<?xml version="1.0" encoding="UTF-8"?> <xs:schema targetNamespace="urn:etoegang:1.9:samlp-extension" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="RequestedAttributes"> <xs:complexType> <xs:sequence> <xs:element ref="md:RequestedAttribute" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> |
<?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:esp="urn:etoegang:1.9:samlp-extension" ID="_4b5af9ca-33ef-400f-9c97-398ab0c8e9c7" Destination="https://..." ForceAuthn="true" AssertionConsumerServiceIndex="1" AttributeConsumingServiceIndex="4" ProviderName="DV Name" IssueInstant="2015-04-10T12:30:03Z" Version="2.0"> <saml:Issuer/>urn:etoegang:HM:...</saml:Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#_4b5af9ca-33ef-400f-9c97-398ab0c8e9c7"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> </ds:Signature> <samlp:Extensions> <saml:Attribute Name="urn:etoegang:core:IntendedAudience"> <saml:AttributeValue>urn:etoegang:DV:...:entities:...</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ServiceID"> <saml:AttributeValue>urn:etoegang:DV:...:services:...</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ServiceUUID"> <saml:AttributeValue>bf83ccef-6c9d-443f-ac11-9df0a0a9d299</saml:AttributeValue> </saml:Attribute> <esp:RequestedAttributes> <md:RequestedAttribute Name="urn:etoegang:1.9:attribute:FirstName" IsRequired="false" /> </esp:RequestedAttributes> </samlp:Extensions> <samlp:RequestedAuthnContext Comparison="minimum"> <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest> |
A requesting HM:
A receiving AD:
If one of the criteria is not met, the AD MUST handle this as a non-recoverable error (see Error handling).
Note: When an AD specifies a MR for the HM to use as the next hop, the AD may only specify a MR of the same version.
@ID | SAML: Unique message characteristic. |
---|---|
@InResponseTo | SAML: Unique attribute of the AuthnRequest for which this response message is the answer. |
@Version | SAML: Version of the SAML protocol. The value MUST be '2.0' |
@IssueInstant | SAML: Time at which the message was created. |
@Destination | SAML: URL of the HM on which the message is offered. MUST match the HM's metadata. |
@Consent | : MUST NOT be included. |
Issuer | : MUST contain the EntityID of the AD. The attributes NameQualifier, SPNameQualifier, Format and SPProvidedID MUST NOT be included. |
Signature | : MUST contain the Digital signature of the AD for the enveloped message. |
Extensions | : MUST NOT be included |
Status | : MUST be filled conform SAML 2.0 specs when the request is successfully processed. MUST be filled according to Error handling in case of an error or when the request was cancelled. |
Assertion | : MUST contain an assertion about the authentication (see the next section). |
<?xml version="1.0" encoding="UTF-8"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="https://..." ID="_62619615-e452-47d3-a44b-93da2d5a76f9" InResponseTo="_4b5af9ca-33ef-400f-9c97-398ab0c8e9c7" IssueInstant="2015-04-10T11:16:28Z" Version="2.0"> <saml:Issuer>urn:etoegang:AD:...</saml:Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_62619615-e452-47d3-a44b-93da2d5a76f9"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> </ds:Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion ID="_f0ba7712-50e4-4d30-8bb5-e63a771507de" IssueInstant="2015-04-10T11:16:28Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:AD:...</saml:Issuer> .... </saml:Assertion> </samlp:Response> |
Note: the above example only provides the response. The response will be sent via an Artifact binding.
Assertion | @Version | SAML: Version of the SAML protocol. The value MUST be '2.0' | |
---|---|---|---|
@ID | SAML: Unique reference to the assertion | ||
@IssueInstant | SAML: Time at which the assertion was created | ||
Issuer | : MUST contain the EntityID of the AD. The attributes NameQualifier, SPNameQualifier, Format and SPProvidedID MUST NOT be included. | ||
Signature | : MUST be included | ||
Subject | : MUST contain a <NameID> with a Transient ID. A SubjectConfirmation element that meets the Web Browser SSO profile MUST be included. Other SubjectConfirmation or SubjectConfirmationData elements MUST NOT be included. | ||
Conditions | : MUST be included. The attributes NotBefore and NotOnOrAfter MAY be included but should be ignored by the receiver. An Audience element in the AudienceRestriction element that meets the Web Browser SSO profile MUST be included. Other audience elements MUST include relevant parties: EntityIDs of the requesting DV and the MR/KR/HM (if applicable) to whom the assertion will be targeted. In case of Dienstbemiddeling (service intermediation), both the Dienstaanbieder (service supplier) and Dienstbemiddelaar (service intermediary) are a relevant party and must be listed as audience. For a Dienstaanbieder for whom only the OIN is known, the notation 'urn:etoegang:DV:<OIN>' is to be used.
