{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Structuur","type":"text"}]},{"type":"paragraph","content":[{"text":"Het SAML concept-contracttoken is een afgegeven SAML assertion van partij B met betrekking tot het af te sluiten contract tussen beide partijen. Het concept-contracttoken wordt in zijn geheel Base64 geëncodeerd toegevoegd aan het contracttoken die gebruikt wordt bij berichtauthenticatie voor het landelijk EPD. Het SAML concept-contracttoken is ondertekend met behulp van het server-certificaat (UZI of EV/OV) van partij B. Het SAML contracttoken is ondertekend met behulp van het server-certificaat (UZI of EV/OV) van partij A. Het contracttoken is qua structuur en inhoud vrijwel identiek aan het concept-contracttoken. Enige verschillen zijn:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"De issuer van het concept-contracttoken is de Subject Distinguished Name van partij B; de issuer van het contracttoken is de Subject Distinguished Name van partij A.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Het subject is de Subject Distinguished Name van de tegenpartij, dus: in het concept-contracttoken de Subject Distinguished Name van partij A; in het contracttoken de Subject Distinguished Name van partij B","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Het contracttoken bevat (optioneel) een attribuut _CTR_locatie","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Het contracttoken bevat een attribuut _Concept-contract_token","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Het contracttoken bevat een attribuut _AC","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Beide tokens bevatten een attribuut _FQDN. Hierin is de FQDN van de tegenpartij opgenomen.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Dientengevolge kan overal waar in de hiernavolgende tekst concept-contracttoken vermeld staat ook contracttoken gelezen worden tenzij in de paragraaf duidelijk onderscheid gemaakt wordt.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Het request","type":"text"}]},{"type":"paragraph","content":[{"text":"Het request is een simpel XML bericht aan de te contracteren organisatie en bevat de Subject Distinguished Name van de contractnemer.","type":"text"}]},{"type":"paragraph","content":[{"text":"Noot: alhoewel het geen authenticatieverzoek betreft is het wel een verzoek om een SAML assertion. Hiermee wordt dus afgeweken van het zuivere SAML protocol.","type":"text"}]},{"type":"paragraph","content":[{"text":" Voorbeeld request:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\nhttps://sp.example.com/SAML2\n\n\n\nSubject Distiguished Name A\n\n\n","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Assertion","type":"text"}]},{"type":"paragraph","content":[{"text":"De SAML assertion heeft de volgende structuur (de waarden die in het token gebruikt worden zijn fictief):","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"0b76ab37-5a0a-417a-b74e-4a2a8975ded9"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"Element/@Attribute","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0..1","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Omschrijving","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"@ID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Unieke identificatie van de Assertion","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"@Version","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Versie van het SAML Protocol. Vaste waarde moet zijn 2.0","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"@IssueInstant","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Tijdstip van uitgifte van de Assertion.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"Issuer","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Concept-contracttoken: De Subject Distinguished Name van de te contracteren partij (partij B).","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]},{"type":"paragraph","content":[{"text":"Contracttoken: De Subject Distinguished Name van de contractnemer (partij A)","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @NameQualifier","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @SPNameQualifier","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Format","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\"","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @SPProviderID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"Signature","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Beide tokens kunnen ondertekend worden door zowel een UZI-servercertificaat als een EV/OV servercertificaat.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]},{"type":"paragraph","content":[{"text":"Concept-contracttoken: Bevat de handtekening over de assertion zoals gezet met behulp van het servercertificaat van partij B.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]},{"type":"paragraph","content":[{"text":"Contracttoken: Bevat de handtekening over de assertion zoals gezet met behulp van het servercertificaat van partij A.