From ec24b9558980c07c39a93a911480cf260c12e9c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Lindstr=C3=B6m?= Date: Tue, 3 Dec 2024 18:10:16 +0100 Subject: [PATCH] December 2024 (#231) * December 2024 release --- 00 - Swedish eID Framework - Introduction.md | 2 +- 00 - Tekniskt ramverk - Introduktion.md | 2 +- ...t Profile for the Swedish eID Framework.md | 116 +- 03 - Registry for Identifiers.md | 188 +- ...ification for the Swedish eID Framework.md | 418 ++--- ...ategories for the Swedish eID Framework.md | 98 +- ...r using DSS in Central Signing Services.md | 34 +- ...xtension for Federated Signing Services.md | 26 +- ...D Profile for the Swedish eID Framework.md | 31 +- 13 - Signature Activation Protocol.md | 18 +- ...tension in SAML Authentication Requests.md | 20 +- Identity Binding.md | 11 +- ...Connect Claims and Scopes Specification.md | 17 +- OpenID Connect Profile for Sweden Connect.md | 11 +- ..._Swedish_eID_Framework_-_Introduction.html | 569 ++++++ .../00_-_Tekniskt_ramverk_-_Introduktion.html | 587 ++++++ ...Profile_for_the_Swedish_eID_Framework.html | 1594 ++++++++++++++++ .../03_-_Registry_for_Identifiers.html | 1204 ++++++++++++ ...ication_for_the_Swedish_eID_Framework.html | 1222 ++++++++++++ ...egories_for_the_Swedish_eID_Framework.html | 689 +++++++ ...using_DSS_in_Central_Signing_Services.html | 683 +++++++ ..._Profile_for_Central_Signing_Services.html | 350 ++++ ...ension_for_Federated_Signing_Services.html | 1668 +++++++++++++++++ ...ication_for_the_Swedish_eID_Framework.html | 648 +++++++ ...Profile_for_the_Swedish_eID_Framework.html | 487 +++++ .../13_-_Signature_Activation_Protocol.html | 489 +++++ ...ction_in_SAML_Authentication_Requests.html | 234 +++ ...nsion_in_SAML_Authentication_Requests.html | 220 +++ ...nnect_Claims_and_Scopes_Specification.html | 381 ++++ ...ID_Connect_Profile_for_Sweden_Connect.html | 247 +++ docs/december-2024/index.html | 278 +-- ..._Swedish_eID_Framework_-_Introduction.html | 2 +- .../00_-_Tekniskt_ramverk_-_Introduktion.html | 2 +- ...Profile_for_the_Swedish_eID_Framework.html | 2 +- .../latest/03_-_Registry_for_Identifiers.html | 2 +- ...ication_for_the_Swedish_eID_Framework.html | 2 +- ...egories_for_the_Swedish_eID_Framework.html | 2 +- ...using_DSS_in_Central_Signing_Services.html | 2 +- ..._Profile_for_Central_Signing_Services.html | 2 +- ...ension_for_Federated_Signing_Services.html | 2 +- ...ication_for_the_Swedish_eID_Framework.html | 2 +- ...Profile_for_the_Swedish_eID_Framework.html | 2 +- .../13_-_Signature_Activation_Protocol.html | 2 +- ...ction_in_SAML_Authentication_Requests.html | 2 +- ...nsion_in_SAML_Authentication_Requests.html | 1 + ...600_-_Tekniskt_ramverk_-_Introduktion.html | 1 - ...Profile_for_the_Swedish_eID_Framework.html | 1 - .../ELN-0603_-_Registry_for_Identifiers.html | 1 - ...ication_for_the_Swedish_eID_Framework.html | 1 - ...egories_for_the_Swedish_eID_Framework.html | 1 - ...using_DSS_in_Central_Signing_Services.html | 1 - ..._Profile_for_Central_Signing_Services.html | 1 - ...ension_for_Federated_Signing_Services.html | 1 - ...ication_for_the_Swedish_eID_Framework.html | 1 - ...Profile_for_the_Swedish_eID_Framework.html | 1 - ...-0613_-_Signature_Activation_Protocol.html | 1 - ...ction_in_SAML_Authentication_Requests.html | 1 - ...nnect_Claims_and_Scopes_Specification.html | 1 + ...ID_Connect_Profile_for_Sweden_Connect.html | 1 + ...using_DSS_in_Central_Signing_Services.html | 48 +- ..._Profile_for_Central_Signing_Services.html | 94 +- ...ension_for_Federated_Signing_Services.html | 26 +- ...ication_for_the_Swedish_eID_Framework.html | 391 ++-- ...Profile_for_the_Swedish_eID_Framework.html | 441 ++--- ...ction_in_SAML_Authentication_Requests.html | 122 +- ..._Swedish_eID_Framework_-_Introduction.html | 531 +----- .../00_-_Tekniskt_ramverk_-_Introduktion.html | 549 +----- ...Profile_for_the_Swedish_eID_Framework.html | 1586 +--------------- .../03_-_Registry_for_Identifiers.html | 1215 +----------- ...ication_for_the_Swedish_eID_Framework.html | 1228 +----------- ...egories_for_the_Swedish_eID_Framework.html | 690 +------ ...using_DSS_in_Central_Signing_Services.html | 2 +- ..._Profile_for_Central_Signing_Services.html | 2 +- ...ension_for_Federated_Signing_Services.html | 2 +- ...ication_for_the_Swedish_eID_Framework.html | 2 +- ...Profile_for_the_Swedish_eID_Framework.html | 2 +- .../13_-_Signature_Activation_Protocol.html | 497 +---- ...ction_in_SAML_Authentication_Requests.html | 2 +- .../15_-_Signature_Validation_Token.html | 726 ------- ...ofile_for_Signature_Validation_Tokens.html | 215 --- ...ofile_for_Signature_Validation_Tokens.html | 247 --- ...nsion_in_SAML_Authentication_Requests.html | 221 +-- ...nnect_Claims_and_Scopes_Specification.html | 1 + ...ID_Connect_Profile_for_Sweden_Connect.html | 1 + scripts/release.sh | 12 +- 85 files changed, 12486 insertions(+), 8950 deletions(-) create mode 100644 docs/december-2024/00_-_Swedish_eID_Framework_-_Introduction.html create mode 100644 docs/december-2024/00_-_Tekniskt_ramverk_-_Introduktion.html create mode 100644 docs/december-2024/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html create mode 100644 docs/december-2024/03_-_Registry_for_Identifiers.html create mode 100644 docs/december-2024/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html create mode 100644 docs/december-2024/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html create mode 100644 docs/december-2024/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html create mode 100644 docs/december-2024/08_-_Certificate_Profile_for_Central_Signing_Services.html create mode 100644 docs/december-2024/09_-_DSS_Extension_for_Federated_Signing_Services.html create mode 100644 docs/december-2024/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html create mode 100644 docs/december-2024/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html create mode 100644 docs/december-2024/13_-_Signature_Activation_Protocol.html create mode 100644 docs/december-2024/14_-_Principal_Selection_in_SAML_Authentication_Requests.html create mode 100644 docs/december-2024/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html create mode 100644 docs/december-2024/OpenID_Connect_Claims_and_Scopes_Specification.html create mode 100644 docs/december-2024/OpenID_Connect_Profile_for_Sweden_Connect.html create mode 120000 docs/latest/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html delete mode 120000 docs/latest/ELN-0600_-_Tekniskt_ramverk_-_Introduktion.html delete mode 120000 docs/latest/ELN-0602_-_Deployment_Profile_for_the_Swedish_eID_Framework.html delete mode 120000 docs/latest/ELN-0603_-_Registry_for_Identifiers.html delete mode 120000 docs/latest/ELN-0604_-_Attribute_Specification_for_the_Swedish_eID_Framework.html delete mode 120000 docs/latest/ELN-0606_-_Entity_Categories_for_the_Swedish_eID_Framework.html delete mode 120000 docs/latest/ELN-0607_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html delete mode 120000 docs/latest/ELN-0608_-_Certificate_Profile_for_Central_Signing_Services.html delete mode 120000 docs/latest/ELN-0609_-_DSS_Extension_for_Federated_Signing_Services.html delete mode 120000 docs/latest/ELN-0611_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html delete mode 120000 docs/latest/ELN-0612_-_BankID_Profile_for_the_Swedish_eID_Framework.html delete mode 120000 docs/latest/ELN-0613_-_Signature_Activation_Protocol.html delete mode 120000 docs/latest/ELN-0614_-_Principal_Selection_in_SAML_Authentication_Requests.html create mode 120000 docs/latest/OpenID_Connect_Claims_and_Scopes_Specification.html create mode 120000 docs/latest/OpenID_Connect_Profile_for_Sweden_Connect.html mode change 100644 => 120000 docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html mode change 100644 => 120000 docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html mode change 100644 => 120000 docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html mode change 100644 => 120000 docs/updates/03_-_Registry_for_Identifiers.html mode change 100644 => 120000 docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html mode change 100644 => 120000 docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html mode change 100644 => 120000 docs/updates/13_-_Signature_Activation_Protocol.html delete mode 100644 docs/updates/15_-_Signature_Validation_Token.html delete mode 100644 docs/updates/16_-_PDF_Profile_for_Signature_Validation_Tokens.html delete mode 100644 docs/updates/17_-_XML_Profile_for_Signature_Validation_Tokens.html mode change 100644 => 120000 docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html create mode 120000 docs/updates/OpenID_Connect_Claims_and_Scopes_Specification.html create mode 120000 docs/updates/OpenID_Connect_Profile_for_Sweden_Connect.html diff --git a/00 - Swedish eID Framework - Introduction.md b/00 - Swedish eID Framework - Introduction.md index 9992996..25b0c26 100644 --- a/00 - Swedish eID Framework - Introduction.md +++ b/00 - Swedish eID Framework - Introduction.md @@ -8,7 +8,7 @@ # Introduction to the Sweden Connect Technical Framework -### 2024-12-02 +### 2024-12-04 Registration number: **2019-267** diff --git a/00 - Tekniskt ramverk - Introduktion.md b/00 - Tekniskt ramverk - Introduktion.md index 144cac2..3078316 100644 --- a/00 - Tekniskt ramverk - Introduktion.md +++ b/00 - Tekniskt ramverk - Introduktion.md @@ -8,7 +8,7 @@ # En introduktion till Sweden Connect Tekniskt ramverk -### 2024-12-02 +### 2024-12-04 Diarienummer: **2019-267** diff --git a/02 - Deployment Profile for the Swedish eID Framework.md b/02 - Deployment Profile for the Swedish eID Framework.md index 4726496..beb38fa 100644 --- a/02 - Deployment Profile for the Swedish eID Framework.md +++ b/02 - Deployment Profile for the Swedish eID Framework.md @@ -8,7 +8,7 @@ # Deployment Profile for the Swedish eID Framework -### Version 1.8 - 2024-12-04 - *Draft version* +### Version 1.8 - 2024-12-04 Registration number: **2019-308** @@ -141,7 +141,7 @@ by this profile. ### 1.1. Requirements Notation -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in \[[RFC2119](http://www.ietf.org/rfc/rfc2119.txt)\]. @@ -279,9 +279,9 @@ messages using both the old and new key. ##### 2.1.1.3. Declaring Algorithm Support -Services MAY declare encryption and signature capabilities as defined in \[[SAML2MetaAlgSupport](#saml2metaalg)\]. The declared algorithms MUST meet the algorithm requirements defined by the Swedish eID Framework or by the federation operator . Thus, it is not allowed to declare an algorithm, or key size, that is prohibited from use. +Services MAY declare encryption and signature capabilities as defined in \[[SAML2MetaAlgSupport](#saml2metaalg)\]. The declared algorithms MUST meet the algorithm requirements defined by the Sweden Connect Framework or by the federation operator . Thus, it is not allowed to declare an algorithm, or key size, that is prohibited from use. -All services conformant with this specification MUST support the mandatory algorithms defined by the Swedish eID Framework, meaning that a service has no possibility to opt-out from a certain mandatory algorithm by excluding it from the declared capabilities. The main purpose of declaring an algorithm using any of the elements ``, `` or `` is to declare which algorithm the service prefers. +All services conformant with this specification MUST support the mandatory algorithms defined by the Sweden Connect Framework, meaning that a service has no possibility to opt-out from a certain mandatory algorithm by excluding it from the declared capabilities. The main purpose of declaring an algorithm using any of the elements ``, `` or `` is to declare which algorithm the service prefers. #### 2.1.2. Service Providers @@ -290,7 +290,7 @@ The `` element of a Service Provider’s entity descriptor SHOULD contain one entity category attribute \[[EntCat](#entcat)\] that holds at least one attribute value representing a service entity category as defined in -\[[EidEntCat](#eidentcat)\], identifying the Service Provider requirements in relation to +\[[SC.EntCat](#sc-entcat)\], identifying the Service Provider requirements in relation to identity services concerning attribute release and level of assurance. The example below illustrates how an entity declares the service entity @@ -324,7 +324,7 @@ combination with `` elements under the Provider metadata. The `` elements in the Service Provider metadata, when present, hold a list of requested and/or required attributes. This list of attributes MUST be interpreted in the -context of present service entity categories defined in \[[EidEntCat](#eidentcat)\]. +context of present service entity categories defined in \[[SC.EntCat](#sc-entcat)\]. > Note: Only the requirements for attributes that are not implicitly requested through a declared service entity category need to be expressed as `` elements. @@ -394,7 +394,7 @@ The `` element of an Identity Provider’s entity descriptor SHOULD contain one entity category attribute \[[EntCat](#entcat)\] that holds at least one attribute value representing a service entity category as defined in -\[[EidEntCat](#eidentcat)\], defining the Identity Provider ability to deliver +\[[SC.EntCat](#sc-entcat)\], defining the Identity Provider ability to deliver assertions (defining the level of assurance and attribute release). If an Identity Provider has the ability to release attributes, other than those @@ -408,8 +408,8 @@ metadata SHALL contain an attribute according to `urn:oasis:names:tc:SAML:attribute:assurance-certification` and holding at least one attribute value identifying a Level of Assurance (LoA) for which the Identity Provider has been approved. -The Swedish eID Framework defines such identifier values in section 3.1.1 of -\[[SC.Registry](#sc-registry)\] and their meanings are defined in \[[EidTillit](#eidtillit)\]. +The Sweden Connect Framework defines such identifier values in section 3.1.1 of +\[[SC.Registry](#sc-registry)\] and their meanings are defined in \[[SE.Trust](#se-trust)\]. ``` @@ -434,7 +434,7 @@ element to a value of `true`. See further section E7, “Metadata for Agreeing to Sign Authentication Requests”, of \[[SAML v2.0 Errata 05](#saml2errata05)\]. -Identity Providers SHALL advertise support for the SAP protocol according to \[[SigSAP](#sigsap)\], by including the service property entity category URI +Identity Providers SHALL advertise support for the SAP protocol according to \[[SC.SAP](#sc-sap)\], by including the service property entity category URI `http://id.elegnamnden.se/sprop/1.0/scal2` in its metadata. An Identity Provider that does not advertise support for SAP MAY ignore requests for SAD. ``` @@ -451,12 +451,12 @@ Identity Providers SHALL advertise support for the SAP protocol according to \[[ ``` *Example of how an Identity Provider advertises its support for SCAL2 authentication.* -An Identity Provider that wishes to receive the `` extension in authentication requests SHOULD include the `` extension extending the `` element. In this extension the Identity Provider declares which attribute value(s) it wants to receive in authentication requests from requestors using the `` authentication request extension. See [section 5.3.3](#principal-selection) and \[[PrincipalSel](#principalsel)\]. +An Identity Provider that wishes to receive the `` extension in authentication requests SHOULD include the `` extension extending the `` element. In this extension the Identity Provider declares which attribute value(s) it wants to receive in authentication requests from requestors using the `` authentication request extension. See [section 5.3.3](#principal-selection) and \[[SC.Principal](#sc-principal)\]. ##### 2.1.3.1. Declaring Authorized Scopes -An Identity Provider that releases "scoped attributes", see section 3.1.3 of \[[EidAttributes](#eidattributes)\], +An Identity Provider that releases "scoped attributes", see section 3.1.3 of \[[SC.Attributes](#sc-attributes)\], MUST be authorized to do so by the federation operator. Each authorized scope MUST be declared in the Identity Provider metadata entry using a `` element, see section 3.5.2, "Scope Filtering", in \[[SAML2SubjIdAttr](#saml2subjidattr)\]. The `` elements MUST appear within the `` element of the ``. ``` @@ -510,13 +510,13 @@ If the Identity Provider also supports authentication according the ordinary Web #### 2.1.4. Signature Service -A Signature Service within the Swedish eID Framework is a Service +A Signature Service within the Sweden Connect Framework is a Service Provider with specific requirements concerning its representation in metadata. The `` element of a Signature Service SP entity descriptor SHALL include the service type entity category -identifier **`http://id.elegnamnden.se/st/1.0/sigservice`** (\[[EidEntCat](#eidentcat)\]) +identifier **`http://id.elegnamnden.se/st/1.0/sigservice`** (\[[SC.EntCat](#sc-entcat)\]) as a value to the entity category attribute \[[EntCat](#entcat)\]. ``` @@ -558,8 +558,8 @@ message). ## 4. Attributes -Attribute specifications for the Swedish eID Framework are defined in -\[[EidAttributes](#eidattributes)\]. +Attribute specifications for the Sweden Connect Framework are defined in +\[[SC.Attributes](#sc-attributes)\]. The content of `` elements exchanged via any SAML 2.0 messages or assertions SHOULD be limited to a single child text @@ -632,7 +632,7 @@ For the HTTP-POST binding the `` element MUST be signed using a `` element within the ``. -Before signing the authentication request, the Service Provider SHOULD consult the Identity Provider's metadata (`` and `` elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory signing and digest algorithms defined in the Swedish eID Framework during the signature operation. +Before signing the authentication request, the Service Provider SHOULD consult the Identity Provider's metadata (`` and `` elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory signing and digest algorithms defined in the Sweden Connect Framework during the signature operation. > \[\*\]: A Service Provider should be aware of web browser, or web server, size limitations of URL:s, and it is RECOMMENDED that a Service Provider use the HTTP-POST binding in cases where @@ -692,7 +692,7 @@ one out of a selection of acceptable authentication context URIs, then all of these URIs MUST be included in the request. The requested authentication context SHOULD be consistent with at least -one of the service entity categories \[[EidEntCat](#eidentcat)\] declared in the +one of the service entity categories \[[SC.EntCat](#sc-entcat)\] declared in the Service Provider’s metadata entry. See further [section 5.4.4](#authentication-context-and-level-of-assurance-handling) below. ``` @@ -715,7 +715,7 @@ message.* *Example of how several Authentication Context URIs are included in an authentication request message. In this case, the Service Provider states that it requests the authentication to be performed according to -either the LoA3 URI defined within the Swedish eID Framework or the +either the LoA3 URI defined within the Sweden Connect Framework or the substantial level for notified eIDs defined within the eIDAS Framework.* @@ -754,7 +754,7 @@ extension of the `AuthnRequest` message, see section [5.3.3](#principal-selectio #### 5.3.3. Principal Selection -The specification "Principal Selection in SAML Authentication Requests", \[[PrincipalSel](#principalsel)\], defines the `` extension that enables a requestor to inform the Identity Provider about known attributes for the principal that is about to be authenticated. +The specification "Principal Selection in SAML Authentication Requests", \[[SC.Principal](#sc-principal)\], defines the `` extension that enables a requestor to inform the Identity Provider about known attributes for the principal that is about to be authenticated. This may be relevant for Identity Provider services who prompt users for an identifier in order initiate an authentication process with the user's eID. In such cases, this extension can be used to avoid unnecessary prompting when the user's identity is known in advance to the service requesting authentication, such as when a previously authenticated user is requested to sign a document. @@ -855,7 +855,7 @@ the Identity Provider MAY return the result of a default authentication process that is consistent with the Identity Providers metadata. **Note**: The Identity Provider does not have to consider the service -entity categories (\[[EidEntCat](#eidentcat)\]) declared in the Service Provider’s +entity categories (\[[SC.EntCat](#sc-entcat)\]) declared in the Service Provider’s metadata entry when determining the requested authentication context under which the authentication should be performed. The purpose of the service entity categories is primarily to support service matching in @@ -939,7 +939,7 @@ message. The elements `` and `` MUST NOT be used; instead the entire assertion MUST be encrypted. -Before performing encryption and signing, the Identity Provider SHOULD consult the Service Provider's metadata (``, `` and `` elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Service Provider prefers. If the intersection is empty, or if the Service Provider has not declared any algorithms, the Identity Provider MUST use algorithms listed as mandatory by the Swedish eID Framework. For encryption, the chosen algorithm MUST also be compatible with the Service Provider's encryption key +Before performing encryption and signing, the Identity Provider SHOULD consult the Service Provider's metadata (``, `` and `` elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Service Provider prefers. If the intersection is empty, or if the Service Provider has not declared any algorithms, the Identity Provider MUST use algorithms listed as mandatory by the Sweden Connect Framework. For encryption, the chosen algorithm MUST also be compatible with the Service Provider's encryption key declared in metadata. Service Providers SHOULD NOT accept unsolicited `` @@ -968,7 +968,7 @@ especially important in cases of re-use of already established security contexts at the Identity Provider side (Single Sign On). Each identity assertion MUST have a `` element that -specifies the principal that is the subject of all of the statements in +specifies the principal that is the subject of all the statements in the assertion. The value of the `` element under the @@ -1055,19 +1055,19 @@ An Identity Provider determines which attributes to include in the `` element of an assertion based on the Service Provider requirements and its agreements with the user being authenticated. Service Provider attribute preferences and requirements -are specified by the service entity categories \[[EidEntCat](#eidentcat)\] and +are specified by the service entity categories \[[SC.EntCat](#sc-entcat)\] and requested attributes in the `` element declared in the Service Provider metadata. A service entity category -specifies the attribute set (as defined in \[[EidAttributes](#eidattributes)\]) that is +specifies the attribute set (as defined in \[[SC.Attributes](#sc-attributes)\]) that is requested for the attribute release process. An Identity Provider declares service entity categories in order to publish its ability to deliver attributes according to certain attribute sets. For all declared service entity categories, the Identity Provider MUST possess the ability to deliver the mandatory attributes of the -underlying attribute set. See \[[EidEntCat](#eidentcat)\] and \[[EidAttributes](#eidattributes)\] for details. +underlying attribute set. See \[[SC.EntCat](#sc-entcat)\] and \[[SC.Attributes](#sc-attributes)\] for details. -An Identity Provider releasing scoped attributes, see section 3.1.3 of \[[EidAttributes](#eidattributes)\], MUST be authorized to release attributes with given scopes by the federation operator. An Identity Provider's authorized scopes are published in its metadata according to section [2.1.3.1](#declaring-authorized-scopes), "[Declaring Authorized Scopes](#declaring-authorized-scopes)". +An Identity Provider releasing scoped attributes, see section 3.1.3 of \[[SC.Attributes](#sc-attributes)\], MUST be authorized to release attributes with given scopes by the federation operator. An Identity Provider's authorized scopes are published in its metadata according to section [2.1.3.1](#declaring-authorized-scopes), "[Declaring Authorized Scopes](#declaring-authorized-scopes)". Consequently, a Service Provider consuming a scoped attribute SHOULD verify that the issuing Identity Provider has been authorized to release attributes for the given scope by asserting its presence in the Identity Provider's metadata, see section [2.1.3.1](#declaring-authorized-scopes) and section 3.5.2 of \[[SAML2SubjIdAttr](#saml2subjidattr)\]. A scoped attribute that fails this check MUST NOT be accepted by the Service Provider. @@ -1279,9 +1279,9 @@ If an Identity Provider detects suspicious fraudulent behaviour or if any of its ## 7. Authentication for Signature -“DSS Extension for Federated Central Signing Services”, \[[EidDSS](#eiddss)\], +“DSS Extension for Federated Central Signing Services”, \[[SC.DSS.Ext](#sc-dss-ext)\], defines an extension to the OASIS DSS protocol for providing centralized -Signature Services within the Swedish eID Framework. This specification +Signature Services within the Sweden Connect Framework. This specification defines the communication between a *Signature Requestor** and a Signature Service, but does not cover SAML specific requirements regarding the user authentication phase that is part of the signature @@ -1308,7 +1308,7 @@ following requirements: also be indicated in the Signature Service metadata record using the `AuthnRequestsSigned` attribute (see [section 2.1.4](#signature-service)). -If the receiving Identity Provider has declared that it wishes to receive principal selection information about the signer (see [section 5.3.3](#principal-selection)), and the Signature Service has received any of the requested attribute values in the `Signer` element of the `SignRequest` (\[[EidDSS](#eiddss)\]), the Signature Service SHOULD include those attribute values in a `` extension of the authentication request. +If the receiving Identity Provider has declared that it wishes to receive principal selection information about the signer (see [section 5.3.3](#principal-selection)), and the Signature Service has received any of the requested attribute values in the `Signer` element of the `SignRequest` (\[[SC.DSS.Ext](#sc-dss-ext)\]), the Signature Service SHOULD include those attribute values in a `` extension of the authentication request. It is RECOMMENDED that the `` element containing a `` element holding the entityID of the Service Requestor is included in `` messages generated by a Signature Service. @@ -1330,8 +1330,8 @@ end user is performing a signature. #### 7.1.1. Requesting Display of Signature Message -\[[EidDSS\_Profile](#eiddssprofile)\] specifies that a Signature Requestor may include a -`SignMessage` element (as defined by \[[EidDSS](#eiddss)\]) in a signature request. +\[[SC.DSS.Profile](#sc-dss-profile)\] specifies that a Signature Requestor may include a +`SignMessage` element (as defined by \[[SC.DSS.Ext](#sc-dss-ext)\]) in a signature request. This element holds a message that the Identity Provider, which is responsible for “authentication for signature”, should present to the user that is performing the signature. @@ -1345,7 +1345,7 @@ element in the `` message (see section 3.2.1 of All Identity Providers compliant with this profile MUST be able to parse and understand the `SignMessage` extension. -If the `Message`-element of the `SignMessage` is to be encrypted, the Service Provider SHOULD consult the Identity Provider's metadata (`` elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory algorithms defined in the Swedish eID Framework during the encryption operation, which is compatible with the Identity Provider's encryption key declared in metadata. +If the `Message`-element of the `SignMessage` is to be encrypted, the Service Provider SHOULD consult the Identity Provider's metadata (`` elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory algorithms defined in the Sweden Connect Framework during the encryption operation, which is compatible with the Identity Provider's encryption key declared in metadata. If an Identity Provider that has ways of determining the principal's identity before displaying a sign message receives a `` extension in the authentication request @@ -1372,7 +1372,7 @@ from signature services): return an error response. - If authentication and sign message confirmation by the user was successful, the Identity Provider - MUST include the `signMessageDigest` attribute (see section 3.2.4 of \[[EidAttributes](#eidattributes)\]) + MUST include the `signMessageDigest` attribute (see section 3.2.4 of \[[SC.Attributes](#sc-attributes)\]) in the assertion that is issued. - The Identity Provider MUST NOT return an assertion without performing an authentication process @@ -1383,18 +1383,18 @@ from signature services): #### 7.1.2. Requesting SCAL2 Signature Activation Data -The type of signature requested in a signature request is, according to \[[EidDSS_Profile](#eiddssprofile)\], specified by the `CertType` attribute of the `` element. When the value of this attribute is set to `QC/SSCD`, the requested signature is a Qualified Signature created in a Qualified Signature Creation Device (QSCD). To achieve this level of signature the Authentication Request MUST include a request for Signature Activation Data (SAD) for Sole Control Assurance Level 2 (SCAL2) in accordance with the "Signature Activation Protocol for Federated Signing" \[[SigSAP](#sigsap)\], and MUST include the `SignMessage` extension (as described above). +The type of signature requested in a signature request is, according to \[[SC.DSS.Profile](#sc-dss-profile)\], specified by the `CertType` attribute of the `` element. When the value of this attribute is set to `QC/SSCD`, the requested signature is a Qualified Signature created in a Qualified Signature Creation Device (QSCD). To achieve this level of signature the Authentication Request MUST include a request for Signature Activation Data (SAD) for Sole Control Assurance Level 2 (SCAL2) in accordance with the "Signature Activation Protocol for Federated Signing" \[[SC.SAP](#sc-sap)\], and MUST include the `SignMessage` extension (as described above). As pointed out in [section 2.1.3](#identity-providers) an Identity Provider that supports processing of SAD requests and issuance of SAD-attributes SHALL advertise this by declaring the service property entity category `http://id.elegnamnden.se/sprop/1.0/scal2` in its metadata. An Identity Provider that has declared this entity category MUST return a SAD attribute in an issued assertion if the corresponding `` message contains the `` extension. A SAD returned from the Identity Provider MUST have a signature which can be verified using a certificate from the Identity Provider's metadata entry. The signature algorithm used to sign the SAD MUST be equivalent to the algorithm used to sign the responses and assertions from the Identity Provider. -Verification of a received SAD-attribute MUST follow the verification rules specified in section 3.2.3 of \[[SigSAP](#sigsap)\]. +Verification of a received SAD-attribute MUST follow the verification rules specified in section 3.2.3 of \[[SC.SAP](#sc-sap)\]. ### 7.2. Authentication Responses -By including the `signMessageDigest` attribute (see section 3.2.4 of \[[EidAttributes](#eidattributes)\]) +By including the `signMessageDigest` attribute (see section 3.2.4 of \[[SC.Attributes](#sc-attributes)\]) in the SAML assertion, the Identity Provider asserts that it has successfully displayed the sign message received in the request for the user and that the user has accepted to sign under the context of this sign message. This attribute MUST be included in the issued assertion if a sign message was displayed for, and accepted by, the user. @@ -1505,7 +1505,7 @@ A service wishing to receive encrypted messages where SHA-1 is not used as the k ``` *Example of how a service announces that it wishes that the peer uses SHA-256 as the key transport digest when encrypting using RSA-OAEP-MGF1P.* -> \[*\]: Note that the use if SHA-1 in this context (both as digest algoritm and as mask generation function) is limited to providing randomness of padding data and as a hash over optional OAEP parameter data which typically is an empty string. It is not used as a hash function to assert the integrity of the encrypted data. No weaknesses of SHA-1 is is known to be relevant to its use in this context. +> \[*\]: Note that the use if SHA-1 in this context (both as digest algoritm and as mask generation function) is limited to providing randomness of padding data and as a hash over optional OAEP parameter data which typically is an empty string. It is not used as a hash function to assert the integrity of the encrypted data. No weaknesses of SHA-1 are known to be relevant to its use in this context. ## 9. Normative References @@ -1604,38 +1604,38 @@ A service wishing to receive encrypted messages where SHA-1 is not used as the k **\[SAML2HokAP\]** > [OASIS Committee Specification, SAML V2.0 Holder-of-Key Assertion Profile Version 1.0, January 2010](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key.pdf). - -**\[EidTillit\]** + +**\[SE.Trust\]** > [Tillitsramverket för Svensk e-legitimation](https://www.digg.se/digitala-tjanster/e-legitimering/tillitsnivaer-for-e-legitimering/tillitsramverk-for-svensk-e-legitimation). **\[SC.Registry\]** > [Sweden Connect - Registry for identifiers](https://docs.swedenconnect.se/technical-framework/latest/03_-_Registry_for_Identifiers.html). - -**\[EidAttributes\]** + +**\[SC.Attributes\]** > [Attribute Specification for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html). - -**\[EidEntCat\]** + +**\[SC.EntCat\]** > [Entity Categories for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html). - -**\[EidDSS\]** + +**\[SC.Principal\]** +> [Principal Selection in SAML Authentication Requests](https://docs.swedenconnect.se/technical-framework/latest/14_-_Principal_Selection_in_SAML_Authentication_Requests.html). + + +**\[SC.DSS.Ext\]** > [DSS Extension for Federated Central Signing Services](https://docs.swedenconnect.se/technical-framework/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html). - -**\[EidDSS\_Profile\]** + +**\[SC.DSS.Profile\]** > [Implementation Profile for Using OASIS DSS in Central Signing Services](https://docs.swedenconnect.se/technical-framework/latest/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html). - -**\[SigSAP\]** + +**\[SC.SAP\]** > [Signature Activation Protocol for Federated Signing](https://docs.swedenconnect.se/technical-framework/latest/13_-_Signature_Activation_Protocol.html). - -**\[PrincipalSel\]** -> [Principal Selection in SAML Authentication Requests](https://docs.swedenconnect.se/technical-framework/latest/14_-_Principal_Selection_in_SAML_Authentication_Requests.html). - **\[RFC4051\]** > [IETF RFC 4051, Additional XML Security Uniform Resource Identifiers, April 2005](https://www.ietf.org/rfc/rfc4051.txt). @@ -1650,7 +1650,7 @@ A service wishing to receive encrypted messages where SHA-1 is not used as the k **Changes between version 1.7 and 1.8:** -- Section 7.1.2 was updated to state that the requirement to include both a SAD and a SignMessage extension only applies when the requested CertType is "QC/SSCD". Voluntary use of SAD for other types of signatures (e.g. non qualified signatures) does not automatically trigger a requirement to include SignMessage. +- Section 7.1.2 was updated to state that the requirement to include both a SAD and a SignMessage extension only applies when the requested CertType is "QC/SSCD". Voluntary use of SAD for other types of signatures (e.g., nonqualified signatures) does not automatically trigger a requirement to include SignMessage. **Changes between version 1.6 and 1.7:** @@ -1667,7 +1667,7 @@ A service wishing to receive encrypted messages where SHA-1 is not used as the k **Changes between version 1.5 and 1.6:** - In order to facilitate algorithm interoperability between peers additions concerning "Metadata Profile for Algorithm Support" \[[SAML2MetaAlgSupport](#saml2metaalg)\] was added. Section 2.1.1 was updated with a section defining how preferred algorithms are declared in metadata, and sections 5.2, 6.1 and 7.2.1 was updated with requirements for algorithm selection during signing and encryption. -- Section 5.3, "Message Content", was re-structured with sub-chapters for requested authentication contexts, scoping and principal selection. +- Section 5.3, "Message Content", was re-structured with subchapters for requested authentication contexts, scoping and principal selection. - The `PrincipalSelection` and `RequestedPrincipalSelection` extensions were introduced to sections 2.1.3, 5.3.3 and 7.2. - The link for the "Tillitsramverk för Svensk e-legitimation" specification was updated. - This profile is no longer normatively dependent upon SAML2Int. Therefore, the profile has been updated with requirements that previously was implicit (due to the normative dependency to SAML2Int). @@ -1713,7 +1713,7 @@ and the use of the `signMessageDigest` attribute was introduced. - In section 7.1, a set of authentication context URIs for the eIDAS Framework was added. -- In section 6.4, the requirement to use the sub-level status code +- In section 6.4, the requirement to use the sublevel status code `http://id.elegnamnden.se/status/1.0/cancel` was added. This status should be used to indicate a cancelled operation. @@ -1760,7 +1760,7 @@ and the use of the `signMessageDigest` attribute was introduced. difficult to make use of the `` element to store authentication context parameters, and that no commercial, or open source, Identity Provider software had support for this - feature. \[EidAttributes\] now describe how the `authContextParams` + feature. \[SC.Attributes\] now describe how the `authContextParams` attribute may be used for the same purpose, and the examples where this information was stored under the `` element was removed from chapter 6.2, “Message Content”. diff --git a/03 - Registry for Identifiers.md b/03 - Registry for Identifiers.md index 611c2c0..e437af7 100644 --- a/03 - Registry for Identifiers.md +++ b/03 - Registry for Identifiers.md @@ -8,7 +8,7 @@ # Sweden Connect - Registry for identifiers -### Version 1.8 - 2024-11-26 - *Draft version* +### Version 1.8 - 2024-12-04 Registration number: **2019-309** @@ -193,14 +193,14 @@ The following category codes are defined: #### 3.1.1. Authentication Context URIs Authentication Context URIs representing assurance levels (Tillitsnivåer) relevant to -\[[TillitRamv](#tillitramv)\] and \[[EidDeploy](#eiddeploy)\]. +\[[SE.Trust](#se-trust)\] and \[[SC.SAML.Profile](#sc-saml-profile)\]. | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/loa/1.0/loa1` | Assurance level 1. | \[[TillitRamv](#tillitramv)\] | -| `http://id.elegnamnden.se/loa/1.0/loa2` | Assurance level 2. | \[[TillitRamv](#tillitramv)\] | -| `http://id.elegnamnden.se/loa/1.0/loa3` | Assurance level 3. | \[[TillitRamv](#tillitramv)\] | -| `http://id.elegnamnden.se/loa/1.0/loa4` | Assurance level 4. | \[[TillitRamv](#tillitramv)\] | +| `http://id.elegnamnden.se/loa/1.0/loa1` | Assurance level 1. | \[[SE.Trust](#se-trust)\] | +| `http://id.elegnamnden.se/loa/1.0/loa2` | Assurance level 2. | \[[SE.Trust](#se-trust)\] | +| `http://id.elegnamnden.se/loa/1.0/loa3` | Assurance level 3. | \[[SE.Trust](#se-trust)\] | +| `http://id.elegnamnden.se/loa/1.0/loa4` | Assurance level 4. | \[[SE.Trust](#se-trust)\] | | `http://id.elegnamnden.se/loa/1.0/eidas-low`\* | Authentication accordance to eIDAS assurance level low for non-notified and notified eID schemes. | \[[eIDAS](#eidas)\] | | `http://id.elegnamnden.se/loa/1.0/eidas-sub`\* | Authentication accordance to eIDAS assurance level substantial for non-notified and notified eID schemes. | \[[eIDAS](#eidas)\] | | `http://id.elegnamnden.se/loa/1.0/eidas-high`\* | Authentication accordance to eIDAS assurance level high for non-notified and notified eID schemes. | \[[eIDAS](#eidas)\] | @@ -227,12 +227,12 @@ following `AuthnContextClassRef` URI:s defined by the EU commission: > \[*\]: The authentication context URI:s are intended to be used to represent authentication over the eIDAS authentication framework using an official eIDAS-connector. Authorization to issue assertions using these authentication context URI:s is determined by declaration of the -"assurance certification" for the connector (see section 2.1.3 of \[[EidDeploy](#eiddeploy)\]). +"assurance certification" for the connector (see section 2.1.3 of \[[SC.SAML.Profile](#sc-saml-profile)\]). ##### 3.1.1.1. Authentication Context URIs for Swedish Non-residents -The Swedish assurance framework, \[[TillitRamv](#tillitramv)\], states that a Swedish eID +The Swedish assurance framework, \[[SE.Trust](#se-trust)\], states that a Swedish eID according to any of the defined assurance levels must only be issued to an individual holding a Swedish personal identity number (personnummer) or a Swedish coordination number (samordningsnummer). @@ -240,7 +240,7 @@ a Swedish personal identity number (personnummer) or a Swedish coordination numb In some cases, a certified eID-issuer may also issue eIDs to persons that do not hold a Swedish identity number (non-residents). If this is the case, and the original identification of the person has a strength that corresponds to the requirements -put in \[[TillitRamv](#tillitramv)\], a certified Identity Provider or OpenID Provider MAY use the URIs +put in \[[SE.Trust](#se-trust)\], a certified Identity Provider or OpenID Provider MAY use the URIs defined below: | **URL** | **Object** | **Reference** | @@ -255,14 +255,14 @@ This is per definition since these URIs are intended to be used for non-resident ##### 3.1.1.2. Authentication Context URIs for Uncertified Providers -The assurance levels defined in section [3.1.1](#authentication-context-uris) may only be used by Identity Providers, or OpenID Providers, that have been reviewed and approved by the Swedish Agency for Digital Government (Digg) according to \[[TillitRamv](#tillitramv)\]. For providers that have not undergone a review process but make a self declaration to be compliant with \[[TillitRamv](#tillitramv)\] this specification defines the following authentication context URIs: +The assurance levels defined in section [3.1.1](#authentication-context-uris) may only be used by Identity Providers, or OpenID Providers, that have been reviewed and approved by the Swedish Agency for Digital Government (Digg) according to \[[SE.Trust](#se-trust)\]. For providers that have not undergone a review process but make a self declaration to be compliant with \[[SE.Trust](#se-trust)\] this specification defines the following authentication context URIs: | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | | `http://id.swedenconnect.se/loa/1.0/`
`uncertified-loa2` | URI that is indented to be used by uncertified providers that make a self declaration of providing an assurance level comparable to Assurance level 2 - `http://id.elegnamnden.se/loa/1.0/loa2`. | This document | | `http://id.swedenconnect.se/loa/1.0/`
`uncertified-loa3` | URI that is indented to be used by uncertified providers that make a self declaration of providing an assurance level comparable to Assurance level 3 - `http://id.elegnamnden.se/loa/1.0/loa3`. | This document | -Proxy providers that have eIDAS authentication as an option MUST NOT use the eIDAS authentication context URIs defined in section [3.1.1](#authentication-context-uris). Instead they should use: +Proxy providers that have eIDAS authentication as an option MUST NOT use the eIDAS authentication context URIs defined in section [3.1.1](#authentication-context-uris), instead they should use: | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | @@ -277,12 +277,12 @@ Identifiers for attribute sets defined in the Sweden Connect SAML Attribute Spec | **Identifier** | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | :--- | -| ELN-AP-Pseudonym-01 | `http://id.elegnamnden.se/ap/1.0/pseudonym-01` | Pseudonym identity attribute set. | \[[EidAttributes](#eidattributes)\] | -| ELN-AP-NaturalPerson-01 | `http://id.elegnamnden.se/ap/1.0/natural-person-01` | Personal identity without civic registration number attribute set. | \[[EidAttributes](#eidattributes)\] | -| ELN-AP-Pnr-01 | `http://id.elegnamnden.se/ap/1.0/pnr-01` | Personal identity with civic registration number attribute set. | \[[EidAttributes](#eidattributes)\] | -| ELN-AP-OrgPerson-01 | `http://id.elegnamnden.se/ap/1.0/org-person-01` | Organizational identity attribute set. | \[[EidAttributes](#eidattributes)\] | -| ELN-AP-eIDAS-NatPer-01 | `http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01` | Natural person identity for the eIDAS Framework. | \[[EidAttributes](#eidattributes)\] | -| DIGG-AP-HSAid-01 | `http://id.swedenconnect.se/ap/1.0/hsaid-01` | Natural Person Identity with HSA-ID | \[[EidAttributes](#eidattributes)\] | +| ELN-AP-Pseudonym-01 | `http://id.elegnamnden.se/ap/1.0/pseudonym-01` | Pseudonym identity attribute set. | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| ELN-AP-NaturalPerson-01 | `http://id.elegnamnden.se/ap/1.0/natural-person-01` | Personal identity without civic registration number attribute set. | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| ELN-AP-Pnr-01 | `http://id.elegnamnden.se/ap/1.0/pnr-01` | Personal identity with civic registration number attribute set. | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| ELN-AP-OrgPerson-01 | `http://id.elegnamnden.se/ap/1.0/org-person-01` | Organizational identity attribute set. | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| ELN-AP-eIDAS-NatPer-01 | `http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01` | Natural person identity for the eIDAS Framework. | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| DIGG-AP-HSAid-01 | `http://id.swedenconnect.se/ap/1.0/hsaid-01` | Natural Person Identity with HSA-ID | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | #### 3.1.3. Entity Category Identifiers @@ -296,20 +296,20 @@ Identifiers for entity categories representing alternative sets of requirements. | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/`
`ec/1.0/loa2-pnr` | Service consuming/providing assertions based on assurance level 2, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.elegnamnden.se/`
`ec/1.0/loa3-pnr` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | \[[EidEntityCat](#eidentitycat)\] | +| `http://id.elegnamnden.se/`
`ec/1.0/loa2-pnr` | Service consuming/providing assertions based on assurance level 2, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.elegnamnden.se/`
`ec/1.0/loa3-pnr` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | | `http://id.swedenconnect.se/`
`ec/sc/uncertified-loa3-pnr` | Service consuming/providing assertions based on uncertified-loa3, as defined above, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | | -| `http://id.elegnamnden.se/`
`ec/1.0/loa4-pnr` | Service consuming/providing assertions based on assurance level 4, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.elegnamnden.se/`
`ec/1.0/eidas-naturalperson` | Service consuming/providing assertions based on any eIDAS assurance level, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.elegnamnden.se/`
`ec/1.0/eidas-pnr-delivery` | Service providing assertions to eIDAS services via Swedish eIDAS-node | \[[EidEntityCat](#eidentitycat)\] | +| `http://id.elegnamnden.se/`
`ec/1.0/loa4-pnr` | Service consuming/providing assertions based on assurance level 4, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/pnr-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.elegnamnden.se/`
`ec/1.0/eidas-naturalperson` | Service consuming/providing assertions based on any eIDAS assurance level, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.elegnamnden.se/`
`ec/1.0/eidas-pnr-delivery` | Service providing assertions to eIDAS services via Swedish eIDAS-node | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | | `http://id.swedenconnect.se/`
`ec/1.0/loa3-hsaid` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.swedenconnect.se/ap/1.0/hsaid-01`. | | | `http://id.swedenconnect.se/`
`ec/sc/uncertified-loa3-hsaid` | Service consuming/providing assertions based on uncertified-loa3, as defined above, implementing the attribute set `http://id.swedenconnect.se/ap/1.0/hsaid-01`. | | -| `http://id.swedenconnect.se/`
`ec/1.0/loa2-orgid` | Service consuming/providing assertions based on assurance level 2, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/org-person-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/`
`ec/1.0/loa3-orgid` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/org-person-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/`
`ec/1.0/loa4-orgid` | Service consuming/providing assertions based on assurance level 4, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/org-person-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/`
`ec/1.0/loa2-name` | Service consuming/providing assertions based on assurance level 2, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/natural-person-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/`
`ec/1.0/loa3-name` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/natural-person-01`. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/`
`ec/1.0/loa4-name` | Service consuming/providing assertions based on assurance level 4, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/natural-person-01`. | \[[EidEntityCat](#eidentitycat)\] | +| `http://id.swedenconnect.se/`
`ec/1.0/loa2-orgid` | Service consuming/providing assertions based on assurance level 2, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/org-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/`
`ec/1.0/loa3-orgid` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/org-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/`
`ec/1.0/loa4-orgid` | Service consuming/providing assertions based on assurance level 4, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/org-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/`
`ec/1.0/loa2-name` | Service consuming/providing assertions based on assurance level 2, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/natural-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/`
`ec/1.0/loa3-name` | Service consuming/providing assertions based on assurance level 3, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/natural-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/`
`ec/1.0/loa4-name` | Service consuming/providing assertions based on assurance level 4, implementing the attribute set `http://id.elegnamnden.se/ap/1.0/natural-person-01`. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | ##### 3.1.3.2. Entity Categories for Service Properties @@ -318,8 +318,8 @@ Identifiers for defined service properties. | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/sprop/1.0/mobile-auth` | Service adapted to require/provide user authentication based on mobile devices. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.elegnamnden.se/sprop/1.0/scal2` | Service adapted to support authentication requests from signature services supporting Sole Control Assurance Level 2 (SCAL2). | \[[EidEntityCat](#eidentitycat)\] | +| `http://id.elegnamnden.se/sprop/1.0/mobile-auth` | Service adapted to require/provide user authentication based on mobile devices. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.elegnamnden.se/sprop/1.0/scal2` | Service adapted to support authentication requests from signature services supporting Sole Control Assurance Level 2 (SCAL2). | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | ##### 3.1.3.3. Entity Categories for Service Type @@ -328,9 +328,9 @@ Identifiers for defined service types. | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/st/1.0/sigservice` | Electronic signature service | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.elegnamnden.se/st/1.0/public-sector-sp` | Public sector Service Provider | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.elegnamnden.se/st/1.0/private-sector-sp` | Private sector Service Provider | \[[EidEntityCat](#eidentitycat)\] | +| `http://id.elegnamnden.se/st/1.0/sigservice` | Electronic signature service | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.elegnamnden.se/st/1.0/public-sector-sp` | Public sector Service Provider | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.elegnamnden.se/st/1.0/private-sector-sp` | Private sector Service Provider | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | ##### 3.1.3.4. Entity Categories for Service Contract @@ -339,7 +339,7 @@ Service Contract Entity Category identifiers are indented for performing service All Service Contract identifiers are prefixed with `http://id.swedenconnect.se/contract/`, where `org` is the identifier for the defining organization. -The Sweden Connect Framework specifications do not define any Service Contract identifiers. Instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements. +The Sweden Connect Framework specifications do not define any Service Contract identifiers, instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements. ##### 3.1.3.5. General Entity Categories @@ -350,9 +350,9 @@ General category identifiers are prefixed with `http://id.swedenconnect.se/gener | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.swedenconnect.se/general-ec/`
`1.0/secure-authenticator-binding` | Indicator that a secure authenticator binding is required, or supported. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/general-ec/`
`1.0/accepts-coordination-number` | Category for opt-in for the acceptance of Swedish coordination numbers in the personalIdentityNumber attribute. | \[[EidEntityCat](#eidentitycat)\] | -| `http://id.swedenconnect.se/general-ec/`
`1.0/supports-user-message` | Indicator that an Identity Provider supports the `UserMessage` authentication request extension, see \[[UserMessageExt](#user-message-ext)\]. | \[[EidEntityCat](#eidentitycat)\] | +| `http://id.swedenconnect.se/general-ec/`
`1.0/secure-authenticator-binding` | Indicator that a secure authenticator binding is required, or supported. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/general-ec/`
`1.0/accepts-coordination-number` | Category for opt-in for the acceptance of Swedish coordination numbers in the personalIdentityNumber attribute. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | +| `http://id.swedenconnect.se/general-ec/`
`1.0/supports-user-message` | Indicator that an Identity Provider supports the `UserMessage` authentication request extension, see \[[SC.SAML.UMsg](#sc-saml-umsg)\]. | \[[SC.SAML.EntCat](#sc-saml-entcat)\] | @@ -364,9 +364,9 @@ below extends the list of second-level status codes defined in section | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/status/1.0/cancel` | Status code representing a cancelled operation. | \[[EidDeploy](#eiddeploy)\] | -| `http://id.elegnamnden.se/status/1.0/fraud` | Status code indicating a fraudulent request. | \[[EidDeploy](#eiddeploy)\] | -| `http://id.elegnamnden.se/status/1.0/possibleFraud` | Status code indicating a possible fraudulent request. | \[[EidDeploy](#eiddeploy)\] | +| `http://id.elegnamnden.se/status/1.0/cancel` | Status code representing a cancelled operation. | \[[SC.SAML.Profile](#sc-saml-profile)\] | +| `http://id.elegnamnden.se/status/1.0/fraud` | Status code indicating a fraudulent request. | \[[SC.SAML.Profile](#sc-saml-profile)\] | +| `http://id.elegnamnden.se/status/1.0/possibleFraud` | Status code indicating a possible fraudulent request. | \[[SC.SAML.Profile](#sc-saml-profile)\] | #### 3.1.5. Central Signing @@ -377,9 +377,9 @@ Identifiers used in the protocol for requesting services form a central signing | :--- | :--- | :--- | | `http://id.elegnamnden.se/csig/1.0/dss-ext/ns` | **Deprecated**. XML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.0). | | | `http://id.elegnamnden.se/csig/1.0/eid2-dss/profile` | **Deprecated**. Implementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.0). | | -| `http://id.elegnamnden.se/csig/1.1/dss-ext/ns` | XML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.1). | \[[EidDSSExt](#eiddssext)\] | -| `http://id.elegnamnden.se/csig/1.1/dss-ext/profile` | Implementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.1). | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.elegnamnden.se/csig/1.1/sap/ns` | XML schema name space for the Signature Activation Protocol, extending version 1.1 of the DSS protocol extension | \[[EidSigSAP](#eidsigsap)\] | +| `http://id.elegnamnden.se/csig/1.1/dss-ext/ns` | XML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.1). | \[[SC.DSS.Ext](#sc-dss-ext)\] | +| `http://id.elegnamnden.se/csig/1.1/dss-ext/profile` | Implementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.1). | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.elegnamnden.se/csig/1.1/sap/ns` | XML schema name space for the Signature Activation Protocol, extending version 1.1 of the DSS protocol extension | \[[SC.SAP](#sc-sap)\] | #### 3.1.6. Authentication Context @@ -389,7 +389,7 @@ Identifiers associated with the Authentication Context X.509 extension | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | | `http://id.elegnamnden.se/auth-cont/1.0/saci` | XML schema namespace for SAML Authentication Context Information in the Authentication Context X.509 certificate extension | \[[RFC7773](#rfc7773)\] | -| `http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info` | XML schema namespace for Extended Authentication Information in the Authentication Context X.509 certificate extension | \[[CertProf](#certprof)\] | +| `http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info` | XML schema namespace for Extended Authentication Information in the Authentication Context X.509 certificate extension | \[[SC.Cert.Profile](#sc-cert-profile)\] | #### 3.1.7. Sign Response Status Codes @@ -398,13 +398,13 @@ Status code identifiers for the DSS Extension for Central Signing services. The | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/sig-status/1.0/req-expired` | The time window for the signature request has expired. | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.elegnamnden.se/sig-status/1.0/user-mismatch` | The authenticated user does not match the signer identity attributes in the request. | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.elegnamnden.se/sig-status/1.0/unsupported-loa` | The requested level of assurance for user authentication is not supported. | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.elegnamnden.se/sig-status/1.0/sigmessage-error` | A requirement to display sign message was included in the sign request, but the sign service could not establish that the sign message was displayed to the user. | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.elegnamnden.se/sig-status/1.0/user-cancel` | The end user cancelled the signature operation. | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.swedenconnect.se/sig-status/1.1/authn-failed` | The authentication during the signature operation failed. | \[[EidCSignProf](#eidcsignprof)\] | -| `http://id.swedenconnect.se/sig-status/1.1/security-violation` | The Signature Service, or Identity Provider authenticating the end user, has detected a security violation (such as a possible fraud). | \[[EidCSignProf](#eidcsignprof)\] | +| `http://id.elegnamnden.se/sig-status/1.0/req-expired` | The time window for the signature request has expired. | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.elegnamnden.se/sig-status/1.0/user-mismatch` | The authenticated user does not match the signer identity attributes in the request. | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.elegnamnden.se/sig-status/1.0/unsupported-loa` | The requested level of assurance for user authentication is not supported. | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.elegnamnden.se/sig-status/1.0/sigmessage-error` | A requirement to display sign message was included in the sign request, but the sign service could not establish that the sign message was displayed to the user. | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.elegnamnden.se/sig-status/1.0/user-cancel` | The end user cancelled the signature operation. | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.swedenconnect.se/sig-status/1.1/authn-failed` | The authentication during the signature operation failed. | \[[SC.DSS.Profile](#sc-dss-profile)\] | +| `http://id.swedenconnect.se/sig-status/1.1/security-violation` | The Signature Service, or Identity Provider authenticating the end user, has detected a security violation (such as a possible fraud). | \[[SC.DSS.Profile](#sc-dss-profile)\] | #### 3.1.8. Name Registration Authorities @@ -413,7 +413,7 @@ Some protocols require a URI identifier to uniquely identify the entity responsi | **URL** | **Object** | **Reference** | | :--- | :--- | :--- | -| `http://id.elegnamnden.se/eln/name-registration-authority` | Identifying the Swedish e-Identification Board* as name registration authority, responsible for a particular namespace. | \[[CertProf](#certprof)\] | +| `http://id.elegnamnden.se/eln/name-registration-authority` | Identifying the Swedish e-Identification Board* as name registration authority, responsible for a particular namespace. | \[[SC.Cert.Profile](#sc-cert-profile)\] | > \[*\]: This also covers the Swedish Agency for Digital Government (Digg) which has overtaken the Swedish E-identification Board's assignments. @@ -425,7 +425,7 @@ This section defines identifiers used within the Sweden Connect Framework to int ##### 3.1.9.1. eIDAS Proxy Service Aliases -Each country within the eIDAS federation provides an eIDAS Proxy Service that is a Proxy Identity Provider for the authentication services within that specific country. The entityID identifier for an eIDAS Proxy Service in another country is not known to a Swedish Service Provider, but there are cases in which the Swedish Service Provider needs to refer to a specific eIDAS Proxy Service. Therefore, this specification defines an URI identifier format for eIDAS Proxy Service aliases. The format is as follows: +Each country within the eIDAS federation provides an eIDAS Proxy Service that is a Proxy Identity Provider for the authentication services within that specific country. The entityID identifier for an eIDAS Proxy Service in another country is not known to a Swedish Service Provider, but there are cases in which the Swedish Service Provider needs to refer to a specific eIDAS Proxy Service. Therefore, this specification defines a URI identifier format for eIDAS Proxy Service aliases. The format is as follows: **`http://id.swedenconnect.se/eidas/1.0/proxy-service/{country-code}`** @@ -449,7 +449,7 @@ where `{country-code}` is the country identifier in ISO 3166-1 alpha-2 format \[ ##### 3.1.9.3. Identity Binding Processes -Section 3.3.2 of \[[EidAttributes](#eidattributes)\] describes how the `personalIdentityNumberBinding` attribute is assigned with one or more "Identity Binding Process URI:s" after an identity binding. The possible values are: +Section 3.3.2 of \[[SC.SAML.Attrs](#sc-saml-attrs)\] describes how the `personalIdentityNumberBinding` attribute is assigned with one or more "Identity Binding Process URI:s" after an identity binding. The possible values are: | **URI** | **Object** | **Reference** | | :--- | :--- | :--- | @@ -479,22 +479,22 @@ The following OIDs are defined in the ASN.1 declarations in [3.2.1](#asn1-declar | 1.2.752.201.5.1 | Authentication Context Extension | \[[RFC7773](#rfc7773)\] | | 1.2.752.201.5.2 | Signature Validation Token Extension | \[[SVT-PDF](#svt-pdf)\] | | 1.2.752.201.2.1 | Object identifier for the Signature Validation Token RFC 3161 timestamp policy | | -| 1.2.752.201.3.1 | Organization Affiliation Attribute | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.2 | Transaction Identifier | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.3 | Authentication Context Parameters | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.4 | Provisional ID | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.5 | Provisional ID Persistence Indicator | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.6 | Personal Identity Number Binding URI | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.7 | eIDAS Person Identifier | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.8 | Birth name | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.9 | eIDAS Natural Person Address | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.10 | User Certificate | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.11 | User Signature | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.12 | Signature Activation Data | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.13 | Authentication Server Signature | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.14 | Sign Message Digest | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.15 | Previous Personal Identity Number | \[[EidAttributes](#eidattributes)\] | -| 1.2.752.201.3.16 | Mapped Personal Identity Number | \[[EidAttributes](#eidattributes)\] | +| 1.2.752.201.3.1 | Organization Affiliation Attribute | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.2 | Transaction Identifier | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.3 | Authentication Context Parameters | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.4 | Provisional ID | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.5 | Provisional ID Persistence Indicator | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.6 | Personal Identity Number Binding URI | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.7 | eIDAS Person Identifier | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.8 | Birth name | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.9 | eIDAS Natural Person Address | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.10 | User Certificate | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.11 | User Signature | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.12 | Signature Activation Data | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.13 | Authentication Server Signature | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.14 | Sign Message Digest | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.15 | Previous Personal Identity Number | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | +| 1.2.752.201.3.16 | Mapped Personal Identity Number | \[[SC.SAML.Attrs](#sc-saml-attrs)\] | #### 3.2.1. ASN.1 Declarations @@ -561,49 +561,49 @@ Object Identifier Registry for Sweden Connect* > [Digital Signature Service Core Protocols, Elements, and Bindings > Version 1.0.](http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-spec-v1.0-os.html) - -**\[TillitRamv\]** + +**\[SE.Trust\]** > [Tillitsramverket för Svensk e-legitimation](https://www.digg.se/digitala-tjanster/e-legitimering/tillitsnivaer-for-e-legitimering/tillitsramverk-for-svensk-e-legitimation). **\[RFC7773\]** > [RFC7773: Authentication Context Certificate Extension](https://tools.ietf.org/html/rfc7773). - -**\[EidDeploy\]** + +**\[SC.SAML.Profile\]** > [Deployment Profile for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html). - -**\[EidEntityCat\]** + +**\[SC.SAML.EntCat\]** > [Entity Categories for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html). - -**\[EidDSSExt\]** + +**\[SC.SAML.Attrs\]** +> [Attribute Specification for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html). + + +**\[SC.SAML.UMsg\]** +> [User Message Extension in SAML Authentication Requests](https://docs.swedenconnect.se/technical-framework/latest/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html). + + +**\[SC.DSS.Ext\]** > [DSS Extension for Federated Central Signing Services](https://docs.swedenconnect.se/technical-framework/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html). - -**\[EidSigSAP\]** + +**\[SC.SAP\]** > [Signature Activation Protocol for Federated Signing](https://docs.swedenconnect.se/technical-framework/latest/13_-_Signature_Activation_Protocol.html). - -**\[EidCSignProf\]** + +**\[SC.DSS.Profile\]** > [Implementation Profile for Using OASIS DSS in Central Signing Services](https://docs.swedenconnect.se/technical-framework/latest/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html). - -**\[CertProf\]** + +**\[SC.Cert.Profile\]** > [Certificate profile for certificates issued by Central Signing services](https://docs.swedenconnect.se/technical-framework/latest/08_-_Certificate_Profile_for_Central_Signing_Services.html) - -**\[EidAttributes\]** -> [Attribute Specification for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html). - - -**\[UserMessageExt\]** -> [User Message Extension in SAML Authentication Requests](https://docs.swedenconnect.se/technical-framework/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html). - **\[ID-Binding\]** -> [Binding eIDAS Identities to Records in the Swedish Population Register](https://docs.swedenconnect.se/technical-framework/Identity_Binding.html) +> [Binding eIDAS Identities to Records in the Swedish Population Register](https://docs.swedenconnect.se/technical-framework/Identity_Binding.html) **\[SVT-PDF\]** @@ -638,7 +638,7 @@ Object Identifier Registry for Sweden Connect* - Section, 3.1.3.5, "General Entity Categories", was introduced and `http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding` and `http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number` was added. -- In section 3.2, an object identifier (OID) for Signature Validation Token extension was added and one OID for a SVT timestamp policy. +- In section 3.2, an object identifier (OID) for Signature Validation Token extension was added and one OID for an SVT timestamp policy. - Added service entity categories `http://id.swedenconnect.se/ec/1.0/loa3-orgid` and `http://id.swedenconnect.se/ec/1.0/loa3-name` to section 3.1.3.1. diff --git a/04 - Attribute Specification for the Swedish eID Framework.md b/04 - Attribute Specification for the Swedish eID Framework.md index e19dcb8..6434e9e 100644 --- a/04 - Attribute Specification for the Swedish eID Framework.md +++ b/04 - Attribute Specification for the Swedish eID Framework.md @@ -1,21 +1,21 @@ -

