From 8f3f0922e06cc0fdd9f2d7562061a15570435e12 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 25 Jun 2014 09:59:26 +0200 Subject: Retention interval in MOA-SPSS standard configuration (for MOA-ID deployment) set --- .../data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'id') diff --git a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml index 14acd54f2..9759f1ac5 100644 --- a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml +++ b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml @@ -65,6 +65,18 @@ + + + + CN=a-sign-corporate-light-03,OU=a-sign-corporate-light-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT + 1825 + + + + CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT + 1825 + + -- cgit v1.2.3 From 7830437391cf5fe927605e82492d79fdb872059e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 30 Jun 2014 12:51:41 +0200 Subject: Log an error if authblock transformation is not found --- .../moa/id/config/legacy/BuildFromLegacyConfig.java | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index e6e77911a..9554e3ca5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java 
@@ -29,7 +29,6 @@ import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.net.URI; -import java.net.URL; import java.nio.file.Path; import java.util.ArrayList; import java.util.Arrays; @@ -242,13 +241,19 @@ public class BuildFromLegacyConfig { for (int i=0; i Date: Mon, 30 Jun 2014 13:26:02 +0200 Subject: add checkbox to choose if all errors should be send back to online application --- .../id/configuration/data/oa/OASAML1Config.java | 21 +++++++++++++++++ .../resources/applicationResources_de.properties | 1 + .../resources/applicationResources_en.properties | 1 + .../src/main/webapp/jsp/snippets/OA/saml1.jsp | 8 +++++++ .../id/config/legacy/BuildFromLegacyConfig.java | 1 + .../moa/id/protocols/saml1/SAML1Protocol.java | 27 +++++++++++++--------- .../src/main/resources/config/moaid_config_2.0.xsd | 1 + 7 files changed, 49 insertions(+), 11 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java index 8d7d02048..7b5575a90 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java @@ -42,6 +42,7 @@ public class OASAML1Config implements IOnlineApplicationData{ private Boolean provideCertificate = false; private Boolean provideFullMandateData = false; private Boolean useCondition = false; + private Boolean provideAllErrors = true; private int conditionLength = -1; 
@@ -71,6 +72,9 @@ public class OASAML1Config implements IOnlineApplicationData{ provideIdentityLink = saml1.isProvideIdentityLink(); provideStammZahl = saml1.isProvideStammzahl(); + if (saml1.isProvideAllErrors() != null) + provideAllErrors = saml1.isProvideAllErrors(); + if (saml1.isUseCondition() != null) useCondition = saml1.isUseCondition(); @@ -122,6 +126,7 @@ public class OASAML1Config implements IOnlineApplicationData{ saml1.setProvideIdentityLink(isProvideIdentityLink()); saml1.setProvideStammzahl(isProvideStammZahl()); saml1.setUseCondition(isUseCondition()); + saml1.setProvideAllErrors(provideAllErrors); saml1.setConditionLength(BigInteger.valueOf(getConditionLength())); // TODO: set sourceID // saml1.setSourceID(""); @@ -185,5 +190,21 @@ public class OASAML1Config implements IOnlineApplicationData{ */ public void setActive(boolean isActive) { this.isActive = isActive; + } + + /** + * @return the provideAllErrors + */ + public Boolean getProvideAllErrors() { + return provideAllErrors; + } + + /** + * @param provideAllErrors the provideAllErrors to set + */ + public void setProvideAllErrors(Boolean provideAllErrors) { + this.provideAllErrors = provideAllErrors; } + + } diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 5b7f2cc01..e4e7a0b63 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties 
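Review bot: `setProvideAllErrors(Boolean)` in the @@ -185 hunk stores whatever it receives, including null, and the write-out in the @@ -122 hunk (`saml1.setProvideAllErrors(provideAllErrors);`) passes it on unchecked, while only the read side in the @@ -71 hunk guards against null; if the setter is ever called with null, that value reaches the configuration where the protocol code unboxes it. The field default `true` in the @@ -42 hunk also differs from the `false` the legacy importer sets in BuildFromLegacyConfig's @@ -453 hunk, so newly created and migrated applications get opposite behaviour with nothing recording why. I would document the default on the field, e.g. `/** Return protocol errors to the online application; true for new entries, legacy import sets false. */`, and normalise in the setter: `this.provideAllErrors = provideAllErrors != null ? provideAllErrors : Boolean.TRUE;`. The getter's Javadoc (`@return the provideAllErrors`) says nothing a reader does not already see from the signature.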
@@ -295,6 +295,7 @@ webpages.oaconfig.saml1.provideCertificate=Zertifikat \u00FCbertragen webpages.oaconfig.saml1.provideFullMandateData=Vollst\u00E4ndige Vollmacht \u00FCbertragen webpages.oaconfig.saml1.useCondition=Usecondition webpages.oaconfig.saml1.conditionLength=ConditionLength +webpages.oaconfig.saml1.provideAllErrors=Fehlermeldungen an OA \u00FCbertragen webpages.oaconfig.protocols.pvp2.header=PVP2.x Konfiguration webpages.oaconfig.pvp2.reload=PVP2.x konfiguration neu laden diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index cc6e98964..dcf36103b 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties @@ -293,6 +293,7 @@ webpages.oaconfig.saml1.provideCertificate=Transfer certificate webpages.oaconfig.saml1.provideFullMandateData=Transfer complete mandate data webpages.oaconfig.saml1.useCondition=Use condition webpages.oaconfig.saml1.conditionLength=Condition length +webpages.oaconfig.saml1.provideAllErrors=Transfer errors to application webpages.oaconfig.protocols.pvp2.header=PVP2.x configuration webpages.oaconfig.pvp2.reload=Load new PVP2.x configuration diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp index 4fd02aa61..a004a03a3 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp @@ -45,6 +45,14 @@ key="webpages.oaconfig.saml1.provideFullMandateData" cssClass="checkbox"> +
+ + + <%--


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 9554e3ca5..864be253a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -453,6 +453,7 @@ public class BuildFromLegacyConfig { oa_saml1.setProvideStammzahl(oa.getProvideStammzahl()); oa_saml1.setUseCondition(oa.getUseCondition()); oa_saml1.setIsActive(true); + oa_saml1.setProvideAllErrors(false); //OA_PVP2 OAPVP2 oa_pvp2 = new OAPVP2(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 399e7fa22..9c8c52e87 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java 
@@ -166,21 +166,26 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { IRequest protocolRequest) throws Throwable{ - SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace(); + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(protocolRequest.getOAURL()); + if (!oa.getSAML1Parameter().isProvideAllErrors()) + return false; - String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); + else { + SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace(); + String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); - String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; - url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); - url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); - url = response.encodeRedirectURL(url); + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; + url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); + url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + url = response.encodeRedirectURL(url); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", url); - Logger.debug("REDIRECT TO: " + url); + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", url); + Logger.debug("REDIRECT TO: " + url); - return true; + return true; + } } public IAction getAction(String action) { diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 2d5542b98..8bc532236 100644 
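Review bot: `if (!oa.getSAML1Parameter().isProvideAllErrors())` unboxes a `Boolean` (the OASAML1Config hunk in this series null-checks the same accessor with `saml1.isProvideAllErrors() != null`), so a configuration written before the new XSD element existed, or one without the element, throws a NullPointerException here — and this is the error-reporting path, so that NPE would replace the original exception `e`. I would read the value once and choose a documented default, e.g. `Boolean provideAll = oa.getSAML1Parameter().isProvideAllErrors(); if (provideAll == null || !provideAll) return false;` (false matches what the legacy importer writes). Whether `getOnlineApplicationParameter(protocolRequest.getOAURL())` can return null for an unknown OA is not visible here; if it can, the same guard belongs in front of it. The `else {` after an unconditional `return false;` is redundant and only adds an indentation level to the unchanged redirect code; the enclosing method's signature lies outside the hunk.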
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -859,6 +859,7 @@ + -- cgit v1.2.3 From d8a98ad0bb51b55963b3672180ad092b5890bf7b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 2 Jul 2014 12:40:59 +0200 Subject: update readme_2.1.0-RC3.txt --- id/readme_2.1.0-RC3.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'id') diff --git a/id/readme_2.1.0-RC3.txt b/id/readme_2.1.0-RC3.txt index 8f8a7b62d..19e0e9091 100644 --- a/id/readme_2.1.0-RC3.txt +++ b/id/readme_2.1.0-RC3.txt @@ -14,14 +14,15 @@ gleichen Verzeichnis): - IDP Interfederation für Single Sign-On - MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet. - Definition neuer Fehlercodes + - Single LogOut Unterstützung für PVP 2.1 (SAML2) als Feature mit Betastatus - Änderungen - Anpassung VIDP Code für STORK - - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - - Kleinere Bug-Fixes + - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - Anpassung der protokollspezifischen Fehlerrückgabe - - Anpassungen für die Verwendung von Oracle Datenbanksystemen - + - Anpassungen für die Verwendung von Oracle Datenbanksystemen + - Kleinere Bug-Fixes + ------------------------------------------------------------------------------- B. Durchführung eines Updates ------------------------------------------------------------------------------- -- cgit v1.2.3 From 7886beb95d7aeeb6439d81c09f297f0c4fceeb8c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 2 Jul 2014 12:41:27 +0200 Subject: set correct target type element --- .../egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'id') 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index a82a51d07..670ce8b3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -303,17 +303,14 @@ public class PEPSConnectorServlet extends AuthServlet { // retrieve target //TODO: check in case of SSO!!! String targetType = null; - String targetValue = null; if(oaParam.getBusinessService()) { String id = oaParam.getIdentityLinkDomainIdentifier(); if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + targetType = id; else - targetValue = moaSession.getDomainIdentifier(); - targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_; + targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier(); } else { - targetType = AuthenticationSession.TARGET_PREFIX_; - targetValue = oaParam.getTarget(); + targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); } Logger.debug("Starting connecting SZR Gateway"); @@ -322,7 +319,7 @@ public class PEPSConnectorServlet extends AuthServlet { try { identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(), oaParam.getFriendlyName(), - targetType, targetValue, + targetType, null, oaParam.getMandateProfiles()); } catch (STORKException e) { // this is really nasty but we work against the system here. We are supposed to get the gender attribute from -- cgit v1.2.3 From 37ffa16c121e5be8ad3c060b007ed200359007ea Mon Sep 17 00:00:00 2001 
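Review bot: In the @@ -303 hunk the new concatenations `AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier()` and `AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget()` are not null-checked, so a missing domain identifier or target becomes the literal text `null` inside `targetType`, which the @@ -322 hunk then hands to `STORKResponseProcessor.connectToSZRGateway(..., targetType, null, ...)`. Before this change the separate `targetValue` would have stayed a real null the callee could detect; the combined string hides it. I would check each source value before building the string, e.g. `if (oaParam.getTarget() == null) { Logger.error("OA has no target configured"); /* abort the request here */ }`, and likewise for the domain identifier. The `//TODO: check in case of SSO!!!` context line is still unresolved; the enclosing method starts and ends outside the hunk.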
From: Thomas Lenz Date: Wed, 2 Jul 2014 12:44:45 +0200 Subject: actually, STORK response processing does not verify the signature of signedDoc attribute --> check if signature verification response exists. --- .../moa/id/auth/builder/AuthenticationDataBuilder.java | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index c0e1dd3ca..9af2f5ee5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -478,11 +478,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); - authData.setQualifiedCertificate(verifyXMLSigResp - .isQualifiedCertificate()); - authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); - authData.setPublicAuthorityCode(verifyXMLSigResp - .getPublicAuthorityCode()); + + if (verifyXMLSigResp != null) { + authData.setQualifiedCertificate(verifyXMLSigResp + .isQualifiedCertificate()); + authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); + authData.setPublicAuthorityCode(verifyXMLSigResp + .getPublicAuthorityCode()); + + } else { + Logger.warn("No signature verfication response found!"); + + } + authData.setBkuURL(session.getBkuURL()); authData.setStorkAttributes(session.getStorkAttributes()); -- cgit v1.2.3 From b3814742f6a15524a7204246e8ccda666d06befd Mon Sep 17 00:00:00 2001 
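Review bot: The new `else` branch in the @@ -478 hunk only logs a warning, so when no signature verification response exists the qualified-certificate, public-authority and public-authority-code values of `authData` are left at whatever they held before this point instead of being set explicitly; if the object's defaults are false that is the conservative outcome, but the decision is invisible in this code. I would make it explicit, `authData.setQualifiedCertificate(false); authData.setPublicAuthority(false);`, and put the reasoning from the commit message (the STORK path does not verify the signedDoc signature) in a comment above the `if (verifyXMLSigResp != null)`, since that is what justifies continuing rather than failing. The warning text also misspells "verification" (`No signature verfication response found!`). The enclosing method starts and ends outside the hunk.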
From: Thomas Lenz Date: Thu, 3 Jul 2014 12:52:57 +0200 Subject: solve bug with specialtext and ' in identitylink BKU remove ' encoding and response includes ' --- .../CreateXMLSignatureResponseValidator.java | 32 ++++++++++++---------- 1 file changed, 17 insertions(+), 15 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 762d9af2c..bc3b30334 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -288,15 +288,16 @@ public class CreateXMLSignatureResponseValidator { } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - try { + String text = ""; + try { OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); - } catch (ConfigurationException e) { - Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); - } + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); + } String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); 
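Review bot: As rendered here, `samlSpecialText = samlSpecialText.replaceAll("'", "'");` in the @@ -288 hunk replaces an apostrophe with itself and is a no-op; if the first argument was an XML entity that the page rendering decoded, the call does what the commit message describes, but `replaceAll` treats its argument as a regular expression, so `samlSpecialText.replace("<entity as in the original source>", "'")` is the clearer form for a literal substitution. The same line is added in the @@ -516 hunk and needs the same treatment. Because the comparison that follows (`validator.67`) is what ties the signed AuthBlock text to the locally generated text, any normalisation of the received value should be stated next to it, e.g. `// BKU responses may escape the apostrophe (see commit message); normalise before comparing with generateSpecialText()`. Both enclosing methods start and end outside the hunks.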
@@ -516,22 +517,23 @@ public class CreateXMLSignatureResponseValidator { } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - try { - if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) + String text = ""; + try { + if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) Logger.info("Use addional AuthBlock Text from SSO=" +text); else text = new String(); - } catch (ConfigurationException e) { - Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); - } + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, identityLink.getName(), identityLink.getDateOfBirth(), identityLink.getIssueInstant()); + if (!samlSpecialText.equals(specialText)) { + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + } } else { throw new ValidateException("validator.35", null); } -- cgit v1.2.3 From 667e2aa623bec0ccadf9c47d3c993e896ad5bc9a Mon Sep 17 00:00:00 2001 
From: Thomas Lenz Date: Thu, 3 Jul 2014 13:57:20 +0200 Subject: update handbook and change version to 2.1.0 --- id/server/auth/src/main/webapp/index.html | 2 +- id/server/doc/handbook/protocol/idp_metadata.xml | 137 +++++++++++++++------ id/server/doc/handbook/protocol/protocol.html | 30 ++++- .../CreateXMLSignatureResponseValidator.java | 2 +- 4 files changed, 128 insertions(+), 43 deletions(-) (limited to 'id') diff --git a/id/server/auth/src/main/webapp/index.html b/id/server/auth/src/main/webapp/index.html index a411663b2..4d4529730 100644 --- a/id/server/auth/src/main/webapp/index.html +++ b/id/server/auth/src/main/webapp/index.html @@ -14,7 +14,7 @@
-

MOA-ID 2.1.0-RC3

+

MOA-ID 2.1.0


Inhalt

    diff --git a/id/server/doc/handbook/protocol/idp_metadata.xml b/id/server/doc/handbook/protocol/idp_metadata.xml index 2d2990917..e8915332e 100644 --- a/id/server/doc/handbook/protocol/idp_metadata.xml +++ b/id/server/doc/handbook/protocol/idp_metadata.xml @@ -1,18 +1,18 @@ - + - + - YPy6KJGNTbmKTzmLbQ3wsDhGgz8ktuUjud19b9xoHe0= + IjxuoZphYVmZdZ5HfoVDr35r2b1V840+SMeC89IO/SQ= - Zg4iaALZ/pNrthme8PaH5iiWZQ+ay30oC14RJab99im9atRDd6tb5RGmmuKY0KXpxetHUnBp5yA8I2Oh+tUuaq4Vbhewq1k9TytZmo83KMJbWBwtPWhbgET/i40CcngDiKPZLSt793WJ/LJpFtj/YidJaq2Z4k5Mj4RUr/SBMdH2HN+fZio/K9uyGy7hOLWKIU9zrSj1sOeMvqwyT6vD8h2s2qWV4TZai2PMxUSMgqqmJS3be2yoI68+5JHX3lgdQ9xRfhasxk//hK/rx39UiljIKxRRUpq1V2TGimK6YYNKrimzzVznCoB25h1+NMF8vQvwSRj085MAQkeQ14gedw== + JILQKKPvsK7onsMweJauAcGEniFGJ5bXEOvfYhxAYCB+dXL6pH87USD1v9UqycllBDqQE/Rp2tPtqo11CjdcKs0KkceQCZjzmDlVPqMZrgh0FerTSysF0fcPKoKeAtqqk+WSu7Xk9lU+PCxGArGA+vBLTRRbAOuZpE7ORrS7AF2m5uaO1YOKfO0GN+LoxTiygI2aeqKsKMlPkboh4ZuEjv1ht9xUHeQtAf/MHtaXZDvaRQPXALf0oCRnDWpiiqvKdARJq5NXrrbrdow/M1FpoddtE0Mu65AsorIdXoPSXJnLhw/zDfHv82PQo0pW7ujc0yJY+5VzfURMZOyKmrfCmg== MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw @@ -37,7 +37,7 @@ cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= - + 
@@ -64,55 +64,114 @@ cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - + - - - + + + + + - - - - - - + - + + + + - - - - - - - - + + + - - + + + + + + + + + MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw +EQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRHcmF6MQ0wCwYDVQQKEwRFR0laMSIwIAYDVQQD +ExlNT0EtSUQgSURQIChUZXN0LVZlcnNpb24pMB4XDTE0MDEyMTA4NDAxOFoXDTE1MDEyMTA4NDAx +OFowZDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEdyYXoxDTAL +BgNVBAoTBEVHSVoxIjAgBgNVBAMTGU1PQS1JRCBJRFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFETzd0nLV2P4pUGnlLKj3V+MZ4bUyYkNK5NnkzB0PO8hm +tsrdg+HSNsnPiU5KvD26tFpxq9lfibZcAp9JHFqjA/capOHcTDhYkTvJcSdaKJzttTPy4wivTbRu +y+ocK9jjz6g8BFvP9wQ5/k2AwFaqj0SeJt0jJTn4CZ8XMNozA2hwkQA2heuMtOl24Ie9PRC3/Af7 +utV2CNfV2MysGHIxazsZDIgFF+5/nybyR1yiIxKb0BYDh3gbNdyH5uLVBHOP4hvzQN5Z1xc/cdzq +lzKn/4v6HJraNn00xLzK6nrG6gB6HvDok2l8T1Cc7f8I+sNlO2aM8rY4hGSGCfhiL6IFAgMBAAGj +gckwgcYwHQYDVR0OBBYEFKG3LzuPtAGCXUPTw3fo9dtsS9wWMIGWBgNVHSMEgY4wgYuAFKG3LzuP +tAGCXUPTw3fo9dtsS9wWoWikZjBkMQswCQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEN +MAsGA1UEBxMER3JhejENMAsGA1UEChMERUdJWjEiMCAGA1UEAxMZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKYIJAI/HXXgQpJtFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAME3wzEi +UAcF2pCDtMMJzX4IDhSkWNuvWtSMMy8Vgtcc2t570teIKh+qNKQWZyX3QFVE6ovDABg3ZUhn780l +G4/t6aMOUEeGg4udl7l0QRBRbdd+9oc0Aw5dQqku02AQ6wQd695PLj+F0GeA7cdef90aLPu6Rwa5 +z5BiKpReJZoul3NpjQXz7A1IslZOlIhEDcFUlBSn/+QfLOeNDKurvPT0OzUGSGfrv0AoniNHc/fz +lfyRmgFbzAVHedU5cIxcE0yHtEKFjFSVwtGng9rTJpoOoY4pvGvAHlw6GEgO+HwFukPDtnvY8vi/ +cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= + + + + + + + MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw +EQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRHcmF6MQ0wCwYDVQQKEwRFR0laMSIwIAYDVQQD 
+ExlNT0EtSUQgSURQIChUZXN0LVZlcnNpb24pMB4XDTE0MDEyMTA4NDAxOFoXDTE1MDEyMTA4NDAx +OFowZDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEdyYXoxDTAL +BgNVBAoTBEVHSVoxIjAgBgNVBAMTGU1PQS1JRCBJRFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFETzd0nLV2P4pUGnlLKj3V+MZ4bUyYkNK5NnkzB0PO8hm +tsrdg+HSNsnPiU5KvD26tFpxq9lfibZcAp9JHFqjA/capOHcTDhYkTvJcSdaKJzttTPy4wivTbRu +y+ocK9jjz6g8BFvP9wQ5/k2AwFaqj0SeJt0jJTn4CZ8XMNozA2hwkQA2heuMtOl24Ie9PRC3/Af7 +utV2CNfV2MysGHIxazsZDIgFF+5/nybyR1yiIxKb0BYDh3gbNdyH5uLVBHOP4hvzQN5Z1xc/cdzq +lzKn/4v6HJraNn00xLzK6nrG6gB6HvDok2l8T1Cc7f8I+sNlO2aM8rY4hGSGCfhiL6IFAgMBAAGj +gckwgcYwHQYDVR0OBBYEFKG3LzuPtAGCXUPTw3fo9dtsS9wWMIGWBgNVHSMEgY4wgYuAFKG3LzuP +tAGCXUPTw3fo9dtsS9wWoWikZjBkMQswCQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEN +MAsGA1UEBxMER3JhejENMAsGA1UEChMERUdJWjEiMCAGA1UEAxMZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKYIJAI/HXXgQpJtFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAME3wzEi +UAcF2pCDtMMJzX4IDhSkWNuvWtSMMy8Vgtcc2t570teIKh+qNKQWZyX3QFVE6ovDABg3ZUhn780l +G4/t6aMOUEeGg4udl7l0QRBRbdd+9oc0Aw5dQqku02AQ6wQd695PLj+F0GeA7cdef90aLPu6Rwa5 +z5BiKpReJZoul3NpjQXz7A1IslZOlIhEDcFUlBSn/+QfLOeNDKurvPT0OzUGSGfrv0AoniNHc/fz +lfyRmgFbzAVHedU5cIxcE0yHtEKFjFSVwtGng9rTJpoOoY4pvGvAHlw6GEgO+HwFukPDtnvY8vi/ +cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + EGIZ E-Government Innovationszentrum diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html index b98561d7e..e7658875c 100644 --- a/id/server/doc/handbook/protocol/protocol.html +++ b/id/server/doc/handbook/protocol/protocol.html @@ -32,7 +32,11 @@
  • Single Sign-On
  • -
  • SSO Logout
  • +
  • SSO Logout +
      +
    1. Single LogOut
    2. +
    +
  • Legacy Request (Bürgerkartenauswahl beim Service Provider)
  • @@ -109,6 +113,11 @@ Redirect Binding Attribut Query für IDP Interfederation https://<host>:<port>/moa-id-auth/pvp2/attributequery + + PVP 2.1 + Single LogOut + https://<host>:<port>/moa-id-auth/pvp2/redirect + OpenID Connect Authentifizierungsrequest
    @@ -132,11 +141,17 @@ Redirect Binding

    http://<host>:<port>/moa-id-auth/services/GetAuthenticationData

    - SSO Logout + SSO LogOut LogOut

    https://<host>:<port>/moa-id-auth/LogOut

    http://<host>:<port>/moa-id-auth/LogOut

    + + IDP Single LogOut + Single LogOut +

    https://<host>:<port>/moa-id-auth/idpSingleLogout

    +

    http://<host>:<port>/moa-id-auth/idpSingleLogout

    +

    1.2 Übersicht der möglichen Attribute

    Die nachfolgende Tabelle beinhaltet eine Liste aller Attribute die vom Modul MOA-ID-Auth an die Online-Applikation zurückgeliefert werden können, sofern diese nach der Authentifizierung zur Verfügung stehen. Alle Namen beziehen sich auf den Attributnamen im jeweiligen Protokoll. Detailinformationen zu den einzelnen Attributen finden Sie in der PVP 2.1 Spezifikation der der STORK Spezifikation.

    @@ -882,6 +897,17 @@ https://<host>:<port>/moa-id-auth/LogOut
    https://demo.egiz.gv.at/moa-id-auth/LogOut?redirect=https://demo.egiz.gv.at/demoportal-openID_demo
     

    Hinweis: Dieses Service bietet jedoch NICHT eine vollständige Single Log-Out Funktionalität wie sie im SAML 2 Protokoll vorgesehen ist, sondern beendet ausschließlich die SSO Session in der MOA-ID-Auth Instanz.

    +

    1.5.1 Single LogOut

    +

    Ab der Version 2.1 unterstützt das Modul MOA-ID-Auth Single LogOut (SLO) laut SAML2 Spezifikation. Die SLO Funktionaltität steht jedoch nur für Online-Applikationen zur Verfügung welche als Authentifizierungsprotokoll PVP 2.1 verwenden. Für alle anderen Authentifizierungsprotokolle steht aktuell kein SLO zur Verfügung.

    +

    Für Single LogOut stehen sowohl IDP initialisiertes SLO als auch Service Provider initialisiertes SLO zur Verfügung. Als Einsprungpunkt für IDP initialisiertes SLO stellt das Modul MOA-ID-Auth folgende Web Adressen zur Verfügung. Nach dem Aufruf dieses Services wird der Single LogOut Vorgang gestartet. Nach erfolgreicher Bearbeitung aller SLO Requests / Response erfolgt die Statusausgabe in den Browser.

    +
    https://<host>:<port>/moa-id-auth/idpSingleLogout
    +

    bzw.

    +
    http://<host>:<port>/moa-id-auth/idpSingleLogout
    +

     

    +

    Die Endpunkte für Service Provider initialisietes SLO finden Sie in den PVP 2.1 Metadaten.

    +

     

    +

    Hinweis: Wenn Single Sign-On mit Authentifizierungsprotokollen, welche kein SLO untersützen verwendet wurde, schlägt der Single LogOut Vorgang auf jeden Fall fehl, da der Benutzer an den jeweiligen Online-Applikationen nicht angemeldet werden kann. Die SSO Session am Identityprovider wird jedoch auf jeden Fall beendet

    +

     

    1.6 Legacy Request (Bürgerkartenauswahl beim Service Provider)

    Soll die Bürgerkartenauswahl jedoch weiterhin, wie aus MOA-ID 1.5.1 bekannt direkt in der Online-Applikation des Service Providers erfolgen muss für das jeweilige Protokoll der Legacy Modus aktiviert werden. Wird der Legacy Modus verwendet muss jedoch zusätzlich zu den protokollspezifischen Parametern mindestens der Parameter bkuURI, welcher die gewählte Bürgerkartenumgebung enthält, im Authentifizierungsrequest an MOA-ID-Auth übergeben werden (siehe Protokoll SAML 1). Die folgenden Parameter stehen bei Verwendung des Legacy Modus unabhängig vom verwendeten Protokoll zur Verfügung und bilden den gesamten Umfang der Bürgerkartenauswahl, wie aus MOA-ID 1.5.1 bekannt, ab.

    diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index bc3b30334..547a86bd9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -530,7 +530,7 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, identityLink.getName(), identityLink.getDateOfBirth(), identityLink.getIssueInstant()); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } -- cgit v1.2.3 From d4037454494f7aac6b4e60050104244a481930ca Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 4 Jul 2014 14:01:53 +0200 Subject: store OA businessservice identification type --- .../moa/id/configuration/data/oa/OATargetConfiguration.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java index 4036bc25f..e988cc292 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java 
@@ -181,7 +181,9 @@ public class OATargetConfiguration implements IOnlineApplicationData { num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); } - IdentificationNumber idnumber = new IdentificationNumber(); + IdentificationNumber idnumber = authoa.getIdentificationNumber(); + if (idnumber == null) + idnumber = new IdentificationNumber(); if (getIdentificationType().equals(Constants.IDENIFICATIONTYPE_STORK)) { idnumber.setValue(Constants.PREFIX_STORK + "AT" + "+" + num); -- cgit v1.2.3
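Review bot: Reusing the persisted object from `authoa.getIdentificationNumber()` means every attribute of it that this method does not reassign keeps its previous value; from the visible lines only `setValue(...)` is called in the STORK branch, so if the identification type was changed in the form, whatever the object held for the old type may survive — I cannot confirm this from the hunk, as the enclosing method starts and ends outside it, but it is worth checking against the rest of the method. The brace-less `if (idnumber == null) idnumber = new IdentificationNumber();` also differs from the braced style of the surrounding context lines; I would write `if (idnumber == null) { idnumber = new IdentificationNumber(); }`.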