View Source

For chain authorizations (Vervallen_Interface specifications HM-MR chain authorization), the identification number of the represented service consumer are included in the assertion for the HM in the same way as for single authorizations. The additional information about the chain is stored in a separate attribute.

Note: The HM will not identify the MRs from which the underlying assertions originate. Additional attributes relate to the represented service consumer or the user. There is no mechanism to include an additional attribute that relates specifically to an intermediary.

Element/@Attribute	0..n	Description
@ID	1	SAML: Unique message characteristic. MUST identify the message uniquely within the scope of the sender and receiver for a period of at least 12 months.
@InResponseTo	1	SAML: Unique attribute of the AuthnRequest for which this Response message is the answer.
@Version	1	SAML: Version of the SAML protocol. The value MUST be '2.0'.
@IssueInstant	1	SAML: Time of issuing of the Response.
@Destination	1	SAML: URL of the endpoint of the DV on which the message is offered. MUST match the DV's metadata.
@Consent	0..1	: MAY be included. When Consent is included, the default value MUST contain urn:oasis:names:tc:SAML:2.0:consent:unspecified.
Issuer	1	: MUST contain the EntityID of the HM.
@NameQualifier	0	: MUST NOT be included.
@SPNameQualifier	0	: MUST NOT be included.
@Format	0	: MUST NOT be included.
@SPProvidedID	0	: MUST NOT be included.
Signature	0..1	: MUST contain the Digital signature of the HM for the enveloping message. When communicated within a ArtifactResolveResponse the signature on the SAML:Response MAY be omitted, since the parent message already guarantees the integrity.
Extensions	0	: MUST NOT be included.
Status	1	: MUST contain a StatusCode element with the status of the authentication. See Error handling.
StatusCode	1	SAML: MUST be present in a Status element.
@Value	1	If not 'success' additional information should be provided. (conform specifications).
StatusCode	0..1	Only present if top-level StatusCode is not 'success'.
@Value	1	In the event of a cancellation or error, the element MUST be populated with the value AuthnFailed. See Error handling.
StatusMessage	0..1	Only present if top-level StatusCode is not 'success'.
StatusDetail	0	: MUST NOT be included.
Assertion	0..1	: MUST contain the <Assertion> that is delivered in the response, if the request was processed successfully. See below.
EncryptedAssertion	0	: MUST NOT be included.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_5e702d5c-de06-11e4-a5a1-080027a35b78"
    InResponseTo="6984066c-de03-11e4-a571-080027a35b78"
    Version="2.0"
    Destination="https://..."
    IssueInstant="2015-04-08T16:30:06Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_5e702d5c-de06-11e4-a5a1-080027a35b78">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0"
        ID="_535162e2-de06-11e4-98a2-080027a35b78"
        IssueInstant="2015-04-08T16:30:05Z">
        <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
        ...
    </saml:Assertion>
</samlp:Response>

HM Summary assertion

This paragraph describes a HM summary <Assertion>

Element/@Attribute	0..1	Description
@ID	1	SAML: MUST identify the <Assertion> uniquely within the scope of the Issuer for a period of at least 12 months.
@Version	1	SAML: Version of the SAML protocol. The value MUST be '2.0'.
@IssueInstant	1	SAML: Time of issuing of the assertion.
Issuer	1	: MUST contain the EntityID of the HM
@NameQualifier	0	: MUST NOT be included.
@SPNameQualifier	0	: MUST NOT be included.
@Format	0	: MUST NOT be included.
@SPProvidedID	0	: MUST NOT be included.
Signature	1	: MUST contain the Digital signature of the Issuer (HM) for the enveloping Assertion.
Subject	1	: MUST be included.
BaseID	0	: MUST NOT be included.
NameID	0..1	Rules for processing request requires NameID to contain a TransientID or an ActingEntityID (DV connects to r1.09 or older, for older specifications see https://afsprakenstelsel.etoegang.nl/display/archief/Archief).
EncryptedID	0..1	Elektronische Toegangsdiensten: MUST NOT be included.
SubjectConfirmation	1...2	SAML: Contains the SubjectConfirmation conform the WebSSO profile. Other SubjectConfirmation or SubjectConfirmationData elements MUST NOT be included.
Conditions	1	: MUST be included.
@NotBefore	1	: MUST be included.
@NotOnOrAfter	0..1	: MAY be included.
Condition	0	: MUST NOT be used.
AudienceRestriction	1	SAML: MUST be included.
Audience	1	: Contains the EntityID(s) for all relevant parties that are intended to receive and process this assertion, as per SAML WebSSO profile. In case of Dienstbemiddeling (service intermediation), both the Dienstaanbieder (service supplier) and Dienstbemiddelaar (service intermediary) are a relevant party and must be listed as audience. For a Dienstaanbieder for whom only the OIN is known, the notation 'urn:etoegang:DV:<OIN>' is to be used.
ProxyRestriction	0	: MUST NOT be included.
Advice	0..1	: SHOULD be included. See below under processing rules.
AssertionIDRef	0	: MUST NOT be included.
AssertionURIRef	0	: MUST NOT be included.
Assertion	1	: Contains the original <Assertion> elements this assertion is composed of.
EncryptedAssertion	0	: MUST NOT be included.
AuthnStatement	1	: MUST be included. The AuthenticatingAuthority element MUST be populated with the EntityID of the AD that performed the authentication.
@AuthnInstant	1	: MUST contain the time of authentication.
@SessionIndex	0..1	: MAY be included.
AuthnContext	1	: MUST be included.
AuthnContextClassRef	1	: MUST be included. Contains either the value 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified' (default) or the obtained effective Level of assurance, see below under "rules for processing responses".
AttributeStatement	1	: MUST contain an <AttributeStatement> in accordance with the following section and the rules for processing responses.