Other conditions MUST NOT be included. | ||
Advice | : MUST NOT be included | ||
AuthnStatement | : The attribute AuthnInstant MUST contain the time of authentication. The AuthnContext element MUST contain an AuthnContextClassRef element containing the level of assurance at which authentication took place and an AuthenticatingAuthority element containing the OIN format of the KvK number of the AD. In the case of proxying, AuthenticatingAuthority element MUST be populated with a unique identifying attribute for the party that carried out the authentication. Other attributes and elements MUST NOT be included. | ||
Optional Attribute-Statement | : MUST be included if StatusCode is 'Success'. MUST NOT be included otherwise. In case of representation:
|
The <AttributeStatement> in the summary assertion MUST hold the relevant attribute values obtained in the assertions of the authentication process. The HM MUST NOT add any attributes that are not present in the gathered assertion.
Element/@Attribute | 0..1 | Description |
---|---|---|
Attribute | 0..n | Depending on Rules for processing request:
Other Attribute elements MUST NOT be included. |
EncryptedAttribute | 0..n | Depending on Rules for processing request
Other EncryptedAttribute elements MUST NOT be included. |
A responding AD:
Identifiers:
|
Note: At this moment the use of ASTA-sets and Service Intermediarion is limited to the EB for eIDAS Outgoing.
Attributes:
|
LevelOfAssurance:
Determine appropriate ECTA and Identifiers:
|
<saml:Attribute Name="urn:etoegang:1.9:attribute:FirstName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:attrext="urn:oasis:names:tc:SAML:attributes:ext" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" attrext:OriginalIssuer="urn:etoegang:1.9:attribute-sourceid:NLWID" attrext:LastModified="2015-03-31T12:00:00Z"> <saml:AttributeValue xsi:type="xs:string">...</saml:AttributeValue> </saml:Attribute> |
<?xml version="1.0" encoding="UTF-8"?> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_f0ba7712-50e4-4d30-8bb5-e63a771507de" IssueInstant="2015-04-10T11:16:28Z" Version="2.0"> <saml:Issuer>urn:etoegang:AD:...</saml:Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_f0ba7712-50e4-4d30-8bb5-e63a771507de"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:EncrypedID> <xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <ds:KeyInfo> <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_15531f77a9f1e0b5e0cce442aa31bbd4" /> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:MR:..."> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> </xenc:EncryptionMethod> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>yRy923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" /> </xenc:ReferenceList> </xenc:EncryptedKey> </saml:EncrypedID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="_4b5af9ca-33ef-400f-9c97-398ab0c8e9c7" NotOnOrAfter="2015-04-10T11:18:28Z" Recipient="https://..." /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2015-04-10T11:16:28Z" NotOnOrAfter="2015-04-10T11:18:28Z"> <saml:AudienceRestriction> <saml:Audience>urn:etoegang:HM:...</saml:Audience> <saml:Audience>urn:etoegang:MR:...</saml:Audience> <saml:Audience>urn:etoegang:DV:...</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2015-04-10T11:16:28Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef> <saml:AuthenticatingAuthority>...</saml:AuthenticatingAuthority> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="urn:etoegang:core:Representation"> <saml:AttributeValue>true</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ServiceUUID"> <saml:Attribute>bf83ccef-6c9d-443f-ac11-9df0a0a9d299</saml:Attribute> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ActingSubjectID"> <saml:AttributeValue> <saml:EncrypedID> <xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <ds:KeyInfo> <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_15531f77a9f1e0b5e0cce442aa31bbd4" /> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:MR:..."> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> </xenc:EncryptionMethod> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>yRy923JJlgAi2MTgx1qohLiDBgi...</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" /> </xenc:ReferenceList> </xenc:EncryptedKey> </saml:EncrypedID> </saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> |
