diff options
author | Alexander Marsalek <amarsalek@iaik.tugraz.at> | 2014-07-07 17:24:33 +0200 |
---|---|---|
committer | Alexander Marsalek <amarsalek@iaik.tugraz.at> | 2014-07-07 17:24:33 +0200 |
commit | 26a2ba4a0c171fb9cdf9ea2c769576b1062480eb (patch) | |
tree | 81eba1f7a442e7a121c2d1b783b1926a42e2a553 /id | |
parent | 8b8ea32ebd30b542a9b4ea1c797078377443f251 (diff) | |
parent | b6b155c4d55a31a13d189f50831fb7fa8c504b90 (diff) | |
download | moa-id-spss-26a2ba4a0c171fb9cdf9ea2c769576b1062480eb.tar.gz moa-id-spss-26a2ba4a0c171fb9cdf9ea2c769576b1062480eb.tar.bz2 moa-id-spss-26a2ba4a0c171fb9cdf9ea2c769576b1062480eb.zip |
Merge branch 'moa-2.1-Snapshot' into authnrequest_signrequest_split
Diffstat (limited to 'id')
16 files changed, 242 insertions, 92 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java index 8d7d02048..7b5575a90 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java @@ -42,6 +42,7 @@ public class OASAML1Config implements IOnlineApplicationData{ private Boolean provideCertificate = false; private Boolean provideFullMandateData = false; private Boolean useCondition = false; + private Boolean provideAllErrors = true; private int conditionLength = -1; @@ -71,6 +72,9 @@ public class OASAML1Config implements IOnlineApplicationData{ provideIdentityLink = saml1.isProvideIdentityLink(); provideStammZahl = saml1.isProvideStammzahl(); + if (saml1.isProvideAllErrors() != null) + provideAllErrors = saml1.isProvideAllErrors(); + if (saml1.isUseCondition() != null) useCondition = saml1.isUseCondition(); @@ -122,6 +126,7 @@ public class OASAML1Config implements IOnlineApplicationData{ saml1.setProvideIdentityLink(isProvideIdentityLink()); saml1.setProvideStammzahl(isProvideStammZahl()); saml1.setUseCondition(isUseCondition()); + saml1.setProvideAllErrors(provideAllErrors); saml1.setConditionLength(BigInteger.valueOf(getConditionLength())); // TODO: set sourceID // saml1.setSourceID(""); @@ -185,5 +190,21 @@ public class OASAML1Config implements IOnlineApplicationData{ */ public void setActive(boolean isActive) { this.isActive = isActive; + } + + /** + * @return the provideAllErrors + */ + public Boolean getProvideAllErrors() { + return provideAllErrors; + } + + /** + * @param provideAllErrors the provideAllErrors to set + */ + public void setProvideAllErrors(Boolean provideAllErrors) { + this.provideAllErrors = provideAllErrors; } + + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java index 4036bc25f..e988cc292 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java @@ -181,7 +181,9 @@ public class OATargetConfiguration implements IOnlineApplicationData { num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); } - IdentificationNumber idnumber = new IdentificationNumber(); + IdentificationNumber idnumber = authoa.getIdentificationNumber(); + if (idnumber == null) + idnumber = new IdentificationNumber(); if (getIdentificationType().equals(Constants.IDENIFICATIONTYPE_STORK)) { idnumber.setValue(Constants.PREFIX_STORK + "AT" + "+" + num); diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 5b7f2cc01..e4e7a0b63 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties @@ -295,6 +295,7 @@ webpages.oaconfig.saml1.provideCertificate=Zertifikat \u00FCbertragen webpages.oaconfig.saml1.provideFullMandateData=Vollst\u00E4ndige Vollmacht \u00FCbertragen webpages.oaconfig.saml1.useCondition=Usecondition webpages.oaconfig.saml1.conditionLength=ConditionLength +webpages.oaconfig.saml1.provideAllErrors=Fehlermeldungen an OA \u00FCbertragen webpages.oaconfig.protocols.pvp2.header=PVP2.x Konfiguration webpages.oaconfig.pvp2.reload=PVP2.x