DB-DA sequence diagram

This paragraph describes the reference architecture and the interface specification for the DB-DA interface, for use with a machine-to-machine interface based on WebServices (SOAP).


This reference architecture describes the interface offered by a Dienstaanbieder (DA) (service supplier) for use by a Dienstbemiddelaar (DB) (service intermediary), in the case of a WebService interface based on SOAP in a Dienstbemiddeling use case. By nature, the exact interface specification and its contents depend on the service(s) offered and are specific to their context.

The generic reference architecture for such a SOAP WebService with Dienstbemiddeling is shown in the DB-DA sequence diagram.

A practical implementation for providing the Assertion and a signature can follow the WS-Security SAML Token Profile for the holder-of-key Subject Confirmation Method. In addition to the SAML token, a WS-Security Signature (which can be based on the WS-Security X.509 Token Profile) over both the SAML Assertion and the SOAP Body is present, to bind the Declaration to the request body. The example below is based on these specifications.


<?xml version="1.0"?>
<soap:Envelope xmlns:soap="..." xmlns:wsse="..." xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="..." xmlns:wsu="...">

  <soap:Header>

    <wsse:Security>

      <!-- eToegang SAML Assertion applicable to the SOAP request, authenticating the user -->
      <saml:Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2016-02-05T10:06:02Z">
        <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
        <!-- Signature over the assertion by the HM -->
        <ds:Signature>
          ...
        </ds:Signature>
        <saml:Subject>
          <saml:EncryptedID NameQualifier="..." Format="">...</saml:EncryptedID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="_52B816C631C564BACF59E758CBA91718" NotOnOrAfter="2016-02-05T10:11:48Z" Recipient="https://..."/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2016-02-05T10:06:03.173Z" NotOnOrAfter="2016-02-05T10:11:33.173Z"/>
        <saml:AttributeStatement>
          ...
        </saml:AttributeStatement>
      </saml:Assertion>

      <!-- WS-Security Signature by the DB over the SOAP Body and the eToegang SAML Assertion, to bind message and assertion together and prove authenticity -->
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <!-- Signature covers the SOAP Body: -->
          <ds:Reference URI="#MsgBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>...</ds:DigestValue>
          </ds:Reference>
          <!-- Signature covers the eToegang SAML Assertion: -->
          <ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>CN=...,...,O=...,C=NL</ds:X509IssuerName>
              <ds:X509SerialNumber>...834756978854956...</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>

    </wsse:Security>

  </soap:Header>

  <soap:Body wsu:Id="MsgBody">

    <!-- Actual SOAP request from the user to the DA -->
    <MyRequest xmlns="...">
      <RequestDetails>...</RequestDetails>
      ...
    </MyRequest>

  </soap:Body>

</soap:Envelope>
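A DA-side structural pre-check of the envelope layout shown above, as an added example that is not part of the eToegang specification: it confirms that the DB's WS-Security signature references both the soap:Body and the SAML Assertion (ignoring the HM signature nested inside the Assertion) and that the Assertion's Conditions window contains the current time. The namespace URIs and the sample envelope are assumptions; this check complements, and does not replace, cryptographic verification of the XML-DSig signatures.

```python
# Added example (not from the eToegang spec): a DA-side structural pre-check that
# the DB's WS-Security signature references BOTH the soap:Body and the SAML
# Assertion, and that the assertion's Conditions window contains `now`. It does
# not verify XML-DSig cryptography; run it before (not instead of) the real
# signature verification. Namespace URIs and sample values are assumed.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# SAML timestamps end in Z; fromisoformat() needs an explicit +00:00 offset
parse_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))

def check_envelope(xml_text, now):
    """Return a list of findings; an empty list means the structure is acceptable."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    assertion = sec.find("saml:Assertion", NS) if sec is not None else None
    if body is None or assertion is None:
        return ["missing soap:Body or saml:Assertion inside wsse:Security"]
    # Only signatures that are direct children of wsse:Security are DB signatures;
    # the HM signature nested inside the Assertion must not count as coverage.
    covered = {ref.get("URI") for sig in sec.findall("ds:Signature", NS)
               for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    findings = []
    if "#%s" % body.get("{%s}Id" % NS["wsu"]) not in covered:
        findings.append("DB signature does not cover soap:Body")
    if "#%s" % assertion.get("ID") not in covered:
        findings.append("DB signature does not cover saml:Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        findings.append("assertion has no Conditions or is outside its validity window")
    return findings

# Constructed sample mirroring the spec's example (placeholders filled in)
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
 xmlns:ds="%(ds)s" xmlns:saml="%(saml)s"><soap:Header><wsse:Security>
<saml:Assertion ID="_a75adf55" IssueInstant="2016-02-05T10:06:02Z">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a75adf55"/></ds:SignedInfo></ds:Signature>
 <saml:Conditions NotBefore="2016-02-05T10:06:03.173Z" NotOnOrAfter="2016-02-05T10:11:33.173Z"/>
</saml:Assertion><ds:Signature><ds:SignedInfo>
 <ds:Reference URI="#MsgBody"/><ds:Reference URI="#_a75adf55"/>
</ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="MsgBody"><MyRequest/></soap:Body></soap:Envelope>""" % NS
```

Calling `check_envelope(SAMPLE, parse_ts("2016-02-05T10:08:00Z"))` returns an empty list; dropping either ds:Reference from the DB signature, or moving `now` outside the Conditions window, produces the corresponding finding.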