PKI Policy defines the trusted issuer certificates and CRL/OSCP OCSP endpoints used when validating certificates or certificate chains and attributes generated from subject and issuer certificates.
The user's certificate is defined to be included in a SubjectConfirmation of SAML Assertion by defining the Subject element's KeyInfoConfirmationData attribute as true. User's certificate is used by SSO to write the audit log entry “certificate received”.
...
PKI Policy XML configuration file
An example PKI policy XML configuration file is shown below.
...
...
PKI Policy XML configuration file
An example PKI policy XML configuration file is shown below.
Code Block |
---|
| <?xml version="1.0" encoding="iso-8859-1"?>
<Policy
xmlns="http://ubisecure.com/schema/certagent.xsd">
<PKI>
<Trust crl="ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">
MIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJG
STEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0ZXJpa2Vz
a3VzIENBMSkwJwYDVQQLEyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBTZXJ2aWNl
czEZMBcGA1UECxMQVmFybWVubmVwYWx2ZWx1dDEZMBcGA1UEAxMQVlJLIEdvdi4g
Um9vdCBDQTAeFw0wMzAxMTAxMjU5MDVaFw0xOTAxMDkxMjU4MzBaMIGhMQswCQYD
VQQGEwJGSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0
ZXJpa2Vza3VzIENBMSQwIgYDVQQLExtWYWx0aW9uIGthbnNhbGFpc3Zhcm1lbnRl
ZXQxNzA1BgNVBAMTLlZSSyBHb3YuIENBIGZvciBDaXRpemVuIFF1YWxpZmllZCBD
ZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Aj52
7olxDHOtkQQU+BG1FUs0xOy8Qw2z3NmgV7yOkYRwi/C7aAbvaye712q8APGiDa+P
f0N/XzQNynWWyzC2krv+fQq5YjGypRbnvciAtGbJQSXBoX58eV6sd5CWLKGMo1gH
xsXNU6L9v9XlSWLUH4xbYvQt+oxfptgJbK5E+71OYC8DL0KU6xmlEfuPNQZ1Rf3p
qqlEfmQjP24ubcgy3ZAHVTFBh7rT66pw+L5zAVPYBCyUG7rdXHS9hulRa4Y8w3BF
RBxbChHsc7tuKk9kQmNGhQAJ7CdJx3V5kPsrxnuztOunimeBKoB5X3wgvk9f64n6
0Jp0qumnY4l9V6oZAgMBAAGjggHHMIIBwzASBgNVHRMBAf8ECDAGAQH/AgEAMBEG
CWCGSAGG+EIBAQQEAwIBBjCBywYDVR0gBIHDMIHAMIG9BgkqgXaEBQEKAQEwga8w
gYQGCCsGAQUFBwICMHgadlZhcm1lbm5lcG9saXRpaWtrYSBvbiBzYWF0YXZpbGxh
IC0gQ2VydGlmaWthdCBwb2xpY3kgZmlubnMgLSBDZXJ0aWZpY2F0ZSBwb2xpY3kg
aXMgYXZhaWxhYmxlIGh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEwJgYIKwYBBQUH
AgEWGmh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEvMEIGCCsGAQUFBwEBBDYwNDAy
BggrBgEFBQcwAoYmaHR0cDovL3Byb3h5LmZpbmVpZC5maS9jYS92cmtyb290Yy5j
cnQwDgYDVR0PAQH/BAQDAgHGMB8GA1UdIwQYMBaAFNvp4ZvS0SQL/KvjoGfqrpxL
d/SwMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9wcm94eS5maW5laWQuZmkvYXJs
L3Zya3Jvb3RhLmNybDAdBgNVHQ4EFgQUiFpvHUJHgob91+kNslfPTVAoBBcwDQYJ
KoZIhvcNAQEFBQADggEBAEXit6ypQO+0RbVTK57SKT1jsqE8dUiwL8oevvdBiFpR
4HxEZZy8e/OGAvF3Hc/Hjc8cOjlsYToqztg16cOFI4vHZ+yC8rWh4TpuWgvkS80h
//jcweAayp6E/Z0z928vTNILBD34YJQvpU4u7jyhSaY3tzybKjlSAo5lahiI32a9
MNZXGoNv+j+MKq1NJkpgpy6/VEa5Z4RdRx43/EZhs45WvxTfER+nUC1loQngFKOS
jdWG3GhOAh13nM9jYASBtC7ONddvoByfzwUOQ+BOf08R2bvZA+2CDFI8PuYqxCFv
BMCpQSCdVL6tEYxeWIQb+uIQsfAEfjC3AQuTNh/UiW8=
</Trust>
</PKI>
<Subject KeyInfoConfirmationData="true"/>
<Attributes>
<!-- SHASubject's SHA-1 fingerprint -->
<Add name="subject.fingerprint">
<Digest source="subject" algorithm="sha1" />
</Add>
<!-- Subject's distinguished name -->
<Add name="subject.dn">
<Field source="subject"/>
</Add>
<!-- Issuer's distinguished name -->
<Add name="issuer.dn">
<Field source="issuer"/>
</Add>
<!-- Subject's attributes 2.5.4.4 (surname) and
2.5.4.42 (givenName) separated by space -->
<Add name="subject.name">
<Concat>
<Attribute source="subject" oid="2.5.4.4"/>
<Text content=" " />
<Attribute source="subject" oid="2.5.4.42"/>
</Concat>
</Add>
</Attributes>
</Policy> |
|
Trusted issuers are defined in the Trust elements enclosed in a PKI element. The corresponding CRL distribution point is defined in the crl attribute. Other trusted issuers may be added by defining a new Trust element for each trusted issuer.
...
.5.4.42"/>
</Concat>
</Add>
</Attributes>
</Policy> |
|
Trusted issuers are defined in the Trust elements enclosed in a PKI element. The corresponding CRL distribution point is defined in the crl attribute. Other trusted issuers may be added by defining a new Trust element for each trusted issuer.
The subject certificate is defined to be included in a SubjectConfirmation of SAML Assertion by defining the Subject element's KeyInfoConfirmationData attribute as true. The subject certificate is used by SSO to write the audit log entry “certificate received”.
Attributes to be sent to SSO as SAML Assertion attributes and OpenID Connect id_token claims are defined in the Attributes element. The name of the attribute is defined in the name attribute of the Add element. The content of the attribute is defined in the enclosed elements. In this example:
The attribute subject.fingerprint
is defined as a SHA-1 digest (fingerprint) of the subject certificate.
The attribute subject.dn
is defined as the distinguished name of the subject certificate.
The attribute issuer.dn
is defined as the distinguished name of the issuer certificate.
The attribute subject.name
is defined to be concatenated from attribute OID 2.5.4.4 (surname),  
(a space character) and attribute OID 2.5.4.42 (givenName).
The structure and data types of the configuration document are described in the following schema.
...
The <Field /> element allows submitting either the subject's or CAissuer's distinguished name. The names' string representations are, by default, serialized by the JDK X500Principal.toString() –method. The normalization routine can be controlled by defining one of the following values:
...