- - -

-

- -

+

+ + +

+

+ +

# Attribute Specification for the Swedish eID Framework - -### Version 1.8 - 2024-12-04 - *Draft version* - -Registration number: **2019-310** - ---- - -

-Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. + +### Version 1.8 - 2024-12-04 + +Registration number: **2019-310** + +--- + +

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.

## Table of Contents @@ -24,7 +24,7 @@ Copyright © The Swedish Agency for Digital Go 1.1. [Terminology](#terminology) - 1.2. [Requirement key words](#requirement-key-words) + 1.2. [Requirement keywords](#requirement-keywords) 1.3. [Name space references](#name-space-references) @@ -40,19 +40,19 @@ Copyright © The Swedish Agency for Digital Go 2.4. [Organizational Identity for Natural Persons](#organizational-identity-for-natural-persons) - 2.5. [eIDAS Natural Person Attribute Set](#eidas-natural-person-attribute-set) - + 2.5. [eIDAS Natural Person Attribute Set](#eidas-natural-person-attribute-set) + 2.6. [Natural Person Identity with HSA-ID](#natural-person-identity-with-hsa-id) 3. [**Attribute Definitions**](#attribute-definitions) - 3.1. [Attributes](#attributes) - - 3.1.1. [Attribute String Values](#attribute-string-values) - - 3.1.2. [Multi-valued Attributes](#multi-valued-attributes) - - 3.1.3. [Scoped Attributes](#scoped-attributes) + 3.1. [Attributes](#attributes) + + 3.1.1. [Attribute String Values](#attribute-string-values) + + 3.1.2. [Multi-valued Attributes](#multi-valued-attributes) + + 3.1.3. [Scoped Attributes](#scoped-attributes) 3.2. [SAML Attribute Format](#saml-attribute-format) @@ -62,16 +62,16 @@ Copyright © The Swedish Agency for Digital Go 3.2.3. [The sad Attribute](#the-sad-attribute) - 3.2.4. [The signMessageDigest Attribute](#the-signmessagedigest-attribute) - - 3.2.5. [The orgAffiliation Attribute](#the-orgaffiliation-attribute) - + 3.2.4. [The signMessageDigest Attribute](#the-signmessagedigest-attribute) + + 3.2.5. [The orgAffiliation Attribute](#the-orgaffiliation-attribute) + 3.2.6. [The previousPersonalIdentityNumber Attribute](#the-previouspersonalidentitynumber-attribute) 3.3. [Attributes for the eIDAS Framework](#attributes-for-the-eidas-framework) 3.3.1. [The prid and pridPersistence Attributes](#the-prid-and-pridpersistence-attributes) - + 3.3.2. [The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes](#the-mappedpersonalidentitynumber-and-personalidentitynumberbinding-attribute) 3.3.3. [Conversion of eIDAS Attributes](#conversion-of-eidas-attributes) @@ -105,10 +105,10 @@ release requirements. | **Natural person** | Natural person is legal term for a real human being, as opposed to a legal person, which may be a private (i.e., business entity) or public (i.e., government) organization. | | **Civic registration number** | A unique identifier assigned to each natural person in a national population register. Within the context of this specification this is a Swedish ”personnummer” or ”samordningsnummer” according to \[SKV704\] and \[SKV707\]. | - -### 1.2. Requirement key words + +### 1.2. Requirement keywords -The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, +The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in \[[RFC2119](#rfc2119)\]. @@ -122,7 +122,7 @@ not capitalized, they are meant in their natural-language sense. Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, -whether or not a namespace declaration is present in the example: +whether a namespace declaration is present in the example: | Prefix | XML Namespace | Comments | | :---- | :---- | :---- | @@ -143,7 +143,7 @@ be present more than once. An attribute that has more than one value MUST be provided as one attribute with multiple `` sub-elements in accordance with [section 3.1](#attributes). -An identifier, named “Attribute Set Identifier”, and an URI, are defined +An identifier, named “Attribute Set Identifier”, and a URI, are defined for each attribute set as means for other documents to reference specific attribute sets. @@ -156,7 +156,7 @@ the provider. **Note**: An Attribute Provider may also release other attributes, not specified by the defined attribute sets it supports. See further section 6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish -eID Framework” (\[[EidDeployProf](#eiddeployprof)\]). +eID Framework” (\[[SC.SAML.Profile](#sc-saml-profile)\]). In order to comply with a defined attribute set, the following attribute requirements apply: @@ -195,7 +195,7 @@ The “Personal Identity without Civic Registration Number” attribute set prov | :--- | :--- | | **REQUIRED** | `sn` (Surname)
`givenName` (Given name)
`displayName` (Display name) | -**Typical use**: In an attribute release policy that provides basic user name information together with a persistent `NameID` identifier in the assertion. +**Typical use**: In an attribute release policy that provides basic username information together with a persistent `NameID` identifier in the assertion. ### 2.3. Natural Personal Identity with Civic Registration Number @@ -210,7 +210,7 @@ The “Personal Identity with Civic Registration Number” attribute set provide | **REQUIRED** | `sn` (Surname)
`givenName` (Given name)
`displayName` (Display name)
`personalIdentityNumber` (National civic registration number) | | **RECOMMENDED** | `dateOfBirth` (Date of birth) | -**Typical use**: In an attribute release policy that provides basic user name information together with the person’s Swedish civic registration number. +**Typical use**: In an attribute release policy that provides basic username information together with the person’s Swedish civic registration number. ### 2.4. Organizational Identity for Natural Persons @@ -226,15 +226,15 @@ The “Organizational Identity for Natural Persons” attribute set provides bas | **REQUIRED** | `displayName` (Display name)\*
`orgAffiliation` (Personal identifier and organizational identifier code)\*\*
`o` (Organization name) | | **RECOMMENDED** | `organizationIdentifier` (Organizational identifier code)\*\*\* | -**Typical use**: In an attribute release policy that provides basic organizational identity information about a natural person. - -The "Organizational Identity for Natural Persons" attribute set defines a minimum set of attributes needed to provide organizational identity information about a person. Should an attribute consumer require additional attributes, such as surname and given name, the personal identity number or an organizational unit name, this can be achieved by either requesting other attribute sets or by explicitly requesting individual attributes. See further section 6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish eID Framework” (\[[EidDeployProf](#eiddeployprof)\]). - -> \[*\]: The `displayName` attribute MAY contain personal information such as the given name or surname, but it MAY also be used as an anonymized display name, for example, "Administrator 123". This is decided by the issuing organization. - -> \[\*\*\]: See section [3.2.5](#the-orgaffiliation-attribute). - -> \[\*\*\*]: The organizational identifier can always be derived from the mandatory `orgAffiliation` attribute, but an attribute provider supporting the "Organizational Identity for Natural Persons" attribute set SHOULD also release the `organizationIdentifier` attribute individually. +**Typical use**: In an attribute release policy that provides basic organizational identity information about a natural person. + +The "Organizational Identity for Natural Persons" attribute set defines a minimum set of attributes needed to provide organizational identity information about a person. Should an attribute consumer require additional attributes, such as surname and given name, the personal identity number or an organizational unit name, this can be achieved by either requesting other attribute sets or by explicitly requesting individual attributes. See further section 6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish eID Framework” (\[[SC.SAML.Profile](#sc-saml-profile)\]). + +> \[*\]: The `displayName` attribute MAY contain personal information such as the given name or surname, but it MAY also be used as an anonymized display name, for example, "Administrator 123". This is decided by the issuing organization. + +> \[\*\*\]: See section [3.2.5](#the-orgaffiliation-attribute). + +> \[\*\*\*]: The organizational identifier can always be derived from the mandatory `orgAffiliation` attribute, but an attribute provider supporting the "Organizational Identity for Natural Persons" attribute set SHOULD also release the `organizationIdentifier` attribute individually. ### 2.5. eIDAS Natural Person Attribute Set @@ -263,7 +263,7 @@ provider has access to enough information to provide a binding between eIDAS attributes and a Swedish identity number (see [section 3.3.2](#the-mappedpersonalidentitynumber-and-personalidentitynumberbinding-attribute)). -The eIDAS attribute set comprises of “added” and “converted” attributes. +The eIDAS attribute set consists of “added” and “converted” attributes. **Added attributes**: Attributes that are not provided by the member state node, but added by the @@ -289,23 +289,24 @@ examples of “converted attributes”. > \[\*\*\]: The transaction identifier attribute will contain the unique ID of the assertion that was issued by the member state node. This information together with the entityID of the member state node (found in the `` element of an assertion) give a reference to the original assertion and authentication process. -> \[\*\*\*\]: Converted attributes for the optional attributes of the eIDAS minimum data set for natural persons. - - -### 2.6. Natural Person Identity with HSA-ID - +> \[\*\*\*\]: Converted attributes for the optional attributes of the eIDAS minimum data set for natural persons. + + +### 2.6. Natural Person Identity with HSA-ID + Attribute set identifier: **DIGG-AP-HSAid-01** URI: `http://id.swedenconnect.se/ap/1.0/hsaid-01` -The “Natural Person Identity with HSA-ID” attribute set provides basic personal identity information including a HSA-ID of the subject (see \[[SambiAttr](#sambiattr)\]). +The “Natural Person Identity with HSA-ID” attribute set provides basic personal identity information including an HSA-ID of the subject (see \[[SambiAttr](#sambiattr)\]). | Attribute requirement | Attributes | | :--- | :--- | -| **REQUIRED** | `sn` (Surname)
`givenName` (Given name)
`displayName` (Display name)
`employeeHsaId` (HSA-ID) | +| **REQUIRED** | `sn` (Surname)
`givenName` (Given name)
`displayName` (Display name)
`employeeHsaId` (HSA-ID) | | **RECOMMENDED** | `dateOfBirth` (Date of birth) | -**Typical use**: In an attribute release policy that provides basic user name information together with the person’s HSA-ID. +**Typical use**: In an attribute release policy that provides basic username information together with the person’s HSA-ID. + ## 3. Attribute Definitions @@ -321,7 +322,7 @@ The following attributes are defined for use within the attribute profile for th | givenName | urn:oid:2.5.4.42 | Given Name | Registered given name. | No | No | Valfrid | | displayName | urn:oid:2.16.840.1.
113730.3.1.241 | Display Name | A name in any preferred presentation format. | No | No | Valfrid Lindeman | | gender | urn:oid:1.3.6.1.5.5.7.9.3 | Gender | A one letter representation (“M”/”F”/”U” or “m”/“f”/”u”) representing the subject’s gender, where “M” represents male, “F” represents female and “U” is used for unspecified, or unknown, gender. | No | No | M | -| personalIdentity-
Number | urn:oid:1.2.752.29.4.13 | National civic registration number/code | Swedish ”personnummer” or ”samordningsnummer” according to [SKV 704](#skv704) and [SKV 707](#skv707). 12 digits without hyphen. | No | No | 195006262546 | +| personalIdentity-
Number | urn:oid:1.2.752.29.4.13 | National civic registration number/code | Swedish ”personnummer” or ”samordningsnummer” according to [SKV 704](#skv704) and [SKV 707](#skv707). 12 digits without hyphen. | No | No | 195006262546 | | previousPersonal-
IdentityNumber | urn:oid:1.2.752.201.3.15 | A user's previous national civic registration number, see [section 3.2.6](#the-previouspersonalidentitynumber-attribute) below. | See `personalIdentityNumber` above. | No | No | 197010632391 | | dateOfBirth | urn:oid:1.3.6.1.5.5.7.9.1 | Date of birth | Date of birth expressed using the format YYYY-MM-DD. | No | No | 1950-06-26 | | birthName | urn:oid:1.2.752.201.3.8 | Name at the time of birth | Full name of a person at birth. | No | No | Valfrid Danielsson | @@ -349,36 +350,36 @@ The following attributes are defined for use within the attribute profile for th | signMessageDigest | urn:oid:1.2.752.201.3.14 | Sign message digest | Included in assertions as a proof that a user sign message was displayed. | No | No | See [section 3.2.4](#the-signmessagedigest-attribute) below. | | prid | urn:oid:1.2.752.201.3.4 | Provisional identifier | Unique identifier for an authentication performed against the eIDAS Framework. See [section 3.3.1](#the-prid-and-pridpersistence-attributes) below. | No | No | NO:5068907693 | | pridPersistence | urn:oid:1.2.752.201.3.5 | Provisional identifier persistence indicator | Indicator for the expected persistence of the prid attribute. See [section 3.3.1](#the-prid-and-pridpersistence-attributes) below. | No | No | A | -| personalIdentity-
NumberBinding | urn:oid:1.2.752.201.3.6 | National civic registration number/code binding URI | URI(s) identifying the binding process(es) performed of the `mappedPersonalIdentityNumber` attribute added by eIDAS connector. See [section 3.3.2](#the-mappedpersonalidentitynumber-and-personalidentitynumberbinding-attribute) below. | No | No | `http://id.swedenconnect.se/`
`id-binding/process/populationregister` | +| personalIdentity-
NumberBinding | urn:oid:1.2.752.201.3.6 | National civic registration number/code binding URI | URI(s) identifying the binding process(es) performed of the `mappedPersonalIdentityNumber` attribute added by eIDAS connector. See [section 3.3.2](#the-mappedpersonalidentitynumber-and-personalidentitynumberbinding-attribute) below. | No | No | `http://id.swedenconnect.se/`
`id-binding/process/populationregister` | | mappedPersonal-
IdentityNumber | urn:oid:1.2.752.201.3.16 | Mapped national civic registration number | A "mapped" personalIdentityNumber, see [section 3.3.2](#the-mappedpersonalidentitynumber-and-personalidentitynumberbinding-attribute). | No | No | 195006262546 | | eidasPersonIdentifier | urn:oid:1.2.752.201.3.7 | eIDAS uniqueness identifier for natural persons | Maps the eIDAS PersonIdentifier attribute to a string attribute within the scope of the Swedish eID Framework attribute set. | No | No | ES/AT/02635542Y (Spanish eID number for an Austrian SP) | -| eidasNatural-
PersonAddress | urn:oid:1.2.752.201.3.9 | eIDAS Natural Person Address | Attribute for converting the eIDAS CurrentAddress attribute into an attribute having a string type value. | No | No | See [section 3.3.3.1](#conversion-of-eidas-currentaddress) below. | -| employeeHsaId | urn:oid:1.2.752.29.6.2.1 | HSA-ID | Person identifier used by Swedish health care organizations. | No | No | See \[[SambiAttr](#sambiattr)\]. | - -> \[\*\]: The `mail` attribute should be regarded as a scoped attribute (see [3.1.3](#scoped-attributes) below) if the attribute release policy in use has stated it as scoped. Such a policy can for example be that the attribute is part of an attribute set (see [section 2](#attribute-sets)) that documents the attribute as scoped. In all other cases the attribute is regarded as non-scoped. - - -#### 3.1.1. Attribute String Values +| eidasNatural-
PersonAddress | urn:oid:1.2.752.201.3.9 | eIDAS Natural Person Address | Attribute for converting the eIDAS CurrentAddress attribute into an attribute having a string type value. | No | No | See [section 3.3.3.1](#conversion-of-eidas-currentaddress) below. | +| employeeHsaId | urn:oid:1.2.752.29.6.2.1 | HSA-ID | Person identifier used by Swedish health care organizations. | No | No | See \[[SambiAttr](#sambiattr)\]. | -All attributes, unless stated otherwise in this table, holds string values using the UTF-8 character set using the `xs:string` data type. Certain attributes such as `mail`, `personalIdentityNumber`, `organizationIdentifier`, `telephoneNumber` and `mobile` use a restricted character set according to its defined usage within this specification. +> \[\*\]: The `mail` attribute should be regarded as a scoped attribute (see [3.1.3](#scoped-attributes) below) if the attribute release policy in use has stated it as scoped. Such a policy can for example be that the attribute is part of an attribute set (see [section 2](#attribute-sets)) that documents the attribute as scoped. In all other cases the attribute is regarded as non-scoped. + + +#### 3.1.1. Attribute String Values + +All attributes, unless stated otherwise in this table, hold string values using the UTF-8 character set using the `xs:string` data type. Certain attributes such as `mail`, `personalIdentityNumber`, `organizationIdentifier`, `telephoneNumber` and `mobile` use a restricted character set according to its defined usage within this specification. All attributes use the “caseIgnoreMatch” matching rule as defined by X.520 \[[X.520](#x520)\]. That is, case-insensitive comparison where insignificant spaces are ignored. - - -#### 3.1.2. Multi-valued Attributes - -Attributes with a “No” value in the column "Multi-valued" MUST NOT have more than one `` sub-element. Attributes with a “Yes” value in the column "Multi-valued" MAY have one or more `` sub-elements. - - -#### 3.1.3. Scoped Attributes - -Attributes with a "Yes" value in the column "Scoped" are scoped attributes. A scoped attribute expresses values in a string-valued attribute of the form `value@scope`, where `scope` takes the form of a domain name or something similar such as an organizational identifier. - -An Identity Provider wishing to release scoped attributes must register the scopes with the federation operator. After the federation operator has authorized the Identity Provider for the given scopes, they are declared in the Identity Provider's metadata entry. See section 2.1.3.1 of \[[EidDeployProf](#eiddeployprof)\] for details. - -A Service Provider consuming a scoped attribute SHOULD assert that the issuing Identity Provider is authorized to issue attributes with the given scope by checking the Identity Provider's metadata entry as described in section 6.2.1 of \[[EidDeployProf](#eiddeployprof)\]. - -**Note:** The `value` part of a scoped attribute MAY contain a `@`-character, for example when the value part is an email address, or a User Principal Name (UPN). Therefore, consumers of scoped attributes MUST use the last `@`-character as a delimiting character when splitting a scoped attribute into its `value` and `scope` parts. + + +#### 3.1.2. Multi-valued Attributes + +Attributes with a “No” value in the column "Multi-valued" MUST NOT have more than one `` sub-element. Attributes with a “Yes” value in the column "Multi-valued" MAY have one or more `` sub-elements. + + +#### 3.1.3. Scoped Attributes + +Attributes with a "Yes" value in the column "Scoped" are scoped attributes. A scoped attribute expresses values in a string-valued attribute of the form `value@scope`, where `scope` takes the form of a domain name or something similar such as an organizational identifier. + +An Identity Provider wishing to release scoped attributes must register the scopes with the federation operator. After the federation operator has authorized the Identity Provider for the given scopes, they are declared in the Identity Provider's metadata entry. See section 2.1.3.1 of \[[SC.SAML.Profile](#sc-saml-profile)\] for details. + +A Service Provider consuming a scoped attribute SHOULD assert that the issuing Identity Provider is authorized to issue attributes with the given scope by checking the Identity Provider's metadata entry as described in section 6.2.1 of \[[SC.SAML.Profile](#sc-saml-profile)\]. + +**Note:** The `value` part of a scoped attribute MAY contain a `@`-character, for example when the value part is an email address, or a User Principal Name (UPN). Therefore, consumers of scoped attributes MUST use the last `@`-character as a delimiting character when splitting a scoped attribute into its `value` and `scope` parts. ### 3.2. SAML Attribute Format @@ -435,7 +436,7 @@ process. The `authServerSignature` may be included in assertions in cases where there are requirements to include a digitally signed proof from the authentication server at which the end user authenticated. This is mainly useful in cases where the SAML Identity Provider delegates end user authentication to a subordinate authentication server. -> \[*\]: Note that an authentication process, may be “authentication for signature” as specified in section 7 of \[[EidDeployProf](#eiddeployprof)\]. +> \[*\]: Note that an authentication process, may be “authentication for signature” as specified in section 7 of \[[SC.SAML.Profile](#sc-saml-profile)\]. #### 3.2.3. The sad Attribute @@ -444,7 +445,7 @@ The `sad` attribute holds Signature Activation Data that is required by a signature service in order to service a signature request in accordance with CEN EN 419 241-2. The `sad` attribute holds a single string attribute value. The format of the string value is defined in the "Signature Activation Protocol -for Federated Signing" specification \[[SigSAP](#sigsap)\]. +for Federated Signing" specification \[[SC.SAP](#sc-sap)\]. #### 3.2.4. The signMessageDigest Attribute @@ -452,15 +453,15 @@ for Federated Signing" specification \[[SigSAP](#sigsap)\]. The `signMessageDigest` attribute is included in an assertion as a proof that an Identity Provider displayed a sign message for the user and that the user actively confirmed acceptance of this sign message. This sign message is the `SignMessage` extension that may be included in an authentication request by Signature Service -Service Providers. See section 7 of \[[EidDeployProf](#eiddeployprof)\] for details. +SP:s. See section 7 of \[[SC.SAML.Profile](#sc-saml-profile)\] for details. The attribute value format for the `signMessageDigest` attribute is `digest-algorithm-identifier;sign-message-digest`, where `digest-algorithm-identifier` is the XML Security algorithm URI identifier of the selected digest algorithm and -`sign-message-digest` is `base64(digest(msg))`. The `msg` is the UTF-8 encoded bytes of the sign message that was displayed. It equals the `csig:Message` element value of the `csig:SignMessage` (\[[DSSExt](#dssext)\]). Thus, if the `csig:Message` element is encrypted into a `csig:EncryptedMessage`, the element value after decryption should be used. +`sign-message-digest` is `base64(digest(msg))`. The `msg` is the UTF-8 encoded bytes of the sign message that was displayed. It equals the `csig:Message` element value of the `csig:SignMessage` (\[[SC.DSS.Ext](#dssext)\]). Thus, if the `csig:Message` element is encrypted into a `csig:EncryptedMessage`, the element value after decryption should be used. Entities compliant with this specification MUST use `http://www.w3.org/2001/04/xmlenc#sha256` as the digest algorithm, unless the recipient of the `signMessageDigest` attribute has declared another digest algorithm as preferred in its -metadata entry (see section 2.1.1.3 of [[EidDeployProf](#eiddeployprof)\]). In those cases this algorithm MAY be used. +metadata entry (see section 2.1.1.3 of [[SC.SAML.Profile](#sc-saml-profile)\]). In those cases this algorithm MAY be used. **Example:** @@ -486,43 +487,43 @@ The `signMessageDigest` attribute for the above example will then be: ``` - - -#### 3.2.5. The orgAffiliation Attribute - -The `orgAffiliation` attribute is intended to be used as a primary identity attribute for personal organizational identities. It consists of a personal identifier **and** an organizational identifier code (`organizationIdentifier`). - -This specification does not impose any specific requirements concerning the personal identifier part of the attribute other than that it MUST be unique for the given organization. - -**Note**: In the general case, an attribute consumer MUST NOT assume a particular format or meaning of the personal identifier part since different organizations may use different formats. An attribute consumer should also be aware that a personal identifier separated from its organizational identifier code can not be regarded as unique. - -**Note**: The `orgAffiliation` is a [scoped attribute](#scoped-attributes) meaning that producing and consuming such an attribute MUST follow the rules given in sections 2.1.3.1 and 6.2.1 of \[[EidDeployProf](#eiddeployprof)\]. - - -#### 3.2.6. The previousPersonalIdentityNumber Attribute - -The `personalIdentityNumber` attribute can contain a Swedish personal identity number (personnummer), \[[SKV704](#skv704)\], or a Swedish coordination number (samordningsnummer), \[[SKV707](#skv707)\]. All individuals born in Sweden or moving to Sweden with the intention -of staying one year or longer is assigned a personal identity number and registered in the -population register. A coordination number may be assigned to a person that is not registered, -but has the need to communicate with various government authorities, healthcare institutions, -higher education and banks. - -In some cases a person may hold a coordination number during a period before he or she is -assigned a personal identity number. A typical use case is a person that seeks asylum and -later is given a residence permit. In this case the person first may hold a coordination number -and if a residence permit is given a personal identity number will be assigned. - -For a service provider this may lead to problems since the primary identifier for a person -has changed. A login with the newly assigned identifier will not match the user account -previously used by this individual. - -This profile defines the `previousPersonalIdentityNumber` attribute to enable matching a -previously held identity number to a newly assigned identity number. The `previousPersonalIdentityNumber` attribute is typically released together with the "new" -`personalIdentityNumber` attribute in order to facilitate account matching at a service provider. - -This attribute is not part of any attribute sets defined in the profile. Attribute consumers -wishing to receive the attribute should declare the these requirement in their metadata entries -(using a `` element). + + +#### 3.2.5. The orgAffiliation Attribute + +The `orgAffiliation` attribute is intended to be used as a primary identity attribute for personal organizational identities. It consists of a personal identifier **and** an organizational identifier code (`organizationIdentifier`). + +This specification does not impose any specific requirements concerning the personal identifier part of the attribute other than that it MUST be unique for the given organization. + +**Note**: In the general case, an attribute consumer MUST NOT assume a particular format or meaning of the personal identifier part since different organizations may use different formats. An attribute consumer should also be aware that a personal identifier separated from its organizational identifier code can not be regarded as unique. + +**Note**: The `orgAffiliation` is a [scoped attribute](#scoped-attributes) meaning that producing and consuming such an attribute MUST follow the rules given in sections 2.1.3.1 and 6.2.1 of \[[SC.SAML.Profile](#sc-saml-profile)\]. + + +#### 3.2.6. The previousPersonalIdentityNumber Attribute + +The `personalIdentityNumber` attribute can contain a Swedish personal identity number (personnummer), \[[SKV704](#skv704)\], or a Swedish coordination number (samordningsnummer), \[[SKV707](#skv707)\]. All individuals born in Sweden or moving to Sweden with the intention +of staying one year or longer is assigned a personal identity number and registered in the +population register. A coordination number may be assigned to a person that is not registered, +but has the need to communicate with various government authorities, healthcare institutions, +higher education and banks. + +In some cases a person may hold a coordination number during a period before he or she is +assigned a personal identity number. A typical use case is a person that seeks asylum and +later is given a residence permit. In this case the person first may hold a coordination number +and if a residence permit is given a personal identity number will be assigned. + +For a service provider this may lead to problems since the primary identifier for a person +has changed. A login with the newly assigned identifier will not match the user account +previously used by this individual. + +This profile defines the `previousPersonalIdentityNumber` attribute to enable matching a +previously held identity number to a newly assigned identity number. The `previousPersonalIdentityNumber` attribute is typically released together with the "new" +`personalIdentityNumber` attribute in order to facilitate account matching at a service provider. + +This attribute is not part of any attribute sets defined in the profile. Attribute consumers +wishing to receive the attribute should declare the these requirement in their metadata entries +(using a `` element). ### 3.3. Attributes for the eIDAS Framework @@ -533,7 +534,7 @@ wishing to receive the attribute should declare the these requirement in their m Assertions (with attribute statements) issued from a member state eIDAS node contain a set of attributes identifying the authenticated subject. Attributes obtained from other conformant eIDAS nodes will provide an -eIDAS unique identifier but it can not be ruled out that the Swedish +eIDAS unique identifier, but it can not be ruled out that the Swedish eIDAS node may be adopted to accept authentication from non eIDAS compliant nodes, such as when accepting authentication from countries outside of EU such as the USA. @@ -547,7 +548,7 @@ the user in a common format regardless of the composition of the original attributes received from the authenticating source. The `prid` attribute value is not stored in any registry, but derived from the received attributes at each authentication instant according to defined -algorithms specified in \[[ConstructedAttr](#constructedattr)\]. The algorithm ensures that +algorithms specified in \[[SC.Constructed](#sc-constructed)\]. The algorithm ensures that each `prid` is unique for each authenticated entity, but does not ensure persistence. If the attributes received for an entity changes over time, the `prid` attribute may also change dependent on the defined `prid` @@ -565,31 +566,35 @@ This may assist users with low persistence expectancy to regain control of their user account, should their `prid` change in the future. The specification “eIDAS Constructed Attributes Specification for the -Swedish eID Framework”, \[[ConstructedAttr](#constructedattr)\], declares the details for +Swedish eID Framework”, \[[SC.Constructed](#sc-constructed)\], declares the details for how the `prid` and `pridPersistence` attributes are generated and how they should be processed. #### 3.3.2. The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes - -When an authentication for a natural person is performed against the eIDAS Framework, the Swedish eIDAS connector will query the Identity Binding Service -for a binding between the attributes found in the assertion received from the foreign -eIDAS-node and a Swedish personal identity number. If such a mapping exists, and the user consents to it being used, the assertion will be extended with a `mappedPersonalIdentityNumber` attribute holding the "mapped" Swedish civic registration number ("personnummer" or "samordningsnummer"). This mapping, or binding, can be performed using a number of different processes, each identified by a URI. Therefore, if the eIDAS connector extends an assertion with a -`mappedPersonalIdentityNumber` attribute, it MUST also include the `personalIdentityNumberBinding` attribute. This attribute contains a semicolon separated list of URI:s that identify the binding process applied to obtain the binding. See \[[ID-Binding](#id-binding)\] for the possible values. - -If these bindings are acceptable for a Service Provider processing an assertion (containing the `mappedPersonalIdentityNumber` attribute), the Service Provider MAY treat the contents of the `mappedPersonalIdentityNumber` attribute as it would have received the `personalIdentityNumber` attribute, otherwise the Service Provider SHOULD NOT use the identity found in the `mappedPersonalIdentityNumber` attribute to login the user. - -> **Note**: The reason that an ordinary `personalIdentityNumber` attribute is not -used to represent a mapped civic registration number is that it is essential that -the consuming entity always verifies that the binding process under which the -mapping was performed is acceptable, before proceeding with the authentication + +When an authentication for a natural person is performed against the +eIDAS Framework, the Swedish eIDAS connector will query the Identity Binding Service +for a binding between the attributes found in the assertion received from the foreign +eIDAS-node and a Swedish personal identity number. If such a mapping exists, and the user consents to it being used, the assertion will be extended with a `mappedPersonalIdentityNumber` attribute holding the "mapped" Swedish civic registration number ("personnummer" or "samordningsnummer"). + +This mapping, or binding, can be performed using a number of different processes, +each identified by a URI. Therefore, if the eIDAS connector extends an assertion with a +`mappedPersonalIdentityNumber` attribute, it MUST also include the `personalIdentityNumberBinding` attribute. This attribute contains a semicolon separated list of URI:s that identify the binding process applied to obtain the binding. See \[[ID-Binding](#id-binding)\] for the possible values. + +If these bindings are acceptable for a Service Provider processing an assertion (containing the `mappedPersonalIdentityNumber` attribute), the Service Provider MAY treat the contents of the `mappedPersonalIdentityNumber` attribute as it would have received the `personalIdentityNumber` attribute, otherwise the Service Provider SHOULD NOT use the identity found in the `mappedPersonalIdentityNumber` attribute to log in the user. + +> **Note**: The reason that an ordinary `personalIdentityNumber` attribute is not +used to represent a mapped civic registration number is that it is essential that +the consuming entity always verifies that the binding process under which the +mapping was performed is acceptable, before proceeding with the authentication process. #### 3.3.3. Conversion of eIDAS Attributes -The attributes specified within eIDAS (\[[eIDAS\_Attr](#eidas-attr)\]) does not use -simple string type values. Instead each attribute is represented using +The attributes specified within eIDAS (\[[eIDAS.Attributes](#eidas-attr)\]) does not use +simple string type values, instead each attribute is represented using its own dedicated XML data type. This affects interoperability in a negative way since most standard SAML software need to be modified to support these attributes. Therefore, the Swedish eID Framework defines @@ -609,16 +614,16 @@ Swedish eID Framework. | BirthName
`http://eidas.europa.eu/attributes/naturalperson/BirthName` | birthName
urn:oid:1.2.752.201.3.8 | | PlaceOfBirth
`http://eidas.europa.eu/attributes/naturalperson/PlaceOfBirth` | placeOfBirth
urn:oid:1.3.6.1.5.5.7.9.2 | | CurrentAddress
`http://eidas.europa.eu/attributes/naturalperson/CurrentAddress` | eidasNaturalPersonAddress
urn:oid:1.2.752.201.3.9
See [section 3.3.3.1](#conversion-of-eidas-currentaddress) below. | -| Gender
`http://eidas.europa.eu/attributes/naturalperson/Gender` | gender
urn:oid:1.3.6.1.5.5.7.9.3 | -| Nationality
`http://eidas.europa.eu/attributes/naturalperson/Nationality` | countryOfCitizenship
urn:oid:1.3.6.1.5.5.7.9.4 | -| CountryOfBirth
`http://eidas.europa.eu/attributes/naturalperson/CountryOfBirth` | Will be added as the last element of placeOfBirth (see above) | -| TownOfBirth
`http://eidas.europa.eu/attributes/naturalperson/TownOfBirth` | Ignored if the eIDAS attribute PlaceOfBirth is assigned. Otherwise placed as first element of placeOfBirth. | -| CountryOfResidence
`http://eidas.europa.eu/attributes/naturalperson/CountryOfResidence` | countryOfResidence
urn:oid:1.3.6.1.5.5.7.9.5 | -| PhoneNumber
`http://eidas.europa.eu/attributes/naturalperson/PhoneNumber` | telephoneNumber
urn:oid:2.5.4.20 | +| Gender
`http://eidas.europa.eu/attributes/naturalperson/Gender` | gender
urn:oid:1.3.6.1.5.5.7.9.3 | +| Nationality
`http://eidas.europa.eu/attributes/naturalperson/Nationality` | countryOfCitizenship
urn:oid:1.3.6.1.5.5.7.9.4 | +| CountryOfBirth
`http://eidas.europa.eu/attributes/naturalperson/CountryOfBirth` | Will be added as the last element of placeOfBirth (see above) | +| TownOfBirth
`http://eidas.europa.eu/attributes/naturalperson/TownOfBirth` | Ignored if the eIDAS attribute PlaceOfBirth is assigned. Otherwise placed as first element of placeOfBirth. | +| CountryOfResidence
`http://eidas.europa.eu/attributes/naturalperson/CountryOfResidence` | countryOfResidence
urn:oid:1.3.6.1.5.5.7.9.5 | +| PhoneNumber
`http://eidas.europa.eu/attributes/naturalperson/PhoneNumber` | telephoneNumber
urn:oid:2.5.4.20 | | EmailAddress
`http://eidas.europa.eu/attributes/naturalperson/EmailAddress` | mail
