cdaefa:EFA Policy Assertion SAML2 Binding: Unterschied zwischen den Versionen

Aus Hl7wiki
Wechseln zu: Navigation, Suche
K
Zeile 18: Zeile 18:
 
|colspan="4"|@IssueInstant
 
|colspan="4"|@IssueInstant
 
|R
 
|R
|time instant of issuance in UTC
+
|Time instant of issuance in UTC
 
|-
 
|-
 
|colspan="4"|Issuer
 
|colspan="4"|Issuer
 
|R
 
|R
|address URI that identifies the endpoint of the issuing service   
+
|Address URI that identifies the endpoint of the issuing service   
 
|-
 
|-
 
|colspan="4"|Subject
 
|colspan="4"|Subject
Zeile 86: Zeile 86:
 
|-
 
|-
 
|
 
|
|colspan="3"|Policy or PolicySet  
+
|colspan="3"|PolicySet  
 
|R
 
|R
|Policy or PolicySet that expresses the given authorization (see section below for details).
+
|PolicySet that expresses the given authorization (see section below for details).
 
|-
 
|-
 
|colspan="4"|ds:Signature
 
|colspan="4"|ds:Signature
Zeile 95: Zeile 95:
 
|}
 
|}
  
=== Policy or PolicySet Profile ===
+
=== PolicySet Profile ===
  
 +
The ECR 2.0 specification differentiates three kinds of an authorization statement as it is described logically in the security token services section for the [[cdaefa:EFA_Sicherheitsdienste_(logische_Spezifikation)|Policy Provider]]. These are:
 +
* Reference without semantics (policyId) to an access policy which contains the valid authorization rules for an eCR Consumer
 +
* Reference with semantics (e.g., as per IHE BPPC)
 +
* Access policy which contains the valid authorization rules for an eCR Consumer
  
 +
In order to implement such differentiations the ''<PolicySet>'' element has different sub-elements.
  
 +
==== Policy Assignment ====
 +
{|class="wikitable" style="text-align: left; cellpadding: 10;"
 +
!colspan="4"|PolicySet Element
 +
!Opt
 +
!Usage Convention
 +
|-
 +
|colspan="4"|@PolicySetId
 +
|R
 +
|URN encoded unique identifier (UUID) of the policy set.
 +
|-
 +
|colspan="4"|@PolicyCombiningAlgId
 +
|R
 +
|This attribute is REQUIRED. Its value is a predefined identifier of the policy-combining algorithm for this policy set (see Appendix C and section B.10 in [XACML2.0Core]). The ''urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:ordered-permit-overrides'' algorithm has been used. Other algorithms are not allowed.
 +
|-
 +
|colspan="4"|Target
 +
|R
 +
|TODO
 +
|-
 +
|colspan="4"|PolicySetIdReference
 +
|R
 +
|Its value either references an assigned access policy that is expressed in a separate XACML ''PolicySet'' or already expresses the given authorization.
 +
|-
 +
|}
  
 +
==== Policy Attachment ====
 +
It is implementation-specific how the ''PolicySet'' with the authorization rules is defined - there are no restrictions made. However, there MUST NOT be used further ''PolicyIdReference'' or ''PolicySetIdReference'' elements.
  
 
== Assertion Signature ==
 
== Assertion Signature ==

Version vom 5. April 2013, 07:19 Uhr

SAML 2.0 Profile for ECR Policy Assertions

Information icon.svg This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model. There is no specification in the case that the Authorization Decision Provider requests policies from the eCR Policy Provider.
Assertion Element Opt Usage Convention
@Version R MUST be “2.0”
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R Time instant of issuance in UTC
Issuer R Address URI that identifies the endpoint of the issuing service
Subject R This element defines the subject confirmation method of the user in order to use the Policy Assertion as a supporting token. Moreover, it defines the subject name identifier that accords with the user identity from an Identity Assertion.
NameID R Identifier of the HP given in the Identity Asstertion encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person.
@Format R MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
For providing an OID as a subject identifier the unspecified format must be used. The OID must be provided as a string encoded in ISO format.