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"Subject","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Subject Distinguished Name van de tegenpartij: concept-cotracttoken: Subject Distinguished Name van partij A; contracttoken: Subject Distinguished Name van partij B.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" BaseID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" NameID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Bevat de Subject Distinguished Name.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" EncryptedID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" SubjectConfirmation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Method","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches’","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" SubjectConfirmationData","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Bevat Keyinfo","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Recipient","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @NotOnOrAfter","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @InResponseTo","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @NotBefore","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Address","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" KeyInfo","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Voor beide tokens: Bevat het publieke deel van het X509 servercertificaat","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"Conditions ","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @NotBefore","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @NotOnOrAfter","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn. Mag maximaal 10 jaar na @NotBefore liggen.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" Condition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AudienceRestriction","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" Audience","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1..*","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Minimaal 1 element: urn:IIroot:2.16.840.1.113883.2.4.6.6:IIext:1 (is de ZIM). Voor het concept-contracttoken tevens de urn naar de contractnemer (partij A). Meerdere audiences zijn toegestaan.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" ProxyRestriction","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"Advice","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"AuthnStatement","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @AuthnInstant","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Tijdstip van aanmaak.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @SessionIndex","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Niet gebruiken","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AuthnContext","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AuthnContextClassRef","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"urn:oasis:names:tc:SAML:2.0:ac:classes:X509","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":"AttributeStatement","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" Attribute","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0..1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Optioneel aanwezig; alleen in contracttoken.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Name","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Vaste waarde: “_CTR_locatie”","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AttributeValue","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"0..1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"De URL naar het Contracttokenregister","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" Attribute","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn alleen in contracttoken.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Name","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Vaste waarde: “_Concept-contract_token”","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AttributeValue","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Base64 representatie van het WID_token","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" Attribute","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn alleen in contracttoken.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Name","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Vaste waarde: “_AC”","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AttributeValue","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Bevat een X.509 Attribute certificate","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" Attribute","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Moet aanwezig zijn in beide tokens","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" @Name","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Vaste waarde: “_Scope”","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[212.0]},"content":[{"type":"paragraph","content":[{"text":" AttributeValue","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[58.0]},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[489.0]},"content":[{"type":"paragraph","content":[{"text":"Bevat de scope (dienst) van het contract","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff991f"}}]}]}]}]}]},{"type":"paragraph","content":[{"text":"N.B.: bovenstaande tabel bevat de meest gebruikte elementen van SAML assertions en is derhalve niet volledig. Voor niet genoemde elementen geldt: Niet gebruiken.