konfiguration neu laden diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index cc6e98964..dcf36103b 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties @@ -293,6 +293,7 @@ webpages.oaconfig.saml1.provideCertificate=Transfer certificate webpages.oaconfig.saml1.provideFullMandateData=Transfer complete mandate data webpages.oaconfig.saml1.useCondition=Use condition webpages.oaconfig.saml1.conditionLength=Condition length +webpages.oaconfig.saml1.provideAllErrors=Transfer errors to application webpages.oaconfig.protocols.pvp2.header=PVP2.x configuration webpages.oaconfig.pvp2.reload=Load new PVP2.x configuration diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp index 4fd02aa61..a004a03a3 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp @@ -45,6 +45,14 @@ key="webpages.oaconfig.saml1.provideFullMandateData" cssClass="checkbox"> </s:checkbox> + <br> + <s:checkbox name="saml1OA.provideAllErrors" + value="%{saml1OA.provideAllErrors}" + labelposition="left" + key="webpages.oaconfig.saml1.provideAllErrors" + cssClass="checkbox"> + </s:checkbox> + <%-- <br> <br> <br> diff --git a/id/readme_2.1.0-RC3.txt b/id/readme_2.1.0-RC3.txt index 8f8a7b62d..19e0e9091 100644 --- a/id/readme_2.1.0-RC3.txt +++ b/id/readme_2.1.0-RC3.txt @@ -14,14 +14,15 @@ gleichen Verzeichnis): - IDP Interfederation für Single Sign-On - MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet. - Definition neuer Fehlercodes + - Single LogOut Unterstützung für PVP 2.1 (SAML2) als Feature mit Betastatus - Änderungen - Anpassung VIDP Code für STORK - - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - - Kleinere Bug-Fixes + - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - Anpassung der protokollspezifischen Fehlerrückgabe - - Anpassungen für die Verwendung von Oracle Datenbanksystemen - + - Anpassungen für die Verwendung von Oracle Datenbanksystemen + - Kleinere Bug-Fixes + ------------------------------------------------------------------------------- B. Durchführung eines Updates ------------------------------------------------------------------------------- diff --git a/id/server/auth/src/main/webapp/index.html b/id/server/auth/src/main/webapp/index.html index a411663b2..4d4529730 100644 --- a/id/server/auth/src/main/webapp/index.html +++ b/id/server/auth/src/main/webapp/index.html @@ -14,7 +14,7 @@ </tr>
</table>
<hr/>
- <p class="title">MOA-ID 2.1.0-RC3</p>
+ <p class="title">MOA-ID 2.1.0</p>
<hr/>
<h1>Inhalt</h1>
<ol>
diff --git a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml index 14acd54f2..9759f1ac5 100644 --- a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml +++ b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml @@ -65,6 +65,18 @@ </cfg:DatabaseArchive> </cfg:Archive> </cfg:Archiving> + <cfg:CrlRetentionIntervals> + <!-- Retention Intervall (5 Jahre) fuer a-sign-corporate-light-03, damit Personenbindung trotz abgelaufenem Personenbindungszertifikat pruefbar bleibt --> + <cfg:CA> + <cfg:X509IssuerName>CN=a-sign-corporate-light-03,OU=a-sign-corporate-light-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT</cfg:X509IssuerName> + <cfg:Interval>1825</cfg:Interval> + </cfg:CA> + <!