<saml:Assertion Version="2.0"
    ID="_535162e2-de06-11e4-98a2-080027a35b78"
    IssueInstant="2015-04-08T16:30:05Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_535162e2-de06-11e4-98a2-080027a35b78">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>...</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>        
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:etoegang:DV:...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:Advice>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
    </saml:Advice>
    <saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion>

 <saml:Assertion Version="2.0"
    ID="_535162e2-de06-11e4-98a2-080027a35b78"
    IssueInstant="2015-04-08T16:30:05Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        ...
    </ds:Signature>
    <saml:Subject>        
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:etoegang:DV:...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:Advice>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
    </saml:Advice>
    <saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion>

 Vraag het op bij de BO / Ask BO

 <saml:Assertion Version="2.0"
    ID="_535162e2-de06-11e4-98a2-080027a35b78"
    IssueInstant="2015-04-08T16:30:05Z">
    <saml:Issuer>urn:etoegang:HM:...</saml:Issuer>
    <ds:Signature>
        ...
    </ds:Signature>
    <saml:Subject>       
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://..." NotOnOrAfter="2015-04-08T16:40:03Z" InResponseTo="_6984066c-de03-11e4-a571-080027a35b78"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-04-08T16:29:04Z" NotOnOrAfter="2015-04-08T17:00:04Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:etoegang:DV:...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:Advice>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:AD:...</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
        <saml:Assertion IssueInstant="2015-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer>urn:etoegang:KR:...</saml:Issuer>
            <!-- Verbatim copy of KR declaration of sectoral identity contents -->
        </saml:Assertion>
    </saml:Advice>
    <saml:AuthnStatement AuthnInstant="2015-04-08T16:30:04Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion>

<saml2:Assertion ID="_67d2200a8bd8401dc1b7274106731ca6" IssueInstant="2019-02-26T10:35:43.000Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:HM:00000003271247010000:entities:7611</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_67d2200a8bd8401dc1b7274106731ca6">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>f04a58c387f4f8b5f1fa3a614f79f073f3f08953</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ed3d5655-b6ee-47bf-87d5-fb77302e14b4</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:SubjectConfirmationData InResponseTo="_d3fda417414c17b2667995961cf79fc5" NotOnOrAfter="2019-02-26T10:37:39Z" Recipient="https://brk.eid-tst.ad.nl/brk/HM1CServiceProvider" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml2:Conditions NotBefore="2019-02-26T10:35:43Z" NotOnOrAfter="2019-02-26T10:37:43Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:AudienceRestriction>
            <saml2:Audience>urn:etoegang:DV:00000001111111110000:entities:9113</saml2:Audience>
            <saml2:Audience>urn:etoegang:DV:00000002222222220000:entities:9613</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-04-08T16:30:07Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml2:Advice>
        <saml:Assertion IssueInstant="2019-04-08T16:30:04Z" ID="_8a792d9e-de07-11e4-9db2-080027a35b78" Version="2.0">
            <saml:Issuer> urn:etoegang:AD:00000004444444445001:entities:9042</saml:Issuer>
            <!-- Verbatim copy of AD declaration of identity contents -->
        </saml:Assertion>
        <saml:Assertion IssueInstant="2019-04-08T16:30:07Z" ID="dd4dae83-0f35-4695-b24a-29d470a63ea7" Version="2.0">
            <saml:Issuer> urn:etoegang:MR:00000005555555555001:entities:9042</saml:Issuer>
            <!-- Verbatim copy of MR declaration of identity contents -->
        </saml:Assertion>
    </saml2:Advice>
    <saml2:AuthnStatement AuthnInstant="2019-02-26T10:35:43Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml2:AuthnContextClassRef>
            <saml2:AuthenticatingAuthority>urn:etoegang:AD:00000004444444445001:entities:9042</saml2:AuthenticatingAuthority>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        . . . . . 
    </saml2:AttributeStatement>
</saml2:Assertion>

