1. Introduction

Exchanges an eHDSI IDWS XUA Bootstrap Token (DKNCPBST) issued by the "Danish National Contact Point" for an eHDSI IDWS XUA Identity Token (IDWS-eHDSI)

An eHDSI IDWS XUA Bootstrap Token is based on OIO-IDWS and is a SAML 2.0 Assertion representing the requesting user; in this profile that is a healthcare professional, which is why it is exchanged for an employee identity token. It is issued by the Danish National Contact Point (DKNCP). It is possible to build an eHDSI IDWS XUA Bootstrap Token with Seal.Java, but this is typically only done for test purposes. The token is validated by checking that the audience matches the recipient it was issued to, that the validity period (NotBefore/NotOnOrAfter) has not expired, and that the signature is valid. The signature on a SAML 2.0 Assertion is verified with the embedded signing certificate, and that certificate must itself be trusted; Seal.Java's validateSignatureAndTrust(vault) performs both checks.

The complete request sent to the STS is signed by the consumer with the holder-of-key credential. The STS validates the request with the Holder Of Key certificate embedded in the eHDSI IDWS XUA Bootstrap Token and checks that the key that signed the request is the one the token was issued to (the holder-of-key relation); a request signed with any other key must be rejected.

The exchanged eHDSI IDWS XUA Identity Token is largely identical to the eHDSI IDWS XUA Bootstrap Token and carries the same SAML attributes.
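The validation rules just described (audience, validity window, holder-of-key binding), applied to the assertion XML as an added Python example. This is not Seal.Java code and not part of the original page: the assertion is constructed here after the token shown in section 2.4, the certificates are placeholder byte strings, and the cryptographic signature check that Seal.Java performs in validateSignatureAndTrust is intentionally left out (it needs an XML-DSig implementation). What the example adds is the order and the failure modes of the non-cryptographic checks, including the clock-skew tolerance and the comparison of the request signer's certificate with the holder-of-key certificate in the token:

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed placeholders standing in for DER-encoded certificates
HOK_CERT = b"constructed-placeholder-holder-of-key-certificate"
OTHER_CERT = b"constructed-placeholder-some-other-certificate"


def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_assertion(hok_cert=HOK_CERT):
    """Constructed assertion shaped like the token in the service request in section 2.4 (no signature)."""
    cert = base64.b64encode(hok_cert).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_390ea322-411a-4c0e-8d49-ce913cdba835" IssueInstant="2025-11-25T12:19:41Z" Version="2.0">
  <saml:Issuer>http://sosi</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Lars Larsen</saml:NameID>
    <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml:SubjectConfirmationData NotOnOrAfter="2025-11-25T12:19:51Z">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-11-25T12:19:40Z" NotOnOrAfter="2025-11-25T12:24:41Z">
    <saml:AudienceRestriction><saml:Audience>https://fmk</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_bootstrap_token(assertion_xml, expected_audience, request_signer_cert, now,
                          skew=timedelta(seconds=30)):
    """Return the list of reasons to reject the token; an empty list means all checks passed.

    The enveloped ds:Signature and the trust of its signing certificate are not checked here;
    that is validateSignatureAndTrust in Seal.Java and must be done in addition to this.
    """
    reasons = []
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"]

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")  # optional in SAML
        if not_before and now + skew < parse_saml_time(not_before):
            reasons.append("not yet valid")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after is None:
            reasons.append("missing NotOnOrAfter")
        elif now - skew >= parse_saml_time(not_on_or_after):
            reasons.append("expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            reasons.append("audience mismatch: %r" % audiences)

    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOLDER_OF_KEY:
        reasons.append("subject confirmation is not holder-of-key")
    else:
        scd = sc.find("saml:SubjectConfirmationData", NS)
        deadline = scd.get("NotOnOrAfter") if scd is not None else None
        if deadline and now - skew >= parse_saml_time(deadline):
            reasons.append("delivery deadline passed")
        cert_el = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None:
            reasons.append("no holder-of-key certificate")
        elif base64.b64decode("".join(cert_el.text.split())) != request_signer_cert:
            # the key that signed the request must be the one the token was issued to
            reasons.append("request signer is not the holder of key")
    return reasons
```

A non-empty reason list is a hard reject; the checks are run together with, not instead of, signature verification. Untrusted XML should be parsed with a hardened parser (for example defusedxml) rather than the plain ElementTree used here for brevity.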

The following code fragments show how a consumer uses Seal.Java for this exchange.

A complete example (including the STS exchange) that runs without modification is found at the end of the page.

2. Example

2.1. eHDSI IDWS XUA Bootstrap Token

2.1.1. Reading an eHDSI IDWS XUA SAML Assertion from an IdP

EHDSIFactory has no method for parsing an eHDSI IDWS XUA SAML Assertion originating from an Identity Provider (as a W3C Element) into a DkncpBootstrapSamlAssertion object.

2.1.2. Building an eHDSI IDWS XUA SAML Assertion

Seal.Java can be used to build an eHDSI IDWS XUA SAML Assertion. This is typically done for testing.

First the CredentialVaults are set up and an instance of the factory that handles eHDSI IDWS XUA is created:

// Vault with the certificate that signs the assertion (the issuer's credential)
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filename of PKCS#12 company certificate", "Password for company certificate");
// Vault with the holder-of-key credential; its certificate is bound in the assertion and its key signs the STS request
CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filename of PKCS#12 holder-of-key certificate", "Password for holder-of-key certificate");
EHDSIFactory factory = new EHDSIFactory();

A signed eHDSI IDWS XUA SAML Assertion is built with Seal.Java as follows:

String issuer = "http://sosi";
// Validity window: one second back and five minutes ahead, matching the sample token in section 2.4
Date now = new Date();
Date notBeforeDateTime = new Date(now.getTime() - 1000L);
Date notOnOrAfterDateTime = new Date(now.getTime() + 5L * 60 * 1000);

DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);

dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBeforeDateTime);
dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfterDateTime);
dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName");
dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfterDateTime);
dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");

List<String> permissions = new ArrayList<>();
permissions.add("urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-004");
permissions.add("urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010");
dkncpBootstrapSamlAssertionBuilder.setPermissions(permissions);

dkncpBootstrapSamlAssertionBuilder.setOnBehalfOf("221", "Medical Doctors");
dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");

dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");

dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");

DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();

2.2. STS Request

The complete STS request containing the eHDSI IDWS XUA Bootstrap Token is built like this:

// the eHDSI IDWS XUA SAML Assertion is in this variable:
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = ...

// Build Dkncp Bootstrap request
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();

requestDomBuilder.setAudience("https://sosi");
// the request is signed with the holder-of-key credential, so the STS can check the holder-of-key relation
requestDomBuilder.setSigningVault(holderOfKeyVault);
requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);

Document consumerStsRequestDocument = requestDomBuilder.build();

When the request is sent over the network it must be serialized to XML:

String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);

An STS can now receive it and exchange it for an eHDSI IDWS XUA Identity Token that can be used on the NSP platform. An example of how Seal.Java is used on the STS side for this exchange is found here: Seal.Java 3 - Guide til anvendere (STS) - Dkncp Boostrap token til eHDSI Identity token

2.2.1. Request as a stream

A consumer will typically hold the eHDSI IDWS XUA Bootstrap Token request as a stream that is sent directly to an STS. It can also be deserialized if you want to inspect the contents:

// The consumer has an XML document containing the eHDSI IDWS XUA Bootstrap Token request:
String consumerStsRequestXml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" ... </soapenv:Envelope>";

Document requestDocument = XmlUtil.readXml(new Properties(), consumerStsRequestXml, false);
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(requestDocument);

It is now possible for an STS to inspect the contents of the request and, based on them, build a response.

2.3. STS Response

When the consumer receives the response from the STS, it is first read into a Document:

// Convert the XML response from the STS to a Document
Document consumerStsResponseDocument = XmlUtil.readXml(new java.util.Properties(), consumerStsResponseXml, false);

The response can now be deserialized into a DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse model object:

// Deserialize the STS response to a model object
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse consumerStsResponse = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder().build(consumerStsResponseDocument);

The eHDSI IDWS XUA Identity Token can then be extracted and its attributes verified. Before the token is used, the signature on the response (validateSignature) and the signature and trust of the token itself (validateSchema, validateSignatureAndTrust) should be checked as in the complete example in section 3:

// Get the Identity Token from the STS response
EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = consumerStsResponse.getEhdsiIdwsXuaEmployeeIdentityToken();

// Verify that it is an eHDSI IDWS XUA Identity Token, plus a couple of other attributes:
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
Assert.assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());


2.4. Service Request

Once the STS response is available, the service request can be built. First an eHDSI XUA IDWS request with the Body that fits the service to be called is built. It can look like this, with the Body element left empty:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:sbf="urn:liberty:sb" xmlns:sbfprofile="urn:liberty:sb:profile"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soapenv:Header>
        ...
    </soapenv:Header>    
    <soapenv:Body>
        ...
    </soapenv:Body>
</soapenv:Envelope>

Seal.Java can now be used to enrich this request with the eHDSI IDWS XUA Identity Token from the STS response and to sign it. The message signature is verified by the service against the holder-of-key certificate bound in the token's SubjectConfirmation, so the enhancer must be given the vault holding the corresponding private key:

// The skeleton request above, read into a Document (XmlUtil.readXml as in section 2.2.1)
Document serviceConsumerRequestDocument = XmlUtil.readXml(new Properties(), serviceConsumerRequestSkeletonXml, false);
String soapAction = "http://foo.com#bar"; // wsa:Action of the service being called

// holderOfKeyVault holds the private key of the holder-of-key certificate in the identity token;
// employeeIdentityToken is the token extracted from the STS response in section 2.3
EhdsiRequestDOMEnhancer enhancer = factory.createEhdsiRequestDOMEnhancer(holderOfKeyVault, serviceConsumerRequestDocument);
enhancer.setWSAddressingAction(soapAction);
enhancer.setEhdsiIdwsXuaEmployeeIdentityToken(employeeIdentityToken);
enhancer.enhanceAndSign();

String serviceConsumerRequestXml = XmlUtil.node2String(serviceConsumerRequestDocument, false, true);

The complete request then looks like this (the Body is empty here). Note that in this output the message-level signature uses rsa-sha1 and sha1 digests while the assertion itself is signed with rsa-sha256; SHA-1 is deprecated for digital signatures, so check which algorithms the receiving service accepts:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:sbf="urn:liberty:sb" xmlns:sbfprofile="urn:liberty:sb:profile"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soapenv:Header>
        <wsse:Security mustUnderstand="1" wsu:Id="security">
            <wsu:Timestamp wsu:Id="ts">
                <wsu:Created>2025-11-25T12:19:41Z</wsu:Created>
            </wsu:Timestamp>
            <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                ID="_390ea322-411a-4c0e-8d49-ce913cdba835" IssueInstant="2025-11-25T12:19:41Z"
                Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:Issuer>http://sosi</saml:Issuer>
                <ds:Signature Id="OCESSignature">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod
                            Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                        <ds:Reference URI="#_390ea322-411a-4c0e-8d49-ce913cdba835">
                            <ds:Transforms>
                                <ds:Transform
                                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                            <ds:DigestValue>OYvT2iTaVAxohdVEob8FQ71VTyqLyecOI8TIIT6gTOQ=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>
                        ...</ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>
                                ...</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=DK,O=Ingen
                        organisatorisk tilknytning,CN=Lars
                        Larsen,Serial=PID:9208-2002-2-514358910503</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                        <saml:SubjectConfirmationData NotOnOrAfter="2025-11-25T12:19:51Z">
                            <ds:KeyInfo>
                                <ds:X509Data>
                                    <ds:X509Certificate>
                                        ...</ds:X509Certificate>
                                </ds:X509Data>
                            </ds:KeyInfo>
                        </saml:SubjectConfirmationData>
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Conditions NotBefore="2025-11-25T12:19:40Z"
                    NotOnOrAfter="2025-11-25T12:24:41Z">
                    <saml:AudienceRestriction>
                        <saml:Audience>https://fmk</saml:Audience>
                    </saml:AudienceRestriction>
                </saml:Conditions>
                <saml:AttributeStatement>
                    <saml:Attribute FriendlyName="XSPA Subject"
                        Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">Alfonso Gonzalez</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XSPA Role"
                        Name="urn:oasis:names:tc:xacml:2.0:subject:role">
                        <saml:AttributeValue>
                            <Role xmlns="urn:hl7-org:v3" code="2221"
                                codeSystem="2.16.840.1.113883.2.9.6.2.7" codeSystemName="ISCO"
                                displayName="Nursing professionals" xsi:type="CE" />
                        </saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XSPA Organization Id"
                        Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">urn:oid:1.3.6.1.4.1.44938</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="EHDSI Healthcare Facility Type"
                        Name="urn:ehdsi:names:subject:healthcare-facility-type" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">Hospital</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XSPA Purpose of Use"
                        Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
                        <saml:AttributeValue>
                            <PurposeOfUse xmlns="urn:hl7-org:v3" code="TREATMENT"
                                codeSystem="urn:oasis:names:tc:xspa:1.0" xsi:type="CE" />
                        </saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XSPA Locality"
                        Name="urn:oasis:names:tc:xspa:1.0:environment:locality" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">Klinik am Berg, 83242 Reit im
                            Winkl</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XUA Patient Id"
                        Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">
                            0205756078^^^&amp;1.2.208.176.1.2&amp;ISO</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="IDWS XUA SpecVersion"
                        Name="urn:dk:healthcare:saml:SpecVersion" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">eHDSI-IDWS-XUA-1.0</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="IDWS XUA IssuancePolicy"
                        Name="urn:dk:healthcare:saml:IssuancePolicy" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">urn:dk:sosi:sts:eHDSI-strict</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="EHDSI Country of Treatment"
                        Name="urn:dk:healthcare:saml:CountryOfTreatment" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">DE</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="NIST AssuranceLevel"
                        Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XSPA permissions"
                        Name="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">
                            urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-004</saml:AttributeValue>
                        <saml:AttributeValue xsi:type="xs:string">
                            urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="EHDSI OnBehalfOf"
                        Name="urn:ehdsi:names:subject:on-behalf-of">
                        <saml:AttributeValue>
                            <Role xmlns="urn:hl7-org:v3" code="221"
                                codeSystem="2.16.840.1.113883.2.9.6.2.7" codeSystemName="ISCO"
                                displayName="Medical Doctors" xsi:type="CE" />
                        </saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute FriendlyName="XSPA Organization"
                        Name="urn:oasis:names:tc:xspa:1.0:subject:organization" NameFormat="">
                        <saml:AttributeValue xsi:type="xs:string">Charité – Universitätsmedizin
                            Berlin</saml:AttributeValue>
                    </saml:Attribute>
                </saml:AttributeStatement>
            </saml:Assertion>
            <wsse:SecurityTokenReference
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                wsu:Id="str">
                <wsse:KeyIdentifier
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                    _390ea322-411a-4c0e-8d49-ce913cdba835</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
            <ds:Signature>
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#body">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>t4qwYXQUpCa6RcPoOxZurThUAQE=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#ts">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>PAd/Il/MPQ374UqwA45WNqFBASw=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#str">
                        <ds:Transforms>
                            <ds:Transform
                                Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <ds:CanonicalizationMethod
                                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                </wsse:TransformationParameters>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>MplFr7XEIG5UEjmXXHrPAtMiSss=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#messageID">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>JC57pKzzB6LKydk++s7Dzibh5TA=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#action">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>gMcZyZVVFnlS95RDJcS8GmTyPzY=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#sbf">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>DrMuEoWp7Uik1KTUOuvtisxvpXA=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    ...</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                        wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                        wsu:Id="sigStr">
                        <wsse:KeyIdentifier
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                            _390ea322-411a-4c0e-8d49-ce913cdba835</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
        <wsa:MessageID wsu:Id="messageID">urn:uuid:a74425bc-b3f2-4891-a6c5-576914fdfdde</wsa:MessageID>
        <wsa:Action wsu:Id="action">http://foo.com#bar</wsa:Action>
        <sbf:Framework sbfprofile:profile="urn:liberty:sb:profile:basic" version="2.0" wsu:Id="sbf" />
    </soapenv:Header>
    <soapenv:Body wsu:Id="body" />
</soapenv:Envelope>
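Before a service can verify the message-level signature on an envelope like the one above, it has to work out which key that signature was made with and which parts of the message it covers. The following added Python example (not Seal.Java code and not part of the original page) shows that resolution over an envelope constructed after the output above; the certificate, digest and signature values are placeholders and no cryptographic verification is performed. It follows the ds:KeyInfo SecurityTokenReference to the SAML assertion by ID, takes the holder-of-key certificate from that assertion's SubjectConfirmation, and refuses messages where the referenced assertion is not a direct child of wsse:Security, where a wsu:Id occurs twice, or where the Body or Timestamp is not among the signed references, which are the structural conditions a signature-wrapping attack relies on:

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ASSERTION_ID = "_390ea322-411a-4c0e-8d49-ce913cdba835"
HOK_CERT = b"constructed-placeholder-holder-of-key-certificate"  # stands in for a DER certificate


def sample_envelope(key_ref=ASSERTION_ID, body_id="body", wrapped=False):
    """Constructed envelope shaped like the enhancer output; digest/signature values are dummies.
    wrapped=True puts a second element with wsu:Id="body" in the Header, as a wrapping attack would."""
    cert = base64.b64encode(HOK_CERT).decode()
    wrapper = '<soapenv:Body wsu:Id="body"><Evil/></soapenv:Body>' if wrapped else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:ds="{NS['ds']}" xmlns:saml="{NS['saml']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soapenv:Header>
    <wsse:Security wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2025-11-25T12:19:41Z</wsu:Created></wsu:Timestamp>
      <saml:Assertion ID="{ASSERTION_ID}" IssueInstant="2025-11-25T12:19:41Z" Version="2.0">
        <saml:Issuer>http://sosi</saml:Issuer>
        <saml:Subject><saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
          <saml:SubjectConfirmationData NotOnOrAfter="2025-11-25T12:19:51Z">
            <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
          </saml:SubjectConfirmationData>
        </saml:SubjectConfirmation></saml:Subject>
      </saml:Assertion>
      <wsse:SecurityTokenReference wsu:Id="str">
        <wsse:KeyIdentifier ValueType="{SAMLID}">{ASSERTION_ID}</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#body"/><ds:Reference URI="#ts"/><ds:Reference URI="#str"/></ds:SignedInfo>
        <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference>
          <wsse:KeyIdentifier ValueType="{SAMLID}">{key_ref}</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>{wrapper}
  </soapenv:Header>
  <soapenv:Body wsu:Id="{body_id}"/>
</soapenv:Envelope>"""


def resolve_signing_key(envelope_xml):
    """Return (assertion_id, holder_of_key_cert, signed_ids); raise ValueError if the message is unsafe."""
    root = ET.fromstring(envelope_xml)
    seen = set()  # every wsu:Id must be unique, otherwise an ID reference can be redirected
    for el in root.iter():
        wsu_id = el.get(WSU_ID)
        if wsu_id is not None:
            if wsu_id in seen:
                raise ValueError("duplicate wsu:Id %s" % wsu_id)
            seen.add(wsu_id)
    header = root.find("soapenv:Header", NS)
    securities = header.findall("wsse:Security", NS) if header is not None else []
    if len(securities) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    security = securities[0]
    signatures = security.findall("ds:Signature", NS)  # direct children only: the message signature
    if len(signatures) != 1:
        raise ValueError("expected exactly one message signature")
    sig = signatures[0]
    key_id = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if key_id is None or key_id.get("ValueType") != SAMLID:
        raise ValueError("message signature KeyInfo does not reference a SAML assertion")
    assertion_id = key_id.text.strip()
    # only an assertion placed directly in wsse:Security may supply the verification key
    assertion = next((a for a in security.findall("saml:Assertion", NS) if a.get("ID") == assertion_id), None)
    if assertion is None:
        raise ValueError("referenced assertion %s not in wsse:Security" % assertion_id)
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOLDER_OF_KEY:
        raise ValueError("assertion is not holder-of-key")
    cert_el = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None:
        raise ValueError("no holder-of-key certificate in assertion")
    hok_cert = base64.b64decode("".join(cert_el.text.split()))
    signed_ids = {r.get("URI")[1:] for r in sig.findall("ds:SignedInfo/ds:Reference", NS)
                  if r.get("URI", "").startswith("#")}
    body = root.find("soapenv:Body", NS)
    timestamp = security.find("wsu:Timestamp", NS)
    for name, el in (("Body", body), ("Timestamp", timestamp)):
        if el is None or el.get(WSU_ID) not in signed_ids:
            raise ValueError("%s is not covered by the message signature" % name)
    return assertion_id, hok_cert, signed_ids


def rejection(**kwargs):
    """None if the sample envelope built with kwargs is accepted, otherwise the rejection message."""
    try:
        resolve_signing_key(sample_envelope(**kwargs))
        return None
    except ValueError as e:
        return str(e)
```

The returned certificate is the one the ds:SignatureValue must verify against, and the assertion's own enveloped signature still has to be verified and its issuer trusted (validateSignatureAndTrust in Seal.Java); the point of resolving the key this way is that the service never takes the verification key from anywhere other than the assertion that sits in its own Security header.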


2.5. Service Response

It is currently not possible to use Seal.Java to receive service responses for this exchange.

3. Complete example (including the STS part)


import java.util.Date;

import org.junit.Assert;
import org.junit.Test;
import org.w3c.dom.Document;

import dk.sosi.seal.vault.ClasspathCredentialVault;
import dk.sosi.seal.vault.CredentialVault;
import dk.sosi.seal.xml.XmlUtil;
// EHDSIFactory, SAMLValues and the eHDSI model and builder classes are imported from Seal.Java as well
// (their packages are not shown on this page)

public class TestFactoryFlow {

    private final String NAMEID_FORMAT_X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    // Role coding as it appears in the token XML in section 2.4
    private static final String EHDSI_ROLE_XSI_TYPE = "CE";
    private static final String EHDSI_ROLE_CODE_SYSTEM = "2.16.840.1.113883.2.9.6.2.7";
    private static final String EHDSI_ROLE_CODE_SYSTEM_NAME = "ISCO";

    @Test
    public void testDKNCPBST2EHDSIIdws() {

        /**
         * Consumer sends request
         */

        // CredentialVaults and factory
        CredentialVault signingVault = new ClasspathCredentialVault(null, "Filename of PKCS#12 company certificate", "Password for company certificate");
        CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filename of PKCS#12 holder-of-key certificate", "Password for holder-of-key certificate");
        EHDSIFactory factory = new EHDSIFactory();

        // Build Dkncp Bootstrap SAML Assertion
        String issuer = "http://sosi";

        DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
        dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
        dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
        Date now = new Date();
        Date notBefore = new Date(now.getTime() - 1000L);             // one second back, tolerates small clock skew
        Date notOnOrAfter = new Date(now.getTime() + 5L * 60 * 1000); // five minutes ahead
        dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
        dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
        dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
        dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

        // Mandatory attribute values
        dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
        dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
        dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
        dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
        dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
        dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
        dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");

        DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
        dkncpBootstrapSamlAssertion.validateSchema();
        dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);

        // Build Dkncp Bootstrap request
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
        requestDomBuilder.setAudience("https://sosi");
        requestDomBuilder.setSigningVault(holderOfKeyVault);
        requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);

        // Serialize request to the same form as received by the STS
        Document consumerStsRequestDocument = requestDomBuilder.build();

        /**
         * Send request over the network
         */
        String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
        consumerStsRequestDocument = XmlUtil.readXml(System.getProperties(), consumerStsRequestXml, false);

        /**
         *  STS receives request
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);

        // Validate request: signature and trust of the request signer, and that the signer is the holder of key named in the token
        request.validateSignatureAndTrust(holderOfKeyVault);
        request.validateHolderOfKeyRelation();


        // Validate assertion
        DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();

        // The DKNCP BST Assertion can be schema validated after serialize/deserialize
        assertion.validateSchema();
        assertion.validateSignatureAndTrust(signingVault);

        // Verify all attributes
        Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());

        Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
        Assert.assertEquals("2221", assertion.getRoleCode());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
        Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
        Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());

        Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
        Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());

        Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());

        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());

        Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
        Assert.assertEquals("DE", assertion.getCountryOfTreatment());

        /**
         *  STS builds response
         */

        // Build Ehdsi Idws Xua Employee identity token
        EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
        tokenBuilder.setIssuer("http://sosi");
        tokenBuilder.setAudienceRestriction("https://fmk");
        tokenBuilder.setNotBefore(notBefore);
        tokenBuilder.setNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
        tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
        tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
        tokenBuilder.setSigningVault(signingVault);
        tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());

        tokenBuilder.setSubject("Alfonso Gonzalez");
        tokenBuilder.setRole("2221", "Nursing professionals");

        tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
        tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
        tokenBuilder.setHealthcareFacilityType("Hospital");
        tokenBuilder.setPurposeOfUse("TREATMENT");

        tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
        tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");

        tokenBuilder.setAssuranceLevel("3");
        tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
        tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
        tokenBuilder.setCountryOfTreatment("DE");

        EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();

        // Validate Identity Token
        ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
        ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Build Ehdsi Idws Xua Employee response
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
        responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
        responseBuilder.setSigningVault(holderOfKeyVault);
        responseBuilder.setRelatesTo("relatesTo");
        responseBuilder.setContext("context");

        Document consumerStsResponseDocument = responseBuilder.build();

        /**
         *  Send response over the network
         */
        String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
        consumerStsResponseDocument = XmlUtil.readXml(System.getProperties(), consumerStsResponseXml, false);

        /**
         *  Consumer receives response
         */
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
        DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);

        // Validate entire response
        response.validateSignature();

        // Validate the Ehdsi Idws Xua Employee Identity token from the response
        EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();

        // The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
        employeeIdentityToken.validateSchema();
        employeeIdentityToken.validateSignatureAndTrust(signingVault);

        // Verify all attributes
        Assert.assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
        Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
        Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());

        Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
        Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
        Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());

        Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());

        Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
        Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());

        Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
        Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
        Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
        Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
    }
}