-- Retention Intervall (5 Jahre) fuer a-sign-corporate-light-02, damit Personenbindung trotz abgelaufenem Personenbindungszertifikat pruefbar bleibt --> + <cfg:CA> + <cfg:X509IssuerName>CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT</cfg:X509IssuerName> + <cfg:Interval>1825</cfg:Interval> + </cfg:CA> + </cfg:CrlRetentionIntervals> </cfg:RevocationChecking> </cfg:CertificateValidation> <cfg:VerifyTransformsInfoProfile> diff --git a/id/server/doc/handbook/protocol/idp_metadata.xml b/id/server/doc/handbook/protocol/idp_metadata.xml index 2d2990917..e8915332e 100644 --- a/id/server/doc/handbook/protocol/idp_metadata.xml +++ b/id/server/doc/handbook/protocol/idp_metadata.xml @@ -1,18 +1,18 @@ -<md:EntitiesDescriptor ID="_8e844196b97a91dc47f59577edc2d2b7" Name="MOA-ID 2.0 Demo IDP (Version: 2.0-RC3)" validUntil="2014-03-26T11:34:06.707Z"> +<md:EntitiesDescriptor ID="_c0303e3081ac29bb8329cade76279069" Name="MOA-ID 2.0 Demo IDP (Version: 2.1.0)" validUntil="2014-07-04T11:23:29.736Z"> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> - <ds:Reference URI="#_8e844196b97a91dc47f59577edc2d2b7"> + <ds:Reference URI="#_c0303e3081ac29bb8329cade76279069"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> - <ds:DigestValue>YPy6KJGNTbmKTzmLbQ3wsDhGgz8ktuUjud19b9xoHe0=</ds:DigestValue> + <ds:DigestValue>IjxuoZphYVmZdZ5HfoVDr35r2b1V840+SMeC89IO/SQ=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> - <ds:SignatureValue>Zg4iaALZ/pNrthme8PaH5iiWZQ+ay30oC14RJab99im9atRDd6tb5RGmmuKY0KXpxetHUnBp5yA8I2Oh+tUuaq4Vbhewq1k9TytZmo83KMJbWBwtPWhbgET/i40CcngDiKPZLSt793WJ/LJpFtj/YidJaq2Z4k5Mj4RUr/SBMdH2HN+fZio/K9uyGy7hOLWKIU9zrSj1sOeMvqwyT6vD8h2s2qWV4TZai2PMxUSMgqqmJS3be2yoI68+5JHX3lgdQ9xRfhasxk//hK/rx39UiljIKxRRUpq1V2TGimK6YYNKrimzzVznCoB25h1+NMF8vQvwSRj085MAQkeQ14gedw==</ds:SignatureValue> + <ds:SignatureValue>JILQKKPvsK7onsMweJauAcGEniFGJ5bXEOvfYhxAYCB+dXL6pH87USD1v9UqycllBDqQE/Rp2tPtqo11CjdcKs0KkceQCZjzmDlVPqMZrgh0FerTSysF0fcPKoKeAtqqk+WSu7Xk9lU+PCxGArGA+vBLTRRbAOuZpE7ORrS7AF2m5uaO1YOKfO0GN+LoxTiygI2aeqKsKMlPkboh4ZuEjv1ht9xUHeQtAf/MHtaXZDvaRQPXALf0oCRnDWpiiqvKdARJq5NXrrbrdow/M1FpoddtE0Mu65AsorIdXoPSXJnLhw/zDfHv82PQo0pW7ujc0yJY+5VzfURMZOyKmrfCmg==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw @@ -37,7 +37,7 @@ cfmNJhb06H+6mmHz929Bk4HuHoQj8X8=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> - <md:EntityDescriptor entityID="https://demo.egiz.gv.at/demoportal_moaid-2.0" validUntil="2014-04-18T10:34:06.707Z"> + <md:EntityDescriptor entityID="https://demo.egiz.gv.at/demoportal_moaid-2.0" validUntil="2014-07-27T11:23:29.736Z"> <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"> <ds:KeyInfo> @@ -64,55 +64,114 @@ cfmNJhb06H+6mmHz929Bk4HuHoQj8X8=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/redirect"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post"/> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/redirect"/> - <saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="pseudonym" Name="http://www.stork.gov.eu/1.0/pseudonym" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.82" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-FAMILY-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.80" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-PROF-REP-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.86" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-AUTH-BLOCK" Name="urn:oid:1.2.40.0.10.2.1.1.261.62" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-SIGNER-CERTIFICATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.66" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-PROF-REP-DESCRIPTION" Name="urn:oid:1.2.40.0.10.2.1.1.261.88" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="title" Name="http://www.stork.gov.eu/1.0/title" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="inheritedFamilyName" Name="http://www.stork.gov.eu/1.0/inheritedFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATE-REFERENCE-VALUE" Name="urn:oid:1.2.40.0.10.2.1.1.261.90" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="maritalStatus" Name="http://www.stork.gov.eu/1.0/maritalStatus" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="fiscalNumber" Name="http://www.stork.gov.eu/1.0/fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="age" Name="http://www.stork.gov.eu/1.0/age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="canonicalResidenceAddress" Name="http://www.stork.gov.eu/1.0/canonicalResidenceAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.36" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="nationalityCode" Name="http://www.stork.gov.eu/1.0/nationalityCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="textResidenceAddress" Name="http://www.stork.gov.eu/1.0/textResidenceAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="countryCodeOfBirth" Name="http://www.stork.gov.eu/1.0/countryCodeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-GIVEN-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.78" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATE-FULL-MANDATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.92" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="adoptedFamilyName" Name="http://www.stork.gov.eu/1.0/adoptedFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="residencePermit" Name="http://www.stork.gov.eu/1.0/residencePermit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="EID-CITIZEN-QAA-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.94" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="isAgeOver" Name="http://www.stork.gov.eu/1.0/isAgeOver" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-STORK-TOKEN" Name="urn:oid:1.2.40.0.10.2.1.1.261.96" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.70" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATE-FULL-MANDATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.92" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="nationalityCode" Name="http://www.stork.gov.eu/1.0/nationalityCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-BPK" Name="urn:oid:1.2.40.0.10.2.1.1.261.98" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="title" Name="http://www.stork.gov.eu/1.0/title" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATE-REFERENCE-VALUE" Name="urn:oid:1.2.40.0.10.2.1.1.261.90" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="adoptedFamilyName" Name="http://www.stork.gov.eu/1.0/adoptedFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-STORK-TOKEN" Name="urn:oid:1.2.40.0.10.2.1.1.261.96" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-PROF-REP-DESCRIPTION" Name="urn:oid:1.2.40.0.10.2.1.1.261.88" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.36" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.102" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-GIVEN-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.78" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="EID-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.104" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="maritalStatus" Name="http://www.stork.gov.eu/1.0/maritalStatus" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-SIGNER-CERTIFICATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.66" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="inheritedFamilyName" Name="http://www.stork.gov.eu/1.0/inheritedFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.82" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="EID-AUTH-BLOCK" Name="urn:oid:1.2.40.0.10.2.1.1.261.62" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-FAMILY-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.80" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="countryCodeOfBirth" Name="http://www.stork.gov.eu/1.0/countryCodeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="age" Name="http://www.stork.gov.eu/1.0/age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <saml2:Attribute