Introduktion

Formål med dokumentet

Formålet med dette dokument er at give en detaljeret beskrivelse af de konkrete services, der udbydes af STS i forbindelse med anvendelsesområdet Medarbejdromvekslinger.

Læsevejledning

Dokumentet henvender sig primært til udviklere, der skal i gang med at anvende de konkrete medarbejdervekslingssnitflader udbudt af STS.

Dokumentet bygger i høj grad på den overordnede STS - Guide til anvendere, som giver et overblik over STS og levere i denne sammenhæng et mere dybdegående teknisk beskrivelse af de services i STS, der ligger i anvendelsesområdet medarbejderomvekslinger.

Overblik over services og anvendelse

Som beskrevet i STS - Guide til anvendere, så findes der i STS følgende services indenfor anvendelsesområdet medarbejderomvekslinger:

Medarbejderomveksling

/sts/services/Sosi2OIOSaml

Niveau 4

Omveksler SOSI Idkort til OIO Saml sikkerhedsbillet rettet mod et specifikt audience, f.eks. sundhed.dk.

Bemærk, at det SOSI Idkort, der veksles, skal være udstedt af /sts/services/NewSecurityTokenService

/sts/services/OIOSaml2Sosi

Niveau 5

Omveksler OIO Saml sikkerhedsbillet til SOSI Idkort.

Bemærk, at den OIO Saml sikkerhedsbillet, der veksles, skal være signeret af troværdig tredjepart (i praksis NemLogin)

Fælles for begge snitflader er, at STS validerer signaturen på indkommende forespørgsler. Det tjekkes, at forespørgslen er signeret med et gyldigt (ikke udløbet, ikke spærret) certifikat. Derudover tjekkes det, at sikkerhedsbilletter, der er en del af forespørgslen ligeledes er signeret med et gyldigt (ikke udløbet, ikke spærret) certifikat.

Valideringer i forbindelse med veksling fra SOSI Idkort til OIO SAML

Udover at indeholde et gyldigt SOSI Idkort på niveau 3 eller 4 (dvs. baseret på et MOCES-, VOCES- eller FOCES-certifikat) som input til omvekslingen, vil omvekslingsrequests af denne type indeholde:

Audience: Dvs. navnet på den webaplikation, som det udstedte token skal gælde for.

Det angivne audience skal være konfigureret i STS'en.

Gyldige requests vil resultere i udstedelse af en OIO SAML sikkerhedsbillet signeret af STS og rettet mod den angivne webapplikation. Oplysningerne i denne sikkerhedsbillet er baseret på oplysningerne i SOSI Idkortet, samt suppleret med information fra STSens konfiguration for det givne audience.

En del af denne audience-konfiguration er:

Den modtagende webapplikations offentlige nøgle: Den udstedte OIO SAML billet krypteres med denne, så det kun kan dekrypteres og anvendes af modtagerapplikationen.
Angivelse af, om det vekslede SOSI Idkort skal være en del af den udstedte sikkerhedsbillet: Ved at indlejre SOSI Idkortet giver det mulighed for, at modtagerapplikationen kan foretage kald til NSPs services på vegne af den kaldende bruger.

Billetomvekslingen kan således anvendes af alle med adgang til NSP. Men kan kun veksle til en assertion som giver adgang til et system kendt og konfigureret i STS.

Valideringer i forbindelse med veksling fra OIO SAML til SOSI Idkort

Der er følgende krav til requests til denne omvesklingsservice:

Medarbejderens CPR-nummer skal enten være angivet i forespørgslen eller kunne bestemmes ud fra certifikatet. Hvis CPR nummeret er medsendt i requestet, så vil STS validere dette udfra RID i certifikatet vha OCES RID-CPR valideringsservice.
Autorisationsnummer og uddannelseskode skal enten være angivet i forespørgslen eller kunne bestemmes entydigt (ud fra CPR-nummer og autorisationsregister).
It-system-navn skal være angivet i forespørgslen da dette ikke indgår i et OIO SAML (NemLogin) token.
Herudover kan man vælge at medsende brugerens fornavn/efternavn i forespørgslen, idet fornavnet ikke kan bestemmes ud fra en OIO SAML sikkerhedsbillet.