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Namespaces","type":"text"}]},{"type":"paragraph","content":[{"text":"Het SAML concept-contracttoken die gebruikt wordt bij berichtauthenticatie maakt gebruik van de volgende namespaces. De prefixen zijn niet normatief maar worden in dit document als voorbeelden gebruikt.","type":"text"}]},{"type":"paragraph","content":[{"text":"Tabel AORTA.STK.t3300 - Namespaces","type":"text","marks":[{"type":"strong"}]}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"2d0c62e1-825f-40b6-807f-c08e9b613d96"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"Prefix","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[596.0]},"content":[{"type":"paragraph","content":[{"text":"Namespace URI","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"ds","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[596.0]},"content":[{"type":"paragraph","content":[{"text":"http://www.w3.org/2000/09/xmldsig#","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.w3.org/2000/09/xmldsig#"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"saml","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[596.0]},"content":[{"type":"paragraph","content":[{"text":"urn:oasis:names:tc:SAML:2.0:assertion","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"samlp","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[596.0]},"content":[{"type":"paragraph","content":[{"text":"urn:oasis:names:tc:SAML:2.0:protocol","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"wss","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[596.0]},"content":[{"type":"paragraph","content":[{"text":"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd","type":"text","marks":[{"type":"link","attrs":{"href":"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Bij het gebruik van de namespace-prefixes is het van belang deze na het ondertekenen niet meer te veranderen, dit maakt de digitale handtekening ongeldig.","type":"text"}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Inhoud","type":"text"}]},{"type":"paragraph","content":[{"text":"De volgende paragrafen beschrijven de verschillende kenmerken en beveiligingsgerelateerde gegevens die het SAML (concept-)contracttoken onderscheiden, zoals in [IH tokens generiek] beschreven is.","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"Het SAML (concept-)contracttoken begint met het Assertion element en een verwijzing naar de XML SAML namespace voor SAML 2.0 assertions. De attributen behorende bij het Assertion element wordt in paragraaf 2.4.1 Uniekheid beschreven.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Uniekheid","type":"text"}]},{"type":"codeBlock","content":[{"text":"ID=\"token_dd1c1f96-f0b0-4026-a978-4d724c0a0a4f\"\nIssueInstant=\"2009-06-24T11:47:34Z\"\nVersion=\"2.0\">","type":"text"}]},{"type":"paragraph","content":[{"text":"De volgende attributen van het SAML assertion element maken van de SAML assertion een uniek gegeven, uitgegeven door de verzender van het bericht. Het attribuut ID identificeert op een unieke wijze de assertion. De waarde moet ","type":"text"},{"text":"mondiaal uniek","type":"text","marks":[{"type":"em"}]},{"text":" zijn voor alle berichten, zodat bij samenvoegen van meerdere XML bestanden (in een HL7v3 batch of anderszins) de waarde uniek blijft.","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Het wordt aanbevolen een UUID (Universally Unique Identifier) te gebruiken. Bij het gebruik van andere vormen is er een kans, hoe klein ook, dat een ID samenvalt met een ID gemaakt volgens een andere methode van een andere leverancier).","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":" Een ID in XML mag niet met een cijfer beginnen. Bij het gebruik van een UUID is het dus aan te raden een prefix te gebruiken, welke met een letter of underscore (‘_’) begint.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Het attribuut IssueInstant is een tijdsmoment van uitgifte van de SAML assertion. De tijdswaarde is gecodeerd in UTC. Het attribuut Version is de gebruikte SAML versie van de SAML assertion. De aanduiding voor de versie van SAML gedefinieerd in deze specificatie is \"2.0\".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Afzender","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n VOORBEELD ziekenhuis ABC\n","type":"text"}]},{"type":"paragraph","content":[{"text":"In de issuer dient de Subject Distinguished Name uit het servercertificaat waarmee het token is ondertekend overgenomen te worden.