Token specification for Energinet.dk DataHub



Similar documents
Introduction to NemID and the NemID Service Provider Package

Terms and concepts in LSS for NemID

SAML Security Assertion Markup Language

Server based signature service. Overview

CS 356 Lecture 28 Internet Authentication. Spring 2013

OIOIDWS for Healthcare Token Profile for Authentication Tokens

Introduction to SAML. Jason Rouault Section Architect Internet Security Solutions Lab Hewlett-Packard. An XML based Security Assertion Markup Language

Implementation guide for LSS

Guidelines for the LSS for NemID interaction design and user selection

Cryptonite. SSO: Single Sign-On Security Overview. Áron SZABÓ. H.A.C.K. Hackerspace Budapest (hsbp.org)

Guidelines on the use of LSS for NemID test tools

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

Signature policy for TUPAS Witnessed Signed Document

Specification document for LDAP API

OIO SAML Profile for Identity Tokens

Authentication Applications

Den Gode Webservice - Security Analysis

Single Sign-On Implementation Guide

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Specifikationsdokument for OCES II

IBM WebSphere Application Server

Corporate Access File Transfer Service Description Version /05/2015

OIOSAML Rich Client to Browser Scenario Version 1.0

Compass Security. [The ICT-Security Experts] SAML 2.0 [Beer Talk Berlin 2/16/2016] Stephan Sekula

SAML Single-Sign-On (SSO)

Setting Up Federated Identity with IBM SmartCloud

Key Management and Distribution

NemID JS Developer Support site. Guidelines

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Public Key Infrastructure (PKI)

Specification document for the PID-CPR service

Cryptography and Network Security Chapter 14

Implementation Guide SAP NetWeaver Identity Management Identity Provider

ADFS Integration Guidelines

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

JVA-122. Secure Java Web Development

TELSTRA RSS CA Subscriber Agreement (SA)

Web Based Single Sign-On and Access Control

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Microsoft vs. Red Hat. A Comparison of PKI Vendors

Digital Signature Verification using Historic Data

SEZ SEZ Online Manual- DSC Signing with Java Applet. V Version 1.0 ersion 1.0

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Authentication Applications

Specification document for the RID-CPR service

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Single Sign-On Implementation Guide

E-Signing Functional description

Authentication Application

Appendix report 1: Syntax and structure of EDIFACT and XML messages Regulation F1:

Bugzilla ID: Bugzilla Summary:

SAFE Digital Signatures in PDF

Biometric Single Sign-on using SAML Architecture & Design Strategies

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

TeliaSonera Public Root CA. Certification Practice Statement. Revision Date: Version: Rev A. Published by: TeliaSonera Sverige AB

Certification Practice Statement

Transnet Registration Authority Charter

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Copyright: WhosOnLocation Limited

SAML Profile for Privacy-enhanced Federated Identity Management

Department of Industry and Science

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

Copyright Pivotal Software Inc, of 10

Introduction to SAML

HKUST CA. Certification Practice Statement

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

You can also find the conditions at

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Secure Web Access Solution

Authentication Context Classes for Levels of Assurance for the Swedish eid Framework

CS 392/681 - Computer Security

Web Access Management and Single Sign-On

Single Sign-On Implementation Guide

Guide. - How to setup secure communication for REST services in Automatisk kortbetaling. Revision 1.3. Nets A/S. Lautrupbjerg 10.

Department of Defense PKI Use Case/Experiences

Single Sign-On Implementation Guide

Key Management and Distribution

Enhancing Web Application Security

SECURITY IN ELECTRONIC COMMERCE MULTIPLE-CHOICE QUESTIONS

Configuring SSL Termination

Agenda. How to configure

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

OIOSAML 2.0 Toolkits Test results May 2009

PUBLIC-KEY CERTIFICATES

IGI Portal architecture and interaction with a CA- online

McAfee Cloud Identity Manager

X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities

Enterprise Access Control Patterns For REST and Web APIs

IAM Application Integration Guide

HP Software as a Service

Transcription:

