DV-HM sequence diagram
This page describes the messages for the interface specification between a Dienstverlener (DV) (service provider) and a Herkenningsmakelaar (HM) (broker). For eIDAS Outbound, the eIDAS Berichtenservice acts as a DV, and as Dienstbemiddelaar (DB) for the BRP. Any statement on this page about the DV should therefore be interpreted as "DA (BRP) and/or EB".
The interface specification described in this document is used to implement the use case GUC1 Gebruiken eToegang als dienstafnemer (Use eToegang as service consumer) and MUST (with the exception of alternative Bindings) be implemented by every HM and offered to their customers, the DVs. This prevents lock-in and enables middleware suppliers to write generic code that works with all HMs.
In the interface described here, the use case GUC1 Gebruiken eToegang als dienstafnemer is implemented with a SAML 2.0 AuthnRequest and Response.
The specific contents of these messages are described below. A description in a message table that starts with 'SAML:' indicates that this is a standard value within the official SAML specification. A description with any other prefix indicates that the value is specific to this scheme.
This section describes regular Authentication Requests.
| Element/@Attribute | Cardinality | Description |
|---|---|---|
| @ID | 1 | SAML: Unique message identifier. MUST identify the message uniquely within the scope of the sender and receiver for a period of at least 12 months. |
| @Version | 1 | SAML: Version of the SAML protocol. The value MUST be '2.0'. |
| @IssueInstant | 1 | SAML: Time of issuing of the request. |
| @Destination | 1 | SAML: URL of the HM at which the message is offered. MUST match the HM's metadata. |
| @Consent | 0..1 | MAY be included. When Consent is included, the value MUST be urn:oasis:names:tc:SAML:2.0:consent:unspecified. |
| @ForceAuthn | 0..1 | The value 'true' indicates that an existing single sign-on session MUST NOT be used for the request in question. If the value is 'false' or empty, or the attribute is absent, the AD MUST use an existing SSO session if one exists and is applicable (see Single sign-on and user sessions RFC2390). |
| @IsPassive | 0..1 | MAY be included. If IsPassive is included, the value MUST be 'false'. |
| @ProtocolBinding | 0..1 | SAML: Specifies the binding used. MUST only be used when an @AssertionConsumerServiceURL is used; MUST NOT be used in combination with an @AssertionConsumerServiceIndex. |
| @AssertionConsumerServiceIndex | 0..1 | This attribute specifies, by index, the endpoint to which the HM sends the response for the DV. If present, this index MUST refer to an endpoint of an AssertionConsumerService in the DV metadata for HM. MUST NOT be present if @AssertionConsumerServiceURL is present. If neither @AssertionConsumerServiceIndex nor @AssertionConsumerServiceURL is present, the HM MUST send the response to the endpoint in the metadata that is marked with 'isDefault=true'. |
| @AssertionConsumerServiceURL | 0..1 | SAML: If present, the URL MUST point to a SAML endpoint acknowledged in the DV metadata for HM. If present, the participant MUST check whether the @AssertionConsumerServiceURL is included in the DV's metadata for HM. If it is not included in the metadata, the participant MUST reject the message with the status code RequestDenied. MUST NOT be present if @AssertionConsumerServiceIndex is present. |
| @AttributeConsumingServiceIndex | 0..1 | SAML: If present, MUST refer to an AttributeConsumingService in the DV's metadata. If absent, the AttributeConsumingService marked as default in the DV metadata for HM SHOULD be used. The AttributeConsumingService MUST contain exactly one attribute whose name is the same as a long formatted ServiceID. The AttributeConsumingService MAY contain attributes to be requested. |
| @ProviderName | 0..1 | (DV): MAY contain a more detailed description of the service, complementary to the entry in the service catalog; MAY NOT contain personally identifiable information. |
| Issuer | 1 | MUST contain the EntityID of the DV. |
| @NameQualifier | 0 | MUST NOT be included. |
| @SPNameQualifier | 0 | MUST NOT be included. |
| @Format | 0 | MUST NOT be included. |
| @SPProvidedID | 0 | MUST NOT be included. |
| Signature | 1 | MUST contain the digital signature of the DV for the enveloping message. |
| Extensions | 0 | MUST NOT be included. |
| Subject | 0 | MUST NOT be included. |
| NameIDPolicy | 0 | MUST NOT be included. |
| Conditions | 0 | MUST NOT be included. |
| RequestedAuthnContext | 0..1 | MAY be used to explicitly request a specific LoA. If specified, the HM summary response will communicate the detailed LoA rather than SAML 'unspecified'. If present, it MUST be used to request a LoA equal to or lower than the level of assurance specified in the service catalog. A lower LoA can for instance be used in requests to allow read-only access to services. If RequestedAuthnContext is absent, the request is further processed using the level of assurance (AuthnContextClassRef) specified in the service catalog for the requested service. |
| @Comparison | 1 | MUST use the value 'minimum'. |
| AuthnContextClassRef | 1 | MUST be one of the defined Level of assurance values. |
| Scoping | 0..1 | MUST be included when an AD is pre-selected by the user at the DV; MUST NOT be included otherwise. |
| IDPList | 1 | MUST be present in case of pre-selection of an AD. |
| IDPEntry | 1 | MUST be present in case of pre-selection of an AD. |
| @ProviderID | 1 | EntityID of the AD selected by the user. |
| @Name | 0 | MUST NOT be present. |
| @Loc | 0..1 | If an AD has multiple endpoints in the Network metadata, the endpoint selected by the user MUST be provided. |
A requesting DV:

- The list of ADs for eHerkenning as returned by the service requestADList no longer contains the eIDAS Berichtenservice.
- Additionally, a DV MUST present a separate "eIDAS" login option, allowing the user to opt for the eIDAS-berichtenservice as the AD for login with an eIDAS authentication scheme from another eIDAS member state.

A responding HM:

- MUST determine the branding to use based on the service classifier specified by the DV.
- If one of the criteria is not met, the HM must handle this as a non-recoverable error (see Error handling).

Note: When an HM receives a DV request on a specific version of the DV-HM interface, it should only show ADs that list eme:version in the Metadata with the same or a higher version.
Note: When an HM receives a response from an AD, and the AD specifies an MR that is not of the same version, the HM must handle this as a non-recoverable error.
With regard to determining the user's choice of AD/MR, the following processing rules apply:
Note: The examples below show only the AuthnRequest. Additional wrapping elements can be present in case of HTTP Artifact binding.
```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_6984066c-de03-11e4-a571-080027a35b78"
    ForceAuthn="true" IsPassive="false"
    Destination="https://..."
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    AssertionConsumerServiceURL="https://"
    AttributeConsumingServiceIndex="1"
    IssueInstant="2015-04-08T16:30:03Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:DV:...</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <!-- the enveloped signature references the AuthnRequest by its own ID -->
      <ds:Reference URI="#_6984066c-de03-11e4-a571-080027a35b78">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>...</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_2962ac7c-de04-11e4-9801-080027a35b78"
    Destination="https://..."
    IssueInstant="2015-04-08T16:30:07Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:DV:...</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_2962ac7c-de04-11e4-9801-080027a35b78">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>...</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>
```
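As an added illustration (not code from the eToegang specification or from any HM implementation), the Python validator below encodes the MUST/MUST NOT rules of the AuthnRequest table as the receiver-side checks an HM would run before processing a request, including a replay check on @ID and the structural shape of the enveloped signature seen in the examples above (Reference URI pointing at the request's own ID, enveloped-signature transform). It does not verify the signature cryptographically. The HM endpoint, the DV metadata for HM, the DV EntityID and the ordering of assurance classes (the page itself names only loa3) are constructed assumptions, and the sample requests are built in the shape of the first example above.

```python
"""Receiver-side (HM) checks for a DV AuthnRequest against the rules in the
table above. Structural checks only: the XML signature is not verified here."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CONSENT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Assumed ordering of assurance classes, lowest first (the page names only loa3).
LOA_ORDER = ["urn:etoegang:core:assurance-class:loa2",
             "urn:etoegang:core:assurance-class:loa2plus",
             "urn:etoegang:core:assurance-class:loa3",
             "urn:etoegang:core:assurance-class:loa4"]
# Constructed stand-ins for the HM endpoint and the DV's metadata for HM.
HM_DESTINATION = "https://hm.example/saml/authn"
DV_METADATA = {"entity_id": "urn:etoegang:DV:example-dv",
               "acs_urls": {"https://dv.example/acs"},
               "catalog_loa": "urn:etoegang:core:assurance-class:loa3"}


def validate_authn_request(xml_text, dv_meta, hm_destination, seen_ids):
    """Return the list of violations ([] means accepted); seen_ids is the HM's
    store of already accepted request IDs, used for the replay check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    a, p = root.attrib, []

    def need(ok, msg):  # record msg when a rule is not met
        if not ok:
            p.append(msg)

    req_id = a.get("ID", "")
    need(req_id, "@ID missing")
    need(req_id not in seen_ids, "@ID already seen: possible replay")
    need(a.get("Version") == "2.0", "@Version MUST be '2.0'")
    need("IssueInstant" in a, "@IssueInstant missing")
    need(a.get("Destination") == hm_destination, "@Destination does not match the HM metadata")
    need(a.get("Consent", CONSENT_UNSPECIFIED) == CONSENT_UNSPECIFIED, "@Consent MUST be consent:unspecified when present")
    need(a.get("IsPassive", "false") == "false", "@IsPassive MUST be 'false' when present")
    acs_url = a.get("AssertionConsumerServiceURL")
    need(not (acs_url and "AssertionConsumerServiceIndex" in a), "ACS URL and ACS Index MUST NOT both be present")
    need(acs_url or "ProtocolBinding" not in a, "@ProtocolBinding is only allowed with @AssertionConsumerServiceURL")
    need(not acs_url or acs_url in dv_meta["acs_urls"], "ACS URL not in DV metadata for HM: reject with RequestDenied")
    issuer = root.find("saml:Issuer", NS)
    need(issuer is not None and (issuer.text or "").strip() == dv_meta["entity_id"], "Issuer MUST be the EntityID of the DV")
    need(issuer is None or not set(issuer.attrib) & {"NameQualifier", "SPNameQualifier", "Format", "SPProvidedID"},
         "Issuer MUST NOT carry NameQualifier/SPNameQualifier/Format/SPProvidedID")
    for child in ("samlp:Extensions", "saml:Subject", "samlp:NameIDPolicy", "saml:Conditions"):
        need(root.find(child, NS) is None, child + " MUST NOT be included")
    sig = root.find("ds:Signature", NS)
    need(sig is not None, "Signature missing")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    need(ref is not None and ref.get("URI") == "#" + req_id, "Signature Reference URI MUST point at this request's @ID")
    need(ref is not None and ENVELOPED in [t.get("Algorithm") for t in ref.iterfind("ds:Transforms/ds:Transform", NS)],
         "Signature MUST use the enveloped-signature transform")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is not None:
        need(rac.get("Comparison") == "minimum", "RequestedAuthnContext/@Comparison MUST be 'minimum'")
        refs = rac.findall("saml:AuthnContextClassRef", NS)
        loa = (refs[0].text or "").strip() if len(refs) == 1 else None
        need(loa in LOA_ORDER, "exactly one known AuthnContextClassRef is required")
        need(loa not in LOA_ORDER or LOA_ORDER.index(loa) <= LOA_ORDER.index(dv_meta["catalog_loa"]),
             "requested LoA is higher than the service catalog LoA")
    scoping = root.find("samlp:Scoping", NS)
    if scoping is not None:
        entries = scoping.findall("samlp:IDPList/samlp:IDPEntry", NS)
        need(len(entries) == 1 and entries[0].get("ProviderID"), "Scoping MUST carry exactly one IDPEntry with @ProviderID")
        need(not entries or "Name" not in entries[0].attrib, "IDPEntry/@Name MUST NOT be present")
    if not p:
        seen_ids.add(req_id)  # accepted: remember the ID for the replay check
    return p


def sample_request(req_id, acs_url, comparison, ref_uri):
    """Constructed request shaped like the first example above; digest and
    signature values are placeholders because the signature is not verified."""
    samlp, saml, ds, issuer, loa3 = NS["samlp"], NS["saml"], NS["ds"], DV_METADATA["entity_id"], LOA_ORDER[2]
    return f'''<samlp:AuthnRequest xmlns:samlp="{samlp}" ID="{req_id}" ForceAuthn="true"
  IsPassive="false" Destination="{HM_DESTINATION}" AssertionConsumerServiceURL="{acs_url}"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
  AttributeConsumingServiceIndex="1" IssueInstant="2015-04-08T16:30:03Z" Version="2.0">
  <saml:Issuer xmlns:saml="{saml}">{issuer}</saml:Issuer>
  <ds:Signature xmlns:ds="{ds}"><ds:SignedInfo><ds:Reference URI="{ref_uri}">
    <ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
    <ds:DigestValue>...</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <samlp:RequestedAuthnContext Comparison="{comparison}">
    <saml:AuthnContextClassRef xmlns:saml="{saml}">{loa3}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>'''


GOOD_ID = "_6984066c-de03-11e4-a571-080027a35b78"  # the ID used in the first example above
GOOD_REQUEST = sample_request(GOOD_ID, "https://dv.example/acs", "minimum", "#" + GOOD_ID)
# Constructed faulty request: unknown ACS URL, Comparison 'exact', blank Reference URI.
BAD_REQUEST = sample_request(GOOD_ID, "https://other.example/acs", "exact", " ")
```

Validating GOOD_REQUEST twice with the same seen_ids set returns [] the first time and the replay violation the second; BAD_REQUEST yields three violations (ACS URL not in metadata, so RequestDenied; Comparison not 'minimum'; Reference URI not pointing at the request ID). Rejections are returned as a list rather than raised on the first failure so that an HM can log every rule a request broke.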