For chain authorizations (Vervallen_Interface specifications HM-MR chain authorization), the identification number of the represented service consumer are included in the assertion for the HM in the same way as for single authorizations. The additional information about the chain is stored in a separate attribute.
Note: The HM will not identify the MRs from which the underlying assertions originate. Additional attributes relate to the represented service consumer or the user. There is no mechanism to include an additional attribute that relates specifically to an intermediary.
| Element/@Attribute | 0..n | Description |
|---|
@ID | 1 | SAML: Unique message characteristic. MUST identify the message uniquely within the scope of the sender and receiver for a period of at least 12 months. |
|---|
@InResponseTo | 1 | SAML: Unique attribute of the AuthnRequest for which this Response message is the answer. |
|---|
@Version | 1 | SAML: Version of the SAML protocol. The value MUST be '2.0'. |
|---|
@IssueInstant | 1 | SAML: Time of issuing of the Response. |
|---|
@Destination | 1 | SAML: URL of the endpoint of the DV on which the message is offered. MUST match the DV's metadata. |
|---|
@Consent | 0..1 | Elektronische Toegangsdiensten: MAY be included. When Consent is included, the default value MUST contain urn:oasis:names:tc:SAML:2.0:consent:unspecified. |
|---|
Issuer | 1 | Elektronische Toegangsdiensten: MUST contain the EntityID of the HM. |
|---|
| @NameQualifier | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| @SPNameQualifier | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| @Format | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| @SPProvidedID | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
Signature | 0..1 | Elektronische Toegangsdiensten: MUST contain the Digital signature of the HM for the enveloping message. When communicated within a ArtifactResolveResponse the signature on the SAML:Response MAY be omitted, since the parent message already guarantees the integrity. |
|---|
Extensions | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
Status | 1 | Elektronische Toegangsdiensten: MUST contain a StatusCode element with the status of the authentication. See Error handling. |
|---|
StatusCode | 1 | SAML: MUST be present in a Status element. |
|---|
| @Value | 1 | If not 'success' additional information should be provided. (conform Elektronische Toegangsdiensten specifications). |
|---|
| StatusCode | 0..1 | Only present if top-level StatusCode is not 'success'. |
|---|
| @Value | 1 | In the event of a cancellation or error, the element MUST be populated with the value AuthnFailed. See Error handling. |
|---|
| StatusMessage | 0..1 | Only present if top-level StatusCode is not 'success'. |
|---|
| StatusDetail | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
Assertion | 0..1 | Elektronische Toegangsdiensten: MUST contain the <Assertion> that is delivered in the response, if the request was processed successfully. See below. |
|---|
| EncryptedAssertion | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_5e702d5c-de06-11e4-a5a1-080027a35b78"
InResponseTo="6984066c-de03-11e4-a571-080027a35b78"
Version="2.0"
Destination="https://..."
IssueInstant="2015-04-08T16:30:06Z">
<saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_5e702d5c-de06-11e4-a5a1-080027a35b78">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
ID="_535162e2-de06-11e4-98a2-080027a35b78"
IssueInstant="2015-04-08T16:30:05Z">
<saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
...
</saml:Assertion>
</samlp:Response>
HM Summary assertion
This paragraph describes a HM summary <Assertion>
| Element/@Attribute | 0..1 | Description |
|---|
@ID | 1 | SAML: MUST identify the <Assertion> uniquely within the scope of the Issuer for a period of at least 12 months. |
|---|
@Version | 1 | SAML: Version of the SAML protocol. The value MUST be '2.0'. |
|---|
@IssueInstant | 1 | SAML: Time of issuing of the assertion. |
|---|
Issuer | 1 | Elektronische Toegangsdiensten: MUST contain the EntityID of the HM |
|---|
| @NameQualifier | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| @SPNameQualifier | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| @Format | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| @SPProvidedID | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
Signature | 1 | Elektronische Toegangsdiensten: MUST contain the Digital signature of the Issuer (HM) for the enveloping Assertion. |
|---|
Subject | 1 | Elektronische Toegangsdiensten: MUST be included. |
|---|
| BaseID | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| NameID | 0..1 | Rules for processing request requires NameID to contain a TransientID or an ActingEntityID (DV connects to r1.09 or older, for older specifications see https://afsprakenstelsel.etoegang.nl/display/archief/Archief). |
|---|
| EncryptedID | 0..1 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| SubjectConfirmation | 1...2 | SAML: Contains the SubjectConfirmation conform the WebSSO profile.