urn:oid:0.9.2342.19200300.100.1.3 | **Note**: When converting an eIDAS attribute that makes use of -“transliteration” (as described in section 2.4 of \[[eIDAS\_Attr](#eidas-attr)\]) +“transliteration” (as described in section 2.4 of \[[eIDAS.Attributes](#eidas-attr)\]) attribute values having the `LatinScript` attribute set to `false` will not be part of the resulting attribute. @@ -626,7 +631,7 @@ be part of the resulting attribute. ##### 3.3.3.1. Conversion of eIDAS CurrentAddress The eIDAS attribute `CurrentAddress` is defined in section 2.2.9 of -\[[eIDAS\_Attr](#eidas-attr)\]. Its value is a Base64-encoding of an XML-structure of +\[[eIDAS.Attributes](#eidas-attr)\]. Its value is a Base64-encoding of an XML-structure of the type CurrentAddressStructuredType. @@ -707,10 +712,10 @@ following attribute: **\[SAML2Core\]** > [OASIS Standard, Assertions and Protocols for the OASIS Security > Assertion Markup Language (SAML) V2.0, March -> 2005](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf). - - -**\[SAML2SubjAttr\]** +> 2005](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf). + + +**\[SAML2SubjAttr\]** > [OASIS Standard, SAML V2.0 Subject Identifier Attributes Profile Version 1.0, January 2019](https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.pdf). @@ -725,11 +730,11 @@ following attribute: **\[SKV709\]** -> [Skatteverket, SKV 709, Utgåva 8, Organisationsnummer](https://docs.swedenconnect.se/technical-framework/mirror/skv/skv709-8.pdf). - - -**\[ID-Binding\]** -> [Binding of eIDAS Attributes to Swedish Personal Identity Numbers](https://docs.swedenconnect.se/technical-framework/Identity_Binding.html) +> [Skatteverket, SKV 709, Utgåva 8, Organisationsnummer](https://docs.swedenconnect.se/technical-framework/mirror/skv/skv709-8.pdf). + + +**\[ID-Binding\]** +> [Binding eIDAS Identities to Records in the Swedish Population Register](https://docs.swedenconnect.se/technical-framework/Identity_Binding.html) **\[X.520\]** @@ -749,64 +754,60 @@ following attribute: **\[ISO3166\]** > Codes for the representation of names of countries and their -> subdivisions Part 1: Country codes, ISO standard, ISO 3166-1. - - -**\[SambiAttr\]** -> [Sambi Attributspecifikation](https://wiki.federationer.internetstiftelsen.se/pages/viewpage.action?pageId=46465316). - - -**\[TillitRamv\]** -> [Tillitsramverket för Svensk e-legitimation](https://www.digg.se/digitala-tjanster/e-legitimering/tillitsnivaer-for-e-legitimering/tillitsramverk-for-svensk-e-legitimation). - - -**\[EidDeployProf\]** +> subdivisions Part 1: Country codes, ISO standard, ISO 3166-1. + + +**\[SambiAttr\]** +> [Sambi Attributspecifikation](https://wiki.federationer.internetstiftelsen.se/pages/viewpage.action?pageId=46465316). + + +**\[SC.SAML.Profile\]** > [Deployment Profile for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html). - -**\[ConstructedAttr\]** + +**\[SC.Constructed\]** > [eIDAS Constructed Attributes Specification for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html). -**\[eIDAS\_Attr\]** -> [eIDAS SAML Attribute Profile, version 1.2, 21 May 2019](https://docs.swedenconnect.se/technical-framework/mirror/eidas/eIDAS_SAML_Attribute_Profile_v1.2-FINAL.pdf). +**\[eIDAS.Attributes\]** +> [eIDAS SAML Attribute Profile, version 1.4, 31 October 2023](https://docs.swedenconnect.se/technical-framework/mirror/eidas/eIDAS_SAML_Attribute_Profile_v1.4_final.pdf). - -**\[SigSAP\]** + +**\[SC.SAP\]** > [Signature Activation Protocol for Federated Signing](https://docs.swedenconnect.se/technical-framework/latest/13_-_Signature_Activation_Protocol.html). -**\[DSSExt\]** +**\[SC.DSS.Ext\]** > [DSS Extension for Federated Central Signing Services](https://docs.swedenconnect.se/technical-framework/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html). ## 5. Changes between versions - -**Changes between version 1.7 and version 1.8:** - -- In section 3.1.3, "Scoped Attributes", a note about `@`-characters in scoped values was added. - -- Updated link to Sambi attribute specification. - -- Section 3.3.2, "The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes", was updated. - -- Section 3.3.3, "Conversion of eIDAS Attributes", was extended to contain mappings for the optional eIDAS attributes: Nationality, CountryOfBirth, TownOfBirth, CountryOfResidence, PhoneNumber and EmailAddress. - -**Changes between version 1.6 and version 1.7:** - -- Section 2.4, "Organizational Identity for Natural Persons", was updated to define a minimum set of attributes for providing personal orgazational identity information. - -- Section 3.2.5, "The orgAffiliation Attribute", was introduced. - -- The concept of "scoped attributes" was introduced, see section 3.1.3. - -- The `previousPersonalIdentityNumber` attribute was added, see section 3.2.6. - -- The `mappedPersonalIdentityNumber` attribute was added (see section 3.3.2), and the - attribute set "eIDAS Natural Person Attribute Set" (section 2.5) was changed so that - a `mappedPersonalIdentityNumber` attribute is delivered instead of a - `personalIdentityNumber` attribute if the eIDAS identity can be mapped to a Swedish - identity number. + +**Changes between version 1.7 and version 1.8:** + +- In section 3.1.3, "Scoped Attributes", a note about `@`-characters in scoped values was added. + +- Updated link to Sambi attribute specification. + +- Section 3.3.2, "The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes", was updated. + +- Section 3.3.3, "Conversion of eIDAS Attributes", was extended to contain mappings for the optional eIDAS attributes: Nationality, CountryOfBirth, TownOfBirth, CountryOfResidence, PhoneNumber and EmailAddress. + +**Changes between version 1.6 and version 1.7:** + +- Section 2.4, "Organizational Identity for Natural Persons", was updated to define a minimum set of attributes for providing personal orgazational identity information. + +- Section 3.2.5, "The orgAffiliation Attribute", was introduced. + +- The concept of "scoped attributes" was introduced, see section 3.1.3. + +- The `previousPersonalIdentityNumber` attribute was added, see section 3.2.6. + +- The `mappedPersonalIdentityNumber` attribute was added (see section 3.3.2), and the + attribute set "eIDAS Natural Person Attribute Set" (section 2.5) was changed so that + a `mappedPersonalIdentityNumber` attribute is delivered instead of a + `personalIdentityNumber` attribute if the eIDAS identity can be mapped to a Swedish + identity number. **Changes between version 1.5 and version 1.6:** @@ -814,9 +815,9 @@ following attribute: - Section 2.5, "eIDAS Natural Person Attribute Set", was updated so that the `c` (country) attribute is a required attribute for this attribute set. -- The attribute `signMessageDigest` was introduced (see section 3.2.4). - -- The HSA-ID attribute was specified. +- The attribute `signMessageDigest` was introduced (see section 3.2.4). + +- The HSA-ID attribute was specified. **Changes between version 1.4 and version 1.5:** @@ -845,7 +846,7 @@ following attribute: **Changes between version 1.2 and version 1.3:** - This specification no longer uses the term “attribute profile” for - named collections of attributes for different scenarios. Instead the + named collections of attributes for different scenarios, instead the term “attribute set” is used. - Definitions of attribute sets (profiles) have been changed to be @@ -885,4 +886,3 @@ following attribute: - In chapter 3.4, “Organizational Identity for Natural Persons”, some attributes were listed as both prohibited and allowed. This has been fixed. - diff --git a/06 - Entity Categories for the Swedish eID Framework.md b/06 - Entity Categories for the Swedish eID Framework.md index cc88561..c6c5e65 100644 --- a/06 - Entity Categories for the Swedish eID Framework.md +++ b/06 - Entity Categories for the Swedish eID Framework.md @@ -8,7 +8,7 @@ # Entity Categories for the Swedish eID Framework -### Version 1.9 - 2024-12-04 - *Draft version* +### Version 1.9 - 2024-12-04 Registration number: **2019-311** @@ -144,7 +144,7 @@ Five types of Entity Categories are used within the federation: ### 1.1. Requirements Notation -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in \[[RFC2119](#rfc2119)\]. @@ -225,7 +225,7 @@ a plausible choice, if and only if, the following conditions apply; - if the Identity Provider declares at least one Service Contract identifier, the Service Provider must declare at least one of declared identifiers, and, -- all of the Service Property identifiers declared by the Service +- all the Service Property identifiers declared by the Service Provider must be declared by the Identity Provider. @@ -270,7 +270,7 @@ may define additional categories. All service entity category identifiers are prefixed with `http://id.elegnamnden.se/ec` or `http://id.swedenconnect.se/ec` (defined after Aug. 2018). -A service entity category identifies an arbitrary set of requirements and conditions that is required by the consuming service and provided by the providing service. Each service entity category specifies its own set of requirements and conditions. Typically such requirements and conditions include requirements on level of assurance (LoA) and requirements on mandatory attributes. For contract- or business agreement requirements [Service Contract Categories](#service-contract-categories) should be used. +A service entity category identifies an arbitrary set of requirements and conditions that is required by the consuming service and provided by the providing service. Each service entity category specifies its own set of requirements and conditions. Typically, such requirements and conditions include requirements on level of assurance (LoA) and requirements on mandatory attributes. For contract or business agreement requirements [Service Contract Categories](#service-contract-categories) should be used. A providing service declaring a service entity category that consists of both a level of assurance requirement and an attribute set MUST guarantee that the release of the given attributes are consistent with the level of assurance requirement. @@ -284,7 +284,7 @@ This specification does not impose any other limitations on what requirements or This section define Service Entity Categories that has attribute requirements according to the "Natural Personal Identity with Civic Registration Number" (`http://id.elegnamnden.se/ap/1.0/pnr-01`) attribute set as defined in section 2.3 -of \[[EidAttributes](#eidattributes)\]. +of \[[SC.SAML.Attrs](#sc-saml-attrs)\]. **Note**: The `http://id.elegnamnden.se/ap/1.0/pnr-01` attribute set includes the `personalIdentityNumber` attribute. See section [6.2](#accepts-coordination-number), "[accepts-coordination-number](#accepts-coordination-number)", for specific requirements concerning delivering a coordination number in this attribute. @@ -293,10 +293,10 @@ of \[[EidAttributes](#eidattributes)\]. **URL**: `http://id.elegnamnden.se/ec/1.0/loa2-pnr` -**Description**: User authentication according to assurance level 2 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”. +**Description**: User authentication according to assurance level 2 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa2` -> Or a corresponding LoA 2 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 2 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/pnr-01` @@ -305,10 +305,10 @@ of \[[EidAttributes](#eidattributes)\]. **URL**: `http://id.elegnamnden.se/ec/1.0/loa3-pnr` -**Description**: User authentication according to assurance level 3 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”. +**Description**: User authentication according to assurance level 3 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa3` -> Or a corresponding LoA 3 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 3 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/pnr-01` @@ -317,7 +317,7 @@ of \[[EidAttributes](#eidattributes)\]. **URL**: `http://id.elegnamnden.se/ec/1.0/loa4-pnr` -**Description**: User authentication according to assurance level 4 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”. +**Description**: User authentication according to assurance level 4 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa4` @@ -335,7 +335,7 @@ Attribute release is based on the "Natural Personal Identity with Civic Registra It is the responsibility of the Swedish eIDAS Proxy Service to transform these attributes into eIDAS attributes. **LoA-identifier**: Not applicable -> An Identity Provider delivering assertions to the eIDAS framework is obliged to announce which levels that it supports by including the corresponding eIDAS authentication context URIs defined in section 3.1.1 of \[[SC.Registry](#sc-registry)\] as assurance certification attributes in its metadata as described in section 2.1.3 of \[[EidDeploy](#eiddeploy)\]. +> An Identity Provider delivering assertions to the eIDAS framework is obliged to announce which levels that it supports by including the corresponding eIDAS authentication context URIs defined in section 3.1.1 of \[[SC.Registry](#sc-registry)\] as assurance certification attributes in its metadata as described in section 2.1.3 of \[[SC.SAML.Profile](#sc-saml-profile)\]. **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/pnr-01` where the `dateOfBirth` attribute (`urn:oid:1.3.6.1.5.5.7.9.1`) is mandatory. @@ -347,7 +347,7 @@ It is the responsibility of the Swedish eIDAS Proxy Service to transform these a **URL**: `http://id.elegnamnden.se/ec/1.0/eidas-naturalperson` -**Description**: User authentication according to any of the eIDAS assurance levels and attribute release according to “eIDAS Natural Person Attribute Set” (see section 2.5 of \[[EidAttributes](#eidattributes)\]). +**Description**: User authentication according to any of the eIDAS assurance levels and attribute release according to “eIDAS Natural Person Attribute Set” (see section 2.5 of \[[SC.SAML.Attrs](#sc-saml-attrs)\]). **LoA-identifier**: Not applicable > It does not make sense to specify the level of assurance for a Service @@ -364,17 +364,17 @@ It is the responsibility of the Swedish eIDAS Proxy Service to transform these a This section define Service Entity Categories that has attribute requirements according to the "Organizational Identity for Natural Persons" (`http://id.elegnamnden.se/ap/1.0/org-person-01`) attribute set as defined in section 2.4 -of \[[EidAttributes](#eidattributes)\]. +of \[[SC.SAML.Attrs](#sc-saml-attrs)\]. #### 2.3.1. loa2-orgid **URL**: `http://id.swedenconnect.se/ec/1.0/loa2-orgid` -**Description**: User authentication according to assurance level 2 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Organizational Identity for Natural Persons”. +**Description**: User authentication according to assurance level 2 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Organizational Identity for Natural Persons”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa2` -> Or a corresponding LoA 2 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 2 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/org-person-01` @@ -383,10 +383,10 @@ of \[[EidAttributes](#eidattributes)\]. **URL**: `http://id.swedenconnect.se/ec/1.0/loa3-orgid` -**Description**: User authentication according to assurance level 3 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Organizational Identity for Natural Persons”. +**Description**: User authentication according to assurance level 3 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Organizational Identity for Natural Persons”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa3` -> Or a corresponding LoA 3 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 3 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/org-person-01` @@ -395,10 +395,10 @@ of \[[EidAttributes](#eidattributes)\]. **URL**: `http://id.swedenconnect.se/ec/1.0/loa4-orgid` -**Description**: User authentication according to assurance level 4 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Organizational Identity for Natural Persons”. +**Description**: User authentication according to assurance level 4 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Organizational Identity for Natural Persons”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa4` -> Or a corresponding LoA 4 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 4 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/org-person-01` @@ -408,39 +408,45 @@ of \[[EidAttributes](#eidattributes)\]. This section define Service Entity Categories that has attribute requirements according to the "Natural Personal Identity without Civic Registration Number" (`http://id.elegnamnden.se/ap/1.0/natural-person-01`) attribute set as defined in section 2.2 -of \[[EidAttributes](#eidattributes)\]. +of \[[SC.SAML.Attrs](#sc-saml-attrs)\]. ### 2.4.1. loa2-name -**URL**: `http://id.swedenconnect.se/ec/1.0/loa2-name` **Description**: User authentication according to assurance level 2 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”. +**URL**: `http://id.swedenconnect.se/ec/1.0/loa2-name` + +**Description**: User authentication according to assurance level 2 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa2` -> Or a corresponding LoA 2 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 2 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). -**Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/natural-person-01` +**Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/natural-person-01` ### 2.4.2. loa3-name -**URL**: `http://id.swedenconnect.se/ec/1.0/loa3-name` **Description**: User authentication according to assurance level 3 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”. +**URL**: `http://id.swedenconnect.se/ec/1.0/loa3-name` + +**Description**: User authentication according to assurance level 3 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa3` -> Or a corresponding LoA 3 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 3 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). -**Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/natural-person-01` +**Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/natural-person-01` ### 2.4.3. loa4-name -**URL**: `http://id.swedenconnect.se/ec/1.0/loa4-name` **Description**: User authentication according to assurance level 4 \[[EidTillit](#eidtillit)\] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”. +**URL**: `http://id.swedenconnect.se/ec/1.0/loa4-name` + +**Description**: User authentication according to assurance level 4 \[[SE.Trust](#se-trust)\] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”. **LoA-identifier**: `http://id.elegnamnden.se/loa/1.0/loa4` -> Or a corresponding LoA 4 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]. +> Or a corresponding LoA 4 URI (see section 3.1.1 of \[[SC.Registry](#sc-registry)\]). **Attribute requirements**: `http://id.elegnamnden.se/ap/1.0/natural-person-01` - + ## 3. Definitions for Service Property Categories @@ -480,7 +486,7 @@ authentication using mobile devices. **URL**: `http://id.elegnamnden.se/sprop/1.0/scal2` -**Description**: A service property declaring that the service is adapted to support Sole Control Assurance Level 2 (SCAL2) in accordance with \[[SigSAP](#sigsap)\]. +**Description**: A service property declaring that the service is adapted to support Sole Control Assurance Level 2 (SCAL2) in accordance with \[[SC.SAP](#sc-sap)\]. For a providing service, i.e. an Identity Provider, inclusion of the scal2 service property states that the Identity Provider will return a "SAD" in response to a `SADRequest` in an authentication requests from a signing service. @@ -527,7 +533,7 @@ Service Contract Entity Category identifiers are indented for performing service All Service Contract identifiers are prefixed with `http://id.swedenconnect.se/contract/`, where `org` is identifier for the defining organization. -The meaning of different contracts and business agreements are out of scope for this specification. Instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements. +The meaning of different contracts and business agreements are out of scope for this specification, instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements. @@ -557,7 +563,7 @@ person who opens, and performs the authentication in the app. In order to prevent attacks of this type many authentication schemes offer alternative ways of initiating authentication (or signature) sessions, where some sort of binding between the -user agent and the authentication device is performed. An good example of this is when +user agent and the authentication device is performed. A good example of this is when Identity Providers prompt the user to scan a QR-code displayed in the web browser using the authentication app instead of prompting for the user identity. This effectively binds the user agent to the same physical location as the authentication device, and in practice @@ -583,7 +589,7 @@ from Service Providers that have declared this entity category in their metadata **Description**: A special purpose entity category that is declared by Service Providers to announce that they accept a Swedish coordination number (samordningsnummer), \[[SKV707](#skv707)\], being delivered in the `personalIdentityNumber` (`urn:oid:1.2.752.29.4.13`) attribute. -The `personalIdentityNumber` is defined in section 3.1 of \[[EidAttributes](#eidattributes)\] to contain either a Swedish personal identity number, \[[SKV704](#skv704)\], or a Swedish coordination number, \[[SKV707](#skv707)\]. However, how to utilize coordination numbers in +The `personalIdentityNumber` is defined in section 3.1 of \[[SC.SAML.Attrs](#sc-saml-attrs)\] to contain either a Swedish personal identity number, \[[SKV704](#skv704)\], or a Swedish coordination number, \[[SKV707](#skv707)\]. However, how to utilize coordination numbers in electronic services is, or has been, unclear. Not all Service Providers want, or are able to, use these types of identifiers. Therefore, this specification defines the "accepts coordination number" category as an opt-in feature for those Service Providers that can accept a `personalIdentityNumber` attribute to contain a coordination number as well as a personal identity number. @@ -593,7 +599,7 @@ the `http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number` enti in its metadata. **Note**: This entity category does **not** apply to the eIDAS specific attribute -`mappedPersonalIdentityNumber`, see section 3.3.2 of \[[EidAttributes](#eidattributes)\]. +`mappedPersonalIdentityNumber`, see section 3.3.2 of \[[SC.SAML.Attrs](#sc-saml-attrs)\]. Thus, a coordination number may be included in this attribute even if the Service Provider has not declared the entity category. @@ -602,7 +608,7 @@ has not declared the entity category. **URL**: `http://id.swedenconnect.se/general-ec/1.0/supports-user-message` -**Description**: Service Providers may include the `` extension in authentication requests for the purpose of displaying a custom "user message" for the authentication users, see \[[UserMessageExt](#user-message-ext)\]. An Identity Provider announces support for this extension by declaring the `http://id.swedenconnect.se/general-ec/1.0/supports-user-message` entity category. +**Description**: Service Providers may include the `` extension in authentication requests for the purpose of displaying a custom "user message" for the authentication users, see \[[SC.SAML.UMsg](#sc-saml-umsg)\]. An Identity Provider announces support for this extension by declaring the `http://id.swedenconnect.se/general-ec/1.0/supports-user-message` entity category. @@ -645,29 +651,29 @@ has not declared the entity category. > [Skatteverket, SKV 707, Utgåva 2, > Samordningsnummer](https://docs.swedenconnect.se/technical-framework/mirror/skv/skv707-2.pdf). - -**\[EidTillit\]** + +**\[SE.Trust\]** > [Tillitsramverket för Svensk e-legitimation](https://www.digg.se/digitala-tjanster/e-legitimering/tillitsnivaer-for-e-legitimering/tillitsramverk-for-svensk-e-legitimation). - -**\[EidDeploy\]** + +**\[SC.SAML.Profile\]** > [Deployment Profile for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html). **\[SC.Registry\]** > [Sweden Connect - Registry for identifiers](https://docs.swedenconnect.se/technical-framework/latest/03_-_Registry_for_Identifiers.html). - -**\[EidAttributes\]** + +**\[SC.SAML.Attrs\]** > [Attribute Specification for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html). - -**\[SigSAP\]** + +**\[SC.SAP\]** > [Signature Activation Protocol for Federated Signing](https://docs.swedenconnect.se/technical-framework/latest/13_-_Signature_Activation_Protocol.html). - -**\[UserMessageExt\]** -> [User Message Extension in SAML Authentication Requests](https://docs.swedenconnect.se/technical-framework/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html). + +**\[SC.SAML.UMsg\]** +> [User Message Extension in SAML Authentication Requests](https://docs.swedenconnect.se/technical-framework/latest/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html). ## 8. Changes between versions diff --git a/07 - Implementation Profile for using DSS in Central Signing Services.md b/07 - Implementation Profile for using DSS in Central Signing Services.md index 41bf041..9fae671 100644 --- a/07 - Implementation Profile for using DSS in Central Signing Services.md +++ b/07 - Implementation Profile for using DSS in Central Signing Services.md @@ -8,7 +8,7 @@ # Implementation Profile for using OASIS DSS in Central Signing Services -### Version 1.6 - 2024-12-04 - *Draft version* +### Version 1.6 - 2024-12-04 Registration number: **2019-312** @@ -24,7 +24,7 @@ Copyright © The Swedish Agency for Digital Go 1.1. [Terminology](#terminology) - 1.2. [Requirement key words](#requirement-key-words) + 1.2. [Requirements Notation](#requirements-notation) 1.3. [Namespace references](#namespace-references) @@ -123,10 +123,10 @@ Term | Defined meaning **Requesting Service** | The service requesting the signature on a particular document by a particular user. **Signing Service** | A centralized service that manages the process to authenticate the user that has been requested to sign a document, and the process to obtain the user’s signature on the requested document. - -### 1.2. Requirement key words + +### 1.2. Requirements Notation -The key words **MUST**, **MUST** **NOT**, **REQUIRED**, **SHALL**, +The keywords **MUST**, **MUST** **NOT**, **REQUIRED**, **SHALL**, **SHALL** **NOT**, **SHOULD**, **SHOULD** **NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** are to be interpreted as described in \[[RFC2119](#rfc2119)\]. @@ -321,7 +321,7 @@ attributes for each tag other than those listed in the following table: Allowed HTML entities for character replacement SHALL be restricted to `amp`, `gt`, `lt`, `quot` and `nbsp` (in the form `&entity-name;`). -HTML messages MUST NOT contain any URI references to data outside of the +HTML messages MUST NOT contain any URI references to data outside the message and MUST NOT contain any JavaScript in any form. @@ -329,9 +329,9 @@ message and MUST NOT contain any JavaScript in any form. The means through which the Service Provider requests the Identity Provider to display a sign message is defined in section 7.1.1 of “Deployment Profile -for the Swedish eID Framework” \[[Eid-Profile](#eid-profile)\]. +for the Swedish eID Framework” \[[SC.SAML.Profile](#sc-saml-profile)\]. -In addition to the requirements in section 7.1.1 of \[[Eid-Profile](#eid-profile)\] the +In addition to the requirements in section 7.1.1 of \[[SC.SAML.Profile](#sc-saml-profile)\] the Signature Service MUST apply the following process regarding the inclusion of the `AuthnContextClassRef` URI to include in the `AuthnRequest` sent to the Identity Provider when authenticating the user for signing: @@ -349,9 +349,9 @@ when authenticating the user for signing: ##### 2.1.3.9. CertRequestProperties This element MAY be present to provide requested properties of generated -signature certificates according with section 3.1.1 of \[[DSS-Ext](#dss-ext)\]. +signature certificates according to section 3.1.1 of \[[DSS-Ext](#dss-ext)\]. -When the `CertType` attribute is present with a value of `QC/SSCD` the signature service MUST request authentication in accordance with section 7.1.2 of “Deployment Profile for the Swedish eID Framework” \[[Eid-Profile](#eid-profile)\], or reject the request. +When the `CertType` attribute is present with a value of `QC/SSCD` the signature service MUST request authentication in accordance with section 7.1.2 of “Deployment Profile for the Swedish eID Framework” \[[SC.SAML.Profile](#sc-saml-profile)\], or reject the request. ###### 2.1.3.9.1. AuthnContextClassRef @@ -467,7 +467,7 @@ request was processed and response was constructed. This version MUST be the sam version as given in the `SignRequestExtension` (see section [2.1.3.1](#version), "[Version](#version))". For backwards compatibility reasons that attribute MAY be absent if version "1.1" was requested. -Otherwise it MUST be set. +Otherwise, it MUST be set. ##### 2.2.4.2. ResponseTime @@ -478,7 +478,7 @@ The `` element MUST be present in the response. ##### 2.2.4.3. Request The `` element MAY be present in a response. However, it is RECOMMENDED not to include this -element since it makes the response message unnecessary large. Instead the requester of a sign operation +element since it makes the response message unnecessary large, instead the requester of a sign operation is expected to save the request message in its session for later use when processing a response message. @@ -658,14 +658,14 @@ EidSignResponse | Base64 encoded sign response. **[XMLSig-XSD]** > XML Signature Schema. World Wide Web Consortium. See . - -**[Eid-Profile]** -> [Deployment Profile for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html). - **[DSS-Ext]** > [DSS Extension for Federated Central Signing Services](https://docs.swedenconnect.se/technical-framework/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html). + +**[SC.SAML.Profile]** +> [Deployment Profile for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html). + **[SC.Registry]** > [Sweden Connect - Registry for identifiers](https://docs.swedenconnect.se/technical-framework/latest/03_-_Registry_for_Identifiers.html). @@ -703,7 +703,7 @@ EidSignResponse | Base64 encoded sign response. **Changes between version 1.2 and version 1.3:** -- In section 2.1.3.9, "CertRequestProperties", an requirement to adapt authentication request procedures when the requested signature is a qualified electronic signature was added. +- In section 2.1.3.9, "CertRequestProperties", a requirement to adapt authentication request procedures when the requested signature is a qualified electronic signature was added. **Changes between version 1.1 and version 1.2:** diff --git a/09 - DSS Extension for Federated Signing Services.md b/09 - DSS Extension for Federated Signing Services.md index 8465fde..311f147 100644 --- a/09 - DSS Extension for Federated Signing Services.md +++ b/09 - DSS Extension for Federated Signing Services.md @@ -8,7 +8,7 @@ # DSS Extension for Federated Central Signing Services -### Version 1.5 - 2024-11-25 - *Draft version* +### Version 1.5 - 2024-12-04 Registration number: **2019-314** @@ -24,7 +24,7 @@ Copyright © The Swedish Agency for Digital Go 1.1. [Terminology](#terminology) - 1.1.1. [Key words](#key-words) + 1.1.1. [Keywords](#keywords) 1.1.2. [Structure](#structure) @@ -85,7 +85,7 @@ Appendix A. [**XML Schema**](#appendix-a.xml-schema) ## 1. Introduction -This specifications defines elements that extend the +This specification defines elements that extend the `` and `` elements of \[[OASIS-DSS](#dss)\]. @@ -126,10 +126,10 @@ request. ### 1.1. Terminology - -#### 1.1.1.  Key words + +#### 1.1.1.  Keywords -The key words *MUST*, *MUST NOT*, *REQUIRED*, *SHALL*, *SHALL NOT*, +The keywords *MUST*, *MUST NOT*, *REQUIRED*, *SHALL*, *SHALL NOT*, *SHOULD*, *SHOULD NOT*, *RECOMMENDED*, *MAY*, and *OPTIONAL* are to be interpreted as described in \[[RFC 2119](#rfc2119)\]. @@ -150,7 +150,7 @@ This specification uses the following typographical conventions in text: Listings of DSS schemas appear like this. -#### 1.1.3.  Definitions +#### 1.1.3. Definitions **Identity Provider** @@ -187,7 +187,7 @@ different namespace. Conventional XML namespace prefixes are used in the schema: -- The prefix `csig`: stands for the this specification's XML schema +- The prefix `csig`: stands for this specification's XML schema namespace \[[Csig-XSD](#csig-xsd)\]. - The prefix `dss`: stands for the DSS core namespace @@ -245,7 +245,7 @@ Recommendation \[[XML](#xml)\] Section 2.3). Unless otherwise noted in this specification, all elements that have the XML Schema **xs:string** type, or a type derived from that, MUST be compared using an exact binary comparison. In particular, -implementations MUST NOT depend on case insensitive string comparisons, +implementations MUST NOT depend on case-insensitive string comparisons, normalization or trimming of whitespace, or conversion of locale-specific formats such as numbers or currency. This requirement is intended to conform to the W3C working group note "Requirements for String @@ -716,7 +716,7 @@ attributes and elements: > The MIME type defining the message format. This is an enumeration of > the valid attribute values `text` (plain text), `text/html` (html) or > `text/markdown` (markdown). This specification does not specify any -> particular restrictions on the provided message but it is RECOMMENDED +> particular restrictions on the provided message, but it is RECOMMENDED > that sign message content is restricted to a limited set of valid tags > and attributes, and that the display entity performs filtering to > enforce these restrictions before displaying the message. The means @@ -966,7 +966,7 @@ This complex type can be used to hold a sequence of X.509 certificates. Certificates MUST be provided in sequence with the end-entity certificate first in the sequence followed by any CA certificates that can be used to verify the previous certificate in the sequence, ending -with a self signed root certificate. +with a self-signed root certificate. The **CertificateChainType** complex type has the following elements: @@ -1224,7 +1224,7 @@ be signed to the signer. Implementers of this specification MUST sign requests and responses for signature creation to protect against spoofing and substitution attacks. If a hash of the document to be signed is replaced in a sign request, the signer may end up signing -something completely different than what the requesting service +something completely different from what the requesting service presented to the signer. When a `` is signed, the signature of that request @@ -1244,7 +1244,7 @@ signature and MUST check that the signature covers all data in the **\[Csig-XSD\]** -> This specification's DSS Extensions schema Version 1.1.3, https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.3.xsd, November, 2024. +> This specification's DSS Extensions schema Version 1.1.3, https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.3.xsd, November 2024. **\[OASIS-DSS\]** diff --git a/12 - BankID Profile for the Swedish eID Framework.md b/12 - BankID Profile for the Swedish eID Framework.md index f27f758..1a02b1c 100644 --- a/12 - BankID Profile for the Swedish eID Framework.md +++ b/12 - BankID Profile for the Swedish eID Framework.md @@ -166,7 +166,7 @@ For Identity Providers implementing BankID support in **one** Identity Provider ### 1.4. Relying Party Configuration -When a Relying Party uses the BankID Relying Party API directly in order to implement BankID services, it has a set of configuration settings to choose from (see `requirements` object under the [Auth](https://developers.bankid.com/api-references/auth--sign/auth) and [Sign API](https://developers.bankid.com/api-references/auth--sign/sign). Examples are: +When a Relying Party uses the BankID Relying Party API directly in order to implement BankID services, it has a set of configuration settings to choose from (see `requirements` object under the [Auth](https://developers.bankid.com/api-references/auth--sign/auth) and [Sign API](https://developers.bankid.com/api-references/auth--sign/sign)). Examples are: - Should fingerprints be allowed instead of the user entering his or hers security code? @@ -174,9 +174,9 @@ When a Relying Party uses the BankID Relying Party API directly in order to impl - Smart card reader preferences. -However, the services of a BankID Identity Provider are used by several parties within the federation and it is thus harder to maintain a per Service Provider configuration. Therefore, a BankID Identity Provider compliant with this profile SHOULD use the same configuration defaults as stated in [Auth](https://developers.bankid.com/api-references/auth--sign/auth) and [Sign API](https://developers.bankid.com/api-references/auth--sign/sign). +However, the services of a BankID Identity Provider are used by several parties within the federation, and it is thus harder to maintain a per-Service Provider configuration. Therefore, a BankID Identity Provider compliant with this profile SHOULD use the same configuration defaults as stated in [Auth](https://developers.bankid.com/api-references/auth--sign/auth) and [Sign API](https://developers.bankid.com/api-references/auth--sign/sign). -> **Note:** It is of course allowed for a BankID Identity Provider to maintain specific Service Provider configurations, but this is outside of the scope for this profile, and there will be no specification support to accomplish this. +> **Note:** It is of course allowed for a BankID Identity Provider to maintain specific Service Provider configurations, but this is outside the scope for this profile, and there will be no specification support to accomplish this. ## 2. Attributes @@ -222,7 +222,7 @@ The attribute is used by attribute providers to release data from an authenticat ## 3. Identity Provider User Interface -This profile does not state any requirements on how the user interface for an Identity Provider implementing BankID services should be implemented other than the statements listed in the sub sections below. +This profile does not state any requirements on how the user interface for an Identity Provider implementing BankID services should be implemented other than the statements listed in the subsections below. ### 3.1. General Requirements @@ -266,14 +266,16 @@ An Identity Provider conformant with this profile MUST require ` ### 4.2. Handling of Principal Selection -An Identity Provider that has declared support for the `` extension (see see section [6](#metadata)) MUST assign the `requirement.personalNumber` field of [/auth](https://developers.bankid.com/api-references/auth--sign/auth) or [/sign](https://developers.bankid.com/api-references/auth--sign/sign) if a Swedish personal identity number is received in the `` extension. +An Identity Provider that has declared support for the `` extension (see section [6](#metadata)) MUST assign the `requirement.personalNumber` field of [/auth](https://developers.bankid.com/api-references/auth--sign/auth) or [/sign](https://developers.bankid.com/api-references/auth--sign/sign) if a Swedish personal identity number is received in the `` extension. See \[[SC.SAML.Principal](#sc-saml-principal)\] for further requirements concerning the principal selection extension. ### 4.3. Authentication for Signature -An Identity Provider conforming to the Sweden Connect Framework is obliged to handle requests received from Signature Services as described in section 7, “Authentication for Signature”, of \[[SC.SAML.Profile](#sc-saml-profile)\]. This section further specifies how a BankID Identity Provider should support “authentication for signature”. A BankID Identity Provider that receives an `` message from a Signature Service MUST initiate a BankID **signature** operation. It MUST NOT initiate a BankID authentication operation for several reasons: +An Identity Provider conforming to the Sweden Connect Framework is obliged to handle requests received from Signature Services as described in section 7, “Authentication for Signature”, of \[[SC.SAML.Profile](#sc-saml-profile)\]. This section further specifies how a BankID Identity Provider should support “authentication for signature”. + +A BankID Identity Provider that receives an `` message from a Signature Service MUST initiate a BankID **signature** operation. It MUST NOT initiate a BankID authentication operation for several reasons: * the user interface in the BankID client (app or Desktop program) during authentication indicates that the user is logging on (and not signing which is the case when a request from a Signature Service is being processed), * the user expects to be displayed a text describing what he or she is signing, @@ -286,19 +288,22 @@ The BankID client (app or desktop program) comprises a text box in which the sig An Identity Provider that processes an `` from a Signature Service is not given the actual data that is being signed by the user via the Signature Service. However, in order to invoke the BankID signature function, the Identity Provider must supply the BankID-server with data to be signed. This section specifies the input to the BankID signature operation. -The "To-be-signed" data that is passed as input the the BankID Sign-method (`/sign`) is a combination of the data from the `userVisibleData` and `userNonVisibleData` parameters (). +The "To-be-signed" data that is passed as input the BankID Sign-method (`/sign`) is a combination of the data from the `userVisibleData` and `userNonVisibleData` parameters (). ##### 4.3.1.1. userVisibleData - Signature Message -The Sign-method parameter `userVisibleData` holds data that will be signed by the user but it is also displayed in the BankID application text box. +The Sign-method parameter `userVisibleData` holds data that will be signed by the user, but it is also displayed in the BankID application text box. If the `` message contains a `SignMessage` extension, the contents of this message MUST be assigned to the `userVisibleData` parameter (after necessary encoding). -A BankID Identity Provider MUST support `SignMessage` elements having their `MimeType` attribute set to `text`, and SHOULD support Markdown (`text/markdown`) according to [BankID - Guidelines for Formatted Text](#bankid-md), \[[BankID.MD](#bankid-md)\]. For other values (`text/html`), the Identity Provider MUST respond with an error. If the `` message does not contain a `SignMessage` extension, the Identity Provider MUST assign a sensible default signature message to the `userVisibleData` parameter. How this message is constructed is the responsibility of the Identity Provider, but it must be obvious for the user who is the requesting party, i.e., the Service Provider that has ordered the signature operation2. - > \[1\]: If the `MimeType` attribute is not set, `text` is the default value. +A BankID Identity Provider MUST support `SignMessage` elements having their `MimeType` attribute set to `text`, and SHOULD support Markdown (`text/markdown`) according to [BankID - Guidelines for Formatted Text](#bankid-md), \[[BankID.MD](#bankid-md)\]. For other values (`text/html`), the Identity Provider MUST respond with an error. + +If the `` message does not contain a `SignMessage` extension, the Identity Provider MUST assign a sensible default signature message to the `userVisibleData` parameter. How this message is constructed is the responsibility of the Identity Provider, but it must be obvious for the user who is the requesting party, i.e., the Service Provider that has ordered the signature operation2. + +> \[1\]: If the `MimeType` attribute is not set, `text` is the default value. > -> \[2\]: For this purpose, the `` element of the Signature Service’s metadata entry, is a good and generic choice. +> \[2\]: For this purpose, the `` element of the Signature Service’s metadata entry, is a good and generic choice. ##### 4.3.1.2. userNonVisibleData @@ -343,7 +348,7 @@ If the user cancels a BankID operation, either by clicking the Cancel-button in In cases where the Identity Provider receives the BankID error code `ALREADY_IN_PROGRESS` in response to an Auth- or Sign-call the Identity Provider MAY display a warning to the user that someone may have initiated a BankID operation using their personal identity number1. If this warning is displayed, it is RECOMMENDED that the second level status code `http://id.elegnamnden.se/status/1.0/possibleFraud` is included in the error response message posted back to the Service Provider. -> \[1\]: There have been reports where fraudsters remotely try to convince people of using their Mobile BankID to log in to a service. In these cases, the fraudster initiates a BankID authentication prior to the person he tries to trick into logging in to the service, and is waiting for the user to enter his or hers personal code, thus authenticating the fraudsters session. +> \[1\]: There have been reports where fraudsters remotely try to convince people of using their Mobile BankID to log in to a service. In these cases, the fraudster initiates a BankID authentication prior to the person he tries to trick into logging in to the service, and is waiting for the user to enter his or hers personal code, thus authenticating the fraudster's session. ## 6. Metadata @@ -508,4 +513,4 @@ using the `secure-authenticator-binding` entity category, may request that QR co **Changes between version 1.0 and 1.1:** - Section 3.4, "Cancelling an Operation" was extended with a suggestion of how to avoid dangling sessions after user cancel. -- The profile now references the BankID Relying Party Guidelines that makes use of JSON. \ No newline at end of file +- The profile now references the BankID Relying Party Guidelines that makes use of JSON. diff --git a/13 - Signature Activation Protocol.md b/13 - Signature Activation Protocol.md index b047f41..4227c76 100644 --- a/13 - Signature Activation Protocol.md +++ b/13 - Signature Activation Protocol.md @@ -8,21 +8,21 @@ # Signature Activation Protocol for Federated Signing -### Version 1.2 - 2022-12-20 - *Draft version* +### Version 1.2 - 2024-12-04 Registration number: **2019-317** ---

