...

Attributes to be sent to UAS are defined in the Attributes element. The name of each attribute is given by the name attribute of an Add element, and the content of the attribute is defined by the elements enclosed in that Add element. In this example, three different attributes are defined. The username attribute is defined as the SHA-1 digest (fingerprint) of the certificate. The username.dn attribute is defined as the subject field of the certificate. The satu attribute is defined as the component of the certificate's subject field with OID 2.5.4.5, which is the satu in the case of HST certificates.

...

Listing 1. Example policy.xml

...

This chapter provides in-depth description of PKI policy files. Policy files are XML documents defining the trusted issuers and attributes to be sent to service provider.

File Structure

All PKI policy-related configuration files are located in certap/webapp/WEB-INF/uap/pki, and all paths discussed in this chapter are relative to that directory.

By default, the policy file policy.xml is used for all service providers. This may not be sufficient in some installations, so it is possible to define a different policy file for each service provider by creating a mapping file policy.properties.

Listing 2. Example policy.properties

https://example.com/uas/saml2/names/ac/hst.prod.1 = policy/hst_prod.xml
https://example.com/uas/saml2/names/ac/hst.test.1 = policy/hst_test.xml

Each line defines the entity ID of a service provider and the policy file to be used for it. If a mapping file is defined, every service provider must have an entry: if no entry is found for a service provider, the authentication process fails.

...

PKI Policy XML-Document

An example of PKI policy XML document is provided below.

Listing 3. Example policy.xml
<?xml version="1.0" encoding="iso-8859-1"?>
<Policy xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <!-- VRK Gov. CA for Citizen Qualified Certificates -->
    <!-- CRL distribution point URL and trusted issuer's base64-encoded certificate -->
    <Trust crl="ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">
MIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJG
STEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0ZXJpa2Vz
a3VzIENBMSkwJwYDVQQLEyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBTZXJ2aWNl
czEZMBcGA1UECxMQVmFybWVubmVwYWx2ZWx1dDEZMBcGA1UEAxMQVlJLIEdvdi4g
Um9vdCBDQTAeFw0wMzAxMTAxMjU5MDVaFw0xOTAxMDkxMjU4MzBaMIGhMQswCQYD
VQQGEwJGSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0
ZXJpa2Vza3VzIENBMSQwIgYDVQQLExtWYWx0aW9uIGthbnNhbGFpc3Zhcm1lbnRl
ZXQxNzA1BgNVBAMTLlZSSyBHb3YuIENBIGZvciBDaXRpemVuIFF1YWxpZmllZCBD
ZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Aj52
7olxDHOtkQQU+BG1FUs0xOy8Qw2z3NmgV7yOkYRwi/C7aAbvaye712q8APGiDa+P
f0N/XzQNynWWyzC2krv+fQq5YjGypRbnvciAtGbJQSXBoX58eV6sd5CWLKGMo1gH
xsXNU6L9v9XlSWLUH4xbYvQt+oxfptgJbK5E+71OYC8DL0KU6xmlEfuPNQZ1Rf3p
qqlEfmQjP24ubcgy3ZAHVTFBh7rT66pw+L5zAVPYBCyUG7rdXHS9hulRa4Y8w3BF
RBxbChHsc7tuKk9kQmNGhQAJ7CdJx3V5kPsrxnuztOunimeBKoB5X3wgvk9f64n6
0Jp0qumnY4l9V6oZAgMBAAGjggHHMIIBwzASBgNVHRMBAf8ECDAGAQH/AgEAMBEG
CWCGSAGG+EIBAQQEAwIBBjCBywYDVR0gBIHDMIHAMIG9BgkqgXaEBQEKAQEwga8w
gYQGCCsGAQUFBwICMHgadlZhcm1lbm5lcG9saXRpaWtrYSBvbiBzYWF0YXZpbGxh
IC0gQ2VydGlmaWthdCBwb2xpY3kgZmlubnMgLSBDZXJ0aWZpY2F0ZSBwb2xpY3kg
aXMgYXZhaWxhYmxlIGh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEwJgYIKwYBBQUH
AgEWGmh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEvMEIGCCsGAQUFBwEBBDYwNDAy
BggrBgEFBQcwAoYmaHR0cDovL3Byb3h5LmZpbmVpZC5maS9jYS92cmtyb290Yy5j
cnQwDgYDVR0PAQH/BAQDAgHGMB8GA1UdIwQYMBaAFNvp4ZvS0SQL/KvjoGfqrpxL
d/SwMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9wcm94eS5maW5laWQuZmkvYXJs
L3Zya3Jvb3RhLmNybDAdBgNVHQ4EFgQUiFpvHUJHgob91+kNslfPTVAoBBcwDQYJ
KoZIhvcNAQEFBQADggEBAEXit6ypQO+0RbVTK57SKT1jsqE8dUiwL8oevvdBiFpR
4HxEZZy8e/OGAvF3Hc/Hjc8cOjlsYToqztg16cOFI4vHZ+yC8rWh4TpuWgvkS80h
//jcweAayp6E/Z0z928vTNILBD34YJQvpU4u7jyhSaY3tzybKjlSAo5lahiI32a9
MNZXGoNv+j+MKq1NJkpgpy6/VEa5Z4RdRx43/EZhs45WvxTfER+nUC1loQngFKOS
jdWG3GhOAh13nM9jYASBtC7ONddvoByfzwUOQ+BOf08R2bvZA+2CDFI8PuYqxCFv
BMCpQSCdVL6tEYxeWIQb+uIQsfAEfjC3AQuTNh/UiW8=
    </Trust>
  </PKI>

  <!-- Add certificate to saml assertion -->
  <Subject KeyInfoConfirmationData="true"/>

  <!-- Add attributes to saml assertion -->
  <Attributes>
    <!-- SHA-1 fingerprint -->
    <Add name="username">
      <Digest source="subject" algorithm="sha1"/>
    </Add>

    <!-- Subject's distinguished name -->
    <Add name="username.dn">
      <Field source="subject"/>
    </Add>

    <Add name="ais">
      <Field source="subject" normalize="altSecurityIdentities"/>
    </Add>

    <!-- Attribute 2.5.4.5 (satu in HST-certificates) -->
    <Add name="satu">
      <Attribute source="subject" oid="2.5.4.5"/>
    </Add>

    <!-- Subject's surname, space character and givenName concatenated -->
    <Add name="username.name">
      <Concat>
        <Attribute source="subject" oid="2.5.4.4"/>
        <Text content="&#32;"/>
        <Attribute source="subject" oid="2.5.4.42"/>
      </Concat>
    </Add>
  </Attributes>
</Policy>
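As an added example (not Ubisecure's code), the following Python evaluates the Attributes rules of a policy such as Listing 3 against a certificate, using only the standard library. The Cert class is a hypothetical stand-in because the standard library has no X.509 parser, the certificate data is constructed, and the normalize attribute of Field is not modelled.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://ubisecure.com/schema/certagent.xsd}"

class Cert:
    """Constructed stand-in for a parsed end-entity certificate (hypothetical class)."""
    def __init__(self, der, subject):
        self.der = der          # DER bytes; the Digest rule hashes these
        self.subject = subject  # subject RDNs as (oid, value) pairs in DN order

    def attribute(self, oid):
        return next((v for o, v in self.subject if o == oid), None)

    def dn(self):
        names = {"2.5.4.3": "CN", "2.5.4.4": "SN", "2.5.4.42": "GN",
                 "2.5.4.5": "SERIALNUMBER", "2.5.4.6": "C"}
        return ",".join(f"{names.get(o, o)}={v}" for o, v in self.subject)

def evaluate(rule, cert):
    """Evaluate one rule element (Digest, Field, Attribute, Text or Concat)."""
    tag = rule.tag.replace(NS, "")
    if tag == "Digest":      # fingerprint of the whole certificate
        return hashlib.new(rule.get("algorithm"), cert.der).hexdigest()
    if tag == "Field":       # the complete subject distinguished name
        return cert.dn()
    if tag == "Attribute":   # one subject component selected by OID
        return cert.attribute(rule.get("oid"))
    if tag == "Text":        # literal; must be a well-formed reference such as &#32;
        return rule.get("content")
    if tag == "Concat":      # every part must exist, otherwise no value is produced
        parts = [evaluate(child, cert) for child in rule]
        return None if None in parts else "".join(parts)
    raise ValueError(f"unsupported rule element <{tag}>")

def attributes_for(policy_xml, cert):
    """Map every <Add name=...> to its value; rules yielding no value are omitted."""
    return {add.get("name"): v for add in ET.fromstring(policy_xml).iter(NS + "Add")
            if (v := evaluate(add[0], cert)) is not None}

# Constructed policy (subset of Listing 3) and constructed certificate data.
POLICY = """<Policy xmlns="http://ubisecure.com/schema/certagent.xsd"><Attributes>
 <Add name="username"><Digest source="subject" algorithm="sha1"/></Add>
 <Add name="username.dn"><Field source="subject"/></Add>
 <Add name="satu"><Attribute source="subject" oid="2.5.4.5"/></Add>
 <Add name="username.name"><Concat><Attribute source="subject" oid="2.5.4.4"/>
  <Text content="&#32;"/><Attribute source="subject" oid="2.5.4.42"/></Concat></Add>
</Attributes></Policy>"""
CERT = Cert(b"constructed-not-real-DER", [("2.5.4.6", "FI"), ("2.5.4.4", "Meikalainen"),
            ("2.5.4.42", "Matti"), ("2.5.4.5", "123456789A")])
```

A certificate whose subject lacks OID 2.5.4.5 yields no satu attribute and no username.name (the Concat has a missing part), so downstream code must treat both as optional.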