Token specification for Energinet.dk DataHub Author: Jakob Gadegaard Bendixen, Signaturgruppen A/S Review: Peter Buus, Morten Storm Petersen, Thomas Mostrup Nymand Version: 0.4 Introduction The purpose of this document is to specify the format of the security tokens to be used when an energy consumer wants to get an overview of his energy consumption from a number of different providers. 30. marts 2012 JHH Choice of technologies The technology of choice will be SAML 2.0 assertions as specified in the OASIS SAML 2.0 specification [1]. SAML 2.0 assertions have been chosen as the token format as SAML 2.0 is the de facto standard for distributed authorization within digitalization of public services in Denmark. The alternative solutions considered was either to invent a proprietary XML format or to use the tokens provided by NemId logon. Both solutions where rejected due to their limitations. The assertions are always created on the website of the electricity supplier and there will be no need for requesting additional attributes from the electricity supplier once the signed assertion has been issued to the Datahub. Therefore the solution will not utilize the entire SAML 2.0 standard. Protocol The consumer is authenticated using his NemId. If the authentication is successful an authorization token is issued and the consumer is redirected to the Energinet.dk DataHub. The consumer is presented his consumption data. The token consists of a signed SAML 2.0 assertion containing the following attributes: - SubjectSerialNumber from the consumer's certificate - A friendly name of the consumer - A friendly name of the electricity supplier who authenticated the user. The friendly name of the consumer will be taken from the certificate Common Name (CN). In the OCES infrastructure it is possible to be anonymous in which case the certificate CN will be Pseudonym. If the authentication is done using an employee certificate (MOCES) CN is chosen by the LRA of the company in question. Although the LRA is obliged by contract to fill in the name of the employee, there is no technical mechanism to enforce this obligation. The friendly name of the provider is set by the provider himself and is not validated and should be used for presentation purposes only. The contents of the certificate fields are regulated by the OCES II specification [5]. All attributes are UTF8 strings. The SAML assertion will be signed with the VOCES certificate of the authenticating electricity supplier. The Attributes provided in the SAML assertion is the full name of the user as the provider name and the consumer subject serial number are given in the saml:issuer and saml:subject fields respectively. Doc 23823-12_v1, Case 10/3365 1/6

An issue of consideration is the time gap given in the saml:constraint. It must be sufficiently big to allow server time skews and sufficiently small to avoid replay attacks. In order to avoid time skews the implementing parties are advised to synchronize with a timeserver such as ntp1.tele.dk. Please refer to the following assertion sample for reference. This example illustrates the minimum number of fields to be filled out. Any SAML 2.0 compliant assertion containing those fields and attributes will be accepted. The following table outlines the fields which must be present and their expected content. All other fields in the assertion will be ignored in the validation. Name Xpath Expected content Issuer /assertion/issuer Friendly name of the provider Subject /assertion/subject SubjectSerialNumber of the consumer ConsumerName AttributeStatement/Attribute[@Name= ConsumerName ]/AttributeValue Common Name of the consumer Time constraint before Time constraint after /assertion/conditions@notbefore /assertion/conditions@notonorafter Beginning of the valid period End of the valid period Signature /assertion/signature XML-Dsig signature signed with the VOCES of the provider The signature of the assertion is of type enveloped as specified in the XML-Dsig standard[6] Sample SAML 2.0 assertion <?xml version="1.0" encoding="utf-8"?> <saml:assertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" ID="_706381eabe57febe9a041d0119850f41" IssueInstant="2009-08-13T19:57:39.171Z" Version="2.0"> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:signature> <saml:issuer>dong Energy</saml:Issuer> <saml:subject> <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameidformat:persistent"> CVR:29915938-RID:1176198964730 </saml:nameid> </saml:subject> <saml:conditions NotBefore="2009-08-13T19:57:29.171Z" NotOnOrAfter="2009-08-13T20:27:39.171Z"/> <saml:attributestatement> <saml:attribute Name="ConsumerName"> <saml:attributevalue>test Testesen</saml:AttributeValue> Doc 23823-12_v1, Case 10/3365 2/6