-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2022. All Rights Reserved. +Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.

## Table of Contents 1. [**Introduction**](#introduction) - 1.1. [Requirement key words](#requirement-key-words) + 1.1. [Requirement keywords](#requirement-keywords) 1.2. [XML namespace references](#xml-namespace-references) @@ -72,10 +72,10 @@ The Signature Activation Protocol (SAP) defined in this document is used to exch The SAP specified in this document is specifically designed to be used with a signing service operating in accordance with the federated signing specification \[[DSS-Ext](#dss-ext)\]. - -### 1.1. Requirement key words + +### 1.1. Requirement keywords -The key words **MUST**, **MUST** **NOT**, **REQUIRED**, **SHALL**, +The keywords **MUST**, **MUST** **NOT**, **REQUIRED**, **SHALL**, **SHALL** **NOT**, **SHOULD**, **SHOULD** **NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** are to be interpreted as described in \[[RFC2119](#rfc2119)\]. @@ -127,7 +127,7 @@ This document specifies exchange of two data elements: - `SADRequest` - `SAD` -The `SADRequest` SHALL have the format defined in section [3.1](#sadrequest). When a Remote Signing Service request a SAD from the Identity Provider, it MUST include the `SADRequest` element as an request extension by including it as a child element to a `` element in the ``. +The `SADRequest` SHALL have the format defined in section [3.1](#sadrequest). When a Remote Signing Service request a SAD from the Identity Provider, it MUST include the `SADRequest` element as a request extension by including it as a child element to a `` element in the ``. When an Identity Provider returns a SAD, as defined in section [3.2](#signature-activation-data), in a SAML Assertion, it MUST be included as a single string value of a `sad` attribute identified by the attribute name `urn:oid:1.2.752.201.3.12` as defined in the attribute specification [[EidAttributes](#eidattributes)]. @@ -174,7 +174,7 @@ The SAD Request is provided in a `` element. The element has the `ID` \[Required\] -> Attribute holding an unique identifier for the `SADRequest`. +> Attribute holding a unique identifier for the `SADRequest`. The following schema fragment defines the `` element: @@ -426,7 +426,7 @@ Protection profile for QSCD for Server Signing **Changes between version 1.1 and 1.2:** -- The protocol logic was clarified by removing references to sign message (which was never present in the actual protocol) and replacing this with a clarification of the semantics of including the the Sign Request ID in SAD to assert the acceptance to sign the documents referenced in that Sign Request. +- The protocol logic was clarified by removing references to sign message (which was never present in the actual protocol) and replacing this with a clarification of the semantics of including the Sign Request ID in SAD to assert the acceptance to sign the documents referenced in that Sign Request. - Updated examples where the use of "signmessage" LoA URI:s was removed. diff --git a/18 - User Message Extension in SAML Authentication Requests.md b/18 - User Message Extension in SAML Authentication Requests.md index 01ae508..3775f74 100644 --- a/18 - User Message Extension in SAML Authentication Requests.md +++ b/18 - User Message Extension in SAML Authentication Requests.md @@ -8,14 +8,14 @@ # User Message Extension in SAML Authentication Requests -### Version 1.0 - 2024-04-15 - *Draft version* +### Version 1.0 - 2024-12-04 -Registration number: TBD +Registration number: **2024-7673** ---

-Copyright © The Swedish Agency for Digital Government (DIGG), 2024. All Rights Reserved. +Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.

## Table of Contents @@ -56,7 +56,7 @@ This specification defines the `` element that may be included ### 1.1. Requirements Notation -The key words **MUST**, **MUST** **NOT**, **REQUIRED**, **SHALL**, +The keywords **MUST**, **MUST** **NOT**, **REQUIRED**, **SHALL**, **SHALL** **NOT**, **SHOULD**, **SHOULD** **NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** are to be interpreted as described in \[[RFC2119](#rfc2119)\]. @@ -86,7 +86,7 @@ This specification uses the following typographical conventions in text: This specification defines the element `` to be included in the `` element of an `AuthnRequest`. -This element MAY included by a Service Provider asking the Identity Provider to display a given message for the user during the authentication phase. The element has the following elements and attributes: +This element MAY be included by a Service Provider asking the Identity Provider to display a given message for the user during the authentication phase. The element has the following elements and attributes: `` \[One or more\] > Element that holds the user message for a specific language. See below. @@ -137,7 +137,7 @@ The required `xml:lang` attribute contains the language tag for the message's la ### 3.1. Identity Provider Requirements -An Identity Provider that supports the `` extension MUST declare this support in its metadata entry by declaring the `http://id.swedenconnect.se/general-ec/1.0/supports-user-message` entity category (see section 6.3 of \[[EidEntCat](#eidentcat)\]). +An Identity Provider that supports the `` extension MUST declare this support in its metadata entry by declaring the `http://id.swedenconnect.se/general-ec/1.0/supports-user-message` entity category (see section 6.3 of \[[SC.SAML.EntCat](#sc-saml-entcat)\]). Identity Providers compliant with this specification MUST support the `text/plain` and `text/markdown` MIME types. @@ -162,7 +162,7 @@ A Service Provider MUST NOT supply user messages that contains integrity sensiti ## 4. Examples Example of supplying a user message in Swedish ("Jag vill logga in till example.com") and in -English ("I wish to login to example.com"): +English ("I wish to log in to example.com"): ``` ... @@ -251,9 +251,9 @@ The following XML schema defines the `http://id.swedenconnect.se/authn/1.0/user- > Assertion Markup Language (SAML) V2.0, March > 2005](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf). - -**\[EidEntCat\]** -> [Entity Categories for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html). + +**\[SC.SAML.EntCat\]** +> [Entity Categories for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html). ## 7. Changes between versions diff --git a/Identity Binding.md b/Identity Binding.md index 9cbdd95..a8569d3 100644 --- a/Identity Binding.md +++ b/Identity Binding.md @@ -11,6 +11,8 @@ ### 2024-11-22 +Registration number: **2024-7672** + This document outlines the process for binding an eIDAS-notified electronic identity (eID) to an individual's personal identification number in the Swedish Population Register. --- @@ -81,7 +83,7 @@ See also sections 2.5, "eIDAS Natural Person Attribute Set", and 3.3.2, "The map ## 3. Identity Binding Processes -This section contains a detailed description of the binding processes that are used by the Identity Binding Service. Each process is identified with an URI. +This section contains a detailed description of the binding processes that are used by the Identity Binding Service. Each process is identified with a URI. To perform the identity binding process, a user must meet the following requirements: @@ -95,7 +97,7 @@ To perform the identity binding process, a user must meet the following requirem - The user must accept the terms of use and consent to creation of a private storage area that belongs to the user. -**Note:** If the above steps uniquely corresponds to exactly one record in the Swedish population register, the binding `http://id.swedenconnect.se/id-binding/process/populationregister` ([3.1](#population-register)) will be created, but, if the birth date and name information from the eIDAS assertion matches more than one record from the population register, other processes (as described below) need to be applied for a binding to be completed. +**Note:** If the above steps uniquely corresponds to exactly one record in the Swedish population register, the binding `http://id.swedenconnect.se/id-binding/process/populationregister` ([3.1](#population-register)) will be created, but, if the birthdate and name information from the eIDAS assertion matches more than one record from the population register, other processes (as described below) need to be applied for a binding to be completed. ### 3.1. Unique Record in the Population Register @@ -111,7 +113,7 @@ A detailed search in the population register confirms that there is a low risk o **URI:** `http://id.swedenconnect.se/id-binding/process/swedish-eid` -**Description:** The user has digitally signed an attestation connecting an eIDAS identity number to a record retrieved from the Swedish population register using a Swedish eID. Using this process the user proves the he or she holds both the eIDAS identity (received from the eIDAS-notified eID) and the Swedish identity number (received from the digital signature). +**Description:** The user has digitally signed an attestation connecting an eIDAS identity number to a record retrieved from the Swedish population register using a Swedish eID. Using this process the user proves that he or she holds both the eIDAS identity (received from the eIDAS-notified eID) and the Swedish identity number (received from the digital signature). **Additional requirements:** Assurance level for the Swedish eID must be minimum at level 3 in accordance of the [Swedish Trust Framework](https://www.digg.se/digitala-tjanster/e-legitimering/tillitsnivaer-for-e-legitimering/tillitsramverk-for-svensk-e-legitimation) (a.k.a. [Tillitsramverk för Svensk e-legitimation](https://www.digg.se/digitala-tjanster/e-legitimering/tillitsnivaer-for-e-legitimering/tillitsramverk-for-svensk-e-legitimation)). Using the eID for this purpose must also be approved by the eID provider. @@ -120,7 +122,6 @@ A detailed search in the population register confirms that there is a low risk o - 2024-11-22: Updated version where the bindings for Nordic eID:s and relative confirmation were removed due to legal reasons. -- 2024-05-08: Updated according to the latest legal agreements. The binding level is no longer used. Instead a set of identity binding process URL:s represent the binding. +- 2024-05-08: Updated according to the latest legal agreements. The binding level is no longer used, instead a set of identity binding process URL:s represent the binding. - 2023-06-09: First version. - diff --git a/OpenID Connect Claims and Scopes Specification.md b/OpenID Connect Claims and Scopes Specification.md index 419626b..ea83171 100644 --- a/OpenID Connect Claims and Scopes Specification.md +++ b/OpenID Connect Claims and Scopes Specification.md @@ -8,9 +8,9 @@ # OpenID Connect Claims and Scopes Specification for Sweden Connect -### Version 1.0 - 2024-11-28 - *Draft version* +### Version 1.0 - 2024-12-04 -Registration number: **TBD** +Registration number: **2024-7704** --- @@ -54,6 +54,8 @@ Copyright © The Swedish Agency for Digital Go 4. [**References**](#references) +5. [**Changes between versions**](#changes-between-versions) + Appendix A: [**Conversion of eIDAS Attributes**](#conversion-of-eidas-attributes) --- @@ -82,7 +84,7 @@ The claims defined in this specification are named in a collision-resistant mann This section defines how identity attributes received from, or in conjunction with, an eIDAS authentication is represented as OpenID claims within the Sweden Connect federation. -[Appendix A: Conversion of eIDAS Attributes](#conversion-of-eidas-attributes) presents a full listing of all eIDAS attributes and how they map to OpenID Connect claims. The sub-sections below define additional claims that may be added by the Swedish eIDAS-node. +[Appendix A: Conversion of eIDAS Attributes](#conversion-of-eidas-attributes) presents a full listing of all eIDAS attributes and how they map to OpenID Connect claims. The subsections below define additional claims that may be added by the Swedish eIDAS-node. #### 2.1.1. Provisional Identifier @@ -180,7 +182,7 @@ The scopes defined in this specification are named in a collision-resistant mann Section 3 of \[[OIDC.Sweden.Claims](#oidc-sweden-claims)\] states the following: -> Many Relying Parties that use OpenID Connect to authenticate users cannot solely depend on the user's session at the OpenID Provider and the `sub` claim to log in the user to the RP application. In the context of Swedish eID there are some obvious claims that are regarded to be "primary" identity claims by Relying Parties, for example, a Swedish personal identity number. Such claims are needed by the Relying Party in order to log in a user to its application. Therefore, this specification's scope definitions will define that some claims are to be delivered in the ID Token so that a Relying Party can fully log in a user without having to make a, potentially, unnecessary call to the UserInfo endpoint. +> Many Relying Parties that use OpenID Connect to authenticate users cannot solely depend on the user's session at the OpenID Provider and the `sub` claim to log in the user to the RP application. In the context of Swedish eID there are some obvious claims that are regarded to be "primary" identity claims by Relying Parties, for example, a Swedish personal identity number. Such claims are needed by the Relying Party in order to log in a user to its application. Therefore, this specification's scope definitions will define that some claims are to be delivered in the ID Token so that a Relying Party can fully log in a user without having to make a potentially unnecessary call to the UserInfo endpoint. The above is true also for Relying Parties authenticating users against the Swedish eIDAS Connector. @@ -259,7 +261,7 @@ Not all eIDAS attributes/claims listed in [Appendix A](#conversion-of-eidas-attr - For all other optional eIDAS attributes (see [Appendix A](#conversion-of-eidas-attributes)), an explicit claim request should be included. These claims SHOULD NOT be marked as "essential" since they are not mandatory according to \[[eIDAS.Attributes](#eidas-attr)\]. -> Section 2.2.1 of \[[eIDAS.Attributes](#eidas-attr)\] defines the eIDAS Minimum Dataset for Natural Persons. This set comprises of the eIDAS attributes FamilyName, FirstName, DateOfBirth and PersonIdentifier. In order for a Relying Party to obtain the corresponding OpenID Connect claims from an eIDAS authentication it should specify the `https://id.oidc.se/scope/naturalPersonInfo` and `https://id.swedenconnect.se/scope/eidasNaturalPersonIdentity` scopes in an authentication request sent to the Swedish eIDAS Connector. +> Section 2.2.1 of \[[eIDAS.Attributes](#eidas-attr)\] defines the eIDAS Minimum Dataset for Natural Persons. This set consists of the eIDAS attributes FamilyName, FirstName, DateOfBirth and PersonIdentifier. In order for a Relying Party to obtain the corresponding OpenID Connect claims from an eIDAS authentication it should specify the `https://id.oidc.se/scope/naturalPersonInfo` and `https://id.swedenconnect.se/scope/eidasNaturalPersonIdentity` scopes in an authentication request sent to the Swedish eIDAS Connector. @@ -317,6 +319,11 @@ Not all eIDAS attributes/claims listed in [Appendix A](#conversion-of-eidas-attr **\[ISO3166-3\]** > [ISO, "ISO 3166-3:2020. Codes for the representation of names of countries and their subdivisions -- Part 3: Code for formerly used names of countries", 2020](https://www.iso.org/standard/72482.html). + +## 5. Changes between versions + +This is the first version of this specification. + ## Appendix A: Conversion of eIDAS Attributes diff --git a/OpenID Connect Profile for Sweden Connect.md b/OpenID Connect Profile for Sweden Connect.md index 5edc35a..ebe6757 100644 --- a/OpenID Connect Profile for Sweden Connect.md +++ b/OpenID Connect Profile for Sweden Connect.md @@ -8,9 +8,9 @@ # OpenID Connect Profile for Sweden Connect -### Version 1.0 - 2024-12-02 - *Draft version* +### Version 1.0 - 2024-12-04 -Registration number: **TBD** +Registration number: **2024-7674** --- @@ -54,6 +54,8 @@ Copyright © The Swedish Agency for Digital Go 4. [**References**](#references) +5. [**Changes between versions**](#changes-between-versions) + --- @@ -271,3 +273,8 @@ See further requirements concerning client metadata in section 2 of \[[OpenID.Re **\[SC.SAML.Profile\]** > [Deployment Profile for the Swedish eID Framework](https://docs.swedenconnect.se/technical-framework/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html). + + +## 5. Changes between versions + +This is the first version of this specification. diff --git a/docs/december-2024/00_-_Swedish_eID_Framework_-_Introduction.html b/docs/december-2024/00_-_Swedish_eID_Framework_-_Introduction.html new file mode 100644 index 0000000..8f73e60 --- /dev/null +++ b/docs/december-2024/00_-_Swedish_eID_Framework_-_Introduction.html @@ -0,0 +1,569 @@ + + + + + + Introduction to the Sweden Connect Technical Framework + + + + + + +