FriendlyName="gender" Name="http://www.stork.gov.eu/1.0/gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-PROF-REP-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.86" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> - <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="textResidenceAddress" Name="http://www.stork.gov.eu/1.0/textResidenceAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="canonicalResidenceAddress" Name="http://www.stork.gov.eu/1.0/canonicalResidenceAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="isAgeOver" Name="http://www.stork.gov.eu/1.0/isAgeOver" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> + <saml2:Attribute FriendlyName="pseudonym" Name="http://www.stork.gov.eu/1.0/pseudonym" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </md:IDPSSODescriptor> + <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:KeyDescriptor use="signing"> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw +EQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRHcmF6MQ0wCwYDVQQKEwRFR0laMSIwIAYDVQQD +ExlNT0EtSUQgSURQIChUZXN0LVZlcnNpb24pMB4XDTE0MDEyMTA4NDAxOFoXDTE1MDEyMTA4NDAx +OFowZDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEdyYXoxDTAL +BgNVBAoTBEVHSVoxIjAgBgNVBAMTGU1PQS1JRCBJRFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFETzd0nLV2P4pUGnlLKj3V+MZ4bUyYkNK5NnkzB0PO8hm +tsrdg+HSNsnPiU5KvD26tFpxq9lfibZcAp9JHFqjA/capOHcTDhYkTvJcSdaKJzttTPy4wivTbRu +y+ocK9jjz6g8BFvP9wQ5/k2AwFaqj0SeJt0jJTn4CZ8XMNozA2hwkQA2heuMtOl24Ie9PRC3/Af7 +utV2CNfV2MysGHIxazsZDIgFF+5/nybyR1yiIxKb0BYDh3gbNdyH5uLVBHOP4hvzQN5Z1xc/cdzq +lzKn/4v6HJraNn00xLzK6nrG6gB6HvDok2l8T1Cc7f8I+sNlO2aM8rY4hGSGCfhiL6IFAgMBAAGj +gckwgcYwHQYDVR0OBBYEFKG3LzuPtAGCXUPTw3fo9dtsS9wWMIGWBgNVHSMEgY4wgYuAFKG3LzuP +tAGCXUPTw3fo9dtsS9wWoWikZjBkMQswCQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEN +MAsGA1UEBxMER3JhejENMAsGA1UEChMERUdJWjEiMCAGA1UEAxMZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKYIJAI/HXXgQpJtFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAME3wzEi +UAcF2pCDtMMJzX4IDhSkWNuvWtSMMy8Vgtcc2t570teIKh+qNKQWZyX3QFVE6ovDABg3ZUhn780l +G4/t6aMOUEeGg4udl7l0QRBRbdd+9oc0Aw5dQqku02AQ6wQd695PLj+F0GeA7cdef90aLPu6Rwa5 +z5BiKpReJZoul3NpjQXz7A1IslZOlIhEDcFUlBSn/+QfLOeNDKurvPT0OzUGSGfrv0AoniNHc/fz +lfyRmgFbzAVHedU5cIxcE0yHtEKFjFSVwtGng9rTJpoOoY4pvGvAHlw6GEgO+HwFukPDtnvY8vi/ +cfmNJhb06H+6mmHz929Bk4HuHoQj8X8=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:KeyDescriptor use="encryption"> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw +EQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRHcmF6MQ0wCwYDVQQKEwRFR0laMSIwIAYDVQQD +ExlNT0EtSUQgSURQIChUZXN0LVZlcnNpb24pMB4XDTE0MDEyMTA4NDAxOFoXDTE1MDEyMTA4NDAx +OFowZDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEdyYXoxDTAL +BgNVBAoTBEVHSVoxIjAgBgNVBAMTGU1PQS1JRCBJRFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFETzd0nLV2P4pUGnlLKj3V+MZ4bUyYkNK5NnkzB0PO8hm +tsrdg+HSNsnPiU5KvD26tFpxq9lfibZcAp9JHFqjA/capOHcTDhYkTvJcSdaKJzttTPy4wivTbRu +y+ocK9jjz6g8BFvP9wQ5/k2AwFaqj0SeJt0jJTn4CZ8XMNozA2hwkQA2heuMtOl24Ie9PRC3/Af7 +utV2CNfV2MysGHIxazsZDIgFF+5/nybyR1yiIxKb0BYDh3gbNdyH5uLVBHOP4hvzQN5Z1xc/cdzq +lzKn/4v6HJraNn00xLzK6nrG6gB6HvDok2l8T1Cc7f8I+sNlO2aM8rY4hGSGCfhiL6IFAgMBAAGj +gckwgcYwHQYDVR0OBBYEFKG3LzuPtAGCXUPTw3fo9dtsS9wWMIGWBgNVHSMEgY4wgYuAFKG3LzuP +tAGCXUPTw3fo9dtsS9wWoWikZjBkMQswCQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEN +MAsGA1UEBxMER3JhejENMAsGA1UEChMERUdJWjEiMCAGA1UEAxMZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKYIJAI/HXXgQpJtFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAME3wzEi +UAcF2pCDtMMJzX4IDhSkWNuvWtSMMy8Vgtcc2t570teIKh+qNKQWZyX3QFVE6ovDABg3ZUhn780l +G4/t6aMOUEeGg4udl7l0QRBRbdd+9oc0Aw5dQqku02AQ6wQd695PLj+F0GeA7cdef90aLPu6Rwa5 +z5BiKpReJZoul3NpjQXz7A1IslZOlIhEDcFUlBSn/+QfLOeNDKurvPT0OzUGSGfrv0AoniNHc/fz +lfyRmgFbzAVHedU5cIxcE0yHtEKFjFSVwtGng9rTJpoOoY4pvGvAHlw6GEgO+HwFukPDtnvY8vi/ +cfmNJhb06H+6mmHz929Bk4HuHoQj8X8=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/sp/redirect"/> + <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> + <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> + <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/sp/post" index="0" isDefault="true"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/sp/redirect" index="1"/> + </md:SPSSODescriptor> <md:Organization> <md:OrganizationName xml:lang="de">EGIZ</md:OrganizationName> <md:OrganizationDisplayName xml:lang="de">E-Government Innovationszentrum</md:OrganizationDisplayName> diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html index b98561d7e..e7658875c 100644 --- a/id/server/doc/handbook/protocol/protocol.html +++ b/id/server/doc/handbook/protocol/protocol.html @@ -32,7 +32,11 @@ </ol> </li> <li><a href="#allgemeines_sso">Single Sign-On</a></li> - <li><a href="#allgemeines_ssologout">SSO Logout </a></li> + <li><a href="#allgemeines_ssologout">SSO Logout</a> + <ol> + <li><a href="#allgemeines_ssologout_slo">Single LogOut</a></li> + </ol> + </li> <li><a href="#allgemeines_legacy">Legacy Request (Bürgerkartenauswahl beim Service Provider)</a></li> </ol> </li> @@ -110,6 +114,11 @@ Redirect Binding</td> <td>https://<host>:<port>/moa-id-auth/pvp2/attributequery</td> </tr> <tr> + <td><a href="#./../interfederation/interfederation.html#config_idps">PVP 2.1</a></td> + <td>Single LogOut</td> + <td>https://<host>:<port>/moa-id-auth/pvp2/redirect</td> + </tr> + <tr> <td><a href="#openid">OpenID Connect</a></td> <td>Authentifizierungsrequest <br> (AuthCode-Request)</td> @@ -132,11 +141,17 @@ Redirect Binding</td> <p>http://<host>:<port>/moa-id-auth/services/GetAuthenticationData</p></td> </tr> <tr> - <td><a href="#allgemeines_ssologout">SSO Logout</a></td> + <td><a href="#allgemeines_ssologout">SSO LogOut</a></td> <td>LogOut</td> <td><p>https://<host>:<port>/moa-id-auth/LogOut</p> <p>http://<host>:<port>/moa-id-auth/LogOut</p></td> </tr> + <tr> + <td>IDP Single LogOut</td> + <td>Single LogOut</td> + <td><p>https://<host>:<port>/moa-id-auth/idpSingleLogout</p> + <p>http://<host>:<port>/moa-id-auth/idpSingleLogout</p></td> + </tr> </table> <h2><a name="allgemeines_attribute" id="allgemeines_zugangspunkte2"></a>1.2 Übersicht der möglichen Attribute</h2> <p>Die nachfolgende Tabelle beinhaltet eine Liste aller Attribute die vom Modul MOA-ID-Auth an die Online-Applikation zurückgeliefert werden können, sofern diese nach der Authentifizierung zur Verfügung stehen. Alle Namen beziehen sich auf den Attributnamen im jeweiligen Protokoll. Detailinformationen zu den einzelnen Attributen finden Sie in der <a href="#referenzierte_spezifikation">PVP 2.1 Spezifikation</a> der der <a href="#referenzierte_spezifikation">STORK Spezifikation</a>.</p> @@ -882,6 +897,17 @@ https://<host>:<port>/moa-id-auth/LogOut <pre>https://demo.egiz.gv.at/moa-id-auth/LogOut?redirect=https://demo.egiz.gv.at/demoportal-openID_demo </pre> <p><strong>Hinweis:</strong> Dieses Service bietet jedoch NICHT eine vollständige Single Log-Out Funktionalität wie sie im SAML 2 Protokoll vorgesehen ist, sondern beendet ausschließlich die SSO Session in der MOA-ID-Auth Instanz.