The security protocol

The API uses the OIO IDWS REST security protocol. See https://www.digitaliser.dk/resource/3457606 for further details.

The API token flow diagram shows a sequence diagram for having a token issued and then calling the Video API service.

The step (see the overview drawing via the link above) in which the WSC component obtains a token from the STS is the one that causes the most difficulties.

Below is an example of a simple request and response between the WSC and the STS.

Request

Address: https://sts.vconf.dk/sts/service/sts
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_2451b4b1-38d6-4395-9a28-372560725c59">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_04d30812-c0cc-46c4-9069-293e71d3b183">urn:uuid:3f58046c-0a79-4aa3-887d-81e8bd47108d</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_811c93ac-5639-4e4d-80e7-3c0a1d38015d">https://sts.test-vdxapi.vconf.dk/sts/service/sts</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_7ef42676-9114-434c-929d-eea3dbe9aeda">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-dee96fa3-77a7-43bf-b3cf-6f43f0fc123d">
        <wsu:Created>2019-05-13T06:45:42.701Z</wsu:Created>
        <wsu:Expires>2019-05-13T06:50:42.701Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-7d8fe7e3-a8e9-4d49-afe2-97b58337c045">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</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-835a6b6b-539b-4cb7-9d77-f21ca14a9c5a">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-dee96fa3-77a7-43bf-b3cf-6f43f0fc123d">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>QxQFn/ze0M89Qu5C0DOHVIn4sTk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_a7dd77e4-586d-47b5-9b83-2ed20ff0441c">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>6Ti/WbzSLhooohputXUobFNK7A0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_811c93ac-5639-4e4d-80e7-3c0a1d38015d">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>7VW2O5rq3Nd7hAmCRg05jt5JeUg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_7ef42676-9114-434c-929d-eea3dbe9aeda">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>2zlrWpq+9G6Bio519eBSat8oZpo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_04d30812-c0cc-46c4-9069-293e71d3b183">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Y7W85weS4kvpm4XTYetPLcbzEBE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_2451b4b1-38d6-4395-9a28-372560725c59">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aYM0q7zmkC68KbPYOoJG8oe8Feo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>H8p8n6DeVN8QlbZt8HQJD7Qzz4Q6mErPNDRnHoMopQs7PcK5SIT7nkYb6PtdutiXNPPa/MWtVanspXMaEHODhSy7DeVCFvGBd9ilOgwA9G7uc4d4GpJVeBa7zLUCbr9kJcv6zbph1KQeoGudVKWASUmfl+LWGbLpbuILTtrCr0WF7HXTzoFz9rrbWT0AqlKytQKeT0vdOTYkIZCUEPInMk+/zqowvMUyOc+GH1XiUO0uOOrftZDSI4JascOMS90Xcslu0FKuqiS4v66dDoZuHSfNAZjWo0QU/9I+bHHI1/x8HbaiitcWMad3Ot8GMIflPJAg8kD0RhZUDWpbMYDOZg==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-5bce550d-8c6d-4a50-96e0-c709de9e0fac">
          <wsse:SecurityTokenReference wsu:Id="STR-07354c7b-ae40-49c8-b5c4-a7d196942e4e">
            <wsse:Reference URI="#X509-7d8fe7e3-a8e9-4d49-afe2-97b58337c045" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_a7dd77e4-586d-47b5-9b83-2ed20ff0441c">
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>urn:medcom:videoapi</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
      <wst:UseKey>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyValue>
            <ds:RSAKeyValue>
              <ds:Modulus>rXApxxjCWlsEfeKgUPOl1mJC9aqkkWooyUgOU+KsrH9qRCoK9xVdI7YJebwr5+TJtBbWkKkuD926SMxJV1LY6IT8tCflomIl4E5IZdRZPci1N71lQDV6SfNuGPHNpFpLssdSY34+t4/vuGeTZ2lJB5IP4sDvjAxJ+nXECcHmcupEEQu3wI2nijcWl4hRRSdhUuKDB/AiaZvsPKcdFj4WTlRdewJS4v5m1khwce6Zj1jw6N7PSQPHaisIxqx2SMHvKiepPuESgEpqP+sGRaL2ESJWuB1kTsNHmer6cJ+ba/pvJy3xraY7mrgRv/zWa+6Of9LSVw2hfFx3pEjBgYHhhw==</ds:Modulus>
              <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
          </ds:KeyValue>
        </ds:KeyInfo>
      </wst:UseKey>
      <wst:Renewing/>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

As can be seen in the example above, the token is issued with a number of attributes that are used by the API:

  • dk:medcom:organisation_id shows which organisation the call to the API comes from (exactly one must be present)
  • dk:medcom:email shows which user the call to the API is made on behalf of (exactly one must be present)
  • dk:medcom:video:role shows which roles the user in question has
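The following Python is an added example (not the project's own code) of how a service behind the API could read the three attributes listed above out of the issued SAML 2.0 assertion and enforce the "exactly one" rules before trusting the identity. The sample assertion, the organisation id and the role values are constructed for this example, and the attribute layout (saml2:AttributeStatement with saml2:Attribute Name="...") is an assumption about the STS output; signature and validity-period checks must run before this step and are not shown.

```python
"""Extract and validate the MedCom attributes of an issued SAML 2.0 assertion.

Added example, not MedCom or VDX code. Run it only on an assertion whose
signature and Conditions have already been verified by the SOAP/SAML stack.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ORG_ATTR = "dk:medcom:organisation_id"
EMAIL_ATTR = "dk:medcom:email"
ROLE_ATTR = "dk:medcom:video:role"

# Constructed sample assertion (not an STS-issued token). The attribute layout is
# assumed; the organisation id and role values are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0" IssueInstant="2019-05-13T07:01:35.068Z">
  <saml2:Issuer>medcom-test-sts</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="dk:medcom:organisation_id">
      <saml2:AttributeValue>org-demo</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="dk:medcom:email">
      <saml2:AttributeValue>eva@medcom.dk</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="dk:medcom:video:role">
      <saml2:AttributeValue>demo-role-1</saml2:AttributeValue>
      <saml2:AttributeValue>demo-role-2</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed failure case: two organisation ids, which the API rules forbid.
SAMPLE_TWO_ORGS = SAMPLE_ASSERTION.replace(
    "<saml2:AttributeValue>org-demo</saml2:AttributeValue>",
    "<saml2:AttributeValue>org-demo</saml2:AttributeValue>"
    "<saml2:AttributeValue>org-other</saml2:AttributeValue>",
)


class TokenAttributeError(ValueError):
    """Raised when the assertion does not carry the attributes the API requires."""


@dataclass
class TokenIdentity:
    organisation_id: str
    email: str
    roles: List[str]


def collect_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map attribute Name -> list of non-empty AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise TokenAttributeError("root element is not a saml2:Assertion")
    values: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        texts = [(v.text or "").strip() for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        values.setdefault(name, []).extend(t for t in texts if t)
    return values


def attribute_problems(values: Dict[str, List[str]]) -> List[str]:
    """Apply the cardinality rules: exactly one organisation id, exactly one email."""
    problems = []
    for name in (ORG_ATTR, EMAIL_ATTR):
        count = len(values.get(name, []))
        if count != 1:
            problems.append(f"expected exactly one {name}, got {count}")
    return problems


def identity_from_assertion(assertion_xml: str) -> TokenIdentity:
    """Return the caller identity, or raise if the attribute set is ambiguous or missing."""
    values = collect_attributes(assertion_xml)
    problems = attribute_problems(values)
    if problems:
        raise TokenAttributeError("; ".join(problems))
    return TokenIdentity(values[ORG_ATTR][0], values[EMAIL_ATTR][0], values.get(ROLE_ATTR, []))


if __name__ == "__main__":
    print(identity_from_assertion(SAMPLE_ASSERTION))
    print(attribute_problems(collect_attributes(SAMPLE_TWO_ORGS)))
```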

The user's identity

It can be useful for calling systems to be able to specify, for example, the user's identity: if the calling system has itself handled the user's login, so that the user's identity is known to the calling system, it can ask the STS to embed a user identity in the token. This is done by means of claims in the call to the STS (read more about claims in the request in OIO WS-Trust Profile V1.2.pdf).
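As an added example (not the project's own code), the following Python builds the RequestSecurityToken body shown in the first request above and, when an e-mail is given, adds the dk:medcom:email claim described in this section. It assumes the WS-Security header (timestamp, X.509 token and signature) is applied by the SOAP stack, and the RSA modulus used in the demo is a constructed value, not a real key.

```python
"""Build the WS-Trust 1.3 RequestSecurityToken body sent by the WSC to the STS.

Added example, not MedCom or VDX code. Reproduces the body structure of the
requests shown on this page: AppliesTo urn:medcom:videoapi, a SAML 2.0 token
bound to the caller's RSA public key (KeyType PublicKey + UseKey), and an
optional dk:medcom:email claim in the InfoCard claims dialect.
"""
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://www.w3.org/ns/ws-policy"
WSA = "http://www.w3.org/2005/08/addressing"
DS = "http://www.w3.org/2000/09/xmldsig#"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"

SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
PUBLIC_KEY_TYPE = WST + "/PublicKey"

# Constructed 128-bit demo modulus; a real caller uses the modulus of its own
# certificate (the one carried in the wsse:BinarySecurityToken).
DEMO_MODULUS = 0xB7E151628AED2A6ABF7158809CF4F3C7
DEMO_EXPONENT = 65537

for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("ds", DS), ("ic", IC)):
    ET.register_namespace(prefix, uri)


def b64_uint(value: int) -> str:
    """Big-endian base64 of a positive integer, as used in ds:Modulus / ds:Exponent."""
    length = (value.bit_length() + 7) // 8
    return base64.b64encode(value.to_bytes(length, "big")).decode("ascii")


def build_rst(applies_to: str, modulus: int, exponent: int,
              email: Optional[str] = None) -> ET.Element:
    """Return the wst:RequestSecurityToken element in the same child order as the page."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    if email is not None:
        # Claims sit between AppliesTo and TokenType, as in the second request above.
        claims = ET.SubElement(rst, f"{{{WST}}}Claims", Dialect=IC)
        claim = ET.SubElement(claims, f"{{{IC}}}ClaimValue", Uri="dk:medcom:email")
        ET.SubElement(claim, f"{{{IC}}}Value").text = email
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN_TYPE
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = PUBLIC_KEY_TYPE
    use_key = ET.SubElement(rst, f"{{{WST}}}UseKey")
    key_info = ET.SubElement(use_key, f"{{{DS}}}KeyInfo")
    key_value = ET.SubElement(key_info, f"{{{DS}}}KeyValue")
    rsa = ET.SubElement(key_value, f"{{{DS}}}RSAKeyValue")
    ET.SubElement(rsa, f"{{{DS}}}Modulus").text = b64_uint(modulus)
    ET.SubElement(rsa, f"{{{DS}}}Exponent").text = b64_uint(exponent)
    ET.SubElement(rst, f"{{{WST}}}Renewing")
    return rst


def local_names(element: ET.Element) -> List[str]:
    """Local tag names of the direct children, in document order."""
    return [child.tag.split("}", 1)[-1] for child in element]


def find_local(element: ET.Element, local_name: str) -> Optional[ET.Element]:
    """First descendant whose local tag name matches (namespace-agnostic lookup)."""
    for node in element.iter():
        if node.tag.split("}", 1)[-1] == local_name:
            return node
    return None


def to_xml(element: ET.Element) -> str:
    """Serialize with the registered wst/wsp/wsa/ds/ic prefixes."""
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_rst("urn:medcom:videoapi", DEMO_MODULUS, DEMO_EXPONENT,
                           email="eva@medcom.dk")))
```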

Below is an example of a request and response to the STS in which the caller (WSC) claims a specific identity.

Request

Address: https://sts.vconf.dk/sts/service/sts
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_4f0eb2d6-ae7d-4573-bbb4-6e3593d80c5f">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_8278c575-cf49-455e-b2d9-ec63f391dc44">urn:uuid:b1dc6767-6983-4694-8c82-27e70635056e</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_c569e213-a4e6-40e1-9f28-3a1753868b6b">https://sts.test-vdxapi.vconf.dk/sts/service/sts</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_fe2cf8cb-961e-4430-93c4-f084751cf801">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-74f0523b-31fe-4670-9d9e-7548ff92846d">
        <wsu:Created>2019-05-13T07:01:34.487Z</wsu:Created>
        <wsu:Expires>2019-05-13T07:06:34.487Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-913154a7-5391-4dcc-a992-eecf98cba66c">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</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-49cab7c5-ba19-4c7c-808a-a66b2f63bce8">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-74f0523b-31fe-4670-9d9e-7548ff92846d">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aD2ojgOuWQhpflNPP7EIo4qEekw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_7c03f5fa-e202-4066-b80f-ce1a83751d3d">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>RT2e6+EwG4Q/pO49k97IUZWmhu4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_c569e213-a4e6-40e1-9f28-3a1753868b6b">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>6ZAqXbTM3uYhO8yPON4JbtcEzHU=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_fe2cf8cb-961e-4430-93c4-f084751cf801">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>npQGRj7h2W/xbCq7aFFRB3v9/Xs=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_8278c575-cf49-455e-b2d9-ec63f391dc44">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>CfSsWEw14K97QbY4M9hCVPS1imM=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_4f0eb2d6-ae7d-4573-bbb4-6e3593d80c5f">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>WaWuutNWMpzM1kxKZ74cYmTKeNg=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>TANeFQXGsHJ30dASi51elI1UTP28yWx1r65Me3XnW0zBCb4dpMOBsEdFJdOObvEExMNuK7Gl56266zHLHVh+8Nv37HSwRr+nZAqwRTNhV0XWmw6moFrx/RwoBkqkvb04ttB8k3zi8swQBcEX9EZ6TDQ8LOQo5eDsthVmq6bdR/8XsH/W5GLmH//HQ+1FrqmCY2Pi03Tr7CAdCGlUTAH6Ulmv1kjL3oZ0gppKKCjAUGsTS3k0YMGC/XRiOaKI6NfPEM7Vbs+oAlGYuYSUCyQ2Urz17atMYBD4DzwFRXvW8CaDvoUUKD4khzJRiSxi11g0802QTF35+wq5c09Y9Y4CPg==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-ac65c490-275a-4610-9440-ee31d2c46cba">
          <wsse:SecurityTokenReference wsu:Id="STR-3594c631-4b28-4e76-b947-964e593bde80">
            <wsse:Reference URI="#X509-913154a7-5391-4dcc-a992-eecf98cba66c" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_7c03f5fa-e202-4066-b80f-ce1a83751d3d">
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>urn:medcom:videoapi</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
        <ic:ClaimValue xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="dk:medcom:email">
          <ic:Value>eva@medcom.dk</ic:Value>
        </ic:ClaimValue>
      </wst:Claims>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
      <wst:UseKey>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyValue>
            <ds:RSAKeyValue>
              <ds:Modulus>rXApxxjCWlsEfeKgUPOl1mJC9aqkkWooyUgOU+KsrH9qRCoK9xVdI7YJebwr5+TJtBbWkKkuD926SMxJV1LY6IT8tCflomIl4E5IZdRZPci1N71lQDV6SfNuGPHNpFpLssdSY34+t4/vuGeTZ2lJB5IP4sDvjAxJ+nXECcHmcupEEQu3wI2nijcWl4hRRSdhUuKDB/AiaZvsPKcdFj4WTlRdewJS4v5m1khwce6Zj1jw6N7PSQPHaisIxqx2SMHvKiepPuESgEpqP+sGRaL2ESJWuB1kTsNHmer6cJ+ba/pvJy3xraY7mrgRv/zWa+6Of9LSVw2hfFx3pEjBgYHhhw==</ds:Modulus>
              <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
          </ds:KeyValue>
        </ds:KeyInfo>
      </wst:UseKey>
      <wst:Renewing/>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

Response

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_53fb8235-3d5a-48f8-afca-155d7599d81e">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_f308267d-3119-4cc6-87d6-cecf29105f6b">urn:uuid:25e45095-faa5-4768-a006-42036201b92b</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_16797a7f-f3f8-48a9-9bd9-bf9ff9188973">http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_3390bd5d-f6ab-4f2f-b15c-3ac4fe9207f1">urn:uuid:b1dc6767-6983-4694-8c82-27e70635056e</RelatesTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-54e4fa5c-c543-4ce5-91c2-504a2cce03a3">
        <wsu:Created>2019-05-13T07:01:35.097Z</wsu:Created>
        <wsu:Expires>2019-05-13T07:06:35.097Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-ed3b89d2-2c07-4332-9bd4-2ad32b37a175">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-54e4fa5c-c543-4ce5-91c2-504a2cce03a3">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>ChRa1hqy6Ceq9huVixPbv/OrVO8=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_aa334147-05c0-4817-b9a9-a89734e13c45">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>NYjCRXj8b9oDZlKXKe+jmA9MYv0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_16797a7f-f3f8-48a9-9bd9-bf9ff9188973">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>vFWOPm5Om3FmeHA0IMrhaL2PIM0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_f308267d-3119-4cc6-87d6-cecf29105f6b">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>qXzaGmrrN9g9JcGEOrXfvNcwvzE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_3390bd5d-f6ab-4f2f-b15c-3ac4fe9207f1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>N15fcXkiK30+AeA+6/roq5yxhqY=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_53fb8235-3d5a-48f8-afca-155d7599d81e">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>0hzSE+R/uEFK+nZmxddHKI9C2vE=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>rczVIJHSJ8Mo84iVF9sjNqoAIaWA7JrpuQNnWI+qkpzrWjb0Cr4RW9j8uOyEPUPXmFUyuwZILvKsF2DuTt0ZsY+gF30CuZcsg3j/npGNAwFlU8ElsPb0iBxLJh7n6ae48NCBvdPyAjsmw94ZZaQEO/OV+F6N+LPWc+cpoa9srHIOMRGWs1XHnNZQmOO5E4VkVeJQVh1B4J0Tfi1wckyNeS3EQnpV4nmNcMPNCgZDrtg8TJTediy5wAhtrIY6eNPiJbF3cFpg7bRGnl9Mt6YdVGXjBxLJNWpRv0+D4WCdQE0L3lWZ3oRE8zqY9xB17fQtjaZNc4P4HxvmR+0k3CURuA==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-9ead8c1a-6565-4862-9674-a2608592f5fd">
          <wsse:SecurityTokenReference wsu:Id="STR-03dd8161-ff94-41f4-9ef8-477708540916">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=sts.test-vdxapi.vconf.dk,O=Internet Widgits Pty Ltd,ST=Some-State,C=DK</ds:X509IssuerName>
                <ds:X509SerialNumber>11514252267591079057</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_aa334147-05c0-4817-b9a9-a89734e13c45">
    <ns2:RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns5="http://www.w3.org/2005/08/addressing">
      <ns2:RequestSecurityTokenResponse>
        <ns2:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns2:TokenType>
        <ns2:RequestedSecurityToken>
          <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_0e0ccf1f-9a1b-4766-850e-99e749306acf" IssueInstant="2019-05-13T07:01:35.068Z" Version="2.0" xsi:type="saml2:AssertionType">
            <saml2:Issuer>medcom-test-sts</saml2:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_0e0ccf1f-9a1b-4766-850e-99e749306acf">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                    </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>tKz85jPlLD67tbtVmgLb1wSAEx0=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>bJCAE2DaAz/JbHpVQzdKBLawA/C/Kt6JWvmY++Fek0OJtf0fi2h5f8Xl5YNWkloMFtk0NRNlddlV/u4Sgtm1AKFfLvX0/5zcHIwFMvY6FsosBSl16odbXY1N70b+OdVAvahgLl0Cv5OXdQv0pJ8euTQMt4eMTOVrio5DY9hklxf9stWNSY7MN/m2mx/LBPTqnWNYcV90JxHe9wJwvWgCazOfekYXevswNNdY/GFFHNAdaaLwbbSb4ezjoB+wETQijJiPFdnW1CJoSHdNaTgTfqZLvdWaVrShLonK0zLRYGCmlIHI75c3P2jgTOKSoGOnZVAOBYS+iiOcDSe6VI4yqQ==</ds:SignatureValue>
              <ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate>MIIDozCCAougAwIBAgIJAJ/K126oAJSRMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAYTAkRLMRMw...</ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </ds:Signature>
            <saml2:Subject>
              <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="http://www.nextstepcitizen.dk/sts">CN=medcomsystemuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=DK</saml2:NameID>
              <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:KeyValue>
                      <ds:RSAKeyValue>
                        <ds:Modulus>rXApxxjCWlsEfeKgUPOl1mJC9aqkkWooyUgOU+KsrH9qRCoK9xVdI7YJebwr5+TJtBbWkKkuD926
SMxJV1LY6IT8tCflomIl4E5IZdRZPci1N71lQDV6SfNuGPHNpFpLssdSY34+t4/vuGeTZ2lJB5IP
4sDvjAxJ+nXECcHmcupEEQu3wI2nijcWl4hRRSdhUuKDB/AiaZvsPKcdFj4WTlRdewJS4v5m1khw
ce6Zj1jw6N7PSQPHaisIxqx2SMHvKiepPuESgEpqP+sGRaL2ESJWuB1kTsNHmer6cJ+ba/pvJy3x
raY7mrgRv/zWa+6Of9LSVw2hfFx3pEjBgYHhhw==</ds:Modulus>
                        <ds:Exponent>AQAB</ds:Exponent>
                      </ds:RSAKeyValue>
                    </ds:KeyValue>
                  </ds:KeyInfo>
                </saml2:SubjectConfirmationData>
              </saml2:SubjectConfirmation>
            </saml2:Subject>
            <saml2:Conditions NotBefore="2019-05-13T07:01:35.068Z" NotOnOrAfter="2019-05-13T15:01:35.068Z">
              <saml2:AudienceRestriction>
                <saml2:Audience>urn:medcom:videoapi</saml2:Audience>
              </saml2:AudienceRestriction>
            </saml2:Conditions>
            <saml2:AttributeStatement>
              <saml2:Attribute Name="dk:nextstepcitizen:attribute:it-system" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xsi:type="xs:string">medcomsystem</saml2:AttributeValue>
              </saml2:Attribute>
              <saml2:Attribute Name="dk:medcom:video:role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xsi:type="xs:string">meeting-user</saml2:AttributeValue>
              </saml2:Attribute>
              <saml2:Attribute Name="dk:medcom:organisation_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xsi:type="xs:string">medcom</saml2:AttributeValue>
              </saml2:Attribute>
              <saml2:Attribute Name="dk:medcom:email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xsi:type="xs:string">eva@medcom.dk</saml2:AttributeValue>
              </saml2:Attribute>
            </saml2:AttributeStatement>
          </saml2:Assertion>
        </ns2:RequestedSecurityToken>
        <ns2:RequestedAttachedReference>
          <ns4:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
            <ns4:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_0e0ccf1f-9a1b-4766-850e-99e749306acf</ns4:KeyIdentifier>
          </ns4:SecurityTokenReference>
        </ns2:RequestedAttachedReference>
        <ns2:RequestedUnattachedReference>
          <ns4:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
            <ns4:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_0e0ccf1f-9a1b-4766-850e-99e749306acf</ns4:KeyIdentifier>
          </ns4:SecurityTokenReference>
        </ns2:RequestedUnattachedReference>
        <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>urn:medcom:videoapi</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <ns2:Lifetime>
          <ns3:Created>2019-05-13T07:01:35.068Z</ns3:Created>
          <ns3:Expires>2019-05-13T15:01:35.068Z</ns3:Expires>
        </ns2:Lifetime>
      </ns2:RequestSecurityTokenResponse>
    </ns2:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>

Certificates and the requirements for them

A number of certificates are used in connection with the security protocol. These, and the requirements they must meet, are described below.

Certificates used for HTTPS communication

All communication takes place over HTTPS. The certificates used here are issued by Let's Encrypt. In practice this means that all systems automatically trust this root certificate, so nothing further needs to be done in order to validate the certificates correctly.

STS

When the STS is to issue a token, the request that is sent must be signed by the client. The public part of this certificate must be configured in the STS. A function certificate (funktionscertifikat) issued by Nets must be used.

The response containing the token is also signed. The certificate used here is a self-signed certificate, so it is necessary to trust this certificate explicitly. The public part of the certificate can be downloaded from https://docs.vconf.dk/sts/cert/sts.cer and has the following SHA256 fingerprint: 4C:1E:52:6E:79:D8:F2:44:0A:46:0F:4A:E7:F8:3D:56:D4:C2:10:9F:78:88:95:04:19:86:21:93:BA:FB:47:1B.
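As an added example, not part of the original documentation and not code from the VDX/MedCom project, the following Python snippet shows how a WSC can pin the self-signed STS certificate: it computes the SHA256 fingerprint of the downloaded sts.cer (PEM or DER) and compares it in constant time against the value published above. Only the standard library is used. The sample certificate bytes are a constructed placeholder, not the real STS certificate, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

# SHA256 fingerprint of the STS signing certificate as published in the documentation above.
PINNED_STS_FINGERPRINT = ("4C:1E:52:6E:79:D8:F2:44:0A:46:0F:4A:E7:F8:3D:56:"
                          "D4:C2:10:9F:78:88:95:04:19:86:21:93:BA:FB:47:1B")

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert):
    """Accept DER bytes or PEM text/bytes and return the DER encoding of the first certificate."""
    if isinstance(cert, bytes) and not cert.lstrip().startswith(b"-----BEGIN"):
        return cert  # already DER
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    match = PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(cert):
    """Colon-separated upper-case SHA256 fingerprint, the format used in the documentation."""
    digest = hashlib.sha256(to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalize(fingerprint):
    """Strip separators and case so '4c1e...' and '4C:1E:...' compare equal."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()
    if len(cleaned) != 64:
        raise ValueError("a SHA256 fingerprint must be 64 hex digits")
    return cleaned


def matches_pinned(cert, pinned=PINNED_STS_FINGERPRINT):
    """Constant-time comparison of the certificate's fingerprint with the pinned value."""
    return hmac.compare_digest(normalize(sha256_fingerprint(cert)), normalize(pinned))


def check_sts_cert_file(path, pinned=PINNED_STS_FINGERPRINT):
    """Load the downloaded sts.cer (PEM or DER) and raise if it is not the pinned certificate."""
    with open(path, "rb") as fh:
        cert = fh.read()
    if not matches_pinned(cert, pinned):
        raise ValueError("STS certificate fingerprint mismatch: got " + sha256_fingerprint(cert))
    return sha256_fingerprint(cert)


# Constructed placeholder bytes standing in for a DER certificate; this is not a real X.509 certificate.
SAMPLE_DER = b"\x30\x82\x00\x20constructed-placeholder-not-a-real-x509-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n"
              + "-----END CERTIFICATE-----\n")
```

Call check_sts_cert_file("sts.cer") once at startup (or whenever the trust store is rebuilt) before adding the certificate to the WSC's trust store; a mismatch means the file is not the certificate the documentation publishes and the token signature must not be trusted on the strength of it.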

API calls

API calls use mTLS. The certificate the client must use is the same one used to sign the request sent to the STS. The purpose of this is to validate that the token being presented was actually issued to the party presenting it. It is important that only the client certificate is used, not the entire certificate chain.
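As an added example, not taken from the original documentation or the project's code, the following Python snippet performs the checks the text describes on the assertion issued in the STS response above: that the token is within its validity window, that its audience is urn:medcom:videoapi, and that the holder-of-key subject confirmation carries the same RSA public key as the client certificate presented over mTLS, which is what binds the token to its rightful holder. Verifying the XML signatures on the assertion and the SOAP envelope is assumed to have been done first by a proper WS-Security/XML-DSig library and is not shown here. The sample response is constructed from the values in the response above with the signature elements omitted; the client key is passed as a (modulus, exponent) pair, as a service would extract it from the mTLS peer certificate; all function names are the example's own.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported timestamp: " + value)


def b64_to_int(text):
    """Decode a base64 big-endian integer (ds:Modulus / ds:Exponent), ignoring line breaks."""
    data = "".join(text.split())
    return int.from_bytes(base64.b64decode(data + "=" * (-len(data) % 4)), "big")


def find_assertion(xml_text):
    """Return the saml2:Assertion element whether given a bare assertion or the whole RSTR."""
    root = ET.fromstring(xml_text)
    return root if root.tag == "{%s}Assertion" % NS["saml2"] else root.find(".//saml2:Assertion", NS)


def holder_of_key(assertion):
    """Return (modulus, exponent) of the RSA key the assertion is bound to, or raise ValueError."""
    conf = assertion.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != HOLDER_OF_KEY:
        raise ValueError("subject confirmation is not holder-of-key")
    mod = conf.find(".//ds:RSAKeyValue/ds:Modulus", NS)
    exp = conf.find(".//ds:RSAKeyValue/ds:Exponent", NS)
    if mod is None or exp is None:
        raise ValueError("holder-of-key confirmation carries no RSA key")
    return b64_to_int(mod.text), b64_to_int(exp.text)


def attributes(xml_text):
    """Map attribute Name -> value, e.g. dk:medcom:video:role -> meeting-user, for authorisation."""
    result = {}
    for attr in find_assertion(xml_text).findall("saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        result[attr.get("Name")] = value.text if value is not None else ""
    return result


def check_assertion(xml_text, expected_audience, client_key, now, skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the token may be accepted."""
    assertion = find_assertion(xml_text)
    if assertion is None:
        return ["no saml2:Assertion in response"]
    conds = assertion.find("saml2:Conditions", NS)
    if conds is None:
        return ["assertion has no Conditions element"]
    problems = []
    if now + skew < parse_saml_time(conds.get("NotBefore")):
        problems.append("token not yet valid")
    if now - skew >= parse_saml_time(conds.get("NotOnOrAfter")):
        problems.append("token expired")
    audiences = [a.text for a in conds.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience %s does not include %s" % (audiences, expected_audience))
    try:
        if holder_of_key(assertion) != client_key:  # key in the token must equal the mTLS client key
            problems.append("holder-of-key key does not match the mTLS client key")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample built from the STS response above (modulus as printed there), signatures omitted.
SAMPLE_MODULUS = ("rXApxxjCWlsEfeKgUPOl1mJC9aqkkWooyUgOU+KsrH9qRCoK9xVdI7YJebwr5+TJtBbWkKkuD926"
                  "SMxJV1LY6IT8tCflomIl4E5IZdRZPci1N71lQDV6SfNuGPHNpFpLssdSY34+t4/vuGeTZ2lJB5IP"
                  "4sDvjAxJ+nXECcHmcupEEQu3wI2nijcWl4hRRSdhUuKDB/AiaZvsPKcdFj4WTlRdewJS4v5m1khw"
                  "ce6Zj1jw6N7PSQPHaisIxqx2SMHvKiepPuESgEpqP+sGRaL2ESJWuB1kTsNHmer6cJ+ba/pvJy3x"
                  "raY7mrgRv/zWa+6Of9LSVw2hfFx3pEjBgYHhhw==")
SAMPLE_RSTR = ("""<ns2:RequestSecurityTokenResponseCollection xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <ns2:RequestSecurityTokenResponse><ns2:RequestedSecurityToken>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_0e0ccf1f-9a1b-4766-850e-99e749306acf"
    IssueInstant="2019-05-13T07:01:35.068Z" Version="2.0">
   <saml2:Issuer>medcom-test-sts</saml2:Issuer>
   <saml2:Subject>
    <saml2:NameID>CN=medcomsystemuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=DK</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
     <saml2:SubjectConfirmationData><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyValue>
      <ds:RSAKeyValue><ds:Modulus>""" + SAMPLE_MODULUS + """</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue>
     </ds:KeyValue></ds:KeyInfo></saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2019-05-13T07:01:35.068Z" NotOnOrAfter="2019-05-13T15:01:35.068Z">
    <saml2:AudienceRestriction><saml2:Audience>urn:medcom:videoapi</saml2:Audience></saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AttributeStatement>
    <saml2:Attribute Name="dk:medcom:video:role"><saml2:AttributeValue xsi:type="xs:string">meeting-user</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="dk:medcom:organisation_id"><saml2:AttributeValue xsi:type="xs:string">medcom</saml2:AttributeValue></saml2:Attribute>
   </saml2:AttributeStatement>
  </saml2:Assertion>
 </ns2:RequestedSecurityToken></ns2:RequestSecurityTokenResponse>
</ns2:RequestSecurityTokenResponseCollection>""")
# The key the client presented over mTLS; here the same key as in the token, so the binding check passes.
SAMPLE_CLIENT_KEY = (b64_to_int(SAMPLE_MODULUS), b64_to_int("AQAB"))
```

On the API side the client_key argument is taken from the leaf certificate of the mTLS connection, which is why the text insists that only the client certificate, not the chain, is sent: the service compares that one key with the key embedded in the holder-of-key confirmation, and a token presented by anyone else fails this comparison even though the token itself is validly signed by the STS.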