Såfremt omvekslingen går godt, vil slutresultatet være et STS-signeret id-kort med oplysninger sammensat fra NemLogin token, supplerende informationer og opslag, som herefter kan benyttes som adgangsbillet til NSP-platformens services.

Claims i forhold til autorisationsnummer og uddannelseskode håndteres vha den samme algoritme, der beskrevet i STS - Guide til anvendere: DGWS.

Snitfladebeskrivelser

Afhængig af miljø udstilles tjenesten på:

http://<sts-host>:<port>/sts/services/Sosi2OIOSaml

http://<sts-host>:<port>/sts/services/OIOSaml2Sosi

Eksempler på requests

I det følgende gives eksempler på de to typer af requests:

Veksling fra SOSI Idkort til OIO SAML

Veksling fra OIO SAML til SOSI Idkort

Selve requestet til STS ser således ud:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts">
        <wsu:Created>2020-12-04T13:34:53Z</wsu:Created>
      </wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>CmI9nsLcR3tIH331Qpwnh5Q0tZA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#ts">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>ulJY+wzEYEvxHWhqK3/whW6Mnmw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#messageID">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>HcrDir5O5S/LidhZ/US8rAqyuhI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#action">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>3cXAhlhZH22NiSh7AttxKxBap7Q=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CGpgSPnpOqWRqj4GhbMhchvcCXJO/Qox8DucwfIjoPmktENPUUOT1KL9vy9qDr/XeogUmRDFbUCSfGZGHuoAjkDzo3P7A1aoeZ5TG8+t4oTQgej0O0+ww+/djg81cAuHeCueTVPRgL0xyiVBNUR7uR15OWY7DzXYd3LvvKNyA3zyS4jLJA8y4Dkahb6JU1CWmOT7r79qhH8q7tbScv+dSJQdPHjbH1XW9ilD/fZiqNZBHA0Zcu+H5OPpvtgKKO52+ZNDuIJ8h9nm2IPglTSK1jyg6J9xQ5i3Iko7rVUOTQe6r3PfnPh/GIdcN8d4ZMjUo7JXmZCaKtKa2yuaRPqRIA==</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>MIIGJjCCBQ6gAwIBAgIEW607GjANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MTIxNjE0MzE1NFoXDTIyMTIxNjE0MzEwN1owgZAxCzAJBgNVBAYTAkRLMScwJQYDVQQKDB5ORVRTIERBTklEIEEvUyAvLyBDVlI6MzA4MDg0NjAxWDAgBgNVBAUTGUNWUjozMDgwODQ2MC1GSUQ6OTQ3MzEzMTUwNAYDVQQDDC1UVSBHRU5FUkVMIEZPQ0VTIGd5bGRpZyAoZnVua3Rpb25zY2VydGlmaWthdCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1oIiZqfo6pai5XoKDBlrtsckoUrj2AxK9neEWWjB6HtzXeVou/AnA5R5xZL+3BpCoZHkoI9ncsh+dTNSeFgNkWkZXRIYK9RYAsxvpr3vTlvDtwfGxY9KLQJJrU/8N0EQbdfNncz6cDNBpoYQRv573nOZdwQKp3sAo+ONDw69ttghOlQekOpbeMwAjTwBRSEWPmqAbsCH+H5niU6TlUfWWJ3WXLeQD4m7AOFEWpYDtTl2ZpN/sEoaAEvnwMZpT6aqbegipIB++llsR8Hc8pd/JnChfwOQrx1gBPn7oSfGLYQS4R1ZPlsredAkWiWGvWnxtJ46AUVNZEzydcIaHkyCvAgMBAAGjggLNMIICyTAOBgNVHQ8BAf8EBAMCA7gwgZcGCCsGAQUFBwEBBIGKMIGHMDwGCCsGAQUFBzABhjBodHRwOi8vb2NzcC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9yZXNwb25kZXIwRwYIKwYBBQUHMAKGO2h0dHA6Ly9mLmFpYS5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjItY2EuY2VyMIIBIAYDVR0gBIIBFzCCARMwggEPBg0rBgEEAYH0UQIEBgQDMIH9MC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCByQYIKwYBBQUHAgIwgbwwDBYFRGFuSUQwAwIBARqBq0RhbklEIHRlc3QgY2VydGlmaWthdGVyIGZyYSBkZW5uZSBDQSB1ZHN0ZWRlcyB1bmRlciBPSUQgMS4zLjYuMS40LjEuMzEzMTMuMi40LjYuNC4zLiBEYW5JRCB0ZXN0IGNlcnRpZmljYXRlcyBmcm9tIHRoaXMgQ0EgYXJlIGlzc3VlZCB1bmRlciBPSUQgMS4zLjYuMS40LjEuMzEzMTMuMi40LjYuNC4zLjCBrQYDVR0fBIGlMIGiMD2gO6A5hjdodHRwOi8vY3JsLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMjEuY3JsMGGgX6BdpFswWTELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODElMCMGA1UEAwwcVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhJSSBDQTEPMA0GA1UEAwwGQ1JMMjE0MB8GA1UdIwQYMBaAFKuoAUQZsLNDmdr6fMzSABgD5zy/MB0GA1UdDgQWBBQBeqJr/Y3aBTNh08u88qjEhB6GETAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQB7XyjSExCey9MOZxwR7RYjAfbOz/hLVNe1/Maw7Q7tLDVFwjmyZMbpxEAGlTFlo8y8yW5Dc6QQQejQ8+OCtbsJ2MmZfRf4HvezKIVwhZO2wUBbtUroiiatGiKE75GELjDkCI5iEo+aQFxzZ+saKWB6iyQkk9LqQs4+ut4HwUj2a3pXyXc7NfY+ivOxYYYOoPqvrhqEWTdjJv6A2mF6cdWKlZKBnvr8ndkVGQpHDHIUq9BcwGw6iVhaJcAoSl+i4kAjg3gNyWcr0UonyjwkQmaFMQJTkO95lDtn6XOLgXTwKS5X65cLhBDZqXPyNMaR+jGkQ6Ert5jceanwXzaKkLT5</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:20d3cb77-a509-41bc-be6f-214f4453d2a8</wsa:MessageID>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityToken Context="urn:uuid:2f0ca258-1916-4c20-876f-5331a349e2fc">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst14:ActAs>
        <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_84b6b907-4ae8-43d4-a922-28d04fa0d6c2" IssueInstant="2020-12-04T13:34:53Z" Version="2.0">
          <saml:Issuer>STS tester/issuer</saml:Issuer>
          <ds:Signature Id="OCESSignature">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#_84b6b907-4ae8-43d4-a922-28d04fa0d6c2">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>ufSXPtPiVJWLlt9ENfAfYOsMENo=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>cH8TvxJusVbIFoFMzHYzrzYeaGKVUDf57qpUo8agEmRipV5AmRX3UdP1N5cKP6Isl8TJAZ3txePEedpBkdVopjBo2cx8ZVJTXgO2sD6uxbdhGKmVEGPR0f69k8vNOz9sXubNWIN+Xxh2GOHpGp91AV0Nsq9wqxCQURo9lNcdsc20QwC9zPbxCoSw+WV92hV10z72PvSX5OS0SeM+kBl83DTtBEJWOhlUFv9060pUXh17pt3QCK2LoMCb/2Ly40ab4DtbzLURf6aHSUfVNsIiV0DNp4IXrXPS5GOFs+j5gnEeRU80j2iC+tijm2wU4iUZ7GANVddVCfGnFFOYkHKL4g==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIGNjCCBR6gAwIBAgIEWRzGcDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE4MDgyODE0MDc0NVoXDTIxMDgyODE0MDY0MVowgaExCzAJBgNVBAYTAkRLMS8wLQYDVQQKDCZTdGF0ZW5zIFNlcnVtIEluc3RpdHV0IC8vIENWUjo0NjgzNzQyODFhMCAGA1UEBRMZQ1ZSOjQ2ODM3NDI4LUZJRDo5MjQyMTMyNTA9BgNVBAMMNkZ1bmt0aW9uc3NpZ25hdHVyIHRpbCB0ZXN0bWlsasO4IChmdW5rdGlvbnNjZXJ0aWZpa2F0KTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJb1udNsBCGOyfmRu5yiVWLvuLEPV7vMBiyG/LD67zWHBSODuRoQBNBvrGE5iyXHskqQ8PEzK+N+MWyhp7XKXjU76HGQzSgsXS1nmbDa0QjlomYWyUVgoNiOFRtmSO2GT+CCGD0UvcuzPkxCPCpFGbmOcCaspkH/0wsWIzOGWAFtLdp63dFwgrtkNPr8TK7JxihfGl98n/A/Ibpw19h0sg3cnxTrbeW2whTg2iuP0QgmkggzR/kD7MH5oe98V5rgFD3gvdspfAW9tWgsG9DFxOzPhU6RVPKpUKrHnlQEKaVrDlDLExUx424HSHRESS9/42q7jy1Mi7oL4aMuTG8MoC8CAwEAAaOCAswwggLIMA4GA1UdDwEB/wQEAwIDuDCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL2YuYWlhLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMi1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGBAIwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi40LjIuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi40LjIuMIGsBgNVHR8EgaQwgaEwPaA7oDmGN2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyMS5jcmwwYKBeoFykWjBYMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ4wDAYDVQQDDAVDUkw3NjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUw8wwIBeDjIYO/cn7TpNmW8hXaVAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAXTQ5jb2Bk+nzr81zocF/HS3gPGSmF85dfBjoPpohjT8+gN2BgOpKxCd5RAbuCLnRHuJNcrJ1Km3Fi9hXkIVMki80MoJwmtTR2lRUxk+hiv6Q6+MvK7Dr2JzzHn/ktqd76Ej7+PpJn62GTZY+X+jNUzRoPPoO3ycKZFTrpUzH7s3LidFvhuBNculEXXI3yX9a+KrFRcOZ+F31Q1yQ/g5gPhdI6bIyzIK2RrjNhpjx1jAqv8ufvPPJeShkzZ0OZOxG3fr4MGdP84/8HSRhgaZE5AK5nVq9vP9dM+awU8gw5M1pTioAjGHkd0zWlv/XO76fN3tpn02ttgDPVzgTHTmF2w==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
          <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=DK,O=NETS DANID A/S // CVR:30808460,CN=TU GENEREL MOCES M CPR gyldig,Serial=CVR:30808460-RID:42634739</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T14:34:53Z" Recipient="STS tester/recipientUrl"/>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2020-12-04T12:34:53Z" NotOnOrAfter="2020-12-04T14:34:53Z">
            <saml:AudienceRestriction>
              <saml:Audience>STS tester/audience</saml:Audience>
            </saml:AudienceRestriction>
          </saml:Conditions>
          <saml:AuthnStatement AuthnInstant="2020-12-04T12:34:53Z" SessionIndex="_84b6b907-4ae8-43d4-a922-28d04fa0d6c2">
            <saml:AuthnContext>
              <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
            </saml:AuthnContext>
          </saml:AuthnStatement>
          <saml:AttributeStatement>
            <saml:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">Testesen</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="CommonName" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">Test Testesen</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">test.testesen@nsi.dk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">DK-SAML-2.0</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">3</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">30808460</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="organizationName" Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">Statens Serum Institut</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">1802602810</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:2.5.29.29" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">C=DK,O=TRUST2408,CN=TRUST2408 Systemtest XXII CA</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="Uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">CVR:30808460-RID:42634739</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:gov:saml:attribute:RidNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">42634739</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="serialNumber" Name="urn:oid:2.5.4.