Skip to main content
Skip table of contents

snippet.Interface specification HM-MR response

Response (2)

@ID

SAML: Unique message attribute

@InResponseTo

SAML: Unique attribute of the XACMLAuthzDecisionQuery to which this response message is the answer.

@Version

SAML: Version of the SAML protocol. The value MUST be '2.0'.

@IssueInstant

SAML: Time at which the message was created.

@Destination

SAML: URL of the HM on which the message is offered. MUST match the SAML metadata.

@Consent

Elektronische Toegangsdiensten: MUST NOT be included

Issuer

Elektronische Toegangsdiensten: MUST contain the EntityID of the MR.

The attributes NameQualifier, SPNameQualifier, Format and SPProvidedID MUST NOT be included.

Signature

Elektronische Toegangsdiensten: MUST contain the Digital signature of the MR for the enveloped message.

Extensions

Elektronische Toegangsdiensten: MUST NOT be included

Status

Elektronische Toegangsdiensten: MUST be filled conform SAML 2.0 specs when the request is successfully processed.

MUST be filled according to Error handling in case of an error or when the request was cancelled.

Assertion

Elektronische Toegangsdiensten: MUST contain an assertion about the authorization (see the next section).

Rules for processing responses

A receiving HM:

  • MUST verify the structure and contents of the response.

A responding MR MUST:

  • The MR MUST communicate the Level of Assurance of the registered authorization. A MR MUST NOT communicate a level for which it is not certified.

    • In case of a chain of authorizations, the MR MUST communicatie the minimum of the LoA of all Representation authorizations in the applicable chain (so far).
    • In case of a request for a portal service, a MR MUST communicate the Level of Assurance as the minimum Level of Assurance of all applicable service authorizations chosen by the user.

Authorization assertion

Assertion

@Version

SAML: Version of the SAML protocol. The value MUST be '2.0'.

@ID

SAML: Unique reference to the assertion

@IssueInstant

SAML: Time at which the assertion was created

Issuer

Elektronische Toegangsdiensten: MUST contain the EntityID of the MR.

The attributes NameQualifier, SPNameQualifier, Format and SPProvidedID MUST NOT be included.

Signature

Elektronische Toegangsdiensten: MUST contain the Digital signature of the MR for the enveloped assertion.

Subject

Elektronische Toegangsdiensten: MUST contain a different transient <NameID> from the AD Assertion as received in the Request or preceding MR assertion in case of chain authorization. Each assertion MUST contain a new transient identifier, that is unique for the issuer during at least the past 12 months.

Conditions

Elektronische Toegangsdiensten: MAY be included. The attributes NotBefore and NotOnOrAfter MAY be included but should be ignored by the receiver.

Other conditions MUST NOT be included.

Advice

Elektronische Toegangsdiensten: MUST be included, containing an AssertionIDRef referencing the Assertion this declaration is directly linked to.

XACMLAuthz-Decision Statement

Elektronische Toegangsdiensten: MUST contain an SAML Statement of the type XACMLAuthzDecisionStatementType. See below.

XACMLAuthzDecision Statement

Response

Result

@ResourceID

Elektronische Toegangsdiensten: MUST NOT be included

Decision

XACML: One of the values allowed in XACML 2.0.

In the event of a cancellation or error, the element MUST be populated with the value 'Deny'. See also Error handling.

Status

XACML: must be filled with one of the values that are allowed according to the XACML 2.0 specifications

Obligations

Obligation urn:etoegang:core:RequireConfirmationFromNextMR
FulfillOn=Permit
AttributeAssignment urn:etoegang:core:AuthorizationRegistryID = <MR2> (see EntityID)

Elektronische Toegangsdiensten: In the event of chain authorization, such is established by the first MR, which then specifies, by means of an Obligation, that the second link MUST be verified or Decision = 'Permit' is otherwise invalid.

Request

Subject

Elektronische Toegangsdiensten:

Any received AuthenticationMeansID MUST be deleted and not returned in the response to the HM.

If the Decision is ‘Permit’ THEN

Depending on the Rules for processing request:

      • an ActingEntityID
      • an ActingSubjectID.EncryptedID@SP
      • one LegalSubjectID with one or more AttributeValues with an EncryptedID@SP 
      • a LinkedDeclarationSignatureValue

      Resource

      Elektronische Toegangsdiensten: MUST contain the attribute-elements contained in the resource element from the request.  