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">dafca82e-4806-408e-956e-3a7092643e54</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:etoegang:core:ServiceID">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:etoegang:DV:00000001111111110000:services:8002</saml2:AttributeValue>
    </saml2:Attribute>
    <saml:Attribute Name="urn:etoegang:core:Representation" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">true</saml:AttributeValue>
    </saml:Attribute>
    <!-- igv de service via de Service Catalog vraagt om een ServiceRestriction en de MR-->
    <!-- heeft een service restriction bij de machtiging. Vb restrictie op KvK Vestigingsnr-->
    <saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
        <saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:ActingSubjectID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>
            <!-- # ActingSubjectID - BSN:VP@RVO (PseudoID voor de EB) -->
            <saml:EncrypedID>
                <xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo>
                        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"URI="#_15531f42aa31bbd4" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>...</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:00000001111111110000:entities:9613">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:KeyName>...</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>yRy923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncrypedID>
        </saml:AttributeValue>
        <saml:AttributeValue>
            <!-- # ActingSubjectID - BSN:VI@RVIG (BSN voor BRP-Attributendienst)-->
            <saml:EncrypedID>
                <xenc:EncryptedData Id="_ed3457856888ad576a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo>
                        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"URI="#_4567788aa31bbd4" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>...</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:00000002222222220000">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:KeyName>...</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>UtEw923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncrypedID>
        </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:LegalSubjectID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>
            <!-- # LegalSubjectID - KvK voor de EB)-->
            <saml:EncryptedID>
                <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6bc1c98ef545444da370efd74371ff6f" Type="http://www.w3.org/2001/04/xmlenc#Element">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:RetrievalMethod URI="#_105e787ebce14ea2b6655adb4d736b86" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>lx922tGEfI9T7WgoduHAZ941XA....</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_105e787ebce14ea2b6655adb4d736b86" Recipient="urn:etoegang:DV:00000001111111110000:entities:9613">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:KeyName>022A8DEA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>gNDIheioi3mgjeyCTviEXDui3.....</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_6bc1c98ef545444da370efd74371ff6f" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncryptedID>
        </saml:AttributeValue>
        <! # LegalSubjectID - Geen KvK voor de dienstaanbieder.>
    </saml:Attribute>
    <!-- # CompanyName werkgever voor de EB.-->
    <saml:EncryptedAttribute>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_67947663adfasdf9410780097b9bf2f04fa8" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            </xenc:EncryptionMethod>
            <ds:KeyInfo>
                <ds:KeyName>57890EA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>WYuIOsaf1aNbZdRQPXepQjlw4Tg...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
    <!-- # Optionele Bedrijfs attributen (CompanyName) voor de EB.-->
    <saml:EncryptedAttribute>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6974a3dsdf9410780097b9bf2f04fa8" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            </xenc:EncryptionMethod>
            <!-- # EB should recognise KeyName.-->
            <ds:KeyInfo>
                <ds:KeyName>57890EA6C6F6CFA466BF18AF714F4CD0611DF3A4CAF23CF67B8BB8F7FC07CAF</ds:KeyName>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>WYuIOsaf1aNbZdRQPXepQjlw4Tg...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
</saml2:AttributeStatement>

AttributeStatement

The <AttributeStatement> in the summary assertion MUST hold the relevant attribute values obtained in the assertions of the authentication process. The HM MUST NOT add any attributes that are not present in the gathered assertion.