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":" Onderwerp","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n VOORBEELD Vendor XYZ\n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"De ","type":"text"},{"text":"Subject ","type":"text","marks":[{"type":"code"}]},{"text":"verwijst naar de door de organisatorische (tegen) partij waarmee het contract afgesloten wordt. Dus voor de contractnemer de te contracteren partij; voor de contractgever de contractnemer.","type":"text"}]},{"type":"paragraph","content":[{"text":"Vervolgens moet de SubjectConfirmation nog toegevoegd worden:","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n ","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Geldigheid","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"Het attribuut ","type":"text"},{"text":"NotBefore","type":"text","marks":[{"type":"em"}]},{"text":" is de tijd waarop de SAML assertion geldig wordt. NotBefore moet altijd op of na de aanvang van de geldigheidsdatum van het certificaat (waarmee het concept-contracttoken is getekend) liggen.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Wordt een bericht met een concept-contracttoken ontvangen voor ","type":"text"},{"text":"NotBefore","type":"text","marks":[{"type":"em"}]},{"text":" is aangevangen, dan ","type":"text"},{"text":"moet","type":"text","marks":[{"type":"strong"}]},{"text":" dit bericht geweigerd worden.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Het attribuut ","type":"text"},{"text":"NotOnOrAfter","type":"text","marks":[{"type":"em"}]},{"text":" is de tijd waarop de SAML assertion vervalt. ","type":"text"},{"text":"NotOnOrAfter ","type":"text","marks":[{"type":"em"}]},{"text":"mag na het verstrijken van de geldigheid van het certifcaat (waarmee het concept-contracttoken is getekend) liggen.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Wordt een bericht met een concept-contracttoken ontvangen op of nadat ","type":"text"},{"text":"NotOnOrAfter","type":"text","marks":[{"type":"em"}]},{"text":" is verstreken, dan ","type":"text"},{"text":"moet","type":"text","marks":[{"type":"strong"}]},{"text":" dit bericht geweigerd worden.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Deze tijd is als bovenstaande tijd geformatteerd. Het maximaal toegestane verschil tussen ","type":"text"},{"text":"NotBefore","type":"text","marks":[{"type":"em"}]},{"text":" en ","type":"text"},{"text":"NotOnOrAfter","type":"text","marks":[{"type":"em"}]},{"text":" is tien jaar.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"De geldigheidsduur van een concept-contracttoken (","type":"text"},{"text":"NotOnOrAfter","type":"text","marks":[{"type":"em"}]},{"text":" minus ","type":"text"},{"text":"NotBefore","type":"text","marks":[{"type":"em"}]},{"text":") kan langer zijn dan de geldigheidsduur van het identiteitscertificaat waarmee het token wordt getekend.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Bij het ondertekenen van het concept-contracttoken moet er een geldig certificaat gebruikt worden. Indien bij ondertekening van het concept-contracttoken het certificaat al op de CRL is geplaatst, dan dient het concept-contracttoken wel geweigerd te worden.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Indien het certificaat vóór ondertekening van het concept-contracttoken op de CRL is geplaatst, dan dient het concept-contracttoken geweigerd te worden door het LSP.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Indien het certificaat na ondertekening van het concept-contracttoken op de CRL is geplaatst, dan dient het concept-contracttoken niet geweigerd te worden.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Het inperken van bepaalde partijen (","type":"text"},{"text":"AudienceRestriction","type":"text","marks":[{"type":"code"}]},{"text":") waarvoor de assertion bedoeld is wordt beschreven in paragraaf 2.4.5 Ontvanger.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Ontvanger","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n urn:IIroot:2.16.840.1.113883.2.4.6.6:IIext:1\n","type":"text"}]},{"type":"paragraph","content":[{"text":"In de ","type":"text"},{"text":"AudienceRestriction ","type":"text","marks":[{"type":"code"}]},{"text":"wordt beschreven aan wie de SAML assertion is gericht. In ieder geval dient de ZIM als audience voor te komen (","type":"text"},{"text":"IIext:1","type":"text","marks":[{"type":"code"}]},{"text":"). Meerdere Audience elementen is toegestaan.","type":"text"}]},{"type":"paragraph","content":[{"text":"Voor de ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" parameter is gekozen voor URN. De URN string is opgebouwd uit een IIroot en een IIext. \"II\" staat voor het HL7v3 datatype Instance Indentifier. Om de namespace in URN uniek te krijgen is II als prefix voor de root en ext geplaatst.","type":"text"}]},{"type":"paragraph","content":[{"text":"AORTA Applicatie-id’s worden uitgedrukt als een id onder het identificatiesysteem “2.16.840.1.113883.2.4.6.6”. Het correcte applicatie-id voor de GBZ-applicatie wordt toegekend bij aansluiting op de AORTA. Stel dat dit “300” zou zijn, dan ziet de URN er als volgt uit:","type":"text"}]},{"type":"paragraph","content":[{"text":"urn:IIroot:2.16.840.1.113883.2.4.6.6:IIext:300","type":"text","marks":[{"type":"code"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Authenticatie","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"Het subject, de contactpartij binnen het contract, in de SAML assertion is geauthenticeerd door middel van het X509 servercertificaat van de betreffende organisatie.","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n urn:oasis:names:tc:SAML:2.0:ac:classes:X509\n\n\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Afsluiting authentication statement.