</p> +<h3><a name="allgemeines_ssologout_slo" id="allgemeines_zugangspunkte25"></a>1.5.1 Single LogOut</h3> +<p>Ab der Version 2.1 unterstützt das Modul MOA-ID-Auth Single LogOut (SLO) laut SAML2 Spezifikation. Die SLO Funktionaltität steht jedoch nur für Online-Applikationen zur Verfügung welche als Authentifizierungsprotokoll PVP 2.1 verwenden. Für alle anderen Authentifizierungsprotokolle steht aktuell kein SLO zur Verfügung. </p> +<p>Für Single LogOut stehen sowohl IDP initialisiertes SLO als auch Service Provider initialisiertes SLO zur Verfügung. Als Einsprungpunkt für IDP initialisiertes SLO stellt das Modul MOA-ID-Auth folgende Web Adressen zur Verfügung. Nach dem Aufruf dieses Services wird der Single LogOut Vorgang gestartet. Nach erfolgreicher Bearbeitung aller SLO Requests / Response erfolgt die Statusausgabe in den Browser.</p> +<pre>https://<host>:<port>/moa-id-auth/idpSingleLogout</pre> +<p>bzw.</p> +<pre>http://<host>:<port>/moa-id-auth/idpSingleLogout</pre> +<p> </p> +<p>Die Endpunkte für Service Provider initialisietes SLO finden Sie in den <a href="#pvp21_metadata">PVP 2.1 Metadaten</a>.</p> +<p> </p> +<p><strong>Hinweis:</strong> Wenn Single Sign-On mit Authentifizierungsprotokollen, welche kein SLO untersützen verwendet wurde, schlägt der Single LogOut Vorgang auf jeden Fall fehl, da der Benutzer an den jeweiligen Online-Applikationen nicht angemeldet werden kann. Die SSO Session am Identityprovider wird jedoch auf jeden Fall beendet</p> +<p> </p> <h2><a name="allgemeines_legacy" id="allgemeines_zugangspunkte4"></a>1.6 Legacy Request (Bürgerkartenauswahl beim Service Provider)</h2> <p>Soll die Bürgerkartenauswahl jedoch weiterhin, wie aus MOA-ID 1.5.1 bekannt direkt in der Online-Applikation des Service Providers erfolgen muss für das jeweilige Protokoll der <a href="./../config/config.html#konfigurationsparameter_allgemein_protocol_legacy">Legacy Modus aktiviert</a> werden. Wird der Legacy Modus verwendet muss jedoch zusätzlich zu den protokollspezifischen Parametern mindestens der Parameter <em>bkuURI</em>, welcher die gewählte Bürgerkartenumgebung enthält, im Authentifizierungsrequest an MOA-ID-Auth übergeben werden (siehe <a href="#saml1_startauth">Protokoll SAML 1</a>). Die folgenden Parameter stehen bei Verwendung des Legacy Modus unabhängig vom verwendeten Protokoll zur Verfügung und bilden den gesamten Umfang der Bürgerkartenauswahl, wie aus MOA-ID 1.5.1 bekannt, ab.</p> <table border="1" width="1247"> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index c0e1dd3ca..9af2f5ee5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -478,11 +478,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); - authData.setQualifiedCertificate(verifyXMLSigResp - .isQualifiedCertificate()); - authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); - authData.setPublicAuthorityCode(verifyXMLSigResp - .getPublicAuthorityCode()); + + if (verifyXMLSigResp != null) { + authData.setQualifiedCertificate(verifyXMLSigResp + .isQualifiedCertificate()); + authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); + authData.setPublicAuthorityCode(verifyXMLSigResp + .getPublicAuthorityCode()); + + } else { + Logger.warn("No signature verfication response found!"); + + } + authData.setBkuURL(session.getBkuURL()); authData.setStorkAttributes(session.getStorkAttributes()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 2d49eb809..5a2fda67f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -301,17 +301,14 @@ public class PEPSConnectorServlet extends AuthServlet { // retrieve target
//TODO: check in case of SSO!!!