Element/@Attribute	0..1	Description
Attribute	0..n	: Depending on Rules for processing request: one or more ActingSubjectID's one or more LegalSubjectID one or more EntityConcernedID ServiceID as multi-valued XACML attribute exactely one IntermediateEntityID, the identity of Intermediate one or more ServiceRestrictions, eg ServiceRestriction:Vestigingsnr In case of Ketenmachtiging, MUST contain the attribute IntermediateEntityID.
EncryptedAttribute	0..n	Depending on Rules for processing request one or more EncryptedAttributes requested by the DV and provided by the AD and/or MR

<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">1ff84f14-df64-11e4-ba1a-080027a35b78</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:AuthorizationRegistryID">
        <saml:AttributeValue xsi:type="xs:string">urn:etoegang:AD:...</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">0013c492-84cd-4c4b-8206-b13007ac2a1c</saml:AttributeValue>
    </saml:Attribute>
    <saml:EncryptedAttribute>
        <xenc:EncryptedData Id="_copy_Encrypted_FirstName" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <ds:KeyInfo>
                <ds:Keyname>...</ds:Keyname>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
    <saml:EncryptedAttribute>
        <xenc:EncryptedData Id="_copy_Encrypted_18OrOlder" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <ds:KeyInfo>
                <ds:Keyname>...</ds:Keyname>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAttribute>
</saml:AttributeStatement>

<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceID">
        <saml:AttributeValue xsi:type="xs:string">urn:etoegang:DV:...:services:...</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">dd4dae83-0f35-4695-b24a-29d470a63ea7</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:KvKnr">
        <saml:AttributeValue xsi:type="xs:string">12345678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
        <saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

<saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ServiceID">
        <saml:AttributeValue xsi:type="xs:string">urn:etoegang:DV:...:services:...</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string">dd4dae83-0f35-4695-b24a-29d470a63ea7</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:KvKnr">
        <saml:AttributeValue xsi:type="xs:string">12345678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:EntityConcernedID:RSIN">         
        <saml:AttributeValue xsi:type="xs:string">987654321</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:1.9:ServiceRestriction:Vestigingsnr">
        <saml:AttributeValue xsi:type="xs:string">123456789012</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

Rules for processing responses

On a successful authentication the HM MUST generate a 'Summary Assertion' based on the Assertions gathered during the authentication process, using the following processing rules.

MUST sign the enclosed <Assertion> as well as the <Response> (and/or the enclosing <ArtifactResponse>).
MUST verify each collected assertion has at minimum the Level of Assurance as requested by the DV. If verification fails, MUST handle the received responses as an unrecoverable error.
MUST provide an <AuthnContextClassRef>:
- By default fill the AuthnContextClassRef with the value 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'.
- When a DV explicitly requests a detailed LoA by including an AuthnContextClassRef in its AuthnRequest (see above): .
HM MUST provide an <Subject> with the following <NameID>
- IF DV connects to r1.13 (or newer) AND non-represenation THEN copy AD-assertion: Subject.NameID.TransientID
- IF DV connects to r1.13 (or newer) AND representation THEN copy MR-assertion: Subject.NameID.TransientID
- IF DV connects to r1.11 (or older) THEN copy MR-assertion: XACMLAuthz-Decision.Subject.ActingEntityID
HM MUST provide an <AttributeStatement> with the following <Attributes> and <EncryptedAttributes>
- IF DV connects to r1.13 (or newer) THEN
  - the HM must copy all relevant information (see Interface specifications DV-HM) from the below sources to the ActingSubjectID attribute:
    - MR-Assertion: XACMLAuthz-Decision.Subject.ActingSubjectID (EncryptedID)
    - AD-assertion: Response.Assertion.AttributeStatement.ActingSubjectID.
    - copy all relevant AD-assertion: AttributeStatement.EncryptedAttribute
- IF Representation THEN
  - IF DV connects to r1.13 (or newer) THEN
    - copy all relevant EncryptedID from MR-Assertion: XACMLAuthz-Decision.Subject.LegalSubjectID to <LegalSubjectID>
    - copy all relevant EncryptedID from MR-Assertion: XACMLAuthz-Decision.Subject.ActingSubjectID to <ActingSubjectID>
    - copy all relevant MR-assertion: XACMLAuthz-Decision.Resource.EncryptedAttribute
  - IF DV connects to r1.11 (or older) AND Representation THEN copy MR-assertion: XACMLAuthz-Decision.Resource.EntityConcernedID
  - copy MR-Assertion: XACMLAuthz-Decision.Statement.Request.Resource.ServiceID
  - IF available copy all MR-assertion: XACMLAuthz-Decision.Resource.ServiceRestrictions
  - IF Ketenmachtiging THEN copy MR2-Assertion: XACMLAuthz-Decision.Statement.Request.Resource.IntermediateEntityID

- MUST provide an <Advice>, by default filled with verbatim copy of all Assertions – so that original signatures over the assertions remains verifiable – gathered during the authentication process. HM MAY offer their DV to omit this information, if they archive this information and allow for later retrieval.