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">5bad375e</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:gov:saml:attribute:IsYouthCert" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">false</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.8" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">MIIGFjCCBP6gAwIBAgIEW603XjANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MTIxMzEzMTcwNVoXDTIyMTIxMzEzMTY1MlowgYAxCzAJBgNVBAYTAkRLMScwJQYDVQQKDB5ORVRTIERBTklEIEEvUyAvLyBDVlI6MzA4MDg0NjAxSDAgBgNVBAUTGUNWUjozMDgwODQ2MC1SSUQ6NDI2MzQ3MzkwJAYDVQQDDB1UVSBHRU5FUkVMIE1PQ0VTIE0gQ1BSIGd5bGRpZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK7yIdJgvaiDNjpeJ9JXqj3dM52hfsgMTVQnpWTStD1IkP4rCgKg+yWFS6XBYiXEXO8soJzAhA79caT96aTWY5nEZ+KgX5Iw63U2fFM/X3i3fk0WSWykrrOBsnFI1yp1E7kQiISP5qG4bdY8kNJkLkkJqH+Gd8/EHKg8Kxd0Hj7XO05hUr+EJx691cLgq6CaCUM4YSAEKmdPFbLStchZaGvp74s9UsY9HnFAJ05qYg8UvJfk274PCqKHfV0EcmWMW4AECLnSAiv07AbQfhABkp3kBEfgBrcQmy5Dn7mJ6QZ8H6Vad+gRlR7pBCeHreFj3rsojNrWoY6SJ8tNpztXrwsCAwEAAaOCAs0wggLJMA4GA1UdDwEB/wQEAwID+DCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL20uYWlhLnN5c3RlbXRlc3QyMi50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QyMi1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGAgYwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjYuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjYuMIGtBgNVHR8EgaUwgaIwPaA7oDmGN2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyMS5jcmwwYaBfoF2kWzBZMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ8wDQYDVQQDDAZDUkwyMTMwHwYDVR0jBBgwFoAUq6gBRBmws0OZ2vp8zNIAGAPnPL8wHQYDVR0OBBYEFKh4eb6AK8qIeIA2ZGrwcwV2d77mMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEDup4Q2JuK5gmfpZ0jBhkzj4HSqLYhxTedDjewu7+c7QSDdFo599CngwjXgF6CHcz0MmizGyHe08quWsNcPo3BtKC54thE8gytOGdugvvwUv6EWRxfGl6YJieht6K9Qod8j/s6T+YfR+i7H3G+kxcocgVa5nImbv3Th1WsGSd1tt/OijOpdLjMWkhk8w8qFby9ubCV+YK+8sszrz471upjSZyJbsh4Gk50h2tbyfmTHqUBFtguYrioI4k/dVSukbt68jk+sZVLqH4p7Ilp6hA5R+MBMYftCyGrIbJU4LaqEn/DEulBX86sUgQmeVCljW1TnzSO9uKQgnBZSlZLT6XE=</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>
        <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f6d5e2dc-fabf-434d-b743-a708282844ff" IssueInstant="2020-12-04T13:34:53Z" Version="2.0">
          <saml:Issuer>STS tester</saml:Issuer>
          <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=DK,O=NETS DANID A/S // CVR:30808460,CN=TU GENEREL MOCES M CPR gyldig,Serial=CVR:30808460-RID:42634739</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
          </saml:Subject>
          <saml:AttributeStatement>
            <saml:Attribute Name="dk:healthcare:saml:attribute:UserEducationCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">7170</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:healthcare:saml:attribute:UserSurName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">Testesen</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:healthcare:saml:attribute:ITSystemName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">STS tester</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="dk:healthcare:saml:attribute:UserGivenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xsi:type="xs:string">Test</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>
      </wst14:ActAs>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>http://sosi.dk</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>