</saml:attribute> </saml:attributestatement> </saml:assertion> Verification rules The verification of the token consists of the following steps. 1. Verify that the SAML assertion is valid according to the XML schema[2]. 2. Verify the contained XML signature including validation of the certificate chain 3. Verify that the assertion is valid w.r.t. the time constraints specified 4. Verify that the signing electricity supplier is trusted 5. If the consumer is a company the RID given in the SAML assertion must be authorized against the attribute service provided by DanId.[4] The validation of the XML structure is done by comparing it to the SAML 2.0 scheme as defined in http://docs.oasis-open.org/security/saml/v2.0/samlschema-assertion-2.0.xsd The XML signature is validated w.r.t. the XML-DSig signature standard. The XML element signed is the entire assertion element, which is canonicalized using the http://www.w3.org/2001/10/xml-exc-c14n algorithm. The certificate is validated by verifying the signature of the certification authority (CA), checking if it is still valid in terms of expiry date and by checking that it has not been revoked. The last step is done by either checking the certificate revocation list (CRL) of the CA or by performing a request to the OCSP service of the CA. This solution will be using CRL checking for revocation check. Step 3 is performed by checking the values in saml:conditions element in the assertion and comparing them to current time. Step 4 is performed by checking if the CVR number in the signing VOCES certificate is known to the database Obligations Electricity supplier obligations In order to participate the electricity suppliers must hold a valid VOCES issued by DanId and a mechanism for authenticating users using NemId. By signing the SAML assertion with their VOCES the electricity supplier guarantees that they have authenticated the user who s subject serial number is given in the saml:subject field. The electricity suppliers must not use SAML assertions issued on behalf of a user to retrieve the metering data of the user. The servers of the electricity suppliers must be reasonable synchronized. Maximum time skew is 5 minutes. Energinet.dk obligations Energinet.dk is obliged to present a consumer s metering data if and only if given a valid SAML assertion with respect to the verification rules outlined in this document. Workflow The workflow for private consumers is illustrated by the following: Doc 23823-12_v1, Case 10/3365 3/6

1. The consumer authenticates himself at the electricity suppliers website using NemId. 2. The electricity supplier validates the NemId of the consumer and signs the DataHub token with their VOCES. 3. The consumer is presented a web page containing an iframe which refers to Energinet.dk s customer web application and the token is forwarded using a GET parameter. The token is validated with respect to rules outlined in this document and the subject serial number is mapped to the relevant installation addresses. 4. Energinet.dk s customer web application returns the relevant metering data to the consumer. The next illustration illustrates the workflow for commercial consumers Doc 23823-12_v1, Case 10/3365 4/6

DanID NemID Attribut PID/CPR CRL Grant access 4: Check attribute Administ Web rator application Administrator Browser 5: data Token Validation Attribut Data 3: Token iframe Internet Employee 2: iframe w. token 1: NemID login Web Application NemID VOCES tool Token VOCES 1. An employee of the consuming company authenticates himself to the electricity supplier using his MOCES / commercial NemId. 2. The electricity supplier validates the NemId/Signature of the employee and signs the token using his VOCES. 3. The employee is presented a web page containing an iframe which refers to Energinet.dk s customer web application and the token is forwarded using a GET parameter. The token is validated with respect to rules outlined in this document. Energinet.dk s customer web application validates the employee s authorization against the DanId attribute service. Should this authorization fail the employee is referred to his local administrator. 4. Energinet.dk s customer web application returns the relevant metering data to the consumer. Doc 23823-12_v1, Case 10/3365 5/6

References 1. OASIS SAML 2.0 standard 2. SAML Assertion schema: http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion- 2.0.xsd 3. Contract number 42992-11 4. Attribute Service Specification 5. OCES II specification: https://www.netsdanid.dk/produkter/nemid_til_erhverv/support/ocesii_specifikation.pdf 6. XML DSig specification: http://www.w3.org/tr/xmldsig-core/ Doc 23823-12_v1, Case 10/3365 6/6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information