{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Modifying the PKI Policy","type":"text"}]},{"type":"paragraph","content":[{"text":"An example PKI policy is shown below. Trusted issuers are defined in the ","type":"text"},{"text":"Trust","type":"text","marks":[{"type":"em"}]},{"text":" elements enclosed in a ","type":"text"},{"text":"PKI","type":"text","marks":[{"type":"em"}]},{"text":" element. In this example, a base64-encoded certificate of the issuer of the HST certificates is introduced. Consequently, all the HST certificates are accepted as valid user credentials. The corresponding CRL distribution point is defined in the ","type":"text"},{"text":"crl","type":"text","marks":[{"type":"em"}]},{"text":" attribute.","type":"text"}]},{"type":"paragraph","content":[{"text":"Other trusted issuers may be added by defining a new ","type":"text"},{"text":"Trust","type":"text","marks":[{"type":"em"}]},{"text":" element for each trusted issuer.","type":"text"}]},{"type":"paragraph","content":[{"text":"The user's certificate is defined to be included in a SAML assertion by defining the ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"em"}]},{"text":" element's ","type":"text"},{"text":"KeyInfoConfirmationData","type":"text","marks":[{"type":"em"}]},{"text":" attribute as true. User's certificate is required by UAS to be able to perform a satu-hetu transformation in case of HST certificates. It may be omitted if the HST certificates are not used or if there is no need for the user's hetu.","type":"text"}]},{"type":"paragraph","content":[{"text":"Attributes to be sent to UAS are defined in the ","type":"text"},{"text":"Attribute","type":"text","marks":[{"type":"em"}]},{"text":" element. The name of the attribute is defined in the ","type":"text"},{"text":"name","type":"text","marks":[{"type":"em"}]},{"text":" attribute of the ","type":"text"},{"text":"Add","type":"text","marks":[{"type":"em"}]},{"text":" element. The content of the attribute is defined in the enclosed elements. In this example, three different attributes are defined. The ","type":"text"},{"text":"username","type":"text","marks":[{"type":"em"}]},{"text":" attribute is defined as a sha-1 digest (fingerprint) of the certificate. The ","type":"text"},{"text":"username.dn","type":"text","marks":[{"type":"em"}]},{"text":" attribute is defined as the subject-field of the certificate. The ","type":"text"},{"text":"satu","type":"text","marks":[{"type":"em"}]},{"text":" attribute is defined as the certificate subject-field's component with oid 2.5.4.5, which is satu in case of HST certificates.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Listing 1. Example policy.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n\nMIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJG\nSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0ZXJpa2Vz\na3VzIENBMSkwJwYDVQQLEyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBTZXJ2aWNl\nczEZMBcGA1UECxMQVmFybWVubmVwYWx2ZWx1dDEZMBcGA1UEAxMQVlJLIEdvdi4g\nUm9vdCBDQTAeFw0wMzAxMTAxMjU5MDVaFw0xOTAxMDkxMjU4MzBaMIGhMQswCQYD\nVQQGEwJGSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0\nZXJpa2Vza3VzIENBMSQwIgYDVQQLExtWYWx0aW9uIGthbnNhbGFpc3Zhcm1lbnRl\nZXQxNzA1BgNVBAMTLlZSSyBHb3YuIENBIGZvciBDaXRpemVuIFF1YWxpZmllZCBD\nZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Aj52\n7olxDHOtkQQU+BG1FUs0xOy8Qw2z3NmgV7yOkYRwi/C7aAbvaye712q8APGiDa+P\nf0N/XzQNynWWyzC2krv+fQq5YjGypRbnvciAtGbJQSXBoX58eV6sd5CWLKGMo1gH\nxsXNU6L9v9XlSWLUH4xbYvQt+oxfptgJbK5E+71OYC8DL0KU6xmlEfuPNQZ1Rf3p\nqqlEfmQjP24ubcgy3ZAHVTFBh7rT66pw+L5zAVPYBCyUG7rdXHS9hulRa4Y8w3BF\nRBxbChHsc7tuKk9kQmNGhQAJ7CdJx3V5kPsrxnuztOunimeBKoB5X3wgvk9f64n6\n0Jp0qumnY4l9V6oZAgMBAAGjggHHMIIBwzASBgNVHRMBAf8ECDAGAQH/AgEAMBEG\nCWCGSAGG+EIBAQQEAwIBBjCBywYDVR0gBIHDMIHAMIG9BgkqgXaEBQEKAQEwga8w\ngYQGCCsGAQUFBwICMHgadlZhcm1lbm5lcG9saXRpaWtrYSBvbiBzYWF0YXZpbGxh\nIC0gQ2VydGlmaWthdCBwb2xpY3kgZmlubnMgLSBDZXJ0aWZpY2F0ZSBwb2xpY3kg\naXMgYXZhaWxhYmxlIGh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEwJgYIKwYBBQUH\nAgEWGmh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEvMEIGCCsGAQUFBwEBBDYwNDAy\nBggrBgEFBQcwAoYmaHR0cDovL3Byb3h5LmZpbmVpZC5maS9jYS92cmtyb290Yy5j\ncnQwDgYDVR0PAQH/BAQDAgHGMB8GA1UdIwQYMBaAFNvp4ZvS0SQL/KvjoGfqrpxL\nd/SwMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9wcm94eS5maW5laWQuZmkvYXJs\nL3Zya3Jvb3RhLmNybDAdBgNVHQ4EFgQUiFpvHUJHgob91+kNslfPTVAoBBcwDQYJ\nKoZIhvcNAQEFBQADggEBAEXit6ypQO+0RbVTK57SKT1jsqE8dUiwL8oevvdBiFpR\n4HxEZZy8e/OGAvF3Hc/Hjc8cOjlsYToqztg16cOFI4vHZ+yC8rWh4TpuWgvkS80h\n//jcweAayp6E/Z0z928vTNILBD34YJQvpU4u7jyhSaY3tzybKjlSAo5lahiI32a9\nMNZXGoNv+j+MKq1NJkpgpy6/VEa5Z4RdRx43/EZhs45WvxTfER+nUC1loQngFKOS\njdWG3GhOAh13nM9jYASBtC7ONddvoByfzwUOQ+BOf08R2bvZA+2CDFI8PuYqxCFv\nBMCpQSCdVL6tEYxeWIQb+uIQsfAEfjC3AQuTNh/UiW8=\n \n \n\n \n \n\n \n \n \n \n \n \n\n \n \n \n \n\n \n \n \n\n \n \n \n \n\n \n \n \n \n \n \n \n \n \n","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"PKI Policy","type":"text"}]},{"type":"paragraph","content":[{"text":"This chapter provides in-depth description of PKI policy files. Policy files are XML documents defining the trusted issuers and attributes to be sent to service provider.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"File Structure","type":"text"}]},{"type":"paragraph","content":[{"text":"All PKI policy –related configuration files are located in certap/webapp/WEB-INF/uap/pki and all paths discussed in this chapter are relative to that directory.","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, a policy file policy.xml is used for all service providers. However, this may not be sufficient in some installations. Therefore, it is possible to define different policy-file for each service provider by creating a mapping file policy.properties.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Listing 2. Example policy.properties","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"plaintext"},"content":[{"text":"https://example.com/uas/saml2/names/ac/hst.prod.1 = policy/hst_prod.xml\nhttps://example.com/uas/saml2/names/ac/hst.test.1 = policy/hst_test.xml","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"},{"text":"Each line defines an entity id of a service provider and a policy file to be used. If mapping file is defined, all service providers must have an entry. If an entry is not found for specific service provider, authentication process fails.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"PKI Policy XML-Document","type":"text"}]},{"type":"paragraph","content":[{"text":"Refer to ","type":"text"},{"text":"PKI Policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://ubisecuredev.atlassian.net/wiki/spaces/IDS20242/pages/9721544726"}}]},{"text":" for more information about the PKI Policy XML configuration file format.","type":"text"}]}],"version":1}

Browser not supported