Omveksler et eHDSI IDWS XUA Bootstrap token (DKNCPBST) udsted af "Danish National Contact Point" til et eHDSI IDWS XUA Identity Token (IDWS-eHDSI)
Bemærk, at den eHDSI IDWS XUA Saml sikkerhedsbillet, der veksles fra, skal være signeret af troværdig tredjepart
I det følgende vises nogle stykker kode der viser hvordan man som anvender skal bruge Seal.Java til denne omveksling.
Der findes et komplet eksempel (incl. STS omveksling) sidst på siden der virker uden at det kræver tilretning.
Der findes ikke metoder i EHDSIFactory der kan parse en eHDSI IDWS XUA Saml Assertion der stammer fra en Identity Provider (i et W3C Element) til et DkncpBootstrapSamlAssertion objekt.
Seal.Java kan anvendes til at opbygge en eHDSI IDWS XUA Saml Assertion. Dette vil typisk ske i forbindelse med test.
Først skal CredentialVaults sættes op og der skal lave en instans af den factory der kan håndtere eHDSI IDWS XUA:
CredentialVault signingVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Virksomhedscertifikat", "Kodeord til Virksomhedscertifikat"); CredentialVault holderOfKeyVault = new ClasspathCredentialVault(null, "Filnavn på PKCS#12 Holder of key certifikat", "Kodeord til Holder of key certifikat"); EHDSIFactory factory = new EHDSIFactory(); |
En signeret eHDSI IDWS XUA Saml Assertion opbygges vha. Seal.Java på denne måde:
DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(vault, issuer);
dkncpBootstrapSamlAssertionBuilder.setIssuer("http://sosi");
dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("http://audience.nspoop.dk/dds");
dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBeforeDateTime);
dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfterDateTime);
dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName");
dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfterDateTime);
dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
List<String> permissions = new ArrayList<>();
permissions.add("urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-004");
permissions.add("urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010");
dkncpBootstrapSamlAssertionBuilder.setPermissions(permissions);
dkncpBootstrapSamlAssertionBuilder.setOnBehalfOf("221", "Medical Doctors");
dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST(assuranceLevel);
dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build(); |
Det samlede STS request med en NSP OIO SAML Assertion opbygges på denne måde:
// eHDSI IDWS XUA Saml Assertion findes i denne variabel:
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = ...
// Build Dkncp Bootstrap request
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
requestDomBuilder.setAudience("https://sosi");
requestDomBuilder.setSigningVault(holderOfKeyVault);
requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);
Document consumerStsRequestDocument = requestDomBuilder.build(); |
Når requestet sendes over netværket skal det konverteres til XML:
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false); |
Nu vil en STS kunne modtage det og veksle det til et eHDSI IDWS XUA Identity Token der kan anvendes på NSP platformen. Eksempel på hvordan Seal.Java kan anvendes til denne omveksling findes her: Seal.Java - Guide til anvendere (STS) - Dkncp Boostrap token til eHDSI Identity token
En consumer vil typisk have et eHDSI IDWS XUA Bootstrap token som en stream der kan sendes direkte til en STS. Dette vil man selv kunne deserialisere hvis man vil se indholdet:
// Anvender har et XML dokument indeholdende NSP OIO SAML Bootstrap Token request: String consumerStsRequestXml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" ... </soapenv:Envelope>"; Document requestDocument = XmlUtil.readXml(new Properties(), consumerStsRequestXml, false); DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(requestDocument); |
Det er nu muligt at se indholdet af requestet
public class TestFactoryFlow extends AbstractUserIDCardTest {
@Test
public void testDKNCPBST2EHDSIIdws() {
/**
* Consumer sender request
*/
// CredentialVault og Factory
CredentialVault signingVault = CredentialVaultTestUtil.getVoces3CredentialVault();
CredentialVault holderOfKeyVault = CredentialVaultTestUtil.getVocesHolderOfKeyCredentialVault();
EHDSIFactory factory = new EHDSIFactory();
// Build Dkncp Boostrap SAML Assertion
String issuer = "http://sosi";