+ + +

+

+ +

+ +

Introduction to the Sweden Connect Technical Framework

+

2024-12-04

+

Registration number: 2019-267

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Overview

    +

    1.2. The Assurance Framework and Levels of Assurance

    +

    1.3. Service for Collection, Administration and Publishing of Metadata

    +

    1.4. Discovery Service

    +

    1.5. Relying Party Integration

    +

    1.6. Signatures

    +

    1.7. The Technical Framework and eIDAS

    +

    1.7.1. Foreign eID Authentication

    +

    1.7.2. Signing using a Foreign eID

    +

    1.7.3. Handling of Identities

    +

    1.7.4. Swedish eID:s in Foreign Services

    +
    2. +

  2. Technical Specifications

    +

    2.1. Profiles and Specifications for SAML

    +

    2.1.1. Deployment Profile for the Swedish eID Framework

    +

    2.1.2. Swedish eID Framework - Registry for identifiers

    +

    2.1.3. Attribute Specification for the Swedish eID Framework

    +

    2.1.4. Entity Categories for the Swedish eID Framework

    +

    2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework

    +

    2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework

    +

    2.1.7. Principal Selection in SAML Authentication Requests

    +

    2.1.8. User Message Extension in SAML Authentication Requests

    +

    2.2. Profiles and Specifications for OpenID Connect

    +

    2.2.1. OpenID Connect Profile for Sweden Connect

    +

    2.2.2. OpenID Connect Claims and Scopes Specification for Sweden Connect

    +

    2.3. Signature Specifications

    +

    2.3.1. Implementation Profile for using OASIS DSS in Central Signing Services

    +

    2.3.2. DSS Extension for Federated Central Signing Services

    +

    2.3.3. Certificate Profile for Certificates Issued by Central Signing Services

    +

    2.3.4. Signature Activation Protocol for Federated Signing

    +
    3. +

  3. References

    +

    3.1. DIGG

    +

    3.2. Other References

    +
    4. +
+

+

1. Introduction

+

+

1.1. Overview

+

The Swedish eID Framework (Sweden Connect Technical Framework) is adapted for identity federations based on SAML 2.0.

+
+

In the latest version of the framework, specifications for OpenID Connect have been introduced. Currently, there is no federation support for OpenID Connect. This will be introduced during 2025.

+
+
+

Currently, the document only describes the Sweden Connect SAML-federation. When support for an OpenID Connect-federation has been fully implemented, this document will be updated to describe this technique as well.

+
+

Relying parties receive identity assertions in a standardized format +from an identity provider.

+

Service providers that require electronic signatures do not need to be adapted to different +signature techniques based on different types of eID:s. Instead, a service provider makes +use of a signature service where users with the support of authenticating at an identity +provider are given the possibility to sign digital documents.

+

Within the federation, e-services and relying parties are taking the roles of +Service Providers (SP), and authenticating services issuing identity assertions assume +the roles of Identity Providers (IdP).

+

In cases where the service provider needs more information about the user, for example its +legal authority, an attribute service (Attribute Authority) within the federation can be queried, if such a service exists. Through an attribute +request a service provider can obtain the necessary supplementary information in order to +authorize the user and provide access to its service.

+

As both personal identity information and other attributes linked to +users are provided through identity assertions, all types of eID:s that have +an identity provider within the federation can be used by a service provider +that requires specific identity attributes, even if a particular eID does not +hold this information.

+

+

Figure 1: Illustration of the communication between the different services within an identity federation.

+

+

1.2. The Assurance Framework and Levels of Assurance

+

The basis for the level of security applied when a user authenticates is the +level of assurance for the eID required by the service provider. In order for +these levels to be comparable within the federation, four assurance levels are defined (1 to + 4) in the Swedish eID Assurance Framework [TrustFramework] and three +assurance levels (low, substantial, high) are defined by the EU regulation eIDAS. +Any service issuing identity assertions must prove that the process of issuing +identity assertions meets the requirements of a given level. This includes:

+
    +

  • Requirements for the creation of an identity assertion.

    +
    • +

  • Requirements for electronic authentication.

    +
    • +

  • Requirements for the issuing process.

    +
    • +

  • Requirements for the actual eID and its use.

    +
    • +

  • Requirements on the issuer of the eID.

    +
    • +

  • Requirements for establishing the identity of the eID applicant.

    +
    • +
+

+

1.3. Service for Collection, Administration and Publishing of Metadata

+

A SAML federation provides information about the federation +participants through SAML metadata. Participants of a federation comprises of +services providing identity and attributes assertions and relying parties, i.e., +service providers that consume these services.

+

Through the federation's metadata, participants obtain information about others +participants' services, including the information required for a safe +exchange of information between services. Metadata needs to be updated +by each party and conform to agreed conditions.

+

The main purpose of metadata is to provide the keys/certificates +required for secure communication and information exchange between services. +In addition to keys, metadata also contain other important information +for collaboration between services, for example, addresses of required functions, +information on assurance levels, service categories, user interface information, etc.

+

An identity federation is defined by a register in XML format that is +signed with the federation operator certificate. The file contains +information on identity federation members including their +certificates. Because the metadata file is signed, it is sufficient to +compare a certificate with its equivalent in metadata. An +infrastructure based on a central federation register requires +that the register is constantly updated and that the members of the federation +always use the latest version of the file.

+

+

1.4. Discovery Service

+

Within an identity federation, it is possible to offer and consume a common +Discovery Service, that lists which identity providers (or eID:s) that are +available for a user to choose from to authenticate. The purpose of such a +service is to relieve the individual service providers that are part of the +identity federation from implementing support for how users choose how to +authenticate.

+

By making the discovery service available within the identity federation, +service providers may direct its users there for the choice of how to authenticate. +The discovery service interacts with the user who makes the choice and is +directed back to the service provider, along with the selected authentication choice. +The service provider now knows to which identity provider the user should be directed +to for authentication.

+
+

Currently, there is no common discovery service available within the Sweden Connect federation.

+
+

+

1.5. Relying Party Integration

+

Relying parties, e.g., service providers, integrate towards identity providers using +standardized messages and consume identity assertions that also have a standardized +format.

+

The Swedish eID Framework is influenced by the interoperability profile +”SAML V2.0 Deployment Profile for Federation Interoperability” +[SAML2Int]. This profile is supported by several commercial +products and vendors as well as open source libraries. This facilitates +the integration at the relying party side.

+

Most relying parties use stand-alone authentication servers which means that +the integration adaptation for supporting the Swedish eID Framework usually +is limited to the authentication solution used.

+

+

1.6. Signatures

+

The Swedish eID Framework enables digital signatures using any type of eID, even +those not based on certificates, as long as there is an identity provider for +the particular eID. The reason for this is that the identity assertion that is +used during authentication for signature is standardized.

+

A Signature Service has as its purpose to offer digital signature services +within identity federations that follows the Swedish eID Framework.

+

By procuring1 and introducing a signature service, a relying party within the +federation can offer users to sign electronic documents with the support +of the signature service. The user signature, and associated signature certificate, +is created by the signature service after the user has accepted to sign the +document by authenticating for the signature service2.

+
+

[1]: It is also possible for a relying party to implement a signature service based on the specifications.

+
+
+

[2]: It is important to point out that it is of the utmost importance that the user +experiences that he or she is signing a document. Therefore, a signature flow should be +used for the eID types that support this during "authentication for signature".

+
+

+

1.7. The Technical Framework and eIDAS

+

The EU regulation (910/2014) +on electronic identification and trust services, eIDAS, places demands on Swedish +public bodies to recognize the eID:s that other eIDAS countries have notified. +This means that a public Swedish e-service based on certain rules must be able +to accept a login that is performed with an eID issued in another country.

+

+

1.7.1. Foreign eID Authentication

+

The eIDAS technical specifications is built, as for the Swedish eID +Framework, upon SAML standards and profiles, and even though the +similarities are many, there are also differences between the specifications. +However, a Swedish service provider does not have top directly relate to +the eIDAS specifications. The figure below illustrates how the Swedish +eIDAS node (eIDAS connector) acts as a proxy between other countries +and the Swedish federation when a person is authenticated using a foreign +eID at a Swedish service provider.

+

+

The flow is as follows:

+
    +

  1. A user with a foreign eID requests access to a Swedish service provider (i.e., wants to log in).

    +
    2. +

  2. The service provider lets the user select the login method using a + discovery service. In this case the user chooses the "Foreign eID" option.

    +
    3. +

  3. The service provider creates an authentication request according to + the Swedish eID Framework and directs the user to the Swedish eIDAS + node (connector). The eIDAS node acts as an identity provider within + the federation, which implies that the interaction with this service is + performed in the same way as for other identity providers that comply + with the Swedish eID Framework.

    +
    4. +

  4. The received request is processes and the eIDAS node displays a page + where the user chooses his or hers country1. The Swedish + eIDAS node now transforms the received authentication request into an + authentication request according to the eIDAS format, and directs the + user to the selected country's eIDAS Proxy Service.

    +
    5. +

  5. When the authentication request is processed by the eIDAS proxy service + of the selected country, this country's technique for authentication will + be used. Not all countries within eIDAS use SAML for authentication, but + if that was the case in our example, the user would be directed to a + national identity provider, and before that, maybe also a discovery service + where the eID to use would be selected.

    +
    6. +

  6. When the user has authenticated an identity assertion, according to the + eIDAS specifications, is created. This assertion contains eIDAS specific + attribute that identify the user. This assertion is now posted back to the + Swedish eIDAS node.

    +
    7. +

  7. The node receives the assertion and validates its validity. The assertion is + transformed from eIDAS format to an assertion according to the Swedish eID Framework + and is posted back to the service provider.

    +
    8. +

  8. The service provider may now complement the data with additional information + in order to decide whether the user should be granted access to the service.

    +
    9. +
+

Thus, Swedish services only have to implement support according to the Swedish eID +Framework also when authenticating foreign users. However, in order for the service +to fully accept the authenticated user it must also be able to handle the identity +presented, and this is most likely not a Swedish personal identity number. See further +section 1.7.3 below.

+
+

[1]: The correct way to describe this would be to ask the user to which eIDAS Proxy +Service to send the request to. This is dependent on the nationality of the user's +eID issuer.

+
+

+

1.7.2. Signing using a Foreign eID

+

As already described, a model for digital signatures named "federated signatures" +is used within the context of the Swedish eID Framework. A server based signature +service is associated with the e-service that is the requestor of signatures. +When a user signs a document the e-service directs the user along with a signature +request to the signature service. The signature service now requests that the +user authenticate (at an identity provider). In conjunction with the authentication +the user approves the signature. The signature service then sends the user back to +the e-service along with the signature data, and the e-service stores the signature +as a signed document.

+

This procedure makes it possible for Swedish e-services to offer signing för users +having foreign eID:s, since a signature service can choose to authenticate the user +having a foreign eID in accordance with the process described in section 1.7.1 above.

+

In this case, the Swedish eIDAS node is responsible of informing the user that +the purpose of the authentication is to approve the signature of a document, +and displays information about the requestor of the signature and information +about what is being signed. When the user has authenticated an identity assertion +is issued and sent back to the signature service who now generates the signature.

+

+

1.7.3. Handling of Identities

+

Identity assertions from other countries follow common technical +specifications within the framework of the eIDAS regulations. These +specifications define a Minimum Dataset (MDS) which is the a set of +attributes that every country must supply for authenticated users and +legal entities. Each country must provide an unique identifier per eID +that represents a natural person. For some countries, these identifiers +will be unique and persistent per person in the same way as a Swedish +personal identity number is, but identifiers may have different compositions +and properties. A property that may vary is the persistence of an +person identifier, i.e., whether such an identifier is unchanged during +a person's lifetime, or whether it is changed because the user moves to +another region, changes name, or simply obtains a new eID. For some +countries (for example, Great Britain) the identifier will be different +depending on which of the country's eID:s that user is currently using.

+

In order to simplify the handling of users and identities in Swedish services +the Swedish eIDAS node generates a standardized identity attribute for +users that have been authenticated using a foreign eID, a so called +Provisional ID (PRID). The eIDAS node will also create an attribute +that declares which persistence, or lifetime, the PRID attribute has. +The PRID attribute is generated based on attributes values received from +the foreign authentication according to specific methods for each country. +Every combination of country and method a graded based on expected persistence, +i.e., how likely it is that an identity for a person is changed over time. +This makes it possible for Swedish services to customize the communication +with the user and to proactively provide features for a user whose identity +has changed, and make it possible for this user to access his or hers account.

+

In some cases, a person that has been authenticated using a foreign eID may +hold a Swedish personal identity number. It can, for example, be a Swedish +citizen that has moved abroad and obtained a foreign eID, or a foreign +citizen that is, or has been, registered (folkbokförd) in Sweden and has been +assigned a Swedish personal identity number.

+

The fact that a person holding a foreign eID possesses a Swedish personal identity +number is normally not known to the foreign identity provider, and this information +will not be part of the identity assertion from the foreign country. However, the +Swedish eIDAS node has the possibility to query an attribute authority in Sweden1 +whether there exists a registered Swedish personal identity number for the person +being authenticated, and may, if this is the case, add this information to the identity +assertion that is sent back to the Swedish service provider.

+
+

[1]: At the time of writing there is no attribute authority available +providing Swedish personal identity numbers based on eIDAS attributes.

+
+

+

1.7.4. Swedish eID:s in Foreign Services

+

Sweden has notified Swedish eID:s according to the assurance levels substantial and high.

+

A request for authentication from a foreign service provider is sent to the Swedish +eIDAS node (eIDAS proxy service) via an eIDAS connector in the service provider country. +At the Swedish eIDAS node, the user chooses which Swedish eID he or she wants to use +to authenticate, and an authentication request is sent to the identity provider that +offers authentication for the selected eID. This request is according to the Swedish +eID Framework which means that a Swedish identity provider does not have to conform to +the eIDAS technical specifications.

+

The user is authenticated by the Swedish identity provider and an identity assertion +is issued (according to the Swedish eID Framework). This assertion is received by the +Swedish eIDAS node (proxy service), and transformed to an assertion according to the +eIDAS specifications before being sent to the foreign eIDAS connector, and then to the +initiating foreign service provider.

+

+

2. Technical Specifications

+

This chapter contains specifications and profiles for identity federations and +related services that conforms to the Swedish eID Framework (Sweden Connect +Technical Framework). These documents are normative for the delivery of services +within identity federations that implement the Swedish eID Framework, unless +otherwise stated.

+

+

2.1. Profiles and Specifications for SAML

+

Identity federations conforming to the Swedish eID Framework are built around +”Deployment Profile for the Swedish eID Framework”, [SAML.Profile]. +This profile is influenced by, but not normatively dependent on, ”SAML V2.0 Deployment Profile for Federation Interoperability” [SAML2Int]. [SAML.Profile] also contains rules and guidelines specific for the Swedish eID Framework.

+

+

2.1.1. Deployment Profile for the Swedish eID Framework

+

The ”Deployment Profile for the Swedish eID Framework” specification, [SAML.Profile], +is the main specification of the eID Framework and comprises of:

+
    +

  • How SAML metadata is constructed and interpreted.

    +
    • +

  • How the format of an authentication request should be compiled.

    +
    • +

  • How an authentication request should be processed, and how an identity assertion should be constructed, verified and processed.

    +
    • +

  • Security requirements.

    +
    • +

  • Specific SAML requirements for signature services and "authentication for signature".

    +
    • +
+

+

2.1.2. Swedish eID Framework - Registry for identifiers

+

The implementation of an infrastructure for Swedish eID:s demand different forms +of identifiers to represent objects in data structures. The document +”Sweden Connect - Registry for identifiers”, [SC.Registry], +defines the structure for identifiers that are assigned within the scope of +the Swedish eID Framework, and contains a registry of defined identifiers.

+

+

2.1.3. Attribute Specification for the Swedish eID Framework

+

The specification ”Attribute Specification for the Swedish eID Framework”, +[SAML.Attributes], declares the SAML attribute profiles +that are used within identity federations that follow the Swedish eID +Framework, including services that connect to eIDAS using the Swedish eID +node.

+

+

2.1.4. Entity Categories for the Swedish eID Framework

+

Entity Categories are used within the federation for different purposes:

+
    +

  • Service Entity Categories – Are used in metadata to represent service + provider requirements regarding assurance levels and attributes, + and identity provider declarations for supported assurance levels + and attribute release capabilities.

    +
    • +

  • Service Property Categories – Are used to represent certain properties + of services within the federation.

    +
    • +

  • Service Type Entity Categories – Represents different service types + within the federation.

    +
    • +

  • Service Contract Entity Categories - Are used by services to declare + legal and business agreements.

    +
    • +

  • General Entity Categories - Entity categories that do not fall within + the scope of any of the other types.

    +
    • +
+

The specification ”Entity Categories for the Swedish eID Framework” +[SAML.EntCat] specifies the entity categories that are defined in +the Swedish eID Framework and describes their meaning.

+

+

2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework

+

The specification ”eIDAS Constructed Attributes Specification for the Swedish +eID Framework”, [SC.eIDAS.Attrs], defines processes and +rules for how an identity attribute are constructed based on the attributes that are +received during an eIDAS authentication.

+

+

2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework

+

The specification "Implementation Profile for BankID Identity Providers within the Swedish eID Framework", [SAML.BankID], defines rules for identity providers that implement +support for the Swedish BankID eID.

+
+

Note: This specification is not normative for conformance to the Swedish eID Framework. +It is only relevant for identity providers implementing support for BankID and for service +providers using those identity providers. However, an identity provider that implements BankID and wants to join the Sweden Connect federation must follow this specification.

+
+

+

2.1.7. Principal Selection in SAML Authentication Requests

+

The specification "Principal Selection in SAML Authentication Requests", [SAML.Principal], defines an extension to SAML making it possible for a relying party +to inform an identity provider about the identity of the user that it wishes to be authenticated.

+

+

2.1.8. User Message Extension in SAML Authentication Requests

+

The specification "User Message Extension in SAML Authentication Requests", [SAML.UMessage], defines an extension to SAML making it possible for a relying party to pass along a display message in the authentication request being sent to the identity provider. The identity provider can then display a custom message for the user during the authentication phase.

+

+

2.2. Profiles and Specifications for OpenID Connect

+

+

2.2.1. OpenID Connect Profile for Sweden Connect

+

The specification "OpenID Connect Profile for Sweden Connect", [OIDC.Profile], extends the The Swedish OpenID Connect Profile which is an OpenID Connect-profile published by OIDC Sweden in order to facilitate interoperability and security for Swedish OIDC-deployments.

+

[OIDC.Profile] adds additional requirements for the Sweden Connect federation.

+

+

2.2.2. OpenID Connect Claims and Scopes Specification for Sweden Connect

+

The specification "OpenID Connect Claims and Scopes Specification for Sweden Connect", [OIDC.Claims], extends the Claims and Scopes Specification for the Swedish OpenID Connect Profile specification published by OIDC Sweden. Specifically, the [OIDC.Claims] add claims and scopes definitions for eIDAS.

+

+

2.3. Signature Specifications

+

This section contains references to the documents that define signature services +within federations conformant to the Swedish eID Framework.

+

+

2.3.1. Implementation Profile for using OASIS DSS in Central Signing Services

+

The implementation profile ”Implementation Profile for Using OASIS DSS in +Central Signing Services”, [Sign.DSS.Profile], specifies a profile +for signature requests and responses according to the OASIS standard +”Digital Signature Service Core Protocols, Elements, and Bindings”, +[DSS].

+

+

2.3.2. DSS Extension for Federated Central Signing Services

+

”DSS Extension for Federated Central Signing Services”, [Sign.DSS.Ext], is an +extension to the OASIS standard ”Digital Signature Service Core Protocols, Elements, and Bindings”, [DSS], where definitions required for signatures according to the Swedish +eID Framework are specified.

+

+

2.3.3. Certificate Profile for Certificates Issued by Central Signing Services

+

The certificate profile ”Certificate profile for certificates issued by Central Signing services”, [Sign.Cert.Profile], specifies the contents of a signature certificate. This profile +defines a certificate extension for use by signature services.

+

This profile refers to "Authentication Context Certificate Extension", [AuthContext], +that describes how an ”Authentication Context” is represented in X.509 certificates.

+

+

2.3.4. Signature Activation Protocol for Federated Signing

+

The specification "Signature Activation Protocol for Federated Signing", [Sign.Activation], +defines a "Signature Activation Protocol" (SAP) for implementation of "Sole Control Assurance Level 2" (SCAL2) according to the standard "prEN 419241 - Trustworthy Systems Supporting Server Signing".

+

+

3. References

+

+

3.1. DIGG

+

+[TrustFramework]

+
+

Tillitsramverk för Svensk e-legitimation.

+
+

+[SC.Registry]

+
+

Sweden Connect - Registry for identifiers.

+
+

+[SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SAML.Attributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SAML.EntCat]

+
+

Entity Categories for the Swedish eID Framework.

+
+

+[SC.eIDAS.Attrs]

+
+

eIDAS Constructed Attributes Specification for the Swedish eID +Framework.

+
+

+[SAML.BankID]

+
+

Implementation Profile for BankID Identity Providers within the Swedish eID Framework.

+
+

+[SAML.Principal]

+
+

Principal Selection in SAML Authentication Requests.

+
+

+[SAML.UMessage]

+
+

User Message Extension in SAML Authentication Requests.

+
+

+[OIDC.Profile]

+
+

OpenID Connect Profile for Sweden Connect.

+
+

+[OIDC.Claims]

+
+

OpenID Connect Claims and Scopes Specification for Sweden Connect.

+
+

+[Sign.DSS.Profile]

+
+

Implementation Profile for Using OASIS DSS in Central Signing +Services.

+
+

+[Sign.DSS.Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[Sign.Cert.Profile]

+
+

Certificate profile for certificates issued by Central Signing +services.

+
+

+[Sign.Activation]

+
+

Signature Activation Protocol for Federated Signing.

+
+

+

3.2. Other references

+

+[SAML2Int]

+
+

SAML V2.0 Deployment Profile for Federation Interoperability.

+
+

+[DSS]

+
+

OASIS Standard – Digital Signature Service Core Protocols, Elements, +and Bindings Version 1.0, April 11, +2007.

+
+

+[AuthContext]

+
+

RFC-7773: Authentication Context Certificate Extension.

+
+
+ + diff --git a/docs/december-2024/00_-_Tekniskt_ramverk_-_Introduktion.html b/docs/december-2024/00_-_Tekniskt_ramverk_-_Introduktion.html new file mode 100644 index 0000000..ad1944b --- /dev/null +++ b/docs/december-2024/00_-_Tekniskt_ramverk_-_Introduktion.html @@ -0,0 +1,587 @@ + + + + + + En introduktion till Sweden Connect Tekniskt ramverk + + + + + + +

+ + +

+

+ +

+ +

En introduktion till Sweden Connect Tekniskt ramverk

+

2024-12-04

+

Diarienummer: 2019-267

+
+

+Copyright © Myndigheten för digital förvaltning (Digg), 2015-2024. +

+ +

Innehållsförteckning

+
    +

  1. Introduktion

    +

    1.1. Översikt

    +

    1.2. Tillitsramverk och säkerhetsnivåer

    +

    1.3. Tjänst för insamling, administration och publicering av metadata

    +

    1.4. Anvisningstjänst

    +

    1.5. Integration hos förlitande part

    +

    1.6. Underskrift

    +

    1.7. Tekniskt ramverk och eIDAS

    +

    1.7.1. Autentiseringar med utländska e-legitimationer

    +

    1.7.2. Underskrifter med utländska e-legitimationer

    +

    1.7.3. Hantering av identiteter

    +

    1.7.4. Svenska e-legitimationer i utländska e-tjänster

    +
    2. +

  2. Tekniska specifikationer

    +

    2.1. Profiler och specifikationer för SAML

    +

    2.1.1. Deployment Profile for the Swedish eID Framework

    +

    2.1.2. Swedish eID Framework - Registry for identifiers

    +

    2.1.3. Attribute Specification for the Swedish eID Framework

    +

    2.1.4. Entity Categories for the Swedish eID Framework

    +

    2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework

    +

    2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework

    +

    2.1.7. Principal Selection in SAML Authentication Requests

    +

    2.1.8. User Message Extension in SAML Authentication Requests

    +

    2.2. Profiler och specifikationer för OpenID Connect

    +

    2.2.1. OpenID Connect Profile for Sweden Connect

    +

    2.2.2. OpenID Connect Claims and Scopes Specification for Sweden Connect

    +

    2.3. Specifikationer för Underskrift

    +

    2.3.1. Implementation Profile for using OASIS DSS in Central Signing Services

    +

    2.3.2. DSS Extension for Federated Central Signing Services

    +

    2.3.3. Certificate Profile for Certificates Issued by Central Signing Services +

    +

    2.3.4. Signature Activation Protocol for Federated Signing

    +
    3. +

  3. Referenslista

    +

    3.1. DIGG

    +

    3.2. Övriga referenser

    +
    4. +
+

+

1. Introduktion

+

+

1.1. Översikt

+

Sweden Connect Tekniskt Ramverk är anpassat för +identitetsfederationer som baseras på SAML 2.0.

+
+

I den senaste versionen av Tekniskt ramverk har även specifikationer för OpenID Connect introducerats. För närvarande finns inget federationsstöd för OpenID Connect. Detta kommer att introduceras under 2025.

+
+
+

Resterande delar av detta dokument beskriver endast SAML-federationen. Då OpenID Connect introduceras fullt ut kommer även detta dokument att beskriva denna teknik.

+
+

Förlitande parter erhåller identitetsintyg i ett standardiserat format +från en legitimeringstjänst1.

+

E-tjänster som kräver underskrift behöver inte anpassas efter olika +användares e-legitimationer för att skapa elektroniska underskrifter. +Istället överlåter e-tjänsten detta till en underskriftstjänst där användare +med stöd av legitimering via en legitimeringstjänst ges möjlighet att underteckna +elektroniska handlingar.

+

Inom federationen intar e-tjänster och motsvarande förlitande parter +rollen som Service Provider (SP) medan legitimeringstjänster som +utfärdar identitetsintyg intar rollen som Identity Provider (IdP) och +därmed den som autentiserar användaren, oavsett mot vilken e-tjänst som +användaren legitimerar sig.

+

För de fall där e-tjänsten behöver mer information om användaren t ex. +uppgift om juridisk behörighet, kan en fråga ställas till en +attributtjänst, Attribute Authority (AA), inom federationen, om sådan +relevant attributtjänst finns. Genom en attributsförfrågan kan +e-tjänsten erhålla nödvändig kompletterande information för att kunna +auktorisera användaren och ge tillgång till e-tjänsten eller +motsvarande.

+

Då såväl personidentitetsuppgifter som andra attribut kopplat till +användare tillhandahålls genom identitetsintyg och attributsintyg, kan +alla typer av e-legitimationer som förlitande part har avtal om och som +ingår i federationen användas för legitimering mot en e-tjänst som +kräver såväl personnummer som ytterligare information, även om +e-legitimationen inte innehåller några specifika personuppgifter +(t.ex. koddosor för generering av engångslösenord).

+

+

Figur 1: Illustration av kommunikationen mellan de olika tjänsterna inom +en identitetsfederation.

+
+

[1]: Legitimeringstjänst benämns i annan dokumentation från Digg också som identitetstjänst och intygstjänst. I detta dokument används dock uteslutande benämningen legitimeringstjänst.

+
+

+

1.2. Tillitsramverk och säkerhetsnivåer

+

Grunden för vilken säkerhetsnivå som tillämpas när en användare +legitimerar sig är den tillitsnivå avseende e-legitimationen som +e-tjänsten kräver. För att dessa säkerhetsnivåer ska kunna vara +jämförbara inom ramen för federationen definieras fyra tillitsnivåer (1 +– 4) i Tillitsramverket för Svensk e-legitimation [Digg.Tillit] och tre +tillitsnivåer (låg, väsentlig, hög) i EU-förordningen eIDAS. Alla som +utfärdar identitetsintyg måste visa att hela den process som ligger till +grund för utfärdandet av identitetsintyg uppfyller kraven i den +efterfrågade tillitsnivån, detta innefattar bl.a.

+
    +

  • Krav på skapandet av identitetsintyget.

    +
    • +

  • Krav på den elektroniska legitimeringen (autentiseringen).

    +
    • +

  • Krav på utfärdandeprocessen.

    +
    • +

  • Krav på själva e-legitimationen och dess användning.

    +
    • +

  • Krav på utfärdaren av e-legitimationen.

    +
    • +

  • Krav på fastställande av den e-legitimationssökandens identitet.

    +
    • +
+

+

1.3. Tjänst för insamling, administration och publicering av metadata

+

En SAML-federation tillhandahåller information om federationens +deltagare genom SAML metadata. Som deltagare i en federation räknas +såväl aktörer som levererar legitimerings- och attributtjänster i +federationen som förlitande parter, d.v.s. aktörer som konsumerar dessa +tjänster, t ex. e-tjänster.

+

Genom federationens metadata kan deltagare inhämta information om andra +deltagares tjänster, inklusive de uppgifter som krävs för ett säkert +informationsutbyte mellan deltagarna. Metadata måste hållas uppdaterat +av respektive part och överensstämma med avtalade förhållanden.

+

Det viktigaste syftet med metadata är att tillhandahålla de nycklar/certifikat +som krävs för säker kommunikation och informationsutväxling mellan tjänster. +Utöver nycklar innehåller metadata även annan information som är viktig +för samverkan mellan tjänster t ex. adresser till funktioner som krävs, +information om tillitsnivåer, tjänstekategorier, +användargränssnittsinformation mm.

+

En identitetsfederation definieras av ett register i XML-format som är +signerat med federationsoperatörens certifikat. Filen innehåller +information om identitetsfederationens medlemmar inklusive deras +certifikat. Eftersom filen med metadata är signerad räcker det med att +jämföra ett certifikat med dess motsvarighet i metadata. En +infrastruktur baserad på ett centralt federationsregister förutsätter +att registret uppdateras kontinuerligt samt att federationsmedlemmarna +alltid använder den senaste versionen av filen.

+

+

1.4. Anvisningstjänst

+

I en identitetsfederation är det möjligt att erbjuda och konsumera en +gemensam anvisningstjänst (Discovery Service), som listar vilka +legitimeringstjänster som är möjliga för användaren att välja mellan. +Syftet med en sådan anvisningstjänst är att avlasta de enskilda +e-tjänsterna som ingår i identitetsfederationen från att själva +implementera stöd för hur användare väljer legitimeringstjänst (eller +inloggningsmetod).

+

Genom att anvisningstjänsten finns tillgänglig inom +identitetsfederationen kan e-tjänster styra sina användare dit för val +av legitimeringstjänst. Anvisningstjänsten interagerar med användaren +som gör sitt val och användaren, tillsammans med dennes val, styrs +tillbaka till e-tjänsten som nu vet till vilken legitimeringstjänst +användaren ska skickas för legitimering.

+
+

För närvarande finns ingen gemensam anvisningstjänst för Sweden Connect-federationen.

+
+

+

1.5. Integration hos förlitande part

+

Förlitandeparter, t.ex. e-tjänster, integrerar mot legitimeringstjänster +genom standardiserade meddelanden och konsumerar identitetsintyg vilka +också har standardiserade format.

+

Sweden Connect tekniskt ramverk är influerad av interoperabilitetsprofilen +”SAML V2.0 Deployment Profile for Federation Interoperability” +[SAML2Int]. Profilen stöds av ett flertal kommersiella +produkter och Open Source-lösningar, vilket underlättar integrationsarbetet +hos e-tjänster.

+

Många e-tjänster använder fristående autentiseringslösningar vilket +innebär att en anpassning av integrationen för att följa +tekniskt ramverk får en begränsad påverkan på e-tjänsten som sådan.

+

+

1.6. Underskrift

+

Vid underskrift blir det med Sweden Connect tekniskt ramverk +möjligt att använda olika typer av e-legitimationer, även sådana som +inte är certifikatbaserade, utan att speciella anpassningar i e-tjänsten +behövs. Anledningen är att det är det elektroniskt utställda +identitetsintyget (som används för identifiering av användare vid +underskrift) har samma format oavsett vilken typ av e-legitimation som +användaren använder.