String targetType = null;
- String targetValue = null;
if(oaParam.getBusinessService()) {
String id = oaParam.getIdentityLinkDomainIdentifier();
if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
+ targetType = id;
else
- targetValue = moaSession.getDomainIdentifier();
- targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_;
+ targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier();
} else {
- targetType = AuthenticationSession.TARGET_PREFIX_;
- targetValue = oaParam.getTarget();
+ targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
}
Logger.debug("Starting connecting SZR Gateway");
@@ -320,7 +317,7 @@ public class PEPSConnectorServlet extends AuthServlet { try {
identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
oaParam.getFriendlyName(),
- targetType, targetValue,
+ targetType, null,
oaParam.getMandateProfiles());
} catch (STORKException e) {
// this is really nasty but we work against the system here. We are supposed to get the gender attribute from
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 762d9af2c..547a86bd9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -288,15 +288,16 @@ public class CreateXMLSignatureResponseValidator { } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - try { + String text = ""; + try { OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); - } catch (ConfigurationException e) { - Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); - } + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); + } String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); @@ -516,22 +517,23 @@ public class CreateXMLSignatureResponseValidator { } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - try { - if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) + String text = ""; + try { + if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) Logger.info("Use addional AuthBlock Text from SSO=" +text); else text = new String(); - } catch (ConfigurationException e) { - Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); - } + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); + if (!samlSpecialText.equals(specialText)) { + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + } } else { throw new ValidateException("validator.35", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index e6e77911a..864be253a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -29,7 +29,6 @@ import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.net.URI; -import java.net.URL; import java.nio.file.Path; import java.util.ArrayList; import java.util.Arrays; @@ -242,13 +241,19 @@ public class BuildFromLegacyConfig { for (int i=0; i<transformsInfos.length; i++) { TransformsInfoType transforminfotype = new TransformsInfoType(); - - String fileURL = FileUtils.makeAbsoluteURL(transformsInfoFileNames[i], rootConfigFileDir); - Path fileName_ = new File(new URI(fileURL)).toPath().getFileName(); - transforminfotype.setFilename(fileName_.toString()); - transforminfotype.setTransformation(Base64Utils.encode(transformsInfos[i].getBytes("UTF-8")).getBytes("UTF-8")); - auth_transformInfos.add(transforminfotype); + if (transformsInfoFileNames[i] != null && + transformsInfos[i] != null) { + String fileURL = FileUtils.makeAbsoluteURL(transformsInfoFileNames[i], rootConfigFileDir); + Path fileName_ = new File(new URI(fileURL)).toPath().getFileName(); + transforminfotype.setFilename(fileName_.toString()); + + transforminfotype.setTransformation(Base64Utils.encode(transformsInfos[i].getBytes("UTF-8")).getBytes("UTF-8")); + auth_transformInfos.add(transforminfotype); + + } else + Logger.warn("AuthBlock Transformation " + transformsInfoFileNames[i] + + "not found."); } } @@ -448,6 +453,7 @@ public class BuildFromLegacyConfig { oa_saml1.setProvideStammzahl(oa.getProvideStammzahl()); oa_saml1.setUseCondition(oa.getUseCondition()); oa_saml1.setIsActive(true); + oa_saml1.setProvideAllErrors(false); //OA_PVP2 OAPVP2 oa_pvp2 = new OAPVP2(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 399e7fa22..9c8c52e87 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -166,21 +166,26 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { IRequest protocolRequest) throws Throwable{ - SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace(); + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(protocolRequest.getOAURL()); + if (!oa.getSAML1Parameter().isProvideAllErrors()) + return false; - String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); + else { + SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace(); + String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); - String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; - url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); - url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); - url = response.encodeRedirectURL(url); + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; + url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); + url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + url = response.encodeRedirectURL(url); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", url); - Logger.debug("REDIRECT TO: " + url); + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", url); + Logger.debug("REDIRECT TO: " + url); - return true; + return true; + } } public IAction getAction(String action) { diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 5b3075c68..45adecb92 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -862,6 +862,7 @@ <xsd:element name="useCondition" type="xsd:boolean" minOccurs="0" maxOccurs="1"/> <xsd:element name="conditionLength" type="xsd:integer" minOccurs="0" maxOccurs="1"/> <xsd:element name="sourceID" type="xsd:string" minOccurs="0" maxOccurs="1"/> + <xsd:element name="provideAllErrors" type="xsd:boolean" default="true" minOccurs="0" maxOccurs="1"/> </xsd:sequence> </xsd:complexType> </xsd:element> |