Denne guide beskriver hvordan en STS skal omveksle et eHDSI IDWS XUA Bootstrap Token (DKNCPBST) udsted af "Danish National Contact Point" til et eHDSI IDWS XUA Identity Token (IDWS-eHDSI).
I det følgende vises nogle stykker kode der viser hvordan en STS kan lave denne omveksling.
Der findes et komplet eksempel (incl. hvordan anvender opbygger request og modtager response) sidst på siden.
Beskrivelse af hvordan Seal.Java anvendes til at opbygge et STS request findes her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token
Opret en instans af EHDSIFactory og en CredentialVault der indeholder et virksomhedscertifikat der anvendes til denne omveksling:
// CredentialVault og Factory CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat"); CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat"); EHDSIFactory factory = new EHDSIFactory(); |
En STS vil kunne anvende Seal.Java til at modtage et XML dokument indeholdende et request og det skal deserialiseres til et DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest modelobjekt:
consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false); DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument); |
Nu vil en STS kunne verificere det indkomne eHDSI IDWS XUA Bootstrap Token. Dette er ikke relevant for denne anvenderguide, men her er et eksempel på hvordan man henter den indlejrede SAML Assertion ud validere det og verificere tre attributter:
// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject()); |
Nu vil en STS bygge et response og først bygge en signeret eHDSI IDWS XUA Identity Token:
// Build Ehdsi Idws Xua Employee identity token
EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
tokenBuilder.setIssuer("http://sosi");
tokenBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
tokenBuilder.setNotBefore(notBefore);
tokenBuilder.setNotOnOrAfter(notOnOrAfter);
tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
tokenBuilder.setSigningVault(signingVault);
tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
// Øvrige attributter sættes
tokenBuilder.setSubject("Alfonso Gonzalez");
tokenBuilder.setRole("2221", "Nursing professionals");
...
EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build(); |
Dette eHDSI IDWS XUA Identity Token kan nu indlejres i det samlede svar fra STS:
// Build Ehdsi Idws Xua Employee response
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
responseBuilder.setSigningVault(holderOfKeyVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");
Document consumerStsResponseDocument = responseBuilder.build(); |
Svaret kan sendes over netværket som XML:
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false); |
Nu vil en anvender kunne modtage det omvekslede eHDSI IDWS XUA Identity Token og hvordan man anvender Seal.Java til at behandle dette svar er beskrevet her: Seal.Java 3 - Guide til anvendere (Consumer) - eHDSI Boostrap token til eHDSI Identity token
public class TestFactoryFlow {
private final String NAMEID_FORMAT_X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
@Test
public void testDKNCPBST2EHDSIIdws() {
/**
* Consumer sender request
*/
// CredentialVault og Factory
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat");
CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat");
EHDSIFactory factory = new EHDSIFactory();
// Build Dkncp Boostrap SAML Assertion
String issuer = "http://sosi";
DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
Date now = new Date();
dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
// Mandatory attribute values
dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
dkncpBootstrapSamlAssertion.validateSchema();
dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);
// Build Dkncp Bootstrap request
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
requestDomBuilder.setAudience("https://sosi");
requestDomBuilder.setSigningVault(holderOfKeyVault);
requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);
// Serialize request to the same form as received by the STS
Document consumerStsRequestDocument = requestDomBuilder.build();
/**
* Send request over netværk
*/
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);
/**
* STS modtager request
*/
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);
// validate request
request.validateSignatureAndTrust(holderOfKeyVault);
request.validateHolderOfKeyRelation();
// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
// The DKNCP BST Assertion can be schema validated after serialize/deserialize
assertion.validateSchema();
assertion.validateSignatureAndTrust(signingVault);
// Verify all attributes
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());
Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
Assert.assertEquals("2221", assertion.getRoleCode());
Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());
Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());
Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());
Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
Assert.assertEquals("DE", assertion.getCountryOfTreatment());
/**
* STS bygger response
*/
// Build Ehdsi Idws Xua Employee identity token
EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
tokenBuilder.setIssuer("http://sosi");
tokenBuilder.setAudienceRestriction("https://fmk");
tokenBuilder.setNotBefore(notBefore);
tokenBuilder.setNotOnOrAfter(notOnOrAfter);
tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
tokenBuilder.setSigningVault(signingVault);
tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
tokenBuilder.setSubject("Alfonso Gonzalez");
tokenBuilder.setRole("2221", "Nursing professionals");
tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
tokenBuilder.setHealthcareFacilityType("Hospital");
tokenBuilder.setPurposeOfUse("TREATMENT");
tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
tokenBuilder.setAssuranceLevel("3");
tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
tokenBuilder.setCountryOfTreatment("DE");
EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();
// Validate Identity Token
ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);
// Build Ehdsi Idws Xua Employee response
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
responseBuilder.setSigningVault(holderOfKeyVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");
Document consumerStsResponseDocument = responseBuilder.build();
/**
* Send response over netværk
*/
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);
/**
* Consumer modtager response
*/
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);
// Validate entire response
response.validateSignature();
// Validate the Ehdsi Idws Xua Employee Identity token from the response
EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();
// The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
employeeIdentityToken.validateSchema();
employeeIdentityToken.validateSignatureAndTrust(signingVault);
// Verify all attributes
assertEquals("3", employeeIdentityToken.getAssuranceLevel());
assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());
Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());
Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());
Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());
Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
}
} |