagelse af response)

public class TestFactoryFlow {

    private final String NAMEID_FORMAT_X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    @Test
    public void testDKNCPBST2EHDSIIdws() {
       
        /**
         * Consumer sender request
         */

        // CredentialVault og Factory
        CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat");
        CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");        
        EHDSIFactory factory = new EHDSIFactory();

        // Build Dkncp Boostrap SAML Assertion
        String issuer = "http://sosi";

        DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
        dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
        dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
        Date now = new Date();
        dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
        dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
        dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

        // Mandatory attribute values
        dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
        dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
        dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
        dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
        dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
        dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
        dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");

        DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
        dkncpBootstrapSamlAssertion.validateSchema();
        dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);

        // Build Dkncp Bootstrap request
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
        requestDomBuilder.setAudience("https://sosi");
        requestDomBuilder.setSigningVault(holderOfKeyVault);
        requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);

        // Serialize request to the same form as received by the STS
        Document consumerStsRequestDocument = requestDomBuilder.build();

        /**
         * Send request over netværk
         */
        String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
        consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);

        /**
         *  STS modtager request
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

        // validate request
        request.validateSignatureAndTrust(holderOfKeyVault);
        request.validateHolderOfKeyRelation();


        // Validate assertion
        DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();

        // The DKNCP BST Assertion can be schema validated after serialize/deserialize
        assertion.validateSchema();
        assertion.validateSignatureAndTrust(signingVault);

        // Verify all attributes
        Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());

        Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
        Assert.assertEquals("2221", assertion.getRoleCode());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
        Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());

        Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
        Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());

        Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());

        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());

        Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
        Assert.assertEquals("DE", assertion.getCountryOfTreatment());

        /**
         *  STS bygger response
         */

        // Build Ehdsi Idws Xua Employee identity token
        EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
        tokenBuilder.setIssuer("http://sosi");
        tokenBuilder.setAudienceRestriction("https://fmk");
        tokenBuilder.setNotBefore(notBefore);
        tokenBuilder.setNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
        tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        tokenBuilder.setSigningVault(signingVault);
        tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

        tokenBuilder.setSubject("Alfonso Gonzalez");
        tokenBuilder.setRole("2221", "Nursing professionals");

        tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        tokenBuilder.setHealthcareFacilityType("Hospital");
        tokenBuilder.setPurposeOfUse("TREATMENT");

        tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");

        tokenBuilder.setAssuranceLevel("3");
        tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        tokenBuilder.setCountryOfTreatment("DE");

        EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();

        // Validate Identity Token
        ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
        ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Build Ehdsi Idws Xua Employee response
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
        responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
        responseBuilder.setSigningVault(holderOfKeyVault);
        responseBuilder.setRelatesTo("relatesTo");
        responseBuilder.setContext("context");

        Document consumerStsResponseDocument = responseBuilder.build();

        /**
         *  Send response over netværk
         */
        String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
        consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);

        /**
         *  Consumer modtager response
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);

        // Validate entire response
        response.validateSignature();

        // Validate the Ehdsi Idws Xua Employee Identity token from the response
        EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();

        // The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
        employeeIdentityToken.validateSchema();
        employeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Verify all attributes
        assertEquals("3", employeeIdentityToken.getAssuranceLevel());
        assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
        Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
        Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());

        Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
        Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());

        Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());

        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());

        Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
        Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
    }
}

Content

Space Tools

1. Indledning

2. Eksempel

2.1. STS Request

2.2. STS Response

3. Komplet eksempel (incl. opbygning af request og modtagelse af response)

Content

Space Tools

Seal.Java 3 - Guide til anvendere (STS) - Dkncp Boostrap token til eHDSI Identity token

1. Indledning

2. Eksempel

2.1. STS Request

2.2. STS Response

3. Komplet eksempel (incl. opbygning af request og modtagelse af response)