NOTE: When copying encrypted XML elements (<EncryptedID>, <EncryptedAttribute>) to create the summary declaration the HM MUST substitute used XML identifiers to point at the EncryptedTypes for a guaranteed unique identifier. This MAY be accomplished by pre- or suffixing the used identifier in the copy.

(Rationale: @ID values must uniquely identify the elements which bear them. Identifiers that appear once in the summary assertion and once in the advice assertion(s) will break schema validation of assertions).

All relevant

all <EncryptedID> or <EncryptedAttribute> elements except those encrypted for MR

A receiving DV:

MUST verify the response matches with the Request responded to.
MUST validate the signature on the Assertion as well as the Response (and/or the enclosing ArtifactResponse). Message (elements) MUST be signed using a certificate as listed in the SAML metadata of the HM for the purpose of signing for an IDPSSODescriptor of the responding HM. (NB this should correspond to the certificate as published in the network metadata).
SHOULD verify the structure and contents of the Response.
SHOULD validate the signature and linking of the Evidence assertions.
In case the receiving DV is a Dienstbemiddelaar, the Dienstbemiddelaar MUST provide a verbatim copy of the assertion – so that original signatures over the assertions remains verifiable – to the Dienstaanbieder (service supplier).
IF the DV wants to decrypt urn:etoegang:1.12:EntityConcernedID:PseudoID or urn:etoegang:1.12:EntityConcernedID:BSN the DV must use preinstalled BSNk-keymaterial and software to obtain the actual identifier.
IF the DV receives a pseudonym THEN the DV SHOULD create a mapping from the obtained Pseudonym to a user account, rather than using the obtained pseudoniem directly as unique key for an account.
MUST decrypt an Encrypted Pseudonym or Encrypted Identity in the EncryptedID in the Attribute Statement of the Assertion using preinstalled keymaterial and software to obtain the actual identifier.
SHOULD create a mapping from the obtained identifier to a user account, rather than using the obtained identifier directly as unique key for an account.
MUST be able to handle an EncryptedID and EncryptedAttribute encrypted with multiple PKI-certificates, possibly for Multiple Recipients* (see SAML Encryption).

Handling multiple PKI-certificates (of the same recipient) is important for a decent PKI-certificate replacement proces and portal-request functionality. Handling multiple recipients is important for Service Intermediation functionality and for Robustness purposes (eg in case of copy errors at HM).

NB. HM should check DV ability of handling Multiple Recipients in the DV onboardingproces or handle Multiple Recipients on behalve of the DV!

LogoutRequest

For single logout, the Single Logout Profile that is part of the SAML 2.0 Web Browser SSO Profile is applied, although considering that the logout message is sent to the AD via the HM. Only supported, is the DV's LogoutRequest where the user chooses to log out from the AD. The DV should never expect a LogoutRequest or a LogoutResponse. The interface for this message is described below.

@ID	SAML: Unique message characteristic
@Version	SAML: Version of the SAML protocol. The value MUST be '2.0'.
@IssueInstant	SAML: Time the message was created
@Destination	SAML: URL of the HM on which the message is offered.
NameID	: MUST contain a NameID element with the transient from the Subject of the concomitant AD assertion. This MUST NOT contain any identifier of the user.
Issuer	: MUST contain the EntityID of the DV.
Signature	: MUST contain the Digital signature of the DV for the envelopping message.

RequestKeyMaterial

The DV may request the HM for DV-specific key material which the DV can use to decrypt the EncryptedPseudonym into a DV-specific pseudonym or BSN, as per AUC9 Verstrekken sleutelmateriaal Dienstverleners. The HM can request the keys at the BSNk (see Interface specifications aux HM-BSNk - ProvideDVkeys).

A PKIo-certificate of the DV is required, the PKIo-certificate MUST have a (extended) key usage that allows for keyEncipherment. If the DV may request a BSN, the PKIo-certificate MUST have a Subject.serialNumber containing the organizations OIN.

ProvideKeyMaterial

The Herkenningsmakelaar MUST transfer the PKIo-encrypted key material to the DV unaltered. The HM will receive the DV-keys from the BSNk (see Interface specifications aux HM-BSNk - ProvideDVkeys).

The DV can decrypt the DV-keys using its private key corresponding with the PKIo-certificate used in the request.