Other SubjectConfirmation or SubjectConfirmationData elements MUST NOT be included. |
|---|
Conditions | 1 | Elektronische Toegangsdiensten: MUST be included. |
|---|
| @NotBefore | 1 | Elektronische Toegangsdiensten: MUST be included. |
|---|
| @NotOnOrAfter | 0..1 | Elektronische Toegangsdiensten: MAY be included. |
|---|
| Condition | 0 | Elektronische Toegangsdiensten: MUST NOT be used. |
|---|
| AudienceRestriction | 1 | SAML: MUST be included. |
|---|
| Audience | 1 | Elektronische Toegangsdiensten: Contains the EntityID(s) for all relevant parties that are intended to receive and process this assertion, as per SAML WebSSO profile. In case of Dienstbemiddeling (service intermediation), both the Dienstaanbieder (service supplier) and Dienstbemiddelaar (service intermediary) are a relevant party and must be listed as audience. For a Dienstaanbieder for whom only the OIN is known, the notation 'urn:etoegang:DV: <OIN>' is to be used. |
|---|
| ProxyRestriction | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
Advice | 0..1 | Elektronische Toegangsdiensten: SHOULD be included. See below under processing rules. |
|---|
| AssertionIDRef | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| AssertionURIRef | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
| Assertion | 1 | Elektronische Toegangsdiensten: Contains the original <Assertion> elements this assertion is composed of. |
|---|
| EncryptedAssertion | 0 | Elektronische Toegangsdiensten: MUST NOT be included. |
|---|
AuthnStatement | 1 | Elektronische Toegangsdiensten: MUST be included. The AuthenticatingAuthority element MUST be populated with the EntityID of the AD that performed the authentication. |
|---|
| @AuthnInstant | 1 | Elektronische Toegangsdiensten: MUST contain the time of authentication. |
|---|
| @SessionIndex | 0..1 | Elektronische Toegangsdiensten: MAY be included. |
|---|
| AuthnContext | 1 | Elektronische Toegangsdiensten: MUST be included. |
|---|
| AuthnContextClassRef | 1 | Elektronische Toegangsdiensten: MUST be included. Contains either the value 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified' (default) or the obtained effective Level of assurance, see below under "rules for processing responses". |
|---|
AttributeStatement | 1 | Elektronische Toegangsdiensten: MUST contain an <AttributeStatement> in accordance with the following section and the rules for processing responses. |
|---|
<saml:Assertion Version="2.0"
ID="_535162e2-de06-11e4-98a2-080027a35b78"
IssueInstant="2015-04-08T16:30:05Z">
<saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_535162e2-de06-11e4-98a2-080027a35b78">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
<saml:AudienceRestriction>
<saml:Audience>urn:etoegang:DV:...</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:Advice>
<saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
<saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
<!-- Verbatim copy of AD declaration of identity contents -->
</saml:Assertion>
</saml:Advice>
<saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion>
<saml:Assertion Version="2.0"
ID="_535162e2-de06-11e4-98a2-080027a35b78"
IssueInstant="2015-04-08T16:30:05Z">
<saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
<ds:Signature>
...
</ds:Signature>
<saml:Subject>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
<saml:AudienceRestriction>
<saml:Audience>urn:etoegang:DV:...</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:Advice>
<saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
<saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
<!-- Verbatim copy of AD declaration of identity contents -->
</saml:Assertion>
</saml:Advice>
<saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion>
Vraag het op bij de BO / Ask BO
<saml:Assertion Version="2.0"
ID="_535162e2-de06-11e4-98a2-080027a35b78"
IssueInstant="2015-04-08T16:30:05Z">
<saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
<ds:Signature>
...