En succesfuld validering af requestet i STS resulterer i et succesfuldt response:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsse:Security mustUnderstand="1" wsu:Id="security">
      <wsu:Timestamp wsu:Id="ts">
        <wsu:Created>2020-12-04T13:35:02Z</wsu:Created>
      </wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>C3ZxAnTYjBI6hkrznqHapBCfxtc=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#ts">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aOnXKnwxBhHRCvFEqklkJqX1sYE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#messageID">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>HWaea2VIk5szeWMz5pDbxRQ+xGg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#relatesTo">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>E3jEzjOKeemlNmEX7GE2G1ASzUs=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#action">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>3cXAhlhZH22NiSh7AttxKxBap7Q=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>EFCMxLkjikWyOMV8Opf+UgcX2FTTpGTpCHELo307dpqJGq7rFbvLrqf9yPFzZ0R29E2+BJhKUMPFtZ8YmlOaWICkZXEagou5OcN6uR5mLf99nihWkNYmwHRo5mVzDOzwacU7n/5x6+qD9iZI8VXpGtH8+ilmENjO+jKwux/SQUWqib5jGCLi91WvwJNhjJ1fQ4VUp6E5Dw6QtfzLZnlr0djXdgzHJIAQmWcaLtUBzDhUZnChrMTYwufFVQaflzJSIEp0vXP+FYvwyAj5VZI8TlHIZiFCeHAjWnGfsJsKLrYAcqMnK1l+C34LYyqJtuqAWTvhlG08I63l9Js8ANv8uQ==</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:Action wsu:Id="action">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:MessageID wsu:Id="messageID">urn:uuid:8b3fc250-7384-44b6-828f-af16734867ed</wsa:MessageID>
    <wsa:RelatesTo wsu:Id="relatesTo">urn:uuid:20d3cb77-a509-41bc-be6f-214f4453d2a8</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse Context="urn:uuid:2f0ca258-1916-4c20-876f-5331a349e2fc">
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
        <wst:RequestedSecurityToken>
          <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2020-12-04T13:29:59Z" Version="2.0" id="IDCard">
            <saml:Issuer>TESTSTS</saml:Issuer>
            <saml:Subject>
              <saml:NameID Format="medcom:cprnumber">1802602810</saml:NameID>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:holder-of-key</saml:ConfirmationMethod>
                <saml:SubjectConfirmationData>
                  <ds:KeyInfo>
                    <ds:KeyName>OCESSignature</ds:KeyName>
                  </ds:KeyInfo>
                </saml:SubjectConfirmationData>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2020-12-04T13:29:59Z" NotOnOrAfter="2020-12-05T13:29:59Z"/>
            <saml:AttributeStatement id="IDCardData">
              <saml:Attribute Name="sosi:IDCardID">
                <saml:AttributeValue>sDWguk1pErZyKWMNZiZXTw==</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="sosi:IDCardVersion">
                <saml:AttributeValue>1.0.1</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="sosi:IDCardType">
                <saml:AttributeValue>user</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="sosi:AuthenticationLevel">
                <saml:AttributeValue>4</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="sosi:OCESCertHash">
                <saml:AttributeValue>kiE6PLwGDGs4sn01w3m0kvHmG4A=</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <saml:AttributeStatement id="UserLog">
              <saml:Attribute Name="medcom:UserCivilRegistrationNumber">
                <saml:AttributeValue>1802602810</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:UserGivenName">
                <saml:AttributeValue>Test</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:UserSurName">
                <saml:AttributeValue>Testesen</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:UserEmailAddress">
                <saml:AttributeValue>test.testesen@nsi.dk</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:UserRole">