DkncpBootstrapSamlAssertionBuilder dkncpBootstrapSamlAssertionBuilder = factory.createDkncpBootstrapSamlAssertionBuilder(signingVault, issuer);
dkncpBootstrapSamlAssertionBuilder.setIssuer(issuer);
dkncpBootstrapSamlAssertionBuilder.setAudienceRestriction("https://fmk");
Date now = new Date();
dkncpBootstrapSamlAssertionBuilder.setNotBefore(notBefore);
dkncpBootstrapSamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
dkncpBootstrapSamlAssertionBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
dkncpBootstrapSamlAssertionBuilder.setSubjectName("C=DK,O=LAKESIDE A/S // CVR:25450442,CN=Sårjournal TEST læge,Serial=CVR:25450442-RID:73570260");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameID("nameid");
dkncpBootstrapSamlAssertionBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
dkncpBootstrapSamlAssertionBuilder.setSigningVault(signingVault);
dkncpBootstrapSamlAssertionBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
// Mandatory attribute values
dkncpBootstrapSamlAssertionBuilder.setSubject("Alfonso Gonzalez");
dkncpBootstrapSamlAssertionBuilder.setRole("2221", "Nursing professionals");
dkncpBootstrapSamlAssertionBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
dkncpBootstrapSamlAssertionBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
dkncpBootstrapSamlAssertionBuilder.setHealthcareFacilityType("Hospital");
dkncpBootstrapSamlAssertionBuilder.setPurposeOfUse("TREATMENT");
dkncpBootstrapSamlAssertionBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
dkncpBootstrapSamlAssertionBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
dkncpBootstrapSamlAssertionBuilder.setAssuranceLevelNIST("3");
dkncpBootstrapSamlAssertionBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
dkncpBootstrapSamlAssertionBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
dkncpBootstrapSamlAssertionBuilder.setCountryOfTreatment("DE");
DkncpBootstrapSamlAssertion dkncpBootstrapSamlAssertion = dkncpBootstrapSamlAssertionBuilder.build();
dkncpBootstrapSamlAssertion.validateSchema();
dkncpBootstrapSamlAssertion.validateSignatureAndTrust(signingVault);
// Build Dkncp Bootstrap request
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder requestDomBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestDOMBuilder();
requestDomBuilder.setAudience("https://sosi");
requestDomBuilder.setSigningVault(holderOfKeyVault);
requestDomBuilder.setDkncpBootstrapToken(dkncpBootstrapSamlAssertion);
// Serialize request to the same form as received by the STS
Document consumerStsRequestDocument = requestDomBuilder.build();
/**
* Send request over netværk
*/
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
consumerStsRequestDocument = readXml(System.getProperties(), consumerStsRequestXml, false);
/**
* STS modtager request
*/
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequest request = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenRequestModelBuilder().build(consumerStsRequestDocument);
// validate request
request.validateSignatureAndTrust(holderOfKeyVault);
request.validateHolderOfKeyRelation();
// Validate assertion
DkncpBootstrapSamlAssertion assertion = request.getDkncpBootstrapSamlAssertion();
// The DKNCP BST Assertion can be schema validated after serialize/deserialize
assertion.validateSchema();
assertion.validateSignatureAndTrust(signingVault);
// Verify all attributes
Assert.assertEquals("Alfonso Gonzalez", assertion.getSubject());
Assert.assertEquals(EHDSI_ROLE_XSI_TYPE, assertion.getRoleType());
Assert.assertEquals("2221", assertion.getRoleCode());
Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM, assertion.getRoleCodeSystem());
Assert.assertEquals(EHDSI_ROLE_CODE_SYSTEM_NAME, assertion.getRoleCodeSystemName());
Assert.assertEquals("Nursing professionals", assertion.getRoleDisplayName());
Assert.assertEquals("Charité – Universitätsmedizin Berlin", assertion.getOrganization());
Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", assertion.getOrganizationId());
Assert.assertEquals("Hospital", assertion.getHealthcareFacilityType());
Assert.assertEquals("TREATMENT", assertion.getPurposeOfUseCode());
Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", assertion.getLocality());
Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", assertion.getPatientId());
Assert.assertEquals("3", assertion.getAssuranceLevelNIST());
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", assertion.getSpecVersion());
Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", assertion.getIssuancePolicy());
Assert.assertEquals("DE", assertion.getCountryOfTreatment());
/**
* STS bygger response
*/
// Build Ehdsi Idws Xua Employee identity token
EhdsiIdwsXuaEmployeeIdentityTokenBuilder tokenBuilder = factory.createEhdsiIdwsXuaEmployeeIdentityTokenBuilder();
tokenBuilder.setIssuer("http://sosi");
tokenBuilder.setAudienceRestriction("https://fmk");
tokenBuilder.setNotBefore(notBefore);
tokenBuilder.setNotOnOrAfter(notOnOrAfter);
tokenBuilder.setDeliveryNotOnOrAfter(notOnOrAfter);
tokenBuilder.setSubjectNameID("C=DK,O=Ingen organisatorisk tilknytning,CN=Lars Larsen,Serial=PID:9208-2002-2-514358910503");
tokenBuilder.setSubjectNameIDFormat(SAMLValues.NAMEID_FORMAT_X509_SUBJECT_NAME);
tokenBuilder.setSigningVault(signingVault);
tokenBuilder.setHolderOfKeyCertificate(holderOfKeyVault.getSystemCredentialPair().getCertificate());
tokenBuilder.setSubject("Alfonso Gonzalez");
tokenBuilder.setRole("2221", "Nursing professionals");
tokenBuilder.setOrganization("Charité – Universitätsmedizin Berlin");
tokenBuilder.setOrganizationId("urn:oid:1.3.6.1.4.1.44938");
tokenBuilder.setHealthcareFacilityType("Hospital");
tokenBuilder.setPurposeOfUse("TREATMENT");
tokenBuilder.setLocality("Klinik am Berg, 83242 Reit im Winkl");
tokenBuilder.setPatientId("0205756078^^^&1.2.208.176.1.2&ISO");
tokenBuilder.setAssuranceLevel("3");
tokenBuilder.setSpecVersion("eHDSI-IDWS-XUA-1.0");
tokenBuilder.setIssuancePolicy("urn:dk:sosi:sts:eHDSI-strict");
tokenBuilder.setCountryOfTreatment("DE");
EhdsiIdwsXuaEmployeeIdentityToken ehdsiIdwsXuaEmployeeIdentityToken = tokenBuilder.build();
// Validate Identity Token
ehdsiIdwsXuaEmployeeIdentityToken.validateSchema();
ehdsiIdwsXuaEmployeeIdentityToken.validateSignatureAndTrust(signingVault);
// Build Ehdsi Idws Xua Employee response
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder responseBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseDOMBuilder();
responseBuilder.setEhdsiIdwsXuaEmployeeIdentityToken(ehdsiIdwsXuaEmployeeIdentityToken);
responseBuilder.setSigningVault(holderOfKeyVault);
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");
Document consumerStsResponseDocument = responseBuilder.build();
/**
* Send response over netværk
*/
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
consumerStsResponseDocument = readXml(System.getProperties(), consumerStsResponseXml, false);
/**
* Consumer modtager response
*/
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder responseModelBuilder = factory.createDkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponseModelBuilder();
DkncpBootstrapSamlAssertionToEhdsiIdwsXuaEmployeeIdentityTokenResponse response = responseModelBuilder.build(consumerStsResponseDocument);
// Validate entire response
response.validateSignature();
// Validate the Ehdsi Idws Xua Employee Identity token from the response
EhdsiIdwsXuaEmployeeIdentityToken employeeIdentityToken = response.getEhdsiIdwsXuaEmployeeIdentityToken();
// The Ehdsi Idws Xua Employee Identity token can be schema validated after serialize/deserialize
employeeIdentityToken.validateSchema();
employeeIdentityToken.validateSignatureAndTrust(signingVault);
// Verify all attributes
assertEquals("3", employeeIdentityToken.getAssuranceLevel());
assertEquals("Alfonso Gonzalez", employeeIdentityToken.getSubject());
Assert.assertEquals("2221", employeeIdentityToken.getRoleCode());
Assert.assertEquals("Nursing professionals", employeeIdentityToken.getRoleDisplayName());
Assert.assertEquals("Charité – Universitätsmedizin Berlin", employeeIdentityToken.getOrganization());
Assert.assertEquals("urn:oid:1.3.6.1.4.1.44938", employeeIdentityToken.getOrganizationId());
Assert.assertEquals("Hospital", employeeIdentityToken.getHealthcareFacilityType());
Assert.assertEquals("TREATMENT", employeeIdentityToken.getPurposeOfUseCode());
Assert.assertEquals("Klinik am Berg, 83242 Reit im Winkl", employeeIdentityToken.getLocality());
Assert.assertEquals("0205756078^^^&1.2.208.176.1.2&ISO", employeeIdentityToken.getPatientId());
Assert.assertEquals("3", employeeIdentityToken.getAssuranceLevel());
Assert.assertEquals("eHDSI-IDWS-XUA-1.0", employeeIdentityToken.getSpecVersion());
Assert.assertEquals("urn:dk:sosi:sts:eHDSI-strict", employeeIdentityToken.getIssuancePolicy());
Assert.assertEquals("DE", employeeIdentityToken.getCountryOfTreatment());
}
} |