+

En underskriftstjänst har som syfte att möjliggöra underskrift inom +identitetsfederationer som följer tekniskt ramverk med stöd av alla +typer av e-legitimationer som erbjuder tillräcklig grad av säkerhet.

+

Genom att upphandla1 och införa en underskriftstjänst kan en förlitande +part som ingår i federationen låta en användare skriva under en +elektronisk handling med stöd av underskriftstjänsten. +Användarens elektroniska signatur och tillhörande signeringscertifikat +skapas av underskriftstjänsten efter det att användaren accepterat att +skriva under genom att legitimera sig mot underskriftstjänsten2.

+
+

[1]: Det är också möjligt att själv implementera en underskriftstjänst baserat på specifikationerna i tekniskt ramverk, eller på annat sätt införskaffa en underskriftstjänst.

+
+
+

[2]: Viktigt att påpeka är att det är av största vikt att användaren upplever det som att denne skriver under en handling. Därför ska ett underskriftsflöde användas för de e-legitimationer som stödjer detta i samband med "legitimering för underskrift".

+
+

+

1.7. Tekniskt ramverk och eIDAS

+

EU-förordningen (910/2014) om elektronisk identifiering och betrodda +tjänster, eIDAS, ställer krav på svenska offentliga organ att erkänna de +e-legitimationer som andra eIDAS-länder har anmält. Detta innebär att en +offentlig svensk e-tjänst baserat på vissa regler skall kunna acceptera +en inloggning som utförs med en e-legitimation utställd i ett annat +land.

+

+

1.7.1. Autentiseringar med utländska e-legitimationer

+

De tekniska specifikationerna för eIDAS bygger, såsom +tekniskt ramverk, på SAML-standarder, och även +om likheterna är många finns även skillnader i dessa specifikationer. En +svensk e-tjänst ska dock inte förhålla sig direkt till eIDAS tekniska +specifikationer. Nedanstående bild illustrerar hur +den svenska eIDAS-noden (eIDAS-connector) agerar som en brygga +mellan andra länder och den svenska federationen då en person autentiseras +med en utländsk e-legitimation mot en svensk e-tjänst. +Den svenska eIDAS-noden följer tekniskt ramverk.

+

+

Flödet är enligt följande:

+
    +

  1. En användare med en utländsk e-legitimation begär åtkomst till en + svensk e-tjänst (d.v.s., loggar in).

    +
    2. +

  2. E-tjänsten låter användaren välja inloggningssätt med hjälp av en + anvisningstjänst. Ett val ”Foreign eID” visas upp, vilket användaren + i eIDAS-fallet väljer.

    +
    3. +

  3. E-tjänsten skapar en legitimeringsbegäran enligt detta tekniska + ramverk och styr användaren till den svenska eIDAS-noden (connector) + som DIGG ansvarar för. eIDAS-noden uppträder som + en legitimeringstjänst (Identity Provider) i federationen in + mot svenska förlitande parter vilket innebär att kommunikation med + denna tjänst utförs på samma sätt som mot övriga + legitimeringstjänster inom federationer som följer tekniskt ramverk.

    +
    4. +

  4. Den mottagna begäran behandlas och eIDAS-noden visar upp en valsida + där användaren väljer ”sitt land”1. Den svenska eIDAS-noden + omvandlar nu den mottagna legitimeringsbegäran till en + legitimeringsbegäran enligt eIDAS och användaren styrs till det + valda landets ”eIDAS Proxy-tjänst”.

    +
    5. +

  5. Då legitimeringsbegäran mottas av den eIDAS-Proxy-tjänst för valt + land tar detta lands teknik för autentisering över. Inte alla länder + inom eIDAS använder SAML för autentisering, men om så var fallet i + vårt exempel skulle användaren styras vidare till en + legitimeringstjänst (Identity Provider), och innan dess kanske även + en anvisningstjänst för val av legitimeringstjänst.

    +
    6. +

  6. Då en autentisering utförts skapas ett intyg (Assertion) enligt + eIDAS specifikationer. Detta intyg innehåller bl.a. eIDAS-specifika + attribut som identifierar användaren. Detta intyg styrs nu vidare till + den svenska eIDAS-noden.

    +
    7. +

  7. Noden tar emot intyget och validerar dess korrekthet. Detta intyg + transformeras från eIDAS-format till ett intyg utformat + enligt tekniskt ramverk och postas till e-tjänsten.

    +
    8. +

  8. Förlitande part kompletterar eventuellt med ytterligare information + och avgör om användaren ska ges till åtkomst till tjänsten.

    +
    9. +
+

Svenska e-tjänster behöver således endast stödja +tekniskt ramverk för att kunna hantera en autentisering utförd med en +europeisk e-legitimation. Dock måste e-tjänsten kunna hantera den +identitet som presenteras, vilket inte nödvändigtvis är ett personnummer. +Det kan alltså hända att en e-tjänst autentiserar en användare via +eIDAS-ramverket, men att användarens +presenterade identitet inte går att använda hos e-tjänsten. Mer om detta +i kapitlet 1.7.3 nedan.

+
+

[1]: Egentligen väljer användaren till vilken ”eIDAS Proxy-tjänst” som begäran ska skickas vidare till. Detta är beroende landstillhörigheten för användarens e-legitimationsutfärdare.

+
+

+

1.7.2. Underskrifter med utländska e-legitimationer

+

Som redan beskrivits tillämpas en modell för +elektronisk underskrift inom ramen för detta tekniska ramverk +som kallas federerad underskrift. En +serverbaserad underskriftstjänst knyts till e-tjänsten som i sin tur +begär underskrift. När en användare skriver under ett dokument skickar +e-tjänsten en underskriftsbegäran till underskriftstjänsten. +Underskriftstjänsten begär därefter att användaren legitimerar sig. I +samband med legitimeringen godkänner användaren underskriften. +Underskriftstjänsten skickar tillbaka uppgifter till e-tjänsten och +därefter lagras underskriftsuppgifterna kopplade till den handling som +har skrivits under.

+

Detta förfarande möjliggör att skriva under även med utländsk +e-legitimation då underskriftstjänsten kan välja att legitimera +användaren med utländsk e-legitimation i enlighet med förfarandet som +beskrivs ovan i avsnitt 1.7.1.

+

Vid en underskrift ansvarar i det fallet den svenska eIDAS-noden för att +användaren upplyses om att syftet med legitimeringen är att skriva under +ett dokument, vem som begärt underskrift samt med eventuell information +om vad som undertecknas. Först när användaren genom att legitimera sig +(för underskrift) utfärdas ett identitetsintyg, som skickas till +underskriftstjänsten och som i sin tur genererar underskriften.

+

+

1.7.3. Hantering av identiteter

+

Identitetsintyg från andra länder följer EU-gemensamma tekniska +specifikationer framtagna inom ramen för eIDAS-regelverket. Här +specificeras de attribut som varje land alltid måste skicka med för +fysiska personer såväl som för organisationer (”Minimum Dataset”, MDS). +Varje land måste skicka med en unik identifierare per e-legitimation som +representerar endast en fysisk person. Från vissa länder kommer dessa +identifierare vara unika och beständiga per person på motsvarande sätt +som t.ex. svenska personnummer, men dessa identifierare kan ha vitt +skilda sammansättningar och ha väldigt olika egenskaper. En egenskap som +kan variera är hur persistent en sådan identifierare är, d.v.s., om en +sådan identifierare är oförändrad under en persons livstid eller om den +ändras om personen exempelvis flyttar till en annan region, byter namn +eller bara byter e-legitimation. Från några länder (t.ex. +Storbritannien) kommer identifieraren att vara olika beroende på vilken +av landets e-legitimationer en användare för tillfället väljer att +använda.

+

För att förenkla hanteringen av användare i svenska e-tjänster +genererar den svenska eIDAS-noden ett standardiserat ID-attribut för +användare som legitimerats med utländsk e-legitimation, ett s.k. +provisional ID (förkortat PRID). Dessutom skapas ett tillhörande +attribut som deklarerar vilken förväntad persistens, eller livslängd, +detta ID-attribut har. PRID-attributet genereras utifrån de +attributvärden som erhålls från den utländska legitimeringen enligt +specificerade metoder för respektive land. Varje kombination av land och +metod klassas med avseende på förväntad persistens, d.v.s., hur +sannolikt det är att en identitet ändras över tiden för samma person. +Detta gör det möjligt för svenska e-tjänster att anpassa kommunikationen +med användaren och proaktivt tillhandahålla funktioner som underlättar +för en användare vars identitet har ändrats, att återfå kontrollen över +sin information i e-tjänsten.

+

I vissa fall kan en person som legitimeras med en utländsk +e-legitimation även inneha ett svenskt personnummer. Det kan till exempel +röra sig om en svensk medborgare som flyttat utomlands och skaffat utländsk e-legitimation +eller en utländsk medborgare som är folkbokförd i Sverige och har tilldelats ett +personnummer.

+

Det faktum att en person med utländsk e-legitimation innehar ett svenskt +personnummer är normalt sett inte känt för den +utländska legitimeringstjänsten och denna information ingår därför inte +i identitetsintyg från landet där personen legitimeras. Den svenska +noden har däremot möjlighet att fråga en attributtjänst i Sverige1 om +det finns ett registrerat personnummer för den +legitimerade personen och kan, om så är fallet, påföra sådan information +i det identitetsintyg som skickas till e-tjänsten.

+
+

[1]: I skrivande stund finns ingen attributtjänst som utför koppling mellan eIDAS-identiteter och svenska personnummer.

+
+

+

1.7.4. Svenska e-legitimationer i utländska e-tjänster

+

Sverige har anmält svenska e-legitimationer på tillitsnivå väsentlig (substantial) och hög (high) enligt eIDAS.

+

En begäran om legitimering från en utländsk e-tjänst ställs till den svenska eIDAS-noden (proxy-tjänst) via en s.k. eIDAS-connector i e-tjänstens land. +I den svenska eIDAS-noden väljer användaren med vilken svensk e-legitimation denne önskar autentisera sig, varpå en legitimeringsbegäran till den legitimeringstjänst (Identity Provider) som hanterar vald e-legitimation skickas. Denna begäran är utformad enligt tekniskt ramverk vilket innebär att en svensk legitimeringstjänst inte behöver förhålla sig till eIDAS tekniska specifikationer.

+

Användaren autentiseras hos den svenska legitimeringstjänsten och ett identitetsintyg ställs ut (enligt tekniskt ramverk). Detta intyg mottas av den svenska eIDAS Proxy-tjänsten och omvandlas till ett intyg enligt eIDAS specifikationer innan det skickas vidare till den utländska eIDAS-connectorn och därpå till den anropande e-tjänsten (Service Provider).

+

+

2. Tekniska specifikationer

+

Detta kapitel innehåller specifikationer och profiler för +identitetsfederationer som följer Sweden Connect tekniskt +ramverk, och vissa kringliggande tjänster. Där inget annat nämns är +dessa dokument normativa för leverans av tjänster inom +identitetsfederationer som implementerar +tekniskt ramverk.

+

+

2.1. Profiler och specifikationer för SAML

+

Identitetsfederationer som följer Sweden Connect tekniska ramverk är uppbyggda +kring ”Deployment Profile for the Swedish eID Framework”, [SAML.Profile]. Denna profil är influerad av, men inte normativt beroende på, ”SAML V2.0 Deployment Profile for Federation Interoperability” [SAML2Int]. [SAML.Profile] innehåller också regler och riktlinjer specifika för Sweden Connect tekniskt ramverk.

+

+

2.1.1. Deployment Profile for the Swedish eID Framework

+

”Deployment Profile for the Swedish eID Framework”, [SAML.Profile], är huvuddokumentet för tekniskt ramverk och specificerar bland annat:

+
    +

  • Hur SAML metadata ska byggas upp och tolkas.

    +
    • +

  • Hur formatet av en legitimeringsbegäran ska se ut.

    +
    • +

  • Hur en legitimeringsbegäran ska behandlas, och hur ett identitetsintyg ska konstrueras, verifieras och behandlas.

    +
    • +

  • Krav på säkerhet.

    +
    • +

  • Specifika SAML-krav för underskriftstjänster och "legitimering för underskrift".

    +
    • +
+

+

2.1.2. Swedish eID Framework - Registry for identifiers

+

Implementering av en infrastruktur för Svensk e-legitimation kräver +olika former av identifierare för att representera objekt i +datastrukturer. Dokumentet ”Sweden Connect - Registry for identifiers”, [SC.Registry], definierar strukturen +för identifierare som tilldelats inom ramen för tekniskt ramverk, samt ett +register över definierade identifierare.

+

+

2.1.3. Attribute Specification for the Swedish eID Framework

+

Specifikationen ”Attribute Specification for the Swedish eID Framework”, +[SAML.Attributes], deklarerar de SAML attributprofiler som används inom +identitetsfederationer som följer tekniskt ramverk inklusive de som +ansluter till eIDAS via den svenska eIDAS-noden.

+

+

2.1.4. Entity Categories for the Swedish eID Framework

+

Entitetskategorier (Entity Categories) används inom federationen för ett antal olika +syften:

+
    +

  • Service Entity Categories – Används i metadata för att + representera e-tjänsters krav på tillitsnivåer och begärda attribut, + samt legitimeringstjänsters uppfyllande av tillitsnivåer och + leverans av attribut.

    +
    • +

  • Service Property Categories – Används för att representera en viss + egenskap hos en tjänst.

    +
    • +

  • Service Type Entity Categories – Används för att representera olika + tjänstetyper inom federationen.

    +
    • +

  • Service Contract Entity Categories - Används av tjänster för att annonsera + avtalsformer och liknande.

    +
    • +

  • General Entity Categories - Entitetskategorier som inte faller inom ramen + för någon av de ovanstående typerna.

    +
    • +
+

Specifikationen ”Entity Categories for the Swedish eID Framework” +[SAML.EntCat] specificerar de entitetskategorier som definieras av tekniskt ramverk och beskriver dess betydelse.

+

+

2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework

+

Specifikationen ”eIDAS Constructed Attributes Specification for the Swedish +eID Framework”, [SC.eIDAS.Attrs], specificerar processer och regler +för hur ID-attribut konstrueras baserat på attribut som tas emot vid +legitimering mot eIDAS.

+

+

2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework

+

Specifikationen "Implementation Profile for BankID Identity Providers within the Swedish eID Framework", [SAML.BankID], definierar regler för hur en legitimeringstjänst som implementerar stöd för BankID skall utformas.

+
+

Notera: Denna specifikation är inte normativ för uppfyllande av tekniskt ramverk. Den är endast relevant för legitimeringstjänster som implementerar stöd för BankID samt e-tjänster som använder dessa. Dock så skall legitimeringstjänster som implementerar stöd för BankID och vill ansluta till Sweden Connect-federationen uppfylla denna specifikation.

+
+

+

2.1.7. Principal Selection in SAML Authentication Requests

+

Specifikationen "Principal Selection in SAML Authentication Requests", [SAML.Principal], definierar en utökning till SAML som möjliggör för en förlitande part att informera en legitimeringstjänst vilken identitet den önskar ska legitimeras.

+

+

2.1.8. User Message Extension in SAML Authentication Requests

+

Specifikationen "User Message Extension in SAML Authentication Requests", [SAML.UMessage], definierar en utökning till SAML som möjliggör för en förlitande part att inkludera ett visningsmeddelande i den legitimeringsbegäran som skickas till legitimeringstjänsten. Legitimeringstjänsten kan då visa upp detta meddelande för använderen under legitimeringssteget.

+

+

2.2. Profiler och specifikationer för OpenID Connect

+

+

2.2.1. OpenID Connect Profile for Sweden Connect

+

Profilen "OpenID Connect Profile for Sweden Connect", [OIDC.Profile], bygger vidare på The Swedish OpenID Connect Profile som är en OpenID Connect-profil framtagen av OIDC Sweden för att främja interoperabilitet och säkerhet inom svenska OIDC-lösningar.

+

[OIDC.Profile] tillför ytterligare krav gällande Sweden Connect-federationen.

+

+

2.2.2. OpenID Connect Claims and Scopes Specification for Sweden Connect

+

Specifikationen "OpenID Connect Claims and Scopes Specification for Sweden Connect", [OIDC.Claims], bygger vidare på specifikationen Claims and Scopes Specification for the Swedish OpenID Connect Profile från OIDC Sweden.

+

+

2.3. Specifikationer för Underskrift

+

Detta stycke innehåller referenser till de dokument vilka definierar +underskriftstjänster inom federationer som följer Sweden Connect tekniskt +ramverk.

+

+

2.3.1. Implementation Profile for using OASIS DSS in Central Signing Services

+

Implementationsprofilen ”Implementation Profile for Using OASIS DSS in +Central Signing Services”, [Sign.DSS.Profile], specificerar en profil för +underskriftsbegäran och respons enligt OASIS standarden "Digital +Signature Service Core Protocols, Elements, and Bindings", +[DSS].

+

+

2.3.2. DSS Extension for Federated Central Signing Services

+

”DSS Extension for Federated Central Signing Services”, [Sign.DSS.Ext], är en påbyggnad av +OASIS standarden ”Digital Signature Service Core Protocols, Elements, and Bindings”, [DSS], där definitioner som behövs för underskrift enligt tekniskt ramverk specificeras.

+

+

2.3.3. Certificate Profile for Certificates Issued by Central Signing Services

+

Certifikatprofilen ”Certificate profile for certificates issued by Central Signing services”, [Sign.Cert.Profile], specificerar innehåll i signeringscertifikat. Denna profil tillämpar en +ny certifikatextension till stöd för underskriftstjänster.

+

Denna profil refererar till "Authentication Context Certificate Extension", [AuthContext], vilken beskriver hur ”Authentication Context” representeras i X.509 certifikat.

+

+

2.3.4. Signature Activation Protocol for Federated Signing

+

Specifikationen "Signature Activation Protocol for Federated Signing", [Sign.Activation], definierar ett "Signature Activation Protocol" (SAP) för implementation av "Sole Control Assurance Level 2" (SCAL2) enligt standarden "prEN 419241 - Trustworthy Systems Supporting Server Signing".

+

+

3. Referenslista

+

+

3.1. DIGG

+

+[Digg.Tillit]

+
+

Tillitsramverk för Svensk e-legitimation.

+
+

+[SC.Registry]

+
+

Sweden Connect - Registry for identifiers.

+
+

+[SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SAML.Attributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SAML.EntCat]

+
+

Entity Categories for the Swedish eID Framework.

+
+

+[SC.eIDAS.Attrs]

+
+

eIDAS Constructed Attributes Specification for the Swedish eID +Framework.

+
+

+[SAML.BankID]

+
+

Implementation Profile for BankID Identity Providers within the Swedish eID Framework.

+
+

+[SAML.Principal]

+
+

Principal Selection in SAML Authentication Requests.

+
+

+[SAML.UMessage]

+
+

User Message Extension in SAML Authentication Requests.

+
+

+[OIDC.Profile]

+
+

OpenID Connect Profile for Sweden Connect.

+
+

+[OIDC.Claims]

+
+

OpenID Connect Claims and Scopes Specification for Sweden Connect.

+
+

+[Sign.DSS.Profile]

+
+

Implementation Profile for Using OASIS DSS in Central Signing Services.

+
+

+[Sign.DSS.Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[Sign.Cert.Profile]

+
+

Certificate profile for certificates issued by Central Signing +services.

+
+

+[Sign.Activation]

+
+

Signature Activation Protocol for Federated Signing.

+
+

+

3.2. Övriga referenser

+

+[SAML2Int]

+
+

SAML V2.0 Deployment Profile for Federation Interoperability.

+
+

+[DSS]

+
+

OASIS Standard – Digital Signature Service Core Protocols, Elements, +and Bindings Version 1.0, April 11, +2007.

+
+

+[AuthContext]

+
+

RFC-7773: Authentication Context Certificate Extension.

+
+
+ + diff --git a/docs/december-2024/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html b/docs/december-2024/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html new file mode 100644 index 0000000..7252968 --- /dev/null +++ b/docs/december-2024/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html @@ -0,0 +1,1594 @@ + + + + + + Deployment Profile for the Swedish eID Framework + + + + + + +

+ + +

+

+ +

+ +

Deployment Profile for the Swedish eID Framework

+

Version 1.8 - 2024-12-04

+

Registration number: 2019-308

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation

    +

    1.2. References to SAML 2.0 Standards and Profiles

    +
    2. +

  2. Metadata and Trust Management

    +

    2.1. Requirements for Metadata Content

    +

    2.1.1. Generic

    +

    2.1.2. Service Providers

    +

    2.1.3. Identity Providers

    +

    2.1.4. Signature Service

    +
    3. +

  3. Name Identifiers

    +
    4. +

  4. Attributes

    +
    5. +

  5. Authentication Requests

    +

    5.1. Discovery

    +

    5.2. Binding and Security Requirements

    +

    5.3. Message Content

    +

    5.3.1. Requested Authentication Context

    +

    5.3.2. Scoping

    +

    5.3.3. Principal Selection

    +

    5.4. Processing Requirements

    +

    5.4.1. Validation of Destination

    +

    5.4.2. Validation of Assertion Consumer Addresses

    +

    5.4.3. Identity Provider User Interface

    +

    5.4.4. Authentication Context and Level of Assurance Handling

    +

    5.4.5. Single Sign On Processing

    +
    6. +

  6. Authentication Responses

    +

    6.1. Security Requirements

    +

    6.2. Message Content

    +

    6.2.1. Attribute Release and Consuming Rules

    +

    6.2.2. Message Content Requirements for Holder-of-key

    +

    6.3. Processing Requirements

    +

    6.3.1. Signature Validation

    +

    6.3.2. Subject Confirmation

    +

    6.3.3. Conditions

    +

    6.3.4. The Authentication Statement

    +

    6.3.5. General Security Validation

    +

    6.4. Error Responses

    +
    7. +

  7. Authentication for Signature

    +

    7.1. Authentication Requests

    +

    7.1.1. Requesting Display of Signature Message

    +

    7.1.2. Requesting SCAL2 Signature Activation Data

    +

    7.2. Authentication Responses

    +
    8. +

  8. Cryptographic Algorithms

    +

    8.1. Digest Algorithms

    +

    8.2. Signature Algorithms

    +

    8.3. Block Encryption Algorithms

    +

    8.4. Key Transport Algorithms

    +
    9. +

  9. Normative References

    +
    10. +

  10. Changes between versions

    +
    11. +
+
+

+

1. Introduction

+

This profile specifies behaviour and options that deployments of the SAML +V2.0 Web Browser SSO Profile, [SAML2Prof], and the SAML V2.0 Holder-of-key +Web Browser SSO Profile, [SAML2HokProf], +are required or permitted to rely on. The requirements specified in this profile +are in addition to the underlying normative requirements of [SAML2Prof] +and [SAML2HokProf] (including updates to these specifications provided by [SAML v2.0 Errata 05]).

+
+

Note: The profile is influenced by, but not normatively dependent on, SAML2Int.

+
+

Readers should be familiar with all relevant reference documents, and +any requirements stated are not repeated unless where deemed necessary +to clarify or highlight a certain issue.

+

Any SAML features specified in referenced SAML documents that are +optional are out of scope of this profile, unless explicitly specified +by this profile.

+

+

1.1. Requirements Notation

+

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in +[RFC2119].

+

The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus +on deployment practices intended to foster both interoperability and +guarantees of security and confidentiality needed to satisfy the +requirements of many organizations that engage in the use of federated +identity. Deviating may limit a deployment's ability to technically +interoperate without additional negotiation, and should be undertaken +with caution.

+

+

1.2. References to SAML 2.0 Standards and Profiles

+

When referring to elements from the SAML 2.0 core specification +[SAML2Core], the following syntax is used:

+
    +

  • <saml2p:Protocolelement> – for elements from the SAML 2.0 + Protocol namespace.

    +
    • +

  • <saml2:Assertionelement> – for elements from the SAML 2.0 + Assertion namespace.

    +
    • +
+

When referring to elements from the SAML 2.0 metadata specifications, +the following syntax is used:

+
    +

  • <md:Metadataelement> – for elements defined in [SAML2Meta].

    +
    • +

  • <mdui:Element> – for elements defined in [SAML2MetaUI].

    +
    • +

  • <mdattr:Element> – for elements defined in [SAML2MetaAttr].

    +
    • +

  • <alg:Element> – for elements defined in [SAML2MetaAlgSupport].

    +
    • +
+

When referring to elements from the SAML V2.0 Holder-of-key Web Browser SSO Profile, [SAML2HokProf], the following syntax is used:

+
    +
  • <hoksso:ProtocolBinding> - for elements from the SAML V2.0 Web Browser Holder-of-key namespace.
    • +
+

When referring to elements from the "Identity Provider Discovery Service Protocol and Profile" specification [IdpDisco], the following syntax is used:

+
    +
  • <idpdisc:DiscoveryResponse>
    • +
+

When referring to the Scope element defined in the "Subject Identifier Attributes Profile" specification, [SAML2SubjIdAttr], the following syntax is used:

+
    +
  • <shibmd:Scope>
    • +
+

When referring to elements from the W3C XML Signature namespace +(http://www.w3.org/2000/09/xmldsig\#) the following syntax is used:

+
    +
  • <ds:Signature>
    • +
+

Note: For all references to core SAML specifications, direct or indirect, the [SAML v2.0 Errata 05] MUST always be considered.

+

+

2. Metadata and Trust Management

+

Identity Providers and Service Providers conformant with this profile MUST provide a SAML 2.0 Metadata document representing its entity. The provided metadata MUST conform to "Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0", [SAML2Meta], and SHOULD follow "SAML v2.0 Metadata Profile for Algorithm Support Version 1.0", [SAML2MetaAlgSupport].

+

Services conforming to this profile MUST be able to consume SAML metadata on an automated and periodic basis using the processing rules defined by "SAML V2.0 Metadata Interoperability Profile Version 1.0" [SAML2MetaIOP]. Automatic consumption of metadata MUST be followed by a successful signature verification of the downloaded metadata before it is trusted and used.

+

+

2.1. Requirements for Metadata Content

+

+

2.1.1. Generic

+

+
2.1.1.1. Display Information
+

All services that are represented in the Metadata SHALL include a +<md:Organization> element with mandatory child elements, which +includes at least one of each of the elements +<md:OrganizationName>, <md:OrganizationDisplayName> and +<md:OrganizationURL>.

+

The <md:OrganizationName> element SHALL hold a registered name of +the organization, which matches the agreement with the federation +operator.

+

The <md:OrganizationDisplayName> element SHALL contain a display +name of the organization and SHALL NOT contain a service name that is +unrelated to the name of the organization.

+

Metadata for an entity SHALL contain an <mdui:UIInfo> +extension, extending the <md:SPSSODescriptor> or <md:IDPSSODescriptor> element +(depending on the type of the entity). This <mdui:UIInfo> element SHALL at least contain a +<mdui:DisplayName> element with the language attribute sv +(Swedish), representing the entity name that has been approved +by the federation operator. The <mdui:UIInfo> element SHALL also +contain a reference to one, or more, logotype images (<mdui:Logo>) as described in section 2.1.5 +of [SAML2MetaUI] and SHOULD +contain a <mdui:Description> element with the language attribute +sv (Swedish).

+

It is RECOMMENDED that the above elements represented in Swedish also be +represented with the language attribute en (English).

+

A federation operator may impose further requirements regarding the <mdui:UIInfo> extension.

+

+
2.1.1.2. Certificates in Metadata
+

Public keys used for signature validation and encryption MUST be expressed via X.509 +certificates included in metadata as <ds:X509Certificate> child elements to +<md:KeyDescriptor> elements. These certificates merely acts as containers for the public keys +needed for signature validation and encryption and the consumer of a metadata entry cannot +expect to be able to execute a successful certificate path validation of such certificates. +A metadata consumer MUST NOT reject a metadata entry due to that certificate trust is missing, +the certificate is expired, or certificate revocation information is missing.

+

However, for interoperability reasons it is RECOMMENDED that:

+
    +
  • self-signed certificates are used,
    • +
  • non-expired certificates (with a long validity time) are used,
    • +
  • certificates are not signed with MD5- och SHA1-based signature algorithms.
    • +
+

All services represented in metadata SHOULD include at least one <md:KeyDescriptor> +element holding a certificate to be used for signature validation (with the use-attribute +set to signing), and one <md:KeyDescriptor> element containing a certificate +to be used for message encryption (with the use-attribute set to encryption). +It is allowed to use the same key and certificate for both usages, but in order to enable +a future key rollover it is RECOMMENDED to avoid using only one <md:KeyDescriptor> element +for both usages (i.e., with an absent use-attribute).

+

In order to facilitate key rollover of a signing key, a service MUST support multiple signing +certificates found in peer metadata and MUST support signature validation using a key from +any of the available peer signature certificates.

+

For key rollover of encryption keys, the service that is performing the key rollover MUST only +publish the latest key (in a certificate) to its metadata entry. Until all peers have consumed +the service's metadata entry containing the new certificate, the service MUST support decrypting +messages using both the old and new key.

+

+
2.1.1.3. Declaring Algorithm Support
+

Services MAY declare encryption and signature capabilities as defined in [SAML2MetaAlgSupport]. The declared algorithms MUST meet the algorithm requirements defined by the Sweden Connect Framework or by the federation operator . Thus, it is not allowed to declare an algorithm, or key size, that is prohibited from use.

+

All services conformant with this specification MUST support the mandatory algorithms defined by the Sweden Connect Framework, meaning that a service has no possibility to opt-out from a certain mandatory algorithm by excluding it from the declared capabilities. The main purpose of declaring an algorithm using any of the elements <md:EncryptionMethod>, <alg:SigningMethod> or <alg:DigestMethod> is to declare which algorithm the service prefers.

+

+

2.1.2. Service Providers

+

The <mdattr:EntityAttributes> element of a Service Provider’s +entity descriptor SHOULD contain one entity category attribute +[EntCat] that holds at least +one attribute value representing a service entity category as defined in +[SC.EntCat], identifying the Service Provider requirements in relation to +identity services concerning attribute release and level of assurance.

+

The example below illustrates how an entity declares the service entity +category identifier http://id.elegnamnden.se/ec/1.0/loa3-pnr in its +metadata.

+
<md:Extensions>
+  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
+    <saml2:Attribute Name="http://macedir.org/entity-category"
+                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
+      <saml2:AttributeValue xsi:type="xs:string">
+        http://id.elegnamnden.se/ec/1.0/loa3-pnr
+      </saml2:AttributeValue>
+    </saml2:Attribute>
+  </mdattr:EntityAttributes>
+</md:Extensions>

If a Service Provider does not have any attribute requirements other than those +implicitly requested by inclusion of one or more service entity categories, the +metadata entry of the Service Provider SHOULD NOT include a +<md:AttributeConsumingService> element (with <md:RequestedAttribute> +elements).

+

Any needs for particular attributes from Identify Providers, when +present, MUST be expressed through present service entity categories in +combination with <md:RequestedAttribute> elements under the +<md:AttributeConsumingService> element in the Service +Provider metadata. The <md:RequestedAttribute> elements in the +Service Provider metadata, when present, hold a list of requested and/or +required attributes. This list of attributes MUST be interpreted in the +context of present service entity categories defined in [SC.EntCat].

+
+

Note: Only the requirements for attributes that are not implicitly requested through a declared +service entity category need to be expressed as <md:RequestedAttribute> elements.

+
+

A Service Provider MAY sign authentication request messages sent to +Identity Providers. A Service Provider that signs authentication +requests messages MAY also ensure that a receiving Identity Provider +will only accept valid signed requests from this Service Provider by +assigning the AuthnRequestsSigned attribute of the +<md:SPSSODescriptor> to a value of true.

+

Section E7, “Metadata for Agreeing to Sign Authentication Requests”, of +[SAML v2.0 Errata 05] +specifies the following concerning the AuthnRequestsSigned attribute:

+
+

Optional attribute that indicates whether the +<saml2p:AuthnRequest> messages sent by this Service Provider +will be signed. If omitted, the value is assumed to be false. A value +of false (or omission of this attribute) does not imply that the +Service Provider will never sign its requests or that a signed request +should be considered an error. However, an Identity Provider that +receives an unsigned <saml2p:AuthnRequest> message from a +Service Provider whose metadata contains this attribute with a value +of true MUST return a SAML error response and MUST NOT fulfill the +request.

+
+

Furthermore, a Service Provider MAY require assertions that are issued +to it, to be signed. This is done by assigning the WantAssertionsSigned +attribute of the <md:SPSSODescriptor> to a value of true.

+

Note that the response message that carries the assertion will always be +signed, so the Service Provider should only require signed assertions in +case that it wants to preserve the proof of authenticity of an assertion +separate from the response.

+

A Service Provider wishing to make use of a central discovery service as specified in the "Identity Provider Discovery Service Protocol Profile" [IdPDisco] MUST include at least one <idpdisc:DiscoveryResponse> element as an extension under the <md:SPSSODescriptor> element.

+

+
2.1.2.1. Holder of Key Support
+

A Service Provider that sends authentication requests using the Holder-of-key Web Browser SSO Profile MUST include a <md:AssertionConsumerService> element in its metadata according to section 2.8 of [SAML2HokProf].

+

If the Service Provider also makes use of the ordinary Web Browser SSO Profile at least one <md:AssertionConsumerService> element according to section 2.4.4 of [SAML2Meta] MUST also be included in the Service Provider metadata.

+

In those cases, where a Service Provider supports both profiles, it is RECOMMENDED that the a <md:AssertionConsumerService> element for ordinary Web Browser SSO Profile is marked as default.

+
<md:AssertionConsumerService index="0" isDefault="true"
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+  Location="https://sp.example.org/path1" />
+
+<md:AssertionConsumerService index="1" isDefault="false"   
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"   
+  xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" 
+  hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
+  Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" 
+  Location="https://sp.example.org/path2" />

Example of a Service Provider's declared AssertionConsumerService elements; one for receiving assertions according the Web Browser SSO Profile and one for receiving assertions according to the Holder-of-key Web Browser SSO Profile.

+

+

2.1.3. Identity Providers

+

The <mdattr:EntityAttributes> element of an Identity Provider’s +entity descriptor SHOULD contain one entity category attribute +[EntCat] that holds at least +one attribute value representing a service entity category as defined in +[SC.EntCat], defining the Identity Provider ability to deliver +assertions (defining the level of assurance and attribute release).

+

If an Identity Provider has the ability to release attributes, other than those +implicitly given by the declared service entity categories, it is RECOMMENDED that +those attributes are declared as <saml:Attribute> elements under the +<md:IDPSSODescriptor> element.

+

The <mdattr:EntityAttributes> element of an Identity Provider’s +metadata SHALL contain an attribute according to +[SAML2IAP] with its Name attribute set to +urn:oasis:names:tc:SAML:attribute:assurance-certification +and holding at least one attribute value identifying a Level of Assurance +(LoA) for which the Identity Provider has been approved. +The Sweden Connect Framework defines such identifier values in section 3.1.1 of +[SC.Registry] and their meanings are defined in [SE.Trust].

+
<md:Extensions>
+  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
+    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
+                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+      <saml:AttributeValue xsi:type="xsd:string">http://id.elegnamnden.se/loa/1.0/loa3</saml:AttributeValue>
+    </saml:Attribute>
+    ...
+  </mdattr:EntityAttributes>
+</md:Extensions>

Example of how an Identity Provider advertises that the service delivers authentication according to +the http://id.elegnamnden.se/loa/1.0/loa3 level of assurance.

+

An Identity Provider MAY require authentication request messages to be +signed. This is indicated by assigning the +WantAuthnRequestsSigned attribute of the <md:IDPSSPDescriptor> +element to a value of true. See further section E7, “Metadata for +Agreeing to Sign Authentication Requests”, of [SAML v2.0 Errata +05].

+

Identity Providers SHALL advertise support for the SAP protocol according to [SC.SAP], by including the service property entity category URI +http://id.elegnamnden.se/sprop/1.0/scal2 in its metadata. An Identity Provider that does not advertise support for SAP MAY ignore requests for SAD.

+
<md:Extensions>
+  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
+    <saml:Attribute Name="http://macedir.org/entity-category" 
+                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+      <saml:AttributeValue xsi:type="xs:string">http://id.elegnamnden.se/sprop/1.0/scal2</saml:AttributeValue>
+    </saml:Attribute>
+    ...
+  </mdattr:EntityAttributes>
+</md:Extensions>

Example of how an Identity Provider advertises its support for SCAL2 authentication.

+

An Identity Provider that wishes to receive the <psc:PrincipalSelection> extension in authentication requests SHOULD include the <psc:RequestedPrincipalSelection> extension extending the <md:IDPSSODescriptor> element. In this extension the Identity Provider declares which attribute value(s) it wants to receive in authentication requests from requestors using the <psc:PrincipalSelection> authentication request extension. See section 5.3.3 and [SC.Principal].

+

+
2.1.3.1. Declaring Authorized Scopes
+

An Identity Provider that releases "scoped attributes", see section 3.1.3 of [SC.Attributes], +MUST be authorized to do so by the federation operator. Each authorized scope MUST be declared in the Identity Provider metadata entry using a <shibmd:Scope> element, see section 3.5.2, "Scope Filtering", in [SAML2SubjIdAttr]. The <shibmd:Scope> elements MUST appear within the <md:Extensions> element of the <md:IDPSSODescriptor>.