                <saml:AttributeValue>7170</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:UserAuthorizationCode">
                <saml:AttributeValue>ZXCVB</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <saml:AttributeStatement id="SystemLog">
              <saml:Attribute Name="medcom:ITSystemName">
                <saml:AttributeValue>STS tester</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:CareProviderID" NameFormat="medcom:cvrnumber">
                <saml:AttributeValue>30808460</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="medcom:CareProviderName">
                <saml:AttributeValue>Statens Serum Institut</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <ds:Signature id="OCESSignature">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#IDCard">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>nmnINoROyYfXXQev43SXwa6MOso=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>AEd0FyGPJl4hR7q36JVlWqfjSlNWMbpU0iKwokswdlgsncdhbpQGFetp1HH3MsFpRVg1NREADKcAgWIyud5Fwr7w2/gXhF0J8E+AdagXc88CFbeSIQ3nt5ML8icKTmvv015RCsASOgXDllNV2wCQqxwgLuO/VUQ2cvUi7vipXYXk/JIuw0A235uFdvdymyoymlGmdufmbi7veQyzI1HdYm33eIcIrMzjFGURMo1MiUZjG1aiNmn8SkTWBZRs4gjiSD3tIDXq+99UNoXHc3fGPxbvf2Hc/6R3nucrWHTTkV8t5CTd5bTgynEi/foiiD0Cu0ZT7RRF2gsmtx6aUMgEhg==</ds:SignatureValue>
              <ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate>MIIGKjCCBRKgAwIBAgIEW6uMBTANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMB4XDTE5MDQzMDA5MDcxN1oXDTIyMDQzMDA5MDYzOFowgZQxCzAJBgNVBAYTAkRLMS4wLAYDVQQKDCVTdW5kaGVkc2RhdGFzdHlyZWxzZW4gLy8gQ1ZSOjMzMjU3ODcyMVUwIAYDVQQFExlDVlI6MzMyNTc4NzItRklEOjE4OTExODYxMDEGA1UEAwwqU09TSSBUZXN0IEZlZGVyYXRpb24gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyo57h9E/hM5gimxaDgHB0MLcgVfXGJbQh/8OC1vTdDsCUIzIwRd5lJE+ado8urHF7UmKubFZzfCPduoRv9b3TkNVKaixiHUMtP4egbL8vcgyalk28cNQdUk8f34mg8atgvd45EnIKz2iB+yjs5guJPDBg2OFSbP0r53NU8fVTq3aLtDpDVnkxsyjNQ7HOFtzavyMnKx0vDgafEvrUR3WTSLCGju4aUIg3ThgrWXA7i3lPIAXdV8mQmlY3wn/kIBiyIotmF98UsEket/sxpJNkJ6R6AUpxnGApCDP1Fw2BgxAQWWrtD/c5IoIZwGWNfLgpJEzfhnuIZJ7Bfs9RmHFdQIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAjCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMi4wga0GA1UdHwSBpTCBojA9oDugOYY3aHR0cDovL2NybC5zeXN0ZW10ZXN0MjIudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MjIxLmNybDBhoF+gXaRbMFkxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJTAjBgNVBAMMHFRSVVNUMjQwOCBTeXN0ZW10ZXN0IFhYSUkgQ0ExDzANBgNVBAMMBkNSTDE0MjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNVHQ4EFgQUGYAVKKL17LHyVGSErL26MBNadTQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAjHMO4sWEf8M25WHczBTJYtMitn1wLOqE6raeM6oYyw6R/4FImpOzF6bxBlfNnhhR0vJSXMWTqL/onCyy4gCs9eLglRHZ9BC8a9fmirrguNpOWlR8NAf5GRwOqCyTnkTAfUD1fp0RzVo8TvAd73WiGeUTzTiAVf7OgZFnRIYkcALXLjNs6AwELWSh+bC/gGuQcHUDd8YGSzgKS6w2qz3fIASrykxzlYjeusks58CereC6WfvN0I+GGlL9fIgjpzh7JEELME7r9QJLL9NSrmlRKfhM8gzuE6Vm4vGzmSsnNJxGMf1vTzEve4lXI8pnOtHMTtNl5zw4jCJFakRqcWm3FQ==</ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </ds:Signature>
          </saml:Assertion>
        </wst:RequestedSecurityToken>
        <wsp:AppliesTo>
          <wsa:EndpointReference>
            <wsa:Address>http://sosi.dk</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:Lifetime>
          <wsu:Created>2020-12-04T13:29:59Z</wsu:Created>
          <wsu:Expires>2020-12-05T13:29:59Z</wsu:Expires>
        </wst:Lifetime>
      </wst:RequestSecurityTokenResponse>
      <wst:RequestedAttachedReference>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#IDCard"/>
        </wsse:SecurityTokenReference>
      </wst:RequestedAttachedReference>
      <wst:RequestedUnattachedReference>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#IDCard"/>
        </wsse:SecurityTokenReference>
      </wst:RequestedUnattachedReference>
    </wst:RequestSecurityTokenResponseCollection>
  </soapenv:Body>
</soapenv:Envelope>