SubjectConfirmation R
@Method R This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to

urn:oasis:names:tc:SAML:2.0:cm:holder-of-key

SubjectConfirmationData R
ds:KeyInfo R The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2].
Conditions R
@NotBefore R time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion.
@NotOnOrAfter R Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours.
XACMLPolicyStatement R
PolicySet R PolicySet that expresses the given authorization (see section below for details).
ds:Signature R Enveloped XML signature of the issuer of the Policy Assertion (see section below for details).

PolicySet Profile

The ECR 2.0 specification differentiates three kinds of an authorization statement as it is described logically in the security token services section for the Policy Provider. These are:

  • Reference without semantics (policyId) to an access policy which contains the valid authorization rules for an eCR Consumer
  • Reference with semantics (e.g., as per IHE BPPC)
  • Access policy which contains the valid authorization rules for an eCR Consumer

In order to implement such differentiations the <PolicySet> element has different sub-elements.

Policy Assignment

PolicySet Element Opt Usage Convention
@PolicySetId R URN encoded unique identifier (UUID) of the policy set.
@PolicyCombiningAlgId R This attribute is REQUIRED. Its value is a predefined identifier of the policy-combining algorithm for this policy set (see Appendix C and section B.10 in [XACML2.0Core]). The urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:ordered-permit-overrides algorithm has been used. Other algorithms are not allowed.
Target R TODO
PolicySetIdReference R Its value either references an assigned access policy that is expressed in a separate XACML PolicySet or already expresses the given authorization.

Policy Attachment

It is implementation-specific how the PolicySet with the authorization rules is defined - there are no restrictions made. However, there MUST NOT be used further PolicyIdReference or PolicySetIdReference elements.

Assertion Signature

Every Policy Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.

Signature Parameter Usage Convention
CanonicalizationMethod SHOULD be http://www.w3.org/2001/10/xml-exc-c14n#
Transformation Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used.
SignatureMethod For signing assertions the signature method

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or
http://www.w3.org/2000/09/xmldsig#rsa-sha1
SHOULD be used. An assertion consumer MAY reject signatures that use SHA-1 for digesting.

DigestMethod For signing assertions the digest method

http://www.w3.org/2000/09/xmldsig#sha1 or
http://www.w3.org/2001/04/xmlenc#sha256
SHOULD be used. An assertion consumer MAY reject SHA-1 digests.

KeyInfo This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer.

Example Assertion

 <soap12:Envelope … >
 <soap12:Header … >
  <wsse:Security … > 
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1" 
     IssueInstant="2013-04-05T08:14:28.788Z" Version="2.0">
   <saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
      <ds:CanonicalizationMethod
       Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
       <ds:Reference URI="#urn:uuid:7102AC72154DCFD1F51253534608780">
        <ds:Transforms>
         <ds:Transform 
          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
         <ds:Transform 
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces 
           xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
           PrefixList="ds saml xs" />
         </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue>
       </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ggyn … LQ==</ds:SignatureValue>
      <ds:KeyInfo>
       <ds:X509Data>
        <ds:X509Certificate> … </ds:X509Certificate>
       </ds:X509Data>
      </ds:KeyInfo>
     </ds:Signature>
     <saml:Subject>
      <saml:NameID 
       Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
       ...
      </saml:NameID>
      <saml:SubjectConfirmation 
       Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
       <saml:SubjectConfirmationData>
         <ds:KeyInfo>
           <ds:X509Data>
             <ds:X509Certificate> … </ds:X509Certificate>
           </ds:X509Data>
         </ds:KeyInfo>
        </saml:SubjectConfirmationData/>
      </saml:SubjectConfirmation>
     </saml:Subject>
     <saml:Conditions 
      NotBefore="2013-04-05T08:14:28.788Z" 
      NotOnOrAfter="2013-04-05T12:14:28.788Z">
    </saml:Conditions>
    <xacml-saml:XACMLPolicyStatement>
     <xacml:PolicySet>
       ...
     </xacml:PolicySet>
    </xacml-saml:XACMLPolicyStatement>
 </saml:Assertion>
</wsse:Security>
Abgerufen von „https://wiki.hl7.de/index.php?title=cdaefa:EFA_Policy_Assertion_SAML2_Binding&oldid=12458