      If the Decision is 'Permit'

        • an EntityConcernedID
        • one or more ServiceRestrictions
        • an IntermediateEntityID.EncryptedID
        • one or more Encrypted Attributes

        NextAuthorizationRegistryID MAY be included. See EntityID.

        Other attributes MUST NOT be included.

        Action

        Elektronische Toegangsdiensten: MUST be the same as the Action element in the request. See XACMLAuthzDecisionQuery (above).

        Environment

        Elektronische Toegangsdiensten: MUST be empty.

        Example message

        XML
        <?xml version="1.0" encoding="UTF-8"?>
        <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID=" " InResponseTo=" " Version="2.0" IssueInstant=" " Destination=" ">
            <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> </saml:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <ds:Reference URI=" ">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue> </ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue> </ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:KeyName> </ds:KeyName>
                </ds:KeyInfo>
            </ds:Signature>
            <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"> </samlp:StatusCode>
            </samlp:Status>
            <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID=" " IssueInstant=" ">
                <saml:Issuer> </saml:Issuer>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                        <ds:Reference URI=" ">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                            <ds:DigestValue> </ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue> </ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:KeyName> </ds:KeyName>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"> </saml:NameID>
                </saml:Subject>
                <saml:Conditions NotBefore=" " NotOnOrAfter=" "> </saml:Conditions>
                <saml:Statement xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
                    <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
                        <xacml-context:Result>
                            <xacml-context:Decision>Permit</xacml-context:Decision>
                            <xacml-context:Status>
                                <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"> </xacml-context:StatusCode>
                            </xacml-context:Status>
                        </xacml-context:Result>
                    </xacml-context:Response>
                    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
                        <xacml-context:Subject>
                            <xacml-context:Attribute AttributeId="urn:etoegang:core:ActingEntityID" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer=" ">
                                <xacml-context:AttributeValue> </xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                        </xacml-context:Subject>
                        <xacml-context:Resource>
                            <xacml-context:Attribute AttributeId="urn:etoegang:core:ServiceID" DataType="http://www.w3.org/2001/XMLSchema#string">
                                <xacml-context:AttributeValue> </xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                            <xacml-context:Attribute AttributeId="urn:etoegang:core:ServiceUUID" DataType="http://www.w3.org/2001/XMLSchema#string">
                                <xacml-context:AttributeValue> </xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                            <xacml-context:Attribute AttributeId="urn:etoegang:core:LevelOfAssurance" DataType="http://www.w3.org/2001/XMLSchema#string">
                                <xacml-context:AttributeValue> </xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                            <xacml-context:Attribute AttributeId="urn:etoegang:core:LevelOfAssuranceUsed" DataType="http://www.w3.org/2001/XMLSchema#string">
                                <xacml-context:AttributeValue> </xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                            <xacml-context:Attribute AttributeId="urn:etoegang:1.9:EntityConcernedID:KvKnr" DataType="http://www.w3.org/2001/XMLSchema#string">
                                <xacml-context:AttributeValue> </xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                            <xacml-context:ResourceContent>
                                <saml:EncryptedAttribute>
                                    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_DE46C6F5E2E3111255D3A715C4760656">
                                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
                                        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                            <xenc:EncryptedKey>
                                                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                                                <ds:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                                                    <ds:KeyName>62355fbd1f624503c5c9677402ecca00ef1f6277</ds:KeyName>
                                                </ds:KeyInfo>
                                                <xenc:CipherData>
                                                    <xenc:CipherValue>.....</xenc:CipherValue>
                                                </xenc:CipherData>
                                            </xenc:EncryptedKey>
                                        </ds:KeyInfo>
                                        <xenc:CipherData>
                                            <xenc:CipherValue>.......</xenc:CipherValue>
                                        </xenc:CipherData>
                                    </xenc:EncryptedData>
                                </saml:EncryptedAttribute>
                            </xacml-context:ResourceContent>
                        </xacml-context:Resource>
                        <xacml-context:Action>
                            <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
                                <xacml-context:AttributeValue>Authenticate</xacml-context:AttributeValue>
                            </xacml-context:Attribute>
                        </xacml-context:Action>
                        <xacml-context:Environment> </xacml-context:Environment>
                    </xacml-context:Request>
                </saml:Statement>
            </saml:Assertion>
        </samlp:Response>
        JavaScript errors detected

        Please note, these errors can depend on your browser setup.

        If this problem persists, please contact our support.