Omveksler et eHDSI IDWS XUA Bootstrap token (DKNCPBST) udsted af "Danish National Contact Point" til et eHDSI IDWS XUA Identity Token (IDWS-eHDSI)
Bemærk, at den OIO Saml sikkerhedsbillet, der veksles, skal være signeret af troværdig tredjepart
I det følgende vises nogle stykker kode der viser hvordan man som anvender skal bruge Seal.Java til denne omveksling.
Der findes et komplet eksempel (incl. STS omveksling) sidst på siden der virker uden at det kræver tilretning.
public class TestFactoryFlow extends AbstractUserIDCardTest {
@Test
public void testDKNCPBST2EHDSIIdws() {
/**
* Consumer sender request
*/
// CredentialVault og Factory
CredentialVault signingVault = CredentialVaultTestUtil.getVoces3CredentialVault();
CredentialVault holderOfKeyVault = CredentialVaultTestUtil.getVocesHolderOfKeyCredentialVault();
EHDSIFactory factory = new EHDSIFactory();
// Build Dkncp Boostrap SAML Assertion
String issuer = "http://sosi";
DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
Date now = new Date();
dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
// Mandatory attribute values
dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
dkncpBootstrapSamlAssertion.validateSchema();
dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);
// Build Dkncp Bootstrap request
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
requestDomBuilder.setAudience("https://sosi");
requestDomBuilder.setSigningVault(holderOfKeyVault);
requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);
// Serialize request to the same form as received by the STS
Document consumerStsRequestDocument = requestDomBuilder.build();
/**
* Send request over netværk
*/
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);
/**
* STS modtager request
*/
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);
// validate request
request.validateSignatureAndTrust(holderOfKeyVault);
request.validateHolderOfKeyRelation();
// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
// The DKNCP BST Assertion can be schema validated after serialize/deserialize
assertion.validateSchema();
assertion.validateSignatureAndTrust(signingVault);
// Verify all attributes
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());
Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
Assert.assertEquals("2221", assertion.getRoleCode());
Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());
Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());
Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());
Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
Assert.assertEquals("DE", assertion.getCountryOfTreatment());
/**
* STS bygger response
*/
// Build Ehdsi Idws Xua Employee identity token
EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
tokenBuilder.setIssuer("http://sosi");
tokenBuilder.setAudienceRestriction("https://fmk");
tokenBuilder.setNotBefore(notBefore);
tokenBuilder.setNotOnOrAfter(notOnOrAfter);
tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
tokenBuilder.setSigningVault(signingVault);
tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
tokenBuilder.setSubject("Alfonso Gonzalez");
tokenBuilder.setRole("2221", "Nursing professionals");
tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
tokenBuilder.setHealthcareFacilityType("Hospital");
tokenBuilder.setPurposeOfUse("TREATMENT");
tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
tokenBuilder.setAssuranceLevel("3");
tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
tokenBuilder.setCountryOfTreatment("DE");
EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();
// Validate Identity Token
ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);
// Build Ehdsi Idws Xua Employee response
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
responseBuilder.setSigningVault(holderOfKeyVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");
Document consumerStsResponseDocument = responseBuilder.build();
/**
* Send response over netværk
*/
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);
/**
* Consumer modtager response
*/
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);
// Validate entire response
response.validateSignature();
// Validate the Ehdsi Idws Xua Employee Identity token from the response
EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();
// The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
employeeIdentityToken.validateSchema();
employeeIdentityToken.validateSignatureAndTrust(signingVault);
// Verify all attributes
assertEquals("3", employeeIdentityToken.getAssuranceLevel());
assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());
Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());
Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());
Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());
Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
}
} |