</ds:Signature>
<saml:Subject>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
<saml:AudienceRestriction>
<saml:Audience>urn:etoegang:DV:...</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:Advice>
<saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
<saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
<!-- Verbatim copy of AD declaration of identity contents -->
</saml:Assertion>
<saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
<saml:Issuer>urn:etoegang:KR:...</saml:Issuer>
<!-- Verbatim copy of KR declaration of sectoral identity contents -->
</saml:Assertion>
</saml:Advice>
<saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion>
<saml2:Assertion ID="_67d2200a8bd8401dc1b7274106731ca6" IssueInstant="2019-02-26T10:35:43.000Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:HM:00000003271247010000:entities:7611</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_67d2200a8bd8401dc1b7274106731ca6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>f04a58c387f4f8b5f1fa3a614f79f073f3f08953</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ed3d5655-b6ee-47bf-87d5-fb77302e14b4</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:SubjectConfirmationData InResponseTo="_d3fda417414c17b2667995961cf79fc5" NotOnOrAfter="2019-02-26T10:37:39Z" Recipient="https://brk.eid-tst.ad.nl/brk/HM1CServiceProvider" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml2:Conditions NotBefore="2019-02-26T10:35:43Z" NotOnOrAfter="2019-02-26T10:37:43Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>urn:etoegang:DV:00000001111111110000:entities:9113</saml2:Audience>
<saml2:Audience>urn:etoegang:DV:00000002222222220000:entities:9613</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml:AuthnStatement AuthnInstant="2019-04-08T16:30:07Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml2:Advice>
<saml:Assertion IssueInstant="2019-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
<saml:Issuer> urn:etoegang:AD:00000004444444445001:entities:9042</saml:Issuer>
<!-- Verbatim copy of AD declaration of identity contents -->
</saml:Assertion>
<saml:Assertion IssueInstant="2019-04-08T16:30:07Z" ID="dd4dae83-0f35-4695-b24a-29d470a63ea7" Version="2.0">
<saml:Issuer> urn:etoegang:MR:00000005555555555001:entities:9042</saml:Issuer>
<!-- Verbatim copy of MR declaration of identity contents -->
</saml:Assertion>
</saml2:Advice>
<saml2:AuthnStatement AuthnInstant="2019-02-26T10:35:43Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>urn:etoegang:AD:00000004444444445001:entities:9042</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
. . . . .
</saml2:AttributeStatement>
</saml2:Assertion>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="urn:etoegang:core:ServiceUUID">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">dafca82e-4806-408e-956e-3a7092643e54</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:etoegang:core:ServiceID">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:etoegang:DV:00000001111111110000:services:8002</saml2:AttributeValue>
</saml2:Attribute>
<saml:Attribute Name="urn:etoegang:core:Representation" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">true</saml:AttributeValue>
</saml:Attribute>
<!-- igv de service via de Service Catalog vraagt om een ServiceRestriction en de MR-->
<!-- heeft een service restriction bij de machtiging. Vb restrictie op KvK Vestigingsnr-->
<saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
<saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:core:ActingSubjectID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeValue>
<!-- # ActingSubjectID - BSN:VP@RVO (PseudoID voor de EB) -->
<saml:EncrypedID>
<xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<ds:KeyInfo>
<ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"URI="#_15531f42aa31bbd4" />
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:00000001111111110000:entities:9613">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>yRy923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
</saml:EncrypedID>
</saml:AttributeValue>
<saml:AttributeValue>
<!-- # ActingSubjectID - BSN:VI@RVIG (BSN voor BRP-Attributendienst)-->
<saml:EncrypedID>
<xenc:EncryptedData Id="_ed3457856888ad576a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<ds:KeyInfo>
<ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"URI="#_4567788aa31bbd4" />
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:00000002222222220000">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:KeyName>...</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>UtEw923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
</saml:EncrypedID>
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:core:LegalSubjectID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeValue>
<!-- # LegalSubjectID - KvK voor de EB)-->
<saml:EncryptedID>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6bc1c98ef545444da370efd74371ff6f" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod URI="#_105e787ebce14ea2b6655adb4d736b86" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" />
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>lx922tGEfI9T7WgoduHAZ941XA....</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_105e787ebce14ea2b6655adb4d736b86" Recipient="urn:etoegang:DV:00000001111111110000:entities:9613">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>022A8DEA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gNDIheioi3mgjeyCTviEXDui3.....</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#_6bc1c98ef545444da370efd74371ff6f" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
</saml:EncryptedID>
</saml:AttributeValue>
<! # LegalSubjectID - Geen KvK voor de dienstaanbieder.>
</saml:Attribute>
<!-- # CompanyName werkgever voor de EB.-->
<saml:EncryptedAttribute>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_67947663adfasdf9410780097b9bf2f04fa8" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:KeyName>57890EA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>WYuIOsaf1aNbZdRQPXepQjlw4Tg...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAttribute>
<!-- # Optionele Bedrijfs attributen (CompanyName) voor de EB.-->
<saml:EncryptedAttribute>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6974a3dsdf9410780097b9bf2f04fa8" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:EncryptionMethod>
<!-- # EB should recognise KeyName.-->
<ds:KeyInfo>
<ds:KeyName>57890EA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>WYuIOsaf1aNbZdRQPXepQjlw4Tg...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAttribute>
</saml2:AttributeStatement>
AttributeStatement
The <AttributeStatement> in the summary assertion MUST hold the relevant attribute values obtained in the assertions of the authentication process. The HM MUST NOT add any attributes that are not present in the gathered assertion.