+
<md:IDPSSODescriptor ...>
+  <md:Extensions>
+    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0>2021006883</shibmd:Scope>
+    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0>2021006255</shibmd:Scope>
+    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0>example.com</shibmd:Scope>
+    ...

Example of how an Identity Provider declares that it is authorized to deliver scoped attributes for three different scopes; two organizational numbers and one domain.

+

+
2.1.3.2. Holder of Key Support
+

An Identity Provider that supports the Holder-of-key Web Browser SSO Profile MUST declare <md:SingleSignOnService> elements* in its metadata according to section 2.8 of [SAML2HokProf].

+

If the Identity Provider also supports authentication according the ordinary Web Browser SSO Profile <md:SingleSignOnService> elements* according to section 2.4.3 of [SAML2Meta] MUST also be included in the Identity Provider metadata.

+
<md:SingleSignOnService
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+  Location="https://idp.example.org/path1" />
+  
+<md:SingleSignOnService
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+  Location="https://idp.example.org/path2" />
+  
+<md:SingleSignOnService
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+  hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
+  Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+  Location="https://idp.example.org/path2" />
+  
+<md:SingleSignOnService
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+  hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
+  Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+  Location="https://idp.example.org/path2" />

Example of an Identity Provider's declared SingleSignOnService elements; two for receiving requests according to the Web Browser SSO Profile and two for receiving requests according to the Holder-of-key Web Browser SSO Profile.

+
+

[*]: This profile requires an Identity Provider to support both the POST and Redirect bindings, see section 5.2 below.

+
+

+

2.1.4. Signature Service

+

A Signature Service within the Sweden Connect Framework is a Service +Provider with specific requirements concerning its representation in +metadata.

+

The <mdattr:EntityAttributes> element of a Signature Service SP +entity descriptor SHALL include the service type entity category +identifier http://id.elegnamnden.se/st/1.0/sigservice ([SC.EntCat]) +as a value to the entity category attribute [EntCat].

+
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">`
+  <saml2:Attribute Name="http://macedir.org/entity-category"
+                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
+    <saml2:AttributeValue xsi:type="xs:string">http://id.elegnamnden.se/ec/1.0/loa3-pnr</saml2:AttributeValue>
+    <saml2:AttributeValue xsi:type="xs:string">http://id.elegnamnden.se/st/1.0/sigservice</saml2:AttributeValue>
+  </saml2:Attribute>
+</mdattr:EntityAttributes>

Entity attributes for a Signature Service SP.

+

A Signature Service MUST assign the AuthnRequestsSigned attribute of the +<md:SPSSODescriptor> element to true. This requirement ensures +that the Signature Service always signs its authentication requests in +order for the request to be accepted by the Identity Provider. The +federation operator will enforce that all Service Providers that operate +as Signature Services have this attribute set.

+

+

3. Name Identifiers

+

Identity Providers and Service Providers MUST support both the +urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and the +urn:oasis:names:tc:SAML:2.0:nameid-format:transient name identifier +formats as specified in [SAML2Core].

+

Identity Providers SHALL default to use the +urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier +format in cases where a Service Provider has not specified the name +identifier to use (via the <md:NameIDFormat> element of the +Service Provider metadata entry, or via the Format attribute of the +<saml2p:NameIDPolicy> element of the authentication request +message).

+

+

4. Attributes

+

Attribute specifications for the Sweden Connect Framework are defined in +[SC.Attributes].

+

The content of <saml2:AttributeValue> elements exchanged via any +SAML 2.0 messages or assertions SHOULD be limited to a single child text +node.

+

For requirements regarding attribute inclusion in SAML assertions, see +section 6.2.1, “Attribute Release and Consuming Rules”, below.

+

+

5. Authentication Requests

+

This profile supports two different SSO profiles; the Web Browser SSO Profile, [SAML2Prof], and the Holder-of-key Web Browser Profile, [SAML2HokProf].

+

The profile in use is determined by how an authentication process is initiated, meaning to which Identity Provider endpoint an <saml2p:AuthnRequest> message is sent, see 2.1.3.2.

+

+

5.1. Discovery

+

This profile does not impose any requirements of +how the process of discovery is implemented by Service Providers wishing +to display user interfaces for selection of Identity Providers for end +users. However, Service Providers making use of a centralized +discovery service as defined in [IdpDisco] MUST follow the requirements +stated for discovery responses in +section 2.1.2, "Service Providers".

+

+

5.2. Binding and Security Requirements

+

The endpoints, at which an Identity Provider receives a +<saml2p:AuthnRequest> message, and all subsequent exchanges with +the user agent, MUST be protected by TLS.

+

If the Identity Provider supports the Holder-of-key Web Browser SSO Profile, the +dedicated endpoints for this profile (see section 2.1.3.2) +MUST be configured to require a +client X.509 certificate being presented as part of the TLS handshake (mTLS, mutual TLS), +see section 2.4 of [SAML2HokProf]. If the Identity Provider receives +a request on a Holder-of-key endpoint and is unable to retrieve the client X.509 +certificate it MUST respond with an error, see section 2.6.4 of [SAML2HokProf].

+

A Service Provider sending an <saml2p:AuthnRequest> message to an Identity Provider +may do so using either the HTTP-Redirect or HTTP-POST binding [SAML2Bind]*, +meaning that Identity Providers conformant with this profile MUST support the +HTTP-Redirect and the HTTP-POST binding.

+

An Identity Provider that requires <saml2p:AuthnRequest> messages +to be signed MUST not accept messages that are not signed, or where the +verification of the signature fails. In these cases the Identity +Provider MUST respond with an error.

+

An Identity Provider that itself does not require authentication +messages to be signed MUST still accept and verify signed request +messages from Service Providers that indicate, in their metadata, that +they sign request messages (see 2.1.2 above). If this signature +verification fails, the Identity Provider MUST return a SAML error +response and MUST NOT fulfil the request.

+

An Identity Provider that receives a request message that is not signed +from a Service Provider that has indicated, in its metadata, that it +will only send signed request messages (see 2.1.2 above) MUST respond +with an error.

+

The signature for authentication request messages is applied differently +depending on the binding. The HTTP-Redirect binding requires the +signature to be applied to the URL-encoded value rather than being +placed within the XML-message (see section 3.4.4.1 of +[SAML2Bind]). +For the HTTP-POST binding the <saml2p:AuthnRequest> element MUST +be signed using a <ds:Signature> element within the +<saml2:AuthnRequest>.

+

Before signing the authentication request, the Service Provider SHOULD consult the Identity Provider's metadata (<alg:SigningMethod> and <alg:DigestMethod> elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory signing and digest algorithms defined in the Sweden Connect Framework during the signature operation.

+
+

[*]: A Service Provider should be aware of web browser, or web server, size limitations +of URL:s, and it is RECOMMENDED that a Service Provider use the HTTP-POST binding in cases where +the <saml2p:AuthnRequest> message becomes very large. This may be the case when a SignMessage +extension containing much data is used, or when a complete certificate chain is attached to the signature +of the message.

+
+

+

5.3. Message Content

+

An <saml2p:AuthnRequest> message MUST NOT contain a Document Type Definition (DTD).

+

The <saml2p:AuthnRequest> message SHOULD contain an +AssertionConsumerServiceURL* attribute identifying the desired response +location. The Service Provider MUST NOT use any other values for this +attribute than those listed in its metadata record as +<md:AssertionConsumerService> elements for the HTTP-POST binding +(see section 4.1.6 of [SAML2Prof]), and URL +canonicalization or normalization MUST NOT be required.

+

The Destination attribute of the <saml2p:AuthnRequest> message +MUST contain the URL to which the Service Provider has instructed the +user agent to deliver the request. This is useful to prevent malicious +forwarding of signed requests from being accepted by unintended Identity +Providers.

+

Identity Providers conformant with this profile MUST support the +ForceAuthn and IsPassive attributes received in +<saml2p:AuthnRequest> messages.

+

Service Providers SHOULD include the ForceAuthn attribute in all +<saml2p:AuthnRequest> messages and explicitly set its value to +true or false, and not rely on its default value. The reason for this is +to avoid accidental SSO.

+

If the Service Provider has included more than one <md:AttributeConsumingService> element in its metadata it is RECOMMENDED that the <saml2p:AuthnRequest> message contains the AttributeConsumingServiceIndex attribute holding the index of the <md:AttributeConsumingService> element that the Identity Provider should consider during attribute release.

+
+

[*]: The AssertionConsumerServiceURL attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute, meaning that a <saml2p:AuthnRequest> message MUST NOT contain both attributes.

+
+

+

5.3.1. Requested Authentication Context

+

A Service Provider SHOULD explicitly specify a requested +authentication context element (<saml2p:RequestedAuthnContext>), +containing <saml2:AuthnContextClassRef> elements each holding +a Level of Assurance authentication context URI (see section 3.1.1 of [SC.Registry]) +that the Service Provider considers acceptable for the authentication process.

+

A present <saml2p:RequestedAuthnContext> element MUST specify +exact matching by means of either an absent Comparison attribute or a +Comparison attribute with the value set to exact. This means that the +Identity Provider is forced to return an assertion with exactly one of +the requested <saml2:AuthnContextClassRef> in the request as the +declared <saml2:AuthnContext>, or return an error response. If the +Service Provider requires the Identity Provider to return specifically +one out of a selection of acceptable authentication context URIs, then +all of these URIs MUST be included in the request.

+

The requested authentication context SHOULD be consistent with at least +one of the service entity categories [SC.EntCat] declared in the +Service Provider’s metadata entry. See further section 5.4.4 below.

+
<saml2p:RequestedAuthnContext Comparison="exact">
+  <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
+</saml2p:RequestedAuthnContext>

Example of how an Authentication Context URI identifier representing a +requested Level of Assurance is included in an authentication request +message.

+
<saml2p:RequestedAuthnContext Comparison="exact">
+  <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
+  <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/eidas-nf-sub</saml2:AuthnContextClassRef>
+</saml2p:RequestedAuthnContext>

Example of how several Authentication Context URIs are included in an +authentication request message. In this case, the Service Provider +states that it requests the authentication to be performed according to +either the LoA3 URI defined within the Sweden Connect Framework or the +substantial level for notified eIDs defined within the eIDAS Framework.

+

+

5.3.2. Scoping

+

An Identity Provider that acts as a proxy for other Identity Providers SHOULD support the <saml2p:Scoping> element holding one, or more, entries signalling to the Proxy Identity Provider which Identity Provider(s) that may be used to authenticate the user. A Service Provider that sends authentication requests to a Proxy +IdP MAY include the <saml2p:Scoping> element. See section 3.4.1.5 of [SAML2Core].

+
<saml2p:Scoping>
+  <saml2p:IDPList>
+    <saml2p:IDPEntry ProviderID="http://idp.example.com" />
+  </saml2p:IDPList>
+</saml2p:Scoping>

Example of how an AuthnRequest contains a Scoping-element where the requester (Service Provider) signals to the Proxy IdP which Identity Provider that should perform the authentication of the user.

+

The Swedish eIDAS Connector is a Proxy IdP that proxies requests to foreign eIDAS Proxy Services. Normally, the eIDAS connector presents a country selection dialogue to the user, prompting for the country where the user should be directed to for authentication. However, a Service Provider MAY include an eIDAS Proxy Service alias URI for a specific country's Proxy Service under the <saml2p:Scoping> element of the <saml2p:AuthnRequest> in order to bypass the country selection dialogue. See section 3.1.9.1 of [SC.Registry].

+
<saml2p:Scoping>
+  <saml2p:IDPList>
+    <saml2p:IDPEntry ProviderID="http://id.swedenconnect.se/eidas/1.0/proxy-service/no" />
+  </saml2p:IDPList>
+</saml2p:Scoping>

Example of how an AuthnRequest sent to the eIDAS Connector requests that the eIDAS Connector should +proxy the request to the Norwegian eIDAS Proxy Service for authentication.

+
+

Note: A Service Provider may list more than one country in the <saml2p:IDPList> of a <saml2p:Scoping> element. The eIDAS Connector will then present a country selection dialogue containing only the listed countries.

+
+

Note: Another method of bypassing the country selection dialogue is to include the c (urn:oid:2.5.4.6) +attribute with the country code for the requested country as its value in a <psc:PrincipalSelection> +extension of the AuthnRequest message, see section 5.3.3 below.

+

+

5.3.3. Principal Selection

+

The specification "Principal Selection in SAML Authentication Requests", [SC.Principal], defines the <psc:PrincipalSelection> extension that enables a requestor to inform the Identity Provider about known attributes for the principal that is about to be authenticated.

+

This may be relevant for Identity Provider services who prompt users for an identifier in order initiate an authentication process with the user's eID. In such cases, this extension can be used to avoid unnecessary prompting when the user's identity is known in advance to the service requesting authentication, such as when a previously authenticated user is requested to sign a document.

+

An Identity Provider that wishes to receive the <psc:PrincipalSelection> extension SHOULD advertise this in its metadata according to section 2.1.3.

+

A Service Provider that sends an authentication request to an Identity Provider that has declared that it wishes to receive certain attribute values MAY include the <psc:PrincipalSelection> extension in the <saml2p:AuthnRequest> message, provided that the Service Provider has knowledge about this information.

+

A Service Provider that is a Signature Service SHOULD include the extension for the case described above.

+

+

5.4. Processing Requirements

+

+

5.4.1. Validation of Destination

+

An Identity Provider receiving a <saml2p:AuthnRequest> message +MUST verify that the Destination attribute is present, and that it is +consistent with URLs configured in the Identity Provider’s metadata.

+

+

5.4.2. Validation of Assertion Consumer Addresses

+

If the AssertionConsumerServiceURL attribute is present in the +<saml2p:AuthnRequest> message, its value MUST be verified to be +consistent with one of the <md:AssertionConsumerService> elements +having the HTTP-POST binding* found in the Service Provider’s metadata +entry and matching the SSO profile** in use +(see section 2.1.2.1). If this is not the case, +the request must be rejected.

+

If the AssertionConsumerServiceIndex attribute is present in the +<saml2p:AuthnRequest> message, a <md:AssertionConsumerService> matching this +index MUST be present in the Service Provider’s metadata. This +<md:AssertionConsumerService> element MUST also match the binding and SSO +profile in use as defined above. If this is not the case, +the request must be rejected.

+
+

This means that an Identity Provider that services an authentication request +received on an SingleSignOnService endpoint dedicated for the Holder-of-key +Web Browser Profile MUST NOT allow an <md:AssertionConsumerService> element +that is not intended for the Holder-of-key profile, see section 2.8 of +[SAML2HokProf].

+
+

If the attribute is not present in the <saml2p:AuthnRequest> +message, the Identity Provider MUST obtain the desired response location +from the Service Provider’s metadata entry. This location is determined by first +finding all the <md:AssertionConsumerService> +elements that matches the SSO profile** in use (see +section 2.1.2.1) and the binding* (HTTP-POST), +and then selecting the element that is marked as default (has the isDefault attribute set), +or if no matching element is marked as default, the one with the lowest index value (see +section 2.4.4.1 of [SAML2Meta] and section 2.8 of +[SAML2HokProf]). If no matching <md:AssertionConsumerService> +element is found the request must be rejected.

+
+

[*]: For Holder-of-key <md:AssertionConsumerService> elements the actual binding +is given by the hoksso:ProtocolBinding attribute, see section 2.8 of [SAML2HokProf].

+
+
+

[**]: The Web Browser SSO Profile or the Holder-of-key Web Browser SSO Profile are possible profiles.

+
+

+

5.4.3. Identity Provider User Interface

+

An Identity Provider presenting information related to a Service Provider +in its user interface during processing of an <saml2p:AuthnRequest> message +MUST obtain this information from the +<mdui:UIInfo> element of the Service Provider’s metadata entry. +Implementers of this profile MUST be capable of handling display +information stored in the <mdui:DisplayName>, <mdui:Logo> +and the <mdui:Description> elements.

+

An Identity Provider displaying logotypes found in a Service Provider's +metadata MUST be able to handle embedded in-line images, as well as +vector-based images where the height and width given in metadata should +be interpreted as image dimensions and not the actual size.

+

+

5.4.4. Authentication Context and Level of Assurance Handling

+

This framework defines a number of authentication context identifiers +(URI), where each such identifier specifies a defined Level of Assertion +and may define specific requirements on the authentication process. +There can be multiple authentication context URIs representing the same +Level of Assertion, but one authentication context URI always identifies +one defined Level of Assurance.

+

Identity Providers SHALL exclusively use one of the requested +authentication contexts in <saml2p:AuthnRequest> in the +<saml2:AuthnContextClassRef> element under the +<saml2p:RequestedAuthnContext> element, when present, to determine +the requested authentication process and Level of Assurance. The +Identity Provider SHALL respond with an error <saml2p:StatusCode> +with the value urn:oasis:names:tc:SAML:2.0:status:Requester +[SAML2Core] +if no requested authentication context is supported. If no requested +authentication context is present in the <saml2p:AuthnRequest>, +the Identity Provider MAY return the result of a default authentication +process that is consistent with the Identity Providers metadata.

+

Note: The Identity Provider does not have to consider the service +entity categories ([SC.EntCat]) declared in the Service Provider’s +metadata entry when determining the requested authentication context +under which the authentication should be performed. The purpose of the +service entity categories is primarily to support service matching in +discovery services and attribute release policies in Identity Providers. +Significant Identity Provider products and software are not equipped to +use service entity category information to determine the requested +authentication context.

+

+

5.4.5. Single Sign On Processing

+

An Identity Provider conformant to this profile MAY issue an assertion +relying on a previously established security context (active session) +instead of authenticating the user. However, the Identity Provider MUST +NOT re-use an already existing security context in the following cases:

+
    +

  • When the security context has expired, i.e., the time elapsed since + the security context was established is too long given the + SSO-policy stipulated by the federation or Identity Provider itself.

    +
    • +

  • When the <saml2p:AuthnRequest> contains a ForceAuthn attribute + with the value of true.

    +
    • +

  • If the original authentication process, which led to the + establishment of the security context, was performed using another + Level of Assurance that what is requested in the current + <saml2p:AuthnRequest> message.

    +
    • +

  • If the original authentication was performed according to the Holder-of-key + Web Browser SSO Profile, [SAML2HokProf], and + no certificate, or a certificate not matching the certificate included + in the <saml2:SubjectConfirmation> element of the original assertion, + is presented in along with the current <saml2p:AuthnRequest> message.

    +
    • +

  • If the original authentication was performed according to the Web Browser SSO + Profile, [SAML2Prof] and the current request is made + according to the Holder-of-key Web Browser SSO Profile, + [SAML2HokProf].

    +
    • +
+

If the Identity Provider user interface contains some sort of user +consent, or information, concerning which attributes, or any other +information, that is included in an assertion being issued, the Identity +Provider SHOULD preserve this functionality if a +<saml2p:AuthnRequest> message requesting a different set of +attributes (or any other information) compared to what was delivered in +the assertion at the time of establishing the security context. The +Identity Provider may require re-authentication or display a user +interface for consent/information in these cases.

+

+

6. Authentication Responses

+

+

6.1. Security Requirements

+

The endpoint(s) at which a Service Provider receives a +<saml2p:Response> message MUST be protected by TLS.

+

If a Service Provider wants to make use of the Holder-of-key Web Browser SSO Profile +it needs to provide a dedicated endpoint for this purpose, see section 2.1.2.1. This endpoint MUST be configured to require a client X.509 certificate +being presented as part of the TLS handshake (mTLS, mutual TLS), see section 2.4 of +[SAML2HokProf]. If the Service Provider receives a <saml2p:Response> +on a Holder-of-key endpoint and is unable to retrieve the client X.509 certificate it MUST +reject the message and not create a security context for the principal, see section 2.6.6 of [SAML2HokProf].

+

The <saml2p:Response> message issued by the Identity Provider MUST +be signed using a <ds:Signature> element within the +<saml2p:Response> element.

+

The <saml2:Assertion> element issued by the Identity Provider MAY +be signed using a <ds:Signature> element within the +<saml2:Assertion>. If a Service Provider requires signed +assertions, by assigning the WantAssertionsSigned attribute of its +metadata record (see chapter 2.1.2), the Identity Provider MUST sign +assertions issued to this Service Provider (as well as the response +message as stated above).

+

Identity Providers SHALL utilize XML Encryption and return a +<saml2:EncryptedAssertion> element in the <saml2p:Response> +message. The elements <saml2:EncryptedID> and +<saml2:EncryptedAttribute> MUST NOT be used; instead the entire +assertion MUST be encrypted.

+

Before performing encryption and signing, the Identity Provider SHOULD consult the Service Provider's metadata (<md:EncryptionMethod>, <alg:SigningMethod> and <alg:DigestMethod> elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Service Provider prefers. If the intersection is empty, or if the Service Provider has not declared any algorithms, the Identity Provider MUST use algorithms listed as mandatory by the Sweden Connect Framework. For encryption, the chosen algorithm MUST also be compatible with the Service Provider's encryption key +declared in metadata.

+

Service Providers SHOULD NOT accept unsolicited <saml2p:Response> +messages (i.e., responses that are not the result of an earlier +<saml2p:AuthnRequest> message). Service Providers that do accept +unsolicited response messages MUST ensure, by other means, that the +security and processing requirements of this profile (section 6.3) can be fully satisfied.

+

+

6.2. Message Content

+

The <saml2:Response> message MUST NOT contain a Document Type Definition (DTD).

+

Successful response messages MUST contain exactly one <saml2:AuthnStatement> element +and exactly one <saml2:AttributeStatement> element.

+

The <saml2:Response> message MUST contain an <saml2:Issuer> +element containing the unique identifier (entityID) of the issuing +Identity Provider.

+

The AuthnInstant attribute of the <saml2:AuthnStatement> element +MUST be assigned the time when the actual authentication took place. +This time may differ from the IssueInstant attribute of the assertion +itself, which holds the time when the assertion was issued. This is +especially important in cases of re-use of already established security +contexts at the Identity Provider side (Single Sign On).

+

Each identity assertion MUST have a <saml:Subject> element that +specifies the principal that is the subject of all the statements in +the assertion.

+

The value of the <saml:NameID> element under the +<saml:Subject> element MUST hold a pseudonym identifier of the +subject, which SHALL be:

+
    +

  • Unique for the IdP – SP combination being the issuer and recipient + for the assertion.

    +
    • +

  • Constructed in a manner that does not reveal the registered identity + of the subject.

    +
    • +
+

The <saml2:Subject> element MUST contain one +<saml2:SubjectConfirmation> element containing a Method attribute having the value +of urn:oasis:names:tc:SAML:2.0:cm:bearer if the Web Browser SSO Profile was used, +and urn:oasis:names:tc:SAML:2.0:cm:holder-of-key if the Holder-of-key Web Browser +SSO Profile was used. This element MUST contain a <saml2:SubjectConfirmationData> +element that contains at least the following:

+
    +

  • An InResponseTo attribute matching the request’s ID.

    +
    • +

  • A Recipient attribute containing the Service Provider’s assertion + consumer service URL (see sections 5.3 and + 5.4.1).

    +
    • +

  • A NotOnOrAfter attribute containing a time instant at which the + subject no longer can be confirmed.

    +
    • +

  • An Address attribute containing the network address from which an attesting entity + (user) can present the assertion.

    +
    • +

  • If the Holder-of-key Web Browser SSO Profile was used to authenticate the + principal a <ds:KeyInfo> element identifying the X.509 certificate presented + to the Identity Provider. See section 6.2.2 below.

    +
    • +
+

The assertion MUST contain a <saml2:Conditions> element containing +the following attributes and elements:

+
    +

  • A <saml2:AudienceRestriction> element including the requesting + Service Provider’s unique identifier (entityID) as an + <saml2:Audience> value.

    +
    • +

  • A NotBefore attribute specifying the earliest time instant at which + the assertion is valid.

    +
    • +

  • A NotOnOrAfter attribute specifying the time instant when the + assertion expires.

    +
    • +
+

An Identity Provider conformant to this profile MUST, in its issued +assertions, include an authentication context URI indicating under which +Level of Assurance the assertion was issued. This identifier MUST be +placed under the <saml2:AuthnStatement> element as the value of an +<saml2:AuthnContextClassRef> element that is part of the +<saml2:AuthnContext> element.

+
<saml2:AuthnStatement AuthnInstant="2013-03-15T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
+  <saml2:AuthnContext>
+    <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
+    ...
+  </saml2:AuthnContext>
+</saml2:AuthnStatement>

Example of how an Authentication Context URI identifier representing a +Level of Assurance is included in an authentication statement.

+

An Identity Provider that acts as a proxy for other Identity Providers SHOULD include the <saml2:AuthenticatingAuthority> element under the <saml2:AuthnContext> element. This element will contain the entityID of the Identity Provider that authenticated the principal.

+
<saml2:AuthnStatement AuthnInstant="2013-03-15T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
+  <saml2:AuthnContext>
+    ...
+    <saml2:AuthenticatingAuthority>http://idp.example.com/auth</saml2:AuthenticatingAuthority>
+  </saml2:AuthnContext>
+</saml2:AuthnStatement>

Example of how the entityID of an Identity Provider that provided the authentication for the principal is included in an authentication statement.

+

+

6.2.1. Attribute Release and Consuming Rules

+

An Identity Provider determines which attributes to include in the +<saml2:AttributeStatement> element of an assertion based on the +Service Provider requirements and its agreements with the user being +authenticated. Service Provider attribute preferences and requirements +are specified by the service entity categories [SC.EntCat] and +requested attributes in the <md:AttributeConsumingService> element +declared in the Service Provider metadata. A service entity category +specifies the attribute set (as defined in [SC.Attributes]) that is +requested for the attribute release process.

+

An Identity Provider declares service entity categories in order to +publish its ability to deliver attributes according to certain attribute +sets. For all declared service entity categories, the Identity Provider +MUST possess the ability to deliver the mandatory attributes of the +underlying attribute set. See [SC.EntCat] and [SC.Attributes] for details.

+

An Identity Provider releasing scoped attributes, see section 3.1.3 of [SC.Attributes], MUST be authorized to release attributes with given scopes by the federation operator. An Identity Provider's authorized scopes are published in its metadata according to section 2.1.3.1, "Declaring Authorized Scopes".

+

Consequently, a Service Provider consuming a scoped attribute SHOULD verify that the issuing Identity Provider has been authorized to release attributes for the given scope by asserting its presence in the Identity Provider's metadata, see section 2.1.3.1 and section 3.5.2 of [SAML2SubjIdAttr]. A scoped attribute that fails this check MUST NOT be accepted by the Service Provider.

+

The Service Provider is responsible for checking that an Identity +Provider is capable of providing necessary attributes before sending a +request and to verify that it received all attributes necessary for +providing a requested service. Checks whether an Identity Provider is +capable of fulfilling the needs of a Service Provider can be done either +by relying on a discovery process to filter out non-conformant Identity +Providers, and/or by examining the metadata of Identity providers.

+

An Identity Provider receiving a request for more attributes than it can +provide SHOULD return an assertion with the attributes it can provide +according to its defined attribute release policy if the user has been successfully +authenticated, leaving it up to the Service Provider to decide how to proceed, +e.g., by denying service to the authenticated user, provide limited services or to use other +resources to collect necessary attributes. However, if a Service Provider +has expressed a specific attribute requirement using the <md:RequestedAttribute> +element of a matching <md:AttributeConsumingService> element in its metadata +and assigned the isRequired-attribute to true, and the Identity Provider knows that it will not be able to provide this attribute, then the Identity Provider SHOULD reject any request for authentication from that Service Provider and respond with an error.

+

For privacy reasons, an Identity Provider SHOULD NOT release identity attributes* that are not requested by the Service Provider via its metadata declarations + (service entity categories or <md:RequestedAttribute> elements).

+
+

[*]: This requirement does not apply to attributes that are not "identity" attributes, for example transaction identifiers or any other attribute that does not directly belong to a user's identity.

+
+

+

6.2.2. Message Content Requirements for Holder-of-key

+

When the Holder-of-key Web Browser SSO Profile has been used during the authentication +of the user, information about the X.509 certificate presented by the user MUST be +included in a <ds:KeyInfo> element placed in the <saml2:SubjectConfirmationData> element. Section 2.4 of [SAML2HokAP] defines the requirements for this.

+

This profile adds the following requirements to what is specified in [SAML2HokAP]:

+

The user X.509 certificate SHOULD be represented using a <ds:X509Certificate> element +in all cases, except for the cases when this certificate contains identity information +about the subject that is not represented as SAML attributes in the +<saml2:AttributeStatement> element. +The reason for this is to ensure the privacy of the user and not release identity information that is not requested by the Service Provider (see section 6.2.1 above).

+

In these cases the <ds:X509Certificate> MUST NOT be used, and the Identity Provider +SHOULD include a <ds:KeyValue> representing the public key of the user certificate.

+

+

6.3. Processing Requirements

+

This profile mandates a correct processing of a <saml2p:Response> +message in order to ensure proper protection from the security threats +described in [SAML2Sec]. +Processing requirements are listed in [SAML2Core], +[SAML2Prof] and [SAML2Sec]. +This document will list the necessary requirements that apply to this +profile.

+

After the Service Provider has encrypted the assertion from the received +response message the following requirements apply. Any verification that +fails MUST lead to that the Service Provider rejects the response +message and does not use the assertion.

+

Some of the processing requirements below are defined in order to +protect from MITM- or MITB-attacks* were unsigned authentication +requests may be changed before being sent to the Identity Provider. +However, a Service Provider MUST implement all of the specified +processing requirements even if it sends signed authentication request +messages.

+
+

[*]: MITM stands for ”man in the middle” and MITB stands for ”man in the browser”.

+
+

+

6.3.1. Signature Validation

+

The signature present on the <saml2p:Response> message, and +optionally on the <saml2:Assertion>, MUST be successfully +verified.

+

The public key being used to verify the signature MUST appear in the +issuing Identity Provider’s metadata record (as a +<ds:X509Certificate> under the <ds:KeyInfo> element).

+

+

6.3.2. Subject Confirmation

+

Based on the InResponseTo attribute of the +<saml2:SubjectConfirmationData> the Service Provider MUST be able +to obtain the corresponding <saml2p:AuthnRequest> message, or a +secure context containing corresponding information from the request +(for future processing of the assertion).

+

The Recipient attribute from the <saml2:SubjectConfirmationData> element +MUST match the location to which the <saml2p:Response> message was delivered +and match the value the AssertionConsumerServiceURL attribute included in the +request message, or if this attribute was not provided in the request +message, the default response location specified in the Service +Provider’s metadata entry, as described in section 5.4.2.

+

The time from the NotOnOrAfter attribute from the +<saml2:SubjectConfirmationData> MUST NOT have passed compared with +the time instant at which the subject is confirmed (i.e., when the +assertion is validated). A reasonable allowable clock skew between the +providers should be taken in account.

+

If the Address attribute is assigned to the +<saml2:SubjectConfirmationData> element, the Service Provider MAY +choose to check the user agent’s client address against it. Practical +issues regarding the Service Provider’s network setup and the risk of +introducing false negatives makes this an optional step in the +validation phase.

+

If the <saml2:SubjectConfirmation> element has a Method set to +urn:oasis:names:tc:SAML:2.0:cm:holder-of-key its containing +<saml2:SubjectConfirmationData> element MUST be processed according to +section 2.5 of [SAML2HokAP]. The Service Provider MUST also +be able to verify the holder-of-key assertion if the <saml2:SubjectConfirmationData> +element contains a <ds:KeyValue> element, see 6.2.2.

+

+

6.3.3. Conditions

+

The Service Provider MUST assert that the value of the +<saml2:Audience> element under the +<saml2:AudienceRestriction> element matches the unique entityID of +the Service Provider.

+

The Service Provider MUST verify that the time instant at which the +assertion is validated is within the range given by the NotBefore and +NotOnOrAfter attributes of the <saml2:Conditions> element +(allowing for a reasonable clock skew). See also the processing of the +NotOnOrAfter attribute in section 6.3.2.

+

+

6.3.4. The Authentication Statement

+

The Service Provider MUST assert that the <saml2:AuthnStatement> +contains a <saml2:AuthnContext> element that holds a +<saml2:AuthnContextClassRef> element having as its value the +authentication context URI indicating under which Level of Assurance the +authentication was performed. If the Service Provider declared one, or more, +<saml2:AuthnContextClassRef> elements under the <saml2p:RequestedAuthnContext> +element of the authentication request (see section 5.4), +the received authentication context URI MUST match one of the declared +authentication context URI:s from the request. If not, the Service Provider +MUST reject the assertion*.

+
+

[*]: If the Service Provider does not declare an authentication context URI +in the authentication request it should be prepared to receive any of the +authentication context URI:s declared by the Identity Provider in its metadata +record (see section 2.1.3).

+
+

+

6.3.5. General Security Validation

+

In order to protect itself from replay attacks, the Service Provider +MUST ensure that the same assertion is not processed more than once +within the time it is valid (with respect to the NotOnOrAfter attribute +of the <saml2:Conditions> element).

+

In order to prevent stolen assertions and user impersonation, the +Service Provider SHOULD implement a validation that rejects an assertion +if the time given it its IssueInstant attribute compared to the time +when the response message is received is too great. This time is +typically on the order of seconds, and limits the time window when a +stolen assertion could be used.

+

If the Service Provider included the attribute ForceAuthn with a value +of true in the authentication request, the Service Provider SHOULD +ensure that the AuthnInstant attribute of the +<saml2:AuthnStatement> element is greater than the time when the +request was sent (allowing for a reasonable clock skew).

+

A reasonable clock skew according to this profile is between 3 and 5 minutes in either direction.

+

+

6.4. Error Responses

+

If the Identity Provider returns an error, it MUST NOT include any +assertions in the <saml2p:Response> message.

+

An Identity Provider conformant with this profile SHOULD NOT make use of +any other <saml2p:StatusCode> values than those specified in +section 3.2.2.2 of +[SAML2Core] or in section 3.1.4 of [SC.Registry]. +The top-level <saml2p:StatusCode> value may only be one of the following error +identifiers:

+
    +

  • urn:oasis:names:tc:SAML:2.0:status:Requester – The request could not + be performed due to an error on the part of the Service Provider.

    +
    • +

  • urn:oasis:names:tc:SAML:2.0:status:Responder – The request could not + be performed due to an error on the part of the Identity Provider.

    +
    • +

  • urn:oasis:names:tc:SAML:2.0:status:VersionMismatch – The Identity + Provider could not process the request because the version of the + request message was incorrect.

    +
    • +
+

If the user cancels an authentication process the Identity Provider +SHOULD indicate this by assigning the second-level status code to +http://id.elegnamnden.se/status/1.0/cancel.

+

If an Identity Provider displays information describing an error in its +user interface it MUST also offer ways for the end user to confirm this +information (for example, by including an OK-button). When the end user +acknowledges taking part of the information (i.e., clicks on the OK-button), +the <saml2p:Response> message is posted back to the Service +Provider according to the HTTP POST binding [SAML2Bind].

+

If an Identity Provider detects suspicious fraudulent behaviour or if any of its security checks alerts a (possible) fraud, the Identity Provider MUST NOT issue an assertion but instead display an error message. After the end user confirms this error message, the error message posted back to the Service Provider SHOULD contain a second-level status code set to http://id.elegnamnden.se/status/1.0/fraud or http://id.elegnamnden.se/status/1.0/possibleFraud (depending on whether the Identity Provider aborted the authentication due to a determined or suspected fraud).

+

+

7. Authentication for Signature

+

“DSS Extension for Federated Central Signing Services”, [SC.DSS.Ext], +defines an extension to the OASIS DSS protocol for providing centralized +Signature Services within the Sweden Connect Framework. This specification +defines the communication between a Signature Requestor* and a +Signature Service, but does not cover SAML specific requirements +regarding the user authentication phase that is part of the signature +process.

+

This section defines requirements on the SAML authentication process +when authentication is requested by a Signature Service, acting as a +SAML Service Provider. All requirements regarding user authentication +specified earlier in this profile are still valid. This section extends +these requirements for the “authentication for signature” process.

+
+

[*]: A Signature Requestor is a Service Provider within the federation to which the user previously has logged in to and from where the user initiates a signature operation.

+
+

+

7.1. Authentication Requests

+

Authentication requests from a Signature Service SHALL meet the +following requirements:

+
    +

  • The ForceAuthn attribute of the <saml2p:AuthnRequest> element + MUST be set to true.

    +
    • +

  • The <saml2p:AuthnRequest> element MUST be signed. This MUST + also be indicated in the Signature Service metadata record using the + AuthnRequestsSigned attribute (see section 2.1.4).

    +
    • +
+

If the receiving Identity Provider has declared that it wishes to receive principal selection information about the signer (see section 5.3.3), and the Signature Service has received any of the requested attribute values in the Signer element of the SignRequest ([SC.DSS.Ext]), the Signature Service SHOULD include those attribute values in a <psc:PrincipalSelection> extension of the authentication request.