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Attributen","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"De volgorde van de attributen in het AttributeStatement is niet relevant. Er mogen geen andere attributen opgenomen worden in het AttributeStatement dan hier beschreven is.","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"_CTR_locatie (optioneel, alleen in contracttoken)","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"\n \n http://aorta-zorg.nl/contractregister\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Het attribuut _CTR_locatie geeft de locatie aan van een contractregister aan indien het uitwisselsysteem van zo een register gebruikt maakt. Binnen AORTA is dit:","type":"text"}]},{"type":"paragraph","content":[{"text":"http://aorta-zorg.nl/contractregister","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Het attribuut is optioneel en dient alleen voor te komen in het contracttoken.","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"_Concept-contract_token (alleen in contracttoken)","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"\n \n Base64 representatie van het WID_token\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Het attribuut WID_token bevat de gehele SAML assertion van het concept-contract Base64 geëncodeerd.","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"_FQDN (beide tokens)","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"\n \n FQDN uit servercertificaat\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Het attribuut _FQDN bevat de FQDN uit het servercertificaat waarmee het token is ondertekend, dus van de issuer.","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"_Scope (beide tokens)","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"\n \nurn:IIroot:2.16.840.1.113883.2.4.6.10:IIext:””\n \n

","type":"text"}]},{"type":"paragraph","content":[{"text":"Het attribuut _Scope bevat de code van de dienst waar het contract betrekking op heeft.","type":"text"}]},{"type":"paragraph","content":[{"text":"De lijst met diensten en bijbehorende codes wordt gemeenschappelijk bijgehouden en aangevuld.","type":"text"}]},{"type":"paragraph","content":[{"text":"De in het voorbeeld genoemde OID (","type":"text"},{"text":"2.16.840.1.113883.2.4.6.10","type":"text","marks":[{"type":"code"}]},{"text":") is fictief en dient nog nader vastgesteld te worden.","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"_AC (alleen in contracttoken)","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"\n   \n      Attribute certificate \n  \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Het attribuut _AC bevat een, door de contractnemer gegenereerd, X.509 certificate een AttributeCertificate (AC)","type":"text"}]},{"type":"paragraph","content":[{"text":"Een AC heeft geen eigen sleutelpaar maar wordt ondertekend met het private certificate van de uitgever ervan. Bij wijze van trust wordt verwacht dat een AC-verifier de publieke sleutel heeft bijvoorbeeld door die eenmalig uit te wisselen.","type":"text"}]},{"type":"paragraph","content":[{"text":"Standaard attributen van een AC zijn:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Version = v2","type":"text"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Holder: De FQDN van de gecontracteerde","type":"text"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Issuer: het issuerserial van de uitgever van het AC meer concreet: de issuerserial van het UZI-servercertificaat van de zorgverlener. Met dit certificaat moet het AC ondertekend worden. Indien geen UZI-partij, dan dient het publieke deel van het EV/OV servcertificaat eenmalig uitgewisseld te worden.","type":"text"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Serialnumber: Uniek nummer gegenereerd door de uitgever (issuer)","type":"text"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Validity period: Voorlopig vaststellen op 10 jaar?","type":"text"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"CRL: locatie waar de Certificate Revocation List gevonden kan worden","type":"text"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"De signature","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Het cerificaat waarmee het AC ondertekend is dient geldig te zijn (geweest) ten tijde van de ondertekening.","type":"text"}]},{"type":"paragraph","content":[{"text":"Het contract kan opgezegd worden door het AttributeCertificate op de CRL te plaatsen.","type":"text"}]},{"type":"paragraph","content":[{"text":"Tenslotte wordt het attributen statement blok afgesloten met","type":"text"}]},{"type":"codeBlock","content":[{"text":"