<saml:AttributeStatement>
<saml:Attribute Name="urn:etoegang:core:ServiceUUID">
<saml:AttributeValue xsi:type="xs:string">1ff84f14-df64-11e4-ba1a-080027a35b78</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:core:AuthorizationRegistryID">
<saml:AttributeValue xsi:type="xs:string">urn:etoegang:AD:...</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:etoegang:core:ServiceUUID">
<saml:AttributeValue xsi:type="xs:string">0013c492-84cd-4c4b-8206-b13007ac2a1c</saml:AttributeValue>
</saml:Attribute>
<saml:EncryptedAttribute>
<xenc:EncryptedData Id="_copy_Encrypted_FirstName" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<ds:KeyInfo>
<ds:Keyname>...</ds:Keyname>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAttribute>
<saml:EncryptedAttribute>
<xenc:EncryptedData Id="_copy_Encrypted_18OrOlder" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<ds:KeyInfo>
<ds:Keyname>...</ds:Keyname>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAttribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:etoegang:core:ServiceID">
<saml:AttributeValue xsi:type="xs:string">urn:etoegang:DV:...:services:...</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:core:ServiceUUID">
<saml:AttributeValue xsi:type="xs:string">dd4dae83-0f35-4695-b24a-29d470a63ea7</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:KvKnr">
<saml:AttributeValue xsi:type="xs:string">12345678</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
<saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:etoegang:core:ServiceID">
<saml:AttributeValue xsi:type="xs:string">urn:etoegang:DV:...:services:...</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:core:ServiceUUID">
<saml:AttributeValue xsi:type="xs:string">dd4dae83-0f35-4695-b24a-29d470a63ea7</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:KvKnr">
<saml:AttributeValue xsi:type="xs:string">12345678</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:RSIN">
<saml:AttributeValue xsi:type="xs:string">987654321</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
<saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Rules for processing responses
On a successful authentication the HM MUST generate a 'Summary Assertion' based on the Assertions gathered during the authentication process, using the following processing rules.
- MUST sign the enclosed <Assertion> as well as the <Response> (and/or the enclosing <ArtifactResponse>).
- MUST verify each collected assertion has at minimum the Level of Assurance as requested by the DV. If verification fails, MUST handle the received responses as an unrecoverable error.
- MUST provide an <AuthnContextClassRef>:
- HM MUST provide an <Subject> with the following <NameID>
- HM MUST provide an <AttributeStatement> with the following <Attributes> and <EncryptedAttributes>
- IF DV connects to r1.13 (or newer) THEN
- the HM must copy all relevant information (see Interface specifications DV-HM) from the below sources to the ActingSubjectID attribute:
- MR-Assertion: XACMLAuthz-Decision.Subject.ActingSubjectID (EncryptedID)
- AD-assertion: Response.Assertion.AttributeStatement.ActingSubjectID.
