
IdP Renew

Transaction to renew an IdP Assertion. Primary systems may use this transaction to retrieve a new IdP Assertion without requiring the user to enter her credentials again.

Overview

Primary systems shall use this transaction to retrieve a new IdP Assertion by sending an assertion retrieved beforehand.

Transaction

Message Semantics

Messages are encoded as described in Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 and the ordinances to the Swiss EPR.

Request Message

Primary systems shall use this transaction to renew an assertion whose lifetime is exceeded.

The following snippet is adapted from a sample request recorded during the EPR projectathon in September 2020. Some elements and namespaces were omitted to increase readability. The raw request file may be found here.

The Header element of the SOAP envelope contains the data used to sign the request message, as required by the ordinances of the Swiss EPR in Annex 8 and specified in the Web Services Security: SOAP Message Security 1.1 specification.

SOAP header
<Envelope>
 <Header>
  <Security mustUnderstand="1">
   <Timestamp Id="TS-15277e04-85e0-4b9c-9692-76c3e7be17bc">
    <Created>2019-03-26T15:13:15.144Z</Created>
    <Expires>2019-03-26T15:18:15.144Z</Expires>
   </Timestamp>
   <BinarySecurityToken
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    Id="X509-6dfe58da-6804-48ba-ad52-e871c63455df">
    MIIDPTCCAiWgAwIBAgIEPVbC1zANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEqSqEb/3VB3ITUav3DIo2o2mRCKyfHV471QUNt4qNFmEwRxpsoGst/UYoTqW8/buv4A=
   </BinarySecurityToken>
   <Signature Id="SIG-98f468bf-4022-4e31-9886-6f30f1c676bc">
    <SignedInfo>
     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <InclusiveNamespaces PrefixList="soap"/>
     </CanonicalizationMethod>
     <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" />
     <Reference URI="#TS-15277e04-85e0-4b9c-9692-76c3e7be17bc">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <InclusiveNamespaces PrefixList="soap wsse"/>
       </Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <DigestValue>LCxW9EORpApnpju2Q17b0MB1LGt8CMCuvoOqCtlhFx0=</DigestValue>
     </Reference>
     <Reference URI="#_33c9f0c5-c7d2-4d53-ad2f-944320637754">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <DigestValue>TwKUz3SxOx1NaFVvy55AbbpWXbUJmfn+mreDpkNa/pg=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>
     <!-- signature value omitted -->
    </SignatureValue>
    <KeyInfo Id="KI-2c6438fa-738a-4ffb-aa52-379bd9380b1a">
     <SecurityTokenReference Id="STR-76ccd654-581d-446e-a00b-8ed529bcc4ab">
      <X509Data>
       <X509IssuerSerial>
        <X509IssuerName>CN=lk,OU=lk,O=lk,L=lsn,ST=vd,C=ch</X509IssuerName>
        <X509SerialNumber>1029096151</X509SerialNumber>
       </X509IssuerSerial>
      </X509Data>
     </SecurityTokenReference>
    </KeyInfo>
   </Signature>
  </Security>
 </Header>

Primary systems shall embed the SAML Assertion to be renewed in the RenewTarget element of the Body of the SOAP envelope (see lines 58 .. 60 in the example below).

SOAP body
 <Body Id="_33c9f0c5-c7d2-4d53-ad2f-944320637754">
  <RequestSecurityToken>
   <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
   <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
   <RenewTarget>
    <Assertion ID="ID_6ff2590e-8df8-4f04-9ae0-cfd16d816c49" IssueInstant="2019-03-26T15:12:13.246Z" Version="2.0">
     <!-- assertion omitted -->
    </Assertion>
   </RenewTarget>
   <Renewing/>
  </RequestSecurityToken>
 </Body>
</Envelope>
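The following Python example is added here to show how the request above is assembled; it is not code from the programming guide or from any EPR community, and the assertion it renews, the issuer `https://idp.example.org` and the `inspect_request` helper are constructed for the example. It uses the standard library only, restores the namespace prefixes the guide's snippet omits, and gives the Timestamp and the Body the `wsu:Id` values that the WS-Security Signature in the guide's header references. The signature and BinarySecurityToken themselves are left to the WS-Security layer, as the guide's own sample omits the signature value.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

# Namespaces of the elements shown in the guide's request (prefixes are the customary ones).
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

RENEW = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew"
SAML20_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Constructed sample assertion to be renewed (minimal content, not a real EPR assertion).
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="ID_constructed-0001" IssueInstant="2019-03-26T15:12:13.246Z" Version="2.0">'
    "<saml2:Issuer>https://idp.example.org</saml2:Issuer>"
    "</saml2:Assertion>"
)


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def iso_ms(t):
    """UTC timestamp with millisecond precision, as in the guide's Timestamp element."""
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (t.microsecond // 1000)


def build_renew_request(assertion_xml, now=None, window=dt.timedelta(minutes=5)):
    """Return (envelope_xml, timestamp_id, body_id) for a WS-Trust Renew of the given assertion.

    The two wsu:Id values are the parts the WS-Security Signature has to cover; the guide's
    header references exactly the Timestamp and the Body. Signing is not done here.
    """
    old = ET.fromstring(assertion_xml)
    if old.tag != q("saml2", "Assertion"):
        raise ValueError("RenewTarget must be a saml2:Assertion, got %s" % old.tag)
    now = now or dt.datetime.now(dt.timezone.utc)
    ts_id = "TS-" + str(uuid.uuid4())
    body_id = "_" + str(uuid.uuid4())

    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    sec = ET.SubElement(header, q("wsse", "Security"), {q("soap", "mustUnderstand"): "1"})
    ts = ET.SubElement(sec, q("wsu", "Timestamp"), {q("wsu", "Id"): ts_id})
    ET.SubElement(ts, q("wsu", "Created")).text = iso_ms(now)
    ET.SubElement(ts, q("wsu", "Expires")).text = iso_ms(now + window)

    body = ET.SubElement(env, q("soap", "Body"), {q("wsu", "Id"): body_id})
    rst = ET.SubElement(body, q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = RENEW
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML20_TOKEN
    ET.SubElement(rst, q("wst", "RenewTarget")).append(old)  # the expired assertion goes here
    ET.SubElement(rst, q("wst", "Renewing"))
    return ET.tostring(env, encoding="unicode"), ts_id, body_id


def inspect_request(envelope_xml):
    """What the receiving STS reads back: request type, the signed-part Ids and the target assertion ID."""
    env = ET.fromstring(envelope_xml)
    ts = env.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    body = env.find("soap:Body", NS)
    rst = body.find("wst:RequestSecurityToken", NS)
    return {
        "request_type": rst.find("wst:RequestType", NS).text,
        "timestamp_id": ts.get(q("wsu", "Id")),
        "body_id": body.get(q("wsu", "Id")),
        "target_assertion_id": rst.find("wst:RenewTarget/saml2:Assertion", NS).get("ID"),
        "renewing": rst.find("wst:Renewing", NS) is not None,
    }


if __name__ == "__main__":
    envelope, _, _ = build_renew_request(SAMPLE_ASSERTION)
    print(envelope)
```

A receiving STS should reject a request whose Signature does not cover both Ids returned here, since an unsigned Body would let the RenewTarget be swapped in transit; the five-minute Timestamp window mirrors the Created/Expires distance in the guide's sample.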

Response Message

The community responds with a SAML 2.0 IdP assertion whose lifetime is updated.

The following snippet is adapted from a sample response recorded during the EPR projectathon in September 2020. Some elements and namespaces were omitted to increase readability. The raw response file may be found here.

A SAML 2.0 IdP Assertion with identical attributes but updated lifetime is conveyed in the Body of the SOAP envelope (see lines 67 .. 69). Examples of Swiss EPR compliant XUA assertions may be found here.

Response
<Envelope>
 <Header/>
 <Body>
  <RequestSecurityTokenResponse Context="">
   <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
   <Lifetime>
    <wsu:Created>2019-03-26T15:13:13.378Z</wsu:Created>
    <wsu:Expires>2019-03-26T15:18:13.378Z</wsu:Expires>
   </Lifetime>
   <RequestedSecurityToken>
    <Assertion>
     <!-- Assertion returned by the IdP ommitted for brevity -->
    </Assertion>
   </RequestedSecurityToken>
   <RequestedAttachedReference>
    <SecurityTokenReference TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
     <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">#ID_cf6f7da6-c670-4c35-b413-39182b5672f2</KeyIdentifier>
    </SecurityTokenReference>
   </RequestedAttachedReference>
  </RequestSecurityTokenResponse>
 </Body>
</Envelope>
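The following Python example is added here and is not code from the programming guide or from an EPR community; it shows the checks a primary system should run on the response above before it starts using the renewed assertion. The sample response, the issuer `https://idp.example.org` and the assertion ID `ID_constructed-new` are constructed for the example, with the namespace prefixes the guide's snippet omits restored. It verifies the TokenType, that the Lifetime and the assertion's own Conditions are current, and that the RequestedAttachedReference points at the assertion actually returned. Verification of the assertion's XML signature is a separate step and is not shown.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML20_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

# Constructed sample response in the shape of the guide's snippet (assertion content is minimal).
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <soap:Header/>
 <soap:Body>
  <wst:RequestSecurityTokenResponse Context="">
   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
   <wst:Lifetime>
    <wsu:Created>2019-03-26T15:13:13.378Z</wsu:Created>
    <wsu:Expires>2019-03-26T15:18:13.378Z</wsu:Expires>
   </wst:Lifetime>
   <wst:RequestedSecurityToken>
    <saml2:Assertion ID="ID_constructed-new" IssueInstant="2019-03-26T15:13:13.378Z" Version="2.0">
     <saml2:Issuer>https://idp.example.org</saml2:Issuer>
     <saml2:Conditions NotBefore="2019-03-26T15:13:13.378Z" NotOnOrAfter="2019-03-26T15:18:13.378Z"/>
    </saml2:Assertion>
   </wst:RequestedSecurityToken>
   <wst:RequestedAttachedReference>
    <wsse:SecurityTokenReference TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
     <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">#ID_constructed-new</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
   </wst:RequestedAttachedReference>
  </wst:RequestSecurityTokenResponse>
 </soap:Body>
</soap:Envelope>"""


def parse_utc(text):
    """Parse an xsd:dateTime in UTC, with or without fractional seconds."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("timestamp must be in UTC: %s" % text)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)


def _one(parent, path):
    el = parent.find(path, NS)
    if el is None:
        raise ValueError("missing element: " + path)
    return el


def validate_renew_response(xml_text, now, skew=dt.timedelta(seconds=60)):
    """Check a RequestSecurityTokenResponse and return the renewed assertion's ID and lifetime."""
    env = ET.fromstring(xml_text)
    rstr = _one(env, "soap:Body/wst:RequestSecurityTokenResponse")
    token_type = (_one(rstr, "wst:TokenType").text or "").strip()
    if token_type != SAML20_TOKEN:
        raise ValueError("unexpected TokenType: " + token_type)

    created = parse_utc(_one(rstr, "wst:Lifetime/wsu:Created").text)
    expires = parse_utc(_one(rstr, "wst:Lifetime/wsu:Expires").text)
    if created >= expires:
        raise ValueError("Lifetime Created is not before Expires")
    if now < created - skew:
        raise ValueError("Lifetime Created lies in the future")
    if now >= expires + skew:
        raise ValueError("renewed token is already expired")

    assertion = _one(rstr, "wst:RequestedSecurityToken/saml2:Assertion")
    if assertion.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise ValueError("assertion has no ID")
    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is not None and conditions.get("NotOnOrAfter"):
        if now >= parse_utc(conditions.get("NotOnOrAfter")) + skew:
            raise ValueError("assertion Conditions already expired")

    # The attached reference must name the assertion that was actually returned.
    key_id = _one(rstr, "wst:RequestedAttachedReference/wsse:SecurityTokenReference/wsse:KeyIdentifier")
    if key_id.get("ValueType") != SAMLID:
        raise ValueError("KeyIdentifier is not a SAML ID reference")
    referenced = (key_id.text or "").strip().lstrip("#")  # the guide's sample carries a leading '#'
    if referenced != assertion_id:
        raise ValueError("attached reference %r does not match assertion %r" % (referenced, assertion_id))

    return {"assertion_id": assertion_id, "created": created, "expires": expires}


if __name__ == "__main__":
    print(validate_renew_response(SAMPLE_RESPONSE, now=parse_utc("2019-03-26T15:15:00Z")))
```

The `skew` argument absorbs small clock differences between the primary system and the IdP; keep it to a minute or so, since a generous skew lengthens the window in which an expired assertion is still accepted.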

Transport Protocol

The primary system shall send the request messages to the registry of the community using the HTTP POST binding as defined in the W3C SOAP specification. It may look like:

POST /RegistryStoredQueryService HTTP/1.1
Host: company.example.org
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Type: application/soap+xml; charset="utf-8"
Content-Length: nnnn

Audit Log

Primary systems shall log the request and response for traceability. There are no further requirements on audit logging defined in the ordinances of the Swiss EPR.

Security Requirements

To ensure privacy the transaction must be secured using the TLS SOAP backchannel with mutual authentication by server and client certificate validation.

Test Opportunity

The transaction can be tested with the Gazelle test suite of the EPR reference environment, or test systems of the EPR communities.


Last update: 2024-08-09