","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"attributeStatement blok","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Het attributen statement blok ziet er dan bijvoorbeeld zo uit (de volgorde van de attributen is niet relevant):","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n\n   \n      http://aorta-zorg.nl/contractregister\n  \n\n\n   \n      Base64 representatie van het WID_token\n  \n\n\n   \n      FQDN uit servercertificaat\n  \n\n\n   \nurn:IIroot:2.16.840.1.113883.2.4.6.10:IIext:””\n  \n\n\n   \n      Attribute certificate \n  \n\n","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Algoritmes","type":"text"}]},{"type":"paragraph","content":[{"text":"Om de integriteit en onweerlegbaarheid van het SAML concept-contracttoken te waarborgen wordt een XML Signature geplaatst, zoals beschreven in [IH tokens generiek]. Na plaatsen van de XML Signature kan de ontvanger, met gebruikmaking van het publieke deel van het servercertificaat, onomstotelijk vaststellen dat het SAML concept-contracttoken ondertekend is met de privé sleutel behorend bij het gebruikte severcertificaat van de te contracteren organisatie en dat het contracttoken ondertekend is met de privé sleutel van het servercertificaat van de contractnemer.","type":"text"}]},{"type":"paragraph","content":[{"text":"De XML Signature van het SAML concept-contracttoken die gebruikt wordt bij berichtauthenticatie met behulp van het identiteitscertificaat maakt gebruik van de volgende algoritmes, zoals beschreven in [IH tokens generiek]:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Voor het berekenen van de hashwaarde wordt SHA-256 gebruikt.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Voor de digitale handtekening in AORTA wordt gebruik gemaakt van een RSA handtekening over een SHA-256 digest.","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Omdat de XML Signature onderdeel is van het SAML concept-contracttoken en in het SAML concept-contracttoken geplaatst wordt, moet er een \"enveloped-signature\" transformatie uitgevoerd worden die de Signature tags uit het SAML concept-contracttoken verwijderd gevolgd door een “exc-c14n transformatie” (zie ook [SAML Core] §5.4.3 en §5.4.4).","type":"text"}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Opbouw","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"De headers","type":"text"}]},{"type":"paragraph","content":[{"text":"Eerst wordt het SAML concept-contracttoken – het ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element aangemaakt en gevuld met die elementen, zoals beschreven in paragraaf 2.4 Inhoud.","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n ... Zie paragraaf 2.4 Inhoud ...\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Het XML Signature blok is onderdeel van het SAML concept-contracttoken. Het XML Signature blok komt na het ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element. Na de Signature volgt de rest van de inhoud van de assertion.","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n  \n   Subject Distinguished Name\n  \n  \n    \n    ...\n    \n    Wuwn...5e4=\n    \n      \n        \n        ...\n        \n      \n    \n    ...\n  ... Zie paragraaf 2.3 Inhoud ...\n

","type":"text"}]},{"type":"paragraph","content":[{"text":"Indien de Signature aangemaakt wordt moet niet meer met de strings (saml:Assertion en SignedInfo) gemanipuleerd worden, maar ze moeten octet-voor-octet overgenomen worden in het bericht. Strikt genomen is het toegestaan wijzigingen aan te brengen die door canonicalisatie bij de ontvanger weer opgeheven worden, maar wanneer de digitale handtekening door middel van strings wordt opgebouwd, is het een foutgevoelige handeling.","type":"text"}]},{"type":"paragraph","content":[{"text":"Lange Base 64 waarden zijn afgekort. Wederom kan dit als strings worden behandeld, waarbij drie waarden vervangen moeten worden.","type":"text"}]},{"type":"paragraph","content":[{"text":"Deze drie waarden worden ingevuld:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Neem het SignedInfo blok op.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Neem de SignatureValue op.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Neem certificaatgegevens in het KeyInfo blok op, in de vorm van het volledige publieke certificaat (in het concept-contracttoken het servercertificaat van de te contracteren partij; in het contracttoken het servercertificaat van de contractnemer).","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Wanneer een bericht een SAML assertion bevat, moet dat bericht precies één bijbehorende digitale handtekening bevatten.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Het maken van de XML Signature uit strings levert de SAML assertion op met daarin de Signature.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Plaats van het SAML token en de digitale handtekening","type":"text"}]},{"type":"paragraph","content":[{"text":"Het SAML concept-contracttoken met daarin de digitale handtekening wordt Base64-geëncodeerd in het attribuut “_Concept-contract_token” van het contracttoken gezet.","type":"text"}]},{"type":"paragraph","content":[{"text":"Het gehele contracttoken wordt ondertekend met het servercertificaat van de contractnemer.","type":"text"}]},{"type":"paragraph"}],"version":1}

Browser not supported