Denne guide beskriver hvordan en STS skal omveksle et DGWS ID kort (system / bruger) udstedt af et anvendersystem og returnere et OIO SAML Token.
I det følgende vises nogle stykker kode der viser hvordan man en STS kan lave denne omveksling.
Der findes et komplet eksempel (incl. hvordan anvender opbygger request og modtager response) sidst på siden.
Beskrivelse af hvordan Seal.Java anvendes til at opbygge et STS request findes her: Seal.Java - Guide til anvendere (Consumer) - DGWS ID kort (system og bruger)
public class TestFactoryFlow extends AbstractUserIDCardTest {
@Test
public void testSosi2OIOSaml() {
/**
* Consumer sender request
*/
// CredentialVault og Factory
OIOSAMLFactory factory = new OIOSAMLFactory();
CredentialVault signingVault = CredentialVaultTestUtil.getVoces3CredentialVault();
CredentialVault holderOfKey = CredentialVaultTestUtil.getVocesHolderOfKeyCredentialVault();
UserIDCard uidc = createUserIDCard();
final IDCardToOIOSAMLAssertionRequestDOMBuilder requestBuilder = factory.createIDCardToOIOSAMLAssertionRequestDOMBuilder();
requestBuilder.setAudience("http://fmk-online.dk");
requestBuilder.setUserIDCard(uidc);
Document consumerStsRequestDocument = requestBuilder.build();
/**
* Send request over netværk
*/
String consumerStsRequestXml = XmlUtil.node2String(consumerStsRequestDocument, false, false);
consumerStsRequestDocument = XmlUtil.readXml(new java.util.Properties(), consumerStsRequestXml, false);
/**
* STS modtager request
*/
IDCardToOIOSAMLAssertionRequest stsRequest = factory.createIDCardToOIOSAMLAssertionRequestModelBuilder().build(consumerStsRequestDocument);
// Her vil STS'en verificere ID kortet. I dette eksempel verificeres følgende tre attributter:
IDCard idCard = stsRequest.getUserIDCard();
Assert.assertEquals("1.0.1", idCard.getVersion());
Assert.assertEquals(AuthenticationLevel.MOCES_TRUSTED_USER, idCard.getAuthenticationLevel());
Assert.assertEquals("hans@dampf.dk", idCard.getAlternativeIdentifier());
/**
* STS bygger response
*/
// Byg OIOSAMLAssertion
OIOSAMLAssertionBuilder oiosamlAssertionBuilder = factory.createOIOSAMLAssertionBuilder();
oiosamlAssertionBuilder.setAudienceRestriction("http://fmk-online.dk");
oiosamlAssertionBuilder.setRecipientURL("https://fmk");
oiosamlAssertionBuilder.setIssuer("https://oio3bst-issuer.dk");
oiosamlAssertionBuilder.setUserIdCard(uidc);
oiosamlAssertionBuilder.setNotBefore(notBefore);
oiosamlAssertionBuilder.setNotOnOrAfter(notOnOrAfter);
oiosamlAssertionBuilder.setDeliveryNotOnOrAfter(d(10000L));
oiosamlAssertionBuilder.setSigningVault(signingVault);
OIOSAMLAssertion assertion = oiosamlAssertionBuilder.build();
IDCardToOIOSAMLAssertionResponseDOMBuilder responseBuilder = factory.createIDCardToOIOSAMLAssertionResponseDOMBuilder();
responseBuilder.setOIOSAMLAssertion(assertion);
responseBuilder.setSigningVault(signingVault);
responseBuilder.setEncryptionKey(signingVault.getSystemCredentialPair().getCertificate().getPublicKey());
responseBuilder.setRelatesTo("relatesTo");
responseBuilder.setContext("context");
Document consumerStsResponseDocument = responseBuilder.build();
/**
* Send response over netværk
*/
String consumerStsResponseXml = XmlUtil.node2String(consumerStsResponseDocument, false, false);
consumerStsResponseDocument = XmlUtil.readXml(new java.util.Properties(), consumerStsResponseXml, false);
/**
* Consumer modtager response
*/
IDCardToOIOSAMLAssertionResponse consumerStsResponse = factory.createIDCardToOIOSAMLAssertionResponseModelBuilder().build(consumerStsResponseDocument);
consumerStsResponse.validateSignature();
Element encryptedElement = EncryptionUtil.decryptAndDetach(consumerStsResponse.getEncryptedOIOSAMLAssertionElement(), signingVault.getSystemCredentialPair().getPrivateKey());
OIOSAMLAssertion assertionResponse = new OIOSAMLAssertion(encryptedElement);
Assert.assertEquals("DK-SAML-2.0", assertionResponse.getSpecVersion());
Assert.assertEquals("3", assertionResponse.getAssuranceLevel());
Assert.assertEquals("http://fmk-online.dk", assertionResponse.getAudienceRestriction());
}
} |