<?xml version="1.0" encoding="UTF-8"?> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_f0ba7712-50e4-4d30-8bb5-e63a771507de" IssueInstant="2015-04-10T11:16:28Z" Version="2.0"> <saml:Issuer>urn:etoegang:AD:...</saml:Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_f0ba7712-50e4-4d30-8bb5-e63a771507de"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">d6730e65-500a-44e2-961e-cca53e7c60a4</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="_4b5af9ca-33ef-400f-9c97-398ab0c8e9c7" NotOnOrAfter="2015-04-10T11:18:28Z" Recipient="https://..." /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2015-04-10T11:16:28Z" NotOnOrAfter="2015-04-10T11:18:28Z"> <saml:AudienceRestriction> <saml:Audience>urn:etoegang:HM:...</saml:Audience> <saml:Audience>urn:etoegang:KR:...</saml:Audience> <saml:Audience>urn:etoegang:DV:...</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2015-04-10T11:16:28Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef> <saml:AuthenticatingAuthority>...</saml:AuthenticatingAuthority> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="urn:etoegang:core:Representation"> <saml:AttributeValue>false</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ServiceUUID"> <saml:Attribute>bf83ccef-6c9d-443f-ac11-9df0a0a9d299</saml:Attribute> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ActingSubjectID"> <saml:AttributeValue> <saml:EncrypedID> <xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <ds:KeyInfo> <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_15531f77a9f1e0b5e0cce442aa31bbd4" /> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:KR:..."> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> </xenc:EncryptionMethod> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" /> </xenc:ReferenceList> </xenc:EncryptedKey> </saml:EncrypedID> </saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> |
<?xml version="1.0" encoding="UTF-8"?> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_f0ba7712-50e4-4d30-8bb5-e63a771507de" IssueInstant="2015-04-10T11:16:28Z" Version="2.0"> <saml:Issuer>urn:etoegang:AD:...</saml:Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_f0ba7712-50e4-4d30-8bb5-e63a771507de"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">d6730e65-500a-44e2-961e-cca53e7c60a4</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="_4b5af9ca-33ef-400f-9c97-398ab0c8e9c7" NotOnOrAfter="2015-04-10T11:18:28Z" Recipient="https://..." /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2015-04-10T11:16:28Z" NotOnOrAfter="2015-04-10T11:18:28Z"> <saml:AudienceRestriction> <saml:Audience>urn:etoegang:HM:...</saml:Audience> <saml:Audience>urn:etoegang:DV:...</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2015-04-10T11:16:28Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa4</saml:AuthnContextClassRef> <saml:AuthenticatingAuthority>...</saml:AuthenticatingAuthority> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="urn:etoegang:core:Representation"> <saml:AttributeValue>false</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ServiceUUID"> <saml:Attribute>bf83ccef-6c9d-443f-ac11-9df0a0a9d299</saml:Attribute> </saml:Attribute> <saml:Attribute Name="urn:etoegang:core:ActingSubjectID"> <saml:AttributeValue> <saml:EncrypedID> <xenc:EncryptedData Id="_cd52e15a16e2a0aa751725ce76a6b866" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <ds:KeyInfo> <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_15531f77a9f1e0b5e0cce442aa31bbd4" /> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey Id="_15531f77a9f1e0b5e0cce442aa31bbd4" Recipient="urn:etoegang:DV:..."> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> </xenc:EncryptionMethod> <ds:KeyInfo> <ds:KeyName>...</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI="#_cd52e15a16e2a0aa751725ce76a6b866" /> </xenc:ReferenceList> </xenc:EncryptedKey> </saml:EncrypedID> </saml:AttributeValue> </saml:Attribute> <saml:EncryptedAttribute> <xenc:EncryptedData Id="Encrypted_urn_etoegang_1.9_attribute_FirstName" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <ds:KeyInfo> <ds:Keyname>...</ds:Keyname> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> ... </xenc:EncryptedKey> </saml:EncryptedAttribute> <saml:EncryptedAttribute> <xenc:EncryptedData Id="Encrypted_urn_etoegang_1.9_attribute_18OrOlder" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <ds:KeyInfo> <ds:Keyname>...</ds:Keyname> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> ... </xenc:EncryptedKey> </saml:EncryptedAttribute> </saml:AttributeStatement> </saml:Assertion> |
For single logout, the Single Logout Profile that is part of the SAML 2.0 Web Browser SSO Profile is applied on the understanding that the logout message is sent to the AD through the HM. The interface for this message is described below.
@ID | SAML: Unique message attribute |
---|---|
@Version | SAML: Version of the SAML protocol. The value MUST be '2.0'. |
@IssueInstant | SAML: Time at which the message was created. |
@Destination | SAML: URL of the AD on which the message is offered. |
NameID | : MUST contain a NameID element, this MUST NOT contain the Internal pseudonym or Specific pseudonym of the user. |
Issuer | : MUST contain the EntityID of the HM. |
Signature | : MUST contain the Digital signature of the HM for the enveloped message. |