- copy all relevant AD-assertion: AttributeStatement.EncryptedAttribute
- IF Representation THEN
- IF DV connects to r1.13 (or newer) THEN
- copy all relevant EncryptedID from MR-Assertion: XACMLAuthz-Decision.Subject.LegalSubjectID to <LegalSubjectID>
- copy all relevant EncryptedID from MR-Assertion: XACMLAuthz-Decision.Subject.ActingSubjectID to <ActingSubjectID>
- copy all relevant MR-assertion: XACMLAuthz-Decision.Resource.EncryptedAttribute
- IF DV connects to r1.11 (or older) AND Representation THEN copy MR-assertion: XACMLAuthz-Decision.Resource.EntityConcernedID
- copy MR-Assertion: XACMLAuthz-Decision.Statement.Request.Resource.ServiceID
- IF available copy all MR-assertion: XACMLAuthz-Decision.Resource.ServiceRestrictions
- IF Ketenmachtiging THEN copy MR2-Assertion: XACMLAuthz-Decision.Statement.Request.Resource.IntermediateEntityID
- MUST provide an <Advice>, by default filled with verbatim copy of all Assertions – so that original signatures over the assertions remains verifiable – gathered during the authentication process. HM MAY offer their DV to omit this information, if they archive this information and allow for later retrieval.
A receiving DV:
- MUST verify the response matches with the Request responded to.
- MUST validate the signature on the Assertion as well as the Response (and/or the enclosing ArtifactResponse). Message (elements) MUST be signed using a certificate as listed in the SAML metadata of the HM for the purpose of signing for an IDPSSODescriptor of the responding HM. (NB this should correspond to the certificate as published in the network metadata).
- SHOULD verify the structure and contents of the Response.
- SHOULD validate the signature and linking of the Evidence assertions.
- In case the receiving DV is a Dienstbemiddelaar, the Dienstbemiddelaar MUST provide a verbatim copy of the assertion – so that original signatures over the assertions remains verifiable – to the Dienstaanbieder (service supplier).
- IF the DV wants to decrypt urn:etoegang:1.12:EntityConcernedID:PseudoID or urn:etoegang:1.12:EntityConcernedID:BSN the DV must use preinstalled BSNk-keymaterial and software to obtain the actual identifier.
- IF the DV receives a pseudonym THEN the DV SHOULD create a mapping from the obtained Pseudonym to a user account, rather than using the obtained pseudoniem directly as unique key for an account.
- MUST decrypt an Encrypted Pseudonym or Encrypted Identity in the EncryptedID in the Attribute Statement of the Assertion using preinstalled keymaterial and software to obtain the actual identifier.
- SHOULD create a mapping from the obtained identifier to a user account, rather than using the obtained identifier directly as unique key for an account.
- MUST be able to handle an EncryptedID and EncryptedAttribute encrypted with multiple PKI-certificates, possibly for Multiple Recipients* (see SAML Encryption).
LogoutRequest
For single logout, the Single Logout Profile that is part of the SAML 2.0 Web Browser SSO Profile is applied, although considering that the logout message is sent to the AD via the HM. Only supported, is the DV's LogoutRequest where the user chooses to log out from the AD. The DV should never expect a LogoutRequest or a LogoutResponse. The interface for this message is described below.
@ID | SAML: Unique message characteristic |
|---|
@Version | SAML: Version of the SAML protocol. The value MUST be '2.0'. |
|---|
@IssueInstant | SAML: Time the message was created |
|---|
@Destination | SAML: URL of the HM on which the message is offered. |
|---|
NameID | Elektronische Toegangsdiensten: MUST contain a NameID element with the transient from the Subject of the concomitant AD assertion. This MUST NOT contain any identifier of the user. |
|---|
Issuer | Elektronische Toegangsdiensten: MUST contain the EntityID of the DV. |
|---|
Signature | Elektronische Toegangsdiensten: MUST contain the Digital signature of the DV for the envelopping message. |
|---|
RequestKeyMaterial
The DV may request the HM for DV-specific key material which the DV can use to decrypt the EncryptedPseudonym into a DV-specific pseudonym or BSN, as per AUC9 Verstrekken sleutelmateriaal Dienstverleners. The HM can request the keys at the BSNk (see Interface specifications aux HM-BSNk - ProvideDVkeys).
A PKIo-certificate of the DV is required, the PKIo-certificate MUST have a (extended) key usage that allows for keyEncipherment. If the DV may request a BSN, the PKIo-certificate MUST have a Subject.serialNumber containing the organizations OIN.
ProvideKeyMaterial
The Herkenningsmakelaar MUST transfer the PKIo-encrypted key material to the DV unaltered. The HM will receive the DV-keys from the BSNk (see Interface specifications aux HM-BSNk - ProvideDVkeys).
The DV can decrypt the DV-keys using its private key corresponding with the PKIo-certificate used in the request.