+

It is RECOMMENDED that the <saml2p:Scoping> element containing a <saml2p:RequesterID> element holding the entityID of the Service Requestor is included in <saml2p:AuthnRequest> messages generated by a Signature Service.

+
<saml2p:Scoping>
+  <saml2p:RequesterID>http://www.origsp.com/sp</saml2:RequesterID>
+</saml2p:Scoping>

Example when the <saml2p:RequesterID> element is used to inform the Identity Provider about which Service Provider that requested the signature associated with this request for authentication.

+
+

The reason for this recommendation is that an Identity Provider may adapt user interfaces or authentication procedures to different Service Providers based on either static configuration or on information found in the Service Provider's metadata. It can therefore be useful for an Identity Provider to know which Service Provider that requested the signature (Signature Requestor) that caused a Signature Service to request authentication. The Identity Provider may use this information to maintain the same user experience and procedures regardless of whether authentication is requested directly by the Service Provider, or by a Signature Service as a result of a signature request from the same Service Provider.

+
+

An Identity Provider that accepts an <saml2p:AuthnRequest> message +from a Service Provider that has indicated that it is a Signature +Service* MUST provide a user interface that is indicating that the +end user is performing a signature.

+
+

[*]: An Identity Provider identifies a Service Provider as a Signature Service if it declares the http://id.elegnamnden.se/st/1.0/sigservice URI as a service type entity category in its metadata (see 2.1.4).

+
+

+

7.1.1. Requesting Display of Signature Message

+

[SC.DSS.Profile] specifies that a Signature Requestor may include a +SignMessage element (as defined by [SC.DSS.Ext]) in a signature request. +This element holds a message that the Identity Provider, which is +responsible for “authentication for signature”, should present to the +user that is performing the signature.

+

A Signature Service MAY request the Identity Provider to show a sign +message to the user by including the SignMessage element from the +signature request as a child element to an <saml2p:Extensions> +element in the <saml2p:AuthnRequest> message (see section 3.2.1 of +[SAML2Core]).

+

All Identity Providers compliant with this profile MUST be able to parse and understand +the SignMessage extension.

+

If the Message-element of the SignMessage is to be encrypted, the Service Provider SHOULD consult the Identity Provider's metadata (<md:EncryptionMethod> elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory algorithms defined in the Sweden Connect Framework during the encryption operation, which is compatible with the Identity Provider's encryption key declared in metadata.

+

If an Identity Provider that has ways of determining the principal's identity before displaying +a sign message receives a <psc:PrincipalSelection> extension in the authentication request +it SHOULD ensure that the contents of the <psc:PrincipalSelection> extension matches the +principal identity. If there is a mismatch, the Identity Provider MUST NOT display the +sign message, and if the request states that the sign message must be displayed, fail with +an error response where the second-level status code is set to +urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal ([SAML2Core]).

+
+

Typical scenarios where the above requirement apply is for the Swedish eIDAS connector that first authenticates a principal and then displays the sign message, and for Identity Providers that prompt the user for its user identity as part of its authentication scheme. In those scenarios the Identity Providers must compare the principal identity with the contents of <psc:PrincipalSelection>, if received in the authentication request.

+
+

Identity Providers processing a request containing a SignMessage extension SHALL meet +the following requirements (in addition to other general requirements associated with requests +from signature services):

+
    +

  • If the MustShow attribute of the SignMessage extension is set, the Identity Provider +MUST fail with an error response if the message, for some reason, can not be displayed +to the user.

    +
    • +

  • The Identity Provider MUST display the sign message to the user in a manner that is consistent +with the data format of the sign message. If necessary, the Identity Provider MUST process +defined filtering rules on the message. If the present message format is not supported or the +sign message for any reason cannot be displayed in a proper manner, the Identity Provider must +return an error response.

    +
    • +

  • If authentication and sign message confirmation by the user was successful, the Identity Provider +MUST include the signMessageDigest attribute (see section 3.2.4 of [SC.Attributes]) +in the assertion that is issued.

    +
    • +

  • The Identity Provider MUST NOT return an assertion without performing an authentication process +consistent with the requested authentication context which includes display of a sign message, +even if the request has no present ForceAuthn attribute or includes a ForceAuthn attribute set +to the value false.

    +
    • +
+

+

7.1.2. Requesting SCAL2 Signature Activation Data

+

The type of signature requested in a signature request is, according to [SC.DSS.Profile], specified by the CertType attribute of the <CertRequestProperties> element. When the value of this attribute is set to QC/SSCD, the requested signature is a Qualified Signature created in a Qualified Signature Creation Device (QSCD). To achieve this level of signature the Authentication Request MUST include a request for Signature Activation Data (SAD) for Sole Control Assurance Level 2 (SCAL2) in accordance with the "Signature Activation Protocol for Federated Signing" [SC.SAP], and MUST include the SignMessage extension (as described above).

+

As pointed out in section 2.1.3 an Identity Provider that supports processing of SAD requests and issuance of SAD-attributes SHALL advertise this by declaring the service property entity category http://id.elegnamnden.se/sprop/1.0/scal2 in its metadata. An Identity Provider that has declared this entity category MUST return a SAD attribute in an issued assertion if the corresponding <saml2p:AuthnRequest> message contains the <sap:SADRequest> extension.

+

A SAD returned from the Identity Provider MUST have a signature which can be verified using a certificate from the Identity Provider's metadata entry. The signature algorithm used to sign the SAD MUST be equivalent to the algorithm used to sign the responses and assertions from the Identity Provider.

+

Verification of a received SAD-attribute MUST follow the verification rules specified in section 3.2.3 of [SC.SAP].

+

+

7.2. Authentication Responses

+

By including the signMessageDigest attribute (see section 3.2.4 of [SC.Attributes]) +in the SAML assertion, the Identity Provider asserts that it has successfully displayed the sign message +received in the request for the user and that the user has accepted to sign under the context of this sign message. This attribute MUST be included in the issued assertion if a sign message was displayed for, and accepted by, the user.

+

+

8. Cryptographic Algorithms

+

This section lists the requirements for crypto algorithm support for being compliant with this profile.

+

For signature and encryption keys the following requirements apply:

+
    +
  • RSA public keys MUST be at least 2048 bits in length. 3072 bits or more is RECOMMENDED.
    • +
  • EC public keys MUST be at least 256 bits in length (signature only).
      +
    • The curves NIST Curve P-256, NIST Curve P-384 and NIST Curve P-521 MUST be supported ([RFC5480]).
      • +
    +
    • +
+

Services conforming to this profile MUST support the mandatory algorithms below, and SHOULD support the algorithms listed as optional.

+

The sender of a secure message MUST NOT use an algorithm that is not listed as mandatory in the sections below, unless it is explicitly declared by the peer in its metadata (see [SAML2MetaAlgSupport]).

+

A service processing a message in which an algorithm not listed below has been used MUST refuse to accept the message and respond with an error, unless this algorithm has been declared as preferred or supported by the service in its metadata entry.

+
+

This profile does not specify a complete list of blacklisted algorithms. However, there is a need to explicitly point out that the commonly used algorithms SHA-1 for digests and RSA PKCS#1 v1.5 for key transport are considered broken and SHOULD not be used or accepted.

+
+

The algorithms below are defined in [XMLEnc], [XMLDSig] and [RFC4051].

+

+

8.1. Digest Algorithms

+

Mandatory:

+
    +
  • SHA-256, http://www.w3.org/2001/04/xmlenc#sha256
    • +
+

Optional:

+
    +
  • SHA-384, http://www.w3.org/2001/04/xmldsig-more#sha384
    • +
  • SHA-512, http://www.w3.org/2001/04/xmlenc#sha512
    • +
+

+

8.2. Signature Algorithms

+

Mandatory:

+
    +
  • RSA-SHA256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    • +
  • ECDSA-SHA256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
    • +
+

Optional:

+
    +
  • RSA-SHA384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
    • +
  • RSA-SHA512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
    • +
  • ECDSA-SHA384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
    • +
  • ECDSA-SHA512, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
    • +
+

+

8.3. Block Encryption Algorithms

+

Mandatory:

+
    +
  • AES128-CBC, http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • +
  • AES192-CBC, http://www.w3.org/2001/04/xmlenc#aes192-cbc
    • +
  • AES256-CBC, http://www.w3.org/2001/04/xmlenc#aes256-cbc
    • +
+

Optional:

+
    +
  • AES128-GCM, http://www.w3.org/2009/xmlenc11#aes128-gcm
    • +
  • AES192-GCM, http://www.w3.org/2009/xmlenc11#aes192-gcm
    • +
  • AES256-GCM, http://www.w3.org/2009/xmlenc11#aes256-gcm
    • +
+

Note: The AES-CBC algorithm has been reported to have vulnerabilities, but these weaknesses can not be exploited when using signed SAML messages. Also, the support for AES-GCM in SAML software is not sufficiently spread at the time of writing. Therefore, the current version of this profile specifies AES-CBC as the default block encryption algorithm.

+

Services supporting the AES-GCM algorithm SHOULD indicate this in its metadata.

+
...
+<md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="encryption">
+  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:X509Data>
+      <ds:X509Certificate>MIIE+DC...SpWg==</ds:X509Certificate>
+    </ds:X509Data>
+  </ds:KeyInfo>
+  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+  ...
+</md:KeyDescriptor>

Example of how a service announces that it has support for AES-GCM and wishes peers to use these algorithms when encrypting for the service.

+

+

8.4. Key Transport Algorithms

+

Mandatory:

+
    +
  • RSA-OAEP-MGF1P, http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
      +
    • Key transport digest: SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)
      • +
    +
    • +
+

For interoperability reasons the current version of this profile specifies the RSA-OAEP-MGF1P algorithm as the default key transport algorithms. This algorithm's padding method defaults to the use of SHA-1 as a digest algorithm and also uses the "MGF1 with SHA-1" mask generation function*.

+

Optional:

+
    +
  • RSA-OAEP-MGF1P, http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
      +
    • Key transport digest: Any of the digest methods listed as mandatory or optional in section 8.1.
      • +
    +
    • +
+

A service wishing to receive encrypted messages where SHA-1 is not used as the key transport digest SHOULD indicate this in its metadata using the <md:EncryptionMethod> element as the example below.

+
...
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
+  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+</md:EncryptionMethod>
+...

Example of how a service announces that it wishes that the peer uses SHA-256 as the key transport digest when encrypting using RSA-OAEP-MGF1P.

+
+

[*]: Note that the use if SHA-1 in this context (both as digest algoritm and as mask generation function) is limited to providing randomness of padding data and as a hash over optional OAEP parameter data which typically is an empty string. It is not used as a hash function to assert the integrity of the encrypted data. No weaknesses of SHA-1 are known to be relevant to its use in this context.

+
+

+

9. Normative References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[XMLEnc]

+
+

D. Eastlake et al. XML Encryption Syntax and Processing. W3C Recommendation, April 2013.

+
+

+[XMLDSig]

+
+

D. Eastlake et al. XML-Signature Syntax and Processing, Version 1.1. W3C Recommendation, April 2013.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[SAML v2.0 Errata 05]

+
+

SAML Version 2.0 Errata 05. 01 May 2012. OASIS Approved +Errata.

+
+

+[SAML2Bind]

+
+

OASIS Standard, Bindings for the OASIS Security Assertion Markup +Language (SAML) V2.0, March +2005.

+
+

+[SAML2Prof]

+
+

OASIS Standard, Profiles for the OASIS Security Assertion Markup +Language (SAML) V2.0, March +2005.

+
+

+[SAML2Meta]

+
+

OASIS Standard, Metadata for the OASIS Security Assertion Markup +Language (SAML) V2.0, March +2005.

+
+

+[SAML2Sec]

+
+

Security and Privacy Considerations for the OASIS Security Assertion +Markup Language (SAML) V2.0, March +2005.

+
+

+[SAML2IAP]

+
+

SAML V2.0 Identity Assurance Profiles Version 1.0, 05 November +2010.

+
+

+[SAML2MetaIOP]

+
+

OASIS Standard, SAML V2.0 Metadata Interoperability Profile Version 1.0, October 2019.

+
+

+[SAML2MetaUI]

+
+

OASIS Draft, SAML V2.0 Metadata Extensions for Login and Discovery +User Interface Version 1.0, April 2012

+
+

+[SAML2MetaAttr]

+
+

OASIS Committee Specification, SAML V2.0 Metadata Extension for +Entity Attributes Version 1.0, August +2009.

+
+

+[SAML2MetaAlgSupport]

+
+

SAML v2.0 Metadata Profile for Algorithm Support Version 1.0, 21 February 2011.

+
+

+[EntCat]

+
+

RFC8409 - The Entity Category Security Assertion Markup Language (SAML) Attribute Types.

+
+

+[IdpDisco]

+
+

OASIS Committee Specification, Identity Provider Discovery Service +Protocol and Profile, March +2008.

+
+

+[SAML2SubjIdAttr]

+
+

OASIS Committee Specification, SAML V2.0 Subject Identifier Attributes Profile Version 1.0, January 2019.

+
+

+[SAML2HokProf]

+
+

OASIS Committee Specification, SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0, August 2010.

+
+

+[SAML2HokAP]

+
+

OASIS Committee Specification, SAML V2.0 Holder-of-Key Assertion Profile Version 1.0, January 2010.

+
+

+[SE.Trust]

+
+

Tillitsramverket för Svensk e-legitimation.

+
+

+[SC.Registry]

+
+

Sweden Connect - Registry for identifiers.

+
+

+[SC.Attributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SC.EntCat]

+
+

Entity Categories for the Swedish eID Framework.

+
+

+[SC.Principal]

+
+

Principal Selection in SAML Authentication Requests.

+
+

+[SC.DSS.Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[SC.DSS.Profile]

+
+

Implementation Profile for Using OASIS DSS in Central Signing Services.

+
+

+[SC.SAP]

+
+

Signature Activation Protocol for Federated Signing.

+
+

+[RFC4051]

+
+

IETF RFC 4051, Additional XML Security Uniform Resource Identifiers, April 2005.

+
+

+[RFC5480]

+
+

IETF RFC 5480, Elliptic Curve Cryptography Subject Public Key Information, March 2009.

+
+

+

10. Changes between versions

+

Changes between version 1.7 and 1.8:

+
    +
  • Section 7.1.2 was updated to state that the requirement to include both a SAD and a SignMessage extension only applies when the requested CertType is "QC/SSCD". Voluntary use of SAD for other types of signatures (e.g., nonqualified signatures) does not automatically trigger a requirement to include SignMessage.
    • +
+

Changes between version 1.6 and 1.7:

+
    +

  • Sections 2.1.2 and 2.1.3 were updated with clarifications for how a Service Provider declares requested attributes and how an Identity Provider declares its ability to deliver attributes.

    +
    • +

  • Section 6.2.1, "Attribute Release and Consuming Rules", was updated with a privacy requirement that tells that an Identity Provider must not release identity attributes not requested by the Service Provider.

    +
    • +

  • Section 2.1.3.1, "Declaring Authorized Scopes", was introduced in order to define how an Identity Provider declares authorized scopes. Section 6.2.1, "Attribute Release and Consuming Rules", was updated with release and consumption rules for scoped attributes.

    +
    • +

  • Support for the Holder-of-key Web Browser SSO Profile has been added.

    +
    • +

  • Removed text in section 7, "Authentication for Signature", regarding the use of the deprecated sigmessage URI:s.

    +
    • +
+

Changes between version 1.5 and 1.6:

+
    +

  • In order to facilitate algorithm interoperability between peers additions concerning "Metadata Profile for Algorithm Support" [SAML2MetaAlgSupport] was added. Section 2.1.1 was updated with a section defining how preferred algorithms are declared in metadata, and sections 5.2, 6.1 and 7.2.1 was updated with requirements for algorithm selection during signing and encryption.

    +
    • +

  • Section 5.3, "Message Content", was re-structured with subchapters for requested authentication contexts, scoping and principal selection.

    +
    • +

  • The PrincipalSelection and RequestedPrincipalSelection extensions were introduced to sections 2.1.3, 5.3.3 and 7.2.

    +
    • +

  • The link for the "Tillitsramverk för Svensk e-legitimation" specification was updated.

    +
    • +

  • This profile is no longer normatively dependent upon SAML2Int. Therefore, the profile has been updated with requirements that previously was implicit (due to the normative dependency to SAML2Int).

    +
    • +

  • Section 8, "Cryptographic Algorithms", was introduced in order to clearly define the algorithm requirements for services that are conformant to this profile.

    +
    • +

  • Section 2.1.1 was updated with elaborations concerning certificates in metadata.

    +
    • +

  • Section 7.2.1 was updated with a requirement that ensures that a sign message is only displayed to the intended user.

    +
    • +

  • Section 7, "Authentication for Signature", was updated where "Sign Message Authentication Context URI" were deprecated +and the use of the signMessageDigest attribute was introduced.

    +
    • +
+

Changes between version 1.4 and 1.5:

+
    +
  • Section 2.1.3 "Identity Providers", was extended to include requirements on metadata to signal support for the SAP (Signature Activation Protocol).
    • +
  • Section 7.2, "Authentication Requests", was extended to recommend the usage of the <saml2p:RequesterID> element within <saml2p:Scoping>. The reason for this recommendation is that Identity Providers may need information about the "Signature Requestor", i.e., the Service Provider that requested the signature that caused a Signature Service to request authentication.
    • +
  • Section 6.3.4, "The Authentication Statement", contained a requirement about how to process a received authentication context URI that was incorrect. This has been corrected.
    • +
  • A new section, 7.2.2, "Requesting SCAL2 Signature Activation Data", was added. This amendment describes how and when to request Signature Activation Data from an Identity Provider in order to enable a signature service to operate as a Qualified Signature Creation Device (QSCD).
    • +
  • Attribute release rules have been clarified in sections 2.1.2, "Service Providers" and 6.2.1, "Attribute Release Rules".
    • +
  • Section 2.1.2, "Service Providers", was updated to include a requirement for Service Providers communicating with a centralized discovery service.
    • +
  • Section 5.3, "Message Content", was updated to describe the use of <saml2p:IDPEntry> elements under the <samp2p:Scoping> elements for requests sent to Identity Providers acting as proxies for other Identity Providers.
    • +
  • The reference to [SAML2MetaUI] was updated to the latest official version: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.html.
    • +
  • The reference to [EntCat] was updated to the latest version.
    • +
+

Changes between version 1.3 and version 1.4:

+
    +

  • Version 1.3 of this profile stated that a + <saml2p:AuthnRequest> message MUST contain an + AssertionConsumerServiceURL attribute identifying the desired + response location. It has shown that this requirement aggravates + interoperability since some of the major providers of Service + Provider software do not fully support this attribute. Furthermore, + the requirement does increase security since an Identity Provider + may only post response messages to locations registered in the + <md:AssertionConsumerService> elements of the Service Provider + metadata entry. Therefore, chapter 5.3, “Message Content”, has been + changed to state that the <saml2p:AuthnRequest> message SHOULD + contain an AssertionConsumerServiceURL attribute. Changes have also + been made to sections 5.4.2 and 6.3.2 where processing requirements + were updated.

    +
    • +

  • In section 5.3, a clarification regarding specifying more than one + authentication context URI was made.

    +
    • +

  • In section 7.1, a set of authentication context URIs for the eIDAS + Framework was added.

    +
    • +

  • In section 6.4, the requirement to use the sublevel status code + http://id.elegnamnden.se/status/1.0/cancel was added. This status + should be used to indicate a cancelled operation.

    +
    • +

  • In section 6.4, the status codes http://id.elegnamnden.se/status/1.0/fraud and http://id.elegnamnden.se/status/1.0/possibleFraud were introduced. Their purpose is to alert (suspected) fraudulent behaviour.

    +
    • +

  • The specification for “Discovery within the Swedish eID Framework” + has been deprecated and requirements referring to this document have + been updated.

    +
    • +

  • A clarification to section 5.2 was made stating that conformant +Identity Providers MUST support the HTTP-POST binding.

    +
    • +

  • Section 6.2 was updated with requirements for proxy-IdP:s that are expected to include the <saml2:AuthenticatingAuthority> element holding the entityID of the Identity Provider that provided the authentication of the principal.

    +
    • +
+

Changes between version 1.2 and version 1.3:

+
    +

  • This profile now extends a newer version of the SAML2Int Deployment + Profile (see http://saml2int.org/profile/current/).

    +
    • +

  • Clarifications on how entity categories are represented in metadata + were made to chapters: 2.1.2, 2.1.3, and 2.1.4.

    +
    • +

  • Changes were made to chapter 6.1, “Security Requirements”, where the + profile now requires the entire <saml2p:Response> message to + be signed, as compared to the previous version where the signature + requirement was put on <saml2:Assertion> elements.

    +
    • +

  • In chapter 6.2, it is now specified that an Address attribute MUST + be part of the <saml2:SubjectConfirmationData> element. The + previous version stated SHOULD.

    +
    • +

  • Chapter 6.2.1, “Attribute Release Rules”, was introduced to clarify + how the attribute release process should be handled by an issuing + entity.

    +
    • +

  • A Service Provider is now obliged to explicitly specify the required + Level of Assurance under which a specific authentication should be + performed. This is specified in chapter 5.3, “Message Content”, and + 5.4.4, “Authentication Context and Level of Assurance Handling”.

    +
    • +

  • The specification “Authentication Context Classes for Levels of + Assurance for the Swedish eID Framework” has been removed from the + Swedish eID Framework. The reason for this is that it was proven + difficult to make use of the <saml2:AuthnContextDecl> element + to store authentication context parameters, and that no commercial, + or open source, Identity Provider software had support for this + feature. [SC.Attributes] now describe how the authContextParams + attribute may be used for the same purpose, and the examples where + this information was stored under the <saml2:AuthnContextDecl> + element was removed from chapter 6.2, “Message Content”.

    +
    • +

  • Chapter 7, “Authentication for Signature”, was introduced to specify + requirements regarding the process of “authentication for signature” + where a Signature Service requests that a user performing a + signature authenticates.

    +
    • +
+

Changes between version 1.1 and version 1.2:

+
    +

  • This profile now explicitly defines requirements for the use of + signed authentication request messages, see sections 2.1and 5.2.

    +
    • +

  • This profile now allows the HTTP-POST binding to be used for sending + authentication request messages (see chapter 5.2, “Binding and + Security Requirements”). The main reason for this is to facilitate + the use of signed authentication request messages.

    +
    • +

  • In chapter 5.4, additional processing requirements for received + authentication requests were added or changed. These include:

    +
    • +

  • Validation of assertion consumer addresses (5.4.1).

    +
    • +

  • Clarifications to chapter 5.4.4.

    +
    • +

  • Single Sign On processing (5.4.5).

    +
    • +

  • This profile now states that “Unsolicited response” messages are not + accepted by Service Providers due to security reasons, see chapter + 6.1, “Security Requirements”.

    +
    • +

  • Changes and additions in chapter 6.2, “Message Content”, for + responses including:

    +
    • +

  • Clarifications about the usage of the AuthnInstant attribute of the + <saml2:AuthnStatement> element.

    +
    • +

  • Specifications of the use of <saml2:SubjectConfirmation> in + assertions.

    +
    • +

  • Clarifications on the use of audience restrictions and assertion + validity.

    +
    • +

  • Chapter 6.3, “Processing Requirements”, was added. This chapter + contains specifications and requirements of how a response message + should be processed in order to maintain security.

    +
    • +
+

Changes between version 1.0 and version 1.1:

+
    +

  • In chapter 5.1, “Discovery”, a reference to the specification + “Discovery within the Swedish eID Framework” [Eid2Disco] was + added.

    +
    • +

  • In chapter 5.4.4, a note was added that informs about the need to + ensure IdP-capabilities regarding level of assurance before issuing + a request.

    +
    • +

  • In chapter 6.2, “Message Content”, an example of how an Identity + Provider may include an authentication context class declaration was + provided.

    +
    • +

  • Some faulty references were corrected.

    +
    • +
+
+ + diff --git a/docs/december-2024/03_-_Registry_for_Identifiers.html b/docs/december-2024/03_-_Registry_for_Identifiers.html new file mode 100644 index 0000000..3140dbb --- /dev/null +++ b/docs/december-2024/03_-_Registry_for_Identifiers.html @@ -0,0 +1,1204 @@ + + + + + + Sweden Connect - Registry for identifiers + + + + + + +

+ + +

+

+ +

+ +

Sweden Connect - Registry for identifiers

+

Version 1.8 - 2024-12-04

+

Registration number: 2019-309

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Background

    +
    2. +

  2. Structure

    +

    2.1. URI Identifiers

    +

    2.2. OID Identifiers

    +
    3. +

  3. Assigned Identifiers

    +

    3.1. URL Identifiers

    +

    3.1.1. Authentication Context URIs

    +

    3.1.1.1. Authentication Context URIs for Swedish Non-residents

    +

    3.1.1.2. Authentication Context URIs for Uncertified Providers

    +

    3.1.2. Attribute Sets

    +

    3.1.3. Entity Category Identifiers

    +

    3.1.3.1. Service Entity Categories

    +

    3.1.3.2. Entity Categories for Service Properties

    +

    3.1.3.3. Entity Categories for Service Type

    +

    3.1.3.4. Entity Categories for Service Contract

    +

    3.1.3.5. General Entity Categories

    +

    3.1.4. SAML Protocol Status Codes

    +

    3.1.5. Central Signing

    +

    3.1.6. Authentication Context

    +

    3.1.7. Sign Response Status Codes

    +

    3.1.8. Name Registration Authorities

    +

    3.1.9. eIDAS Identifiers

    +

    3.1.9.1. eIDAS Proxy Service Aliases

    +

    3.1.9.2. eIDAS Connector Aliases

    +

    3.1.9.3. Identity Binding Processes

    +

    3.2. OID Identifiers

    +

    3.2.1. ASN.1 Declarations

    +
    4. +

  4. References

    +
    5. +

  5. Changes between versions

    +
    6. +
+

+

1. Background

+

The implementation of a Swedish infrastructure for electronic +identification and electronic signature requires various types of +identifiers to represent objects in protocols and data structures.

+

This document defines the structure for identifiers assigned by the Sweden Connect Framework and provides a registry for assigned identifiers.

+

The following types of identifiers are assigned in this document:

+
    +

  • URI (Uniform Resource Identifier)

    +
    • +

  • OID (Object Identifier)

    +
    • +
+

This registry is limited to registering assigned identifiers. +Identifiers in this registry are typically defined within the context of +a separate specification, which defines the semantic meaning of the +identifier within the context of a particular protocol and/or data +structure. Where applicable, this registry provides references to the +documents where the exact meaning of each identifier is defined.

+

+

2. Structure

+

The basic structure of identifiers assigned by the Sweden Connect Framework is based on the following components:

+ + + + + + + + + + + + + + + + + + + + + + + +
ParameterDescription
PrefixThe leading portion of the identifier that associates the identifier with this registry and identifies the Swedish e-identification board or Sweden Connect as the assigner of the identifier.
CategoryA code for the category of an identifier. Each category is a defined context for a collection of identifiers within the scope of a protocol, service or object type.
Version (optional)An indicator of the version of the object represented by this identifier. The exact semantic of the version indicator, if present, is defined within each category.
IdentifierA sequence of characters or numbers (according to the syntax of the identifier type), which distinguish this identifier among all other identifiers within a particular prefix, category and version.
+

+

2.1. URI Identifiers

+

All URI identifiers in this registry are of URL type (Uniform Resource +Locator), assigned under the prefixes http://id.elegnamnden.se and http://id.swedenconnect.se.

+

These URL identifiers are defined using the following structure:

+
    +
  • http://id.elegnamnden.se/{category}[/{version}]/{identifier}, or,
    • +
  • http://id.swedenconnect.se/{category}[/{version}]/{identifier}.
    • +
+

+

2.2. OID Identifiers

+

An object identifier consists of a node in a hierarchically-assigned +namespace, formally defined using the ITU-T's ASN.1 standard, X.690. +Successive numbers of the nodes, starting at the root of the tree, +identify each node in the tree. Designers set up new nodes by +registering them under the node's registration authority. The root of +the tree contains the following three arcs:

+
    +
  • 0: ITU-T
    • +
  • 1: ISO
    • +
  • 2: joint-iso-itu-t
    • +
+

Object identifiers are in this document represented as a string +containing a sequence of integers separated by a dot (“.”), e.g. +2.3.4.25, where each integer represents a node in the hierarchy.

+

The node assigned to the Swedish E-identification Board/Sweden Connect is: 1.2.752.201.

+

This represents a hierarchical structure of nodes in the following +sequence:

+
    +
  • 1 = ISO
    • +
  • 2 = ISO member body
    • +
  • 752 = The Swedish Standardization Institute (SIS-ITS)
    • +
  • 201 = Swedish E-identification Board (see note below)
    • +
+

This node is used as the Prefix (root node) for all OID identifiers in +this registry, using the following structure:

+

1.2.752.201.{category}.{identifier}

+

OID identifiers according to this structure assign a node for each +category and an identifier node under this category node. No node in +this structure is assigned as version node. Version is handled, when +necessary, within the identifier portion of the OID, typically by +assigning a new identifier.

+

Note: The OID 1.2.752.201 was assigned to the Swedish E-identification Board, but +this organisation has been overtaken by the Swedish Agency for Digital Government (Digg) who +now uses this OID arc for the Sweden Connect Framework.

+

+

3. Assigned Identifiers

+

+

3.1. URL Identifiers

+

The following category codes are defined:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CodeCategory
loaLevel of Assurance. Identifiers representing level of assurance for federated identity (Tillitsnivå).
acAttribute profile.
ecEntity Category. Generic service type declarations for service matching.
spropService Property. Specific entity category identifiers for specific service property.
stService Type. Specific entity category identifiers for defined types of services in the federation.
contractService contract. Specific entity category identifiers for declaring contract, or business agreement, affiliation within a federation.
csigCentral Signing Service – Identifiers used by the central signing service infrastructure.
auth-contAuthentication context information schema.
statusSAML Protocol status codes.
sig-statusSign response status codes.
eidasIdentifiers used for integration with the eIDAS Framework.
nsXML Schema namespaces.
+

+

3.1.1. Authentication Context URIs

+

Authentication Context URIs representing assurance levels (Tillitsnivåer) relevant to +[SE.Trust] and [SC.SAML.Profile].

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/loa/1.0/loa1Assurance level 1.[SE.Trust]
http://id.elegnamnden.se/loa/1.0/loa2Assurance level 2.[SE.Trust]
http://id.elegnamnden.se/loa/1.0/loa3Assurance level 3.[SE.Trust]
http://id.elegnamnden.se/loa/1.0/loa4Assurance level 4.[SE.Trust]
http://id.elegnamnden.se/loa/1.0/eidas-low*Authentication accordance to eIDAS assurance level low for non-notified and notified eID schemes.[eIDAS]
http://id.elegnamnden.se/loa/1.0/eidas-sub*Authentication accordance to eIDAS assurance level substantial for non-notified and notified eID schemes.[eIDAS]
http://id.elegnamnden.se/loa/1.0/eidas-high*Authentication accordance to eIDAS assurance level high for non-notified and notified eID schemes.[eIDAS]
http://id.elegnamnden.se/loa/1.0/eidas-nf-low*Authentication accordance to eIDAS assurance level low using an eID scheme that MUST be notified.[eIDAS]
http://id.elegnamnden.se/loa/1.0/eidas-nf-sub*Authentication accordance to eIDAS assurance level substantial using an eID scheme that MUST be notified.[eIDAS]
http://id.elegnamnden.se/loa/1.0/eidas-nf-high*Authentication accordance to eIDAS assurance level high using an eID scheme that MUST be notified.[eIDAS]
+

NOTE: eIDAS assurance levels low, substantial and high have the +following AuthnContextClassRef URI:s defined by the EU commission:

+
    +

  • http://eidas.europa.eu/LoA/low

    +
    • +

  • http://eidas.europa.eu/NotNotified/LoA/low (for non-notified eID schemes)

    +
    • +

  • http://eidas.europa.eu/LoA/substantial

    +
    • +

  • http://eidas.europa.eu/NotNotified/LoA/substantial (for non-notified eID schemes)

    +
    • +

  • http://eidas.europa.eu/LoA/high

    +
    • +

  • http://eidas.europa.eu/NotNotified/LoA/high (for non-notified eID schemes)

    +
    • +
+
+

[*]: The authentication context URI:s are intended to be used to represent authentication +over the eIDAS authentication framework using an official eIDAS-connector. Authorization to +issue assertions using these authentication context URI:s is determined by declaration of the +"assurance certification" for the connector (see section 2.1.3 of [SC.SAML.Profile]).

+
+

+
3.1.1.1. Authentication Context URIs for Swedish Non-residents
+

The Swedish assurance framework, [SE.Trust], states that a Swedish eID +according to any of the defined assurance levels must only be issued to an individual holding +a Swedish personal identity number (personnummer) or a Swedish coordination number +(samordningsnummer).

+

In some cases, a certified eID-issuer may also issue eIDs to persons that do not hold +a Swedish identity number (non-residents). If this is the case, and the original +identification of the person has a strength that corresponds to the requirements +put in [SE.Trust], a certified Identity Provider or OpenID Provider MAY use the URIs +defined below:

+ + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.swedenconnect.se/loa/1.0/
loa2-nonresident		A URI that is indented to be used by a level 2-certified providers that authenticate a non-resident eID holder according to assurance level 2 - http://id.elegnamnden.se/loa/1.0/loa2.This document
http://id.swedenconnect.se/loa/1.0/
loa3-nonresident		A URI that is indented to be used by a level 3-certified providers that authenticate a non-resident eID holder according to assurance level 3 - http://id.elegnamnden.se/loa/1.0/loa3.This document
http://id.swedenconnect.se/loa/1.0/
loa4-nonresident		A URI that is indented to be used by a level 4-certified providers that authenticate a non-resident eID holder according to assurance level 4 - http://id.elegnamnden.se/loa/1.0/loa4.This document
+

Note: An Identity Provider, or OpenID Provider, that includes any of the above URIs in an issued assertion/ID Token, MUST NOT provide the Swedish personal identity number as an identity attribute/claim. +This is per definition since these URIs are intended to be used for non-residents (i.e., they do not hold a Swedish identity number).

+

+
3.1.1.2. Authentication Context URIs for Uncertified Providers
+

The assurance levels defined in section 3.1.1 may only be used by Identity Providers, or OpenID Providers, that have been reviewed and approved by the Swedish Agency for Digital Government (Digg) according to [SE.Trust]. For providers that have not undergone a review process but make a self declaration to be compliant with [SE.Trust] this specification defines the following authentication context URIs:

+ + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.swedenconnect.se/loa/1.0/
uncertified-loa2		URI that is indented to be used by uncertified providers that make a self declaration of providing an assurance level comparable to Assurance level 2 - http://id.elegnamnden.se/loa/1.0/loa2.This document
http://id.swedenconnect.se/loa/1.0/
uncertified-loa3		URI that is indented to be used by uncertified providers that make a self declaration of providing an assurance level comparable to Assurance level 3 - http://id.elegnamnden.se/loa/1.0/loa3.This document
+

Proxy providers that have eIDAS authentication as an option MUST NOT use the eIDAS authentication context URIs defined in section 3.1.1, instead they should use:

+ + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.swedenconnect.se/loa/1.0/
uncertified-eidas-low		Should be used if a proxy IdP receives http://id.elegnamnden.se/loa/1.0/eidas-low or http://id.elegnamnden.se/loa/1.0/eidas-nf-low in an assertion from the official Swedish eIDAS-connector.This document
http://id.swedenconnect.se/loa/1.0/
uncertified-eidas-sub		Should be used if a proxy IdP receives http://id.elegnamnden.se/loa/1.0/eidas-sub or http://id.elegnamnden.se/loa/1.0/eidas-nf-sub in an assertion from the official Swedish eIDAS-connector.This document
http://id.swedenconnect.se/loa/1.0/
uncertified-eidas-high		Should be used if a proxy IdP receives http://id.elegnamnden.se/loa/1.0/eidas-high or http://id.elegnamnden.se/loa/1.0/eidas-nf-high in an assertion from the official Swedish eIDAS-connector.This document
+

+

3.1.2. Attribute Sets

+

Identifiers for attribute sets defined in the Sweden Connect SAML Attribute Specification.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IdentifierURLObjectReference
ELN-AP-Pseudonym-01http://id.elegnamnden.se/ap/1.0/pseudonym-01Pseudonym identity attribute set.[SC.SAML.Attrs]
ELN-AP-NaturalPerson-01http://id.elegnamnden.se/ap/1.0/natural-person-01Personal identity without civic registration number attribute set.[SC.SAML.Attrs]
ELN-AP-Pnr-01http://id.elegnamnden.se/ap/1.0/pnr-01Personal identity with civic registration number attribute set.[SC.SAML.Attrs]
ELN-AP-OrgPerson-01http://id.elegnamnden.se/ap/1.0/org-person-01Organizational identity attribute set.[SC.SAML.Attrs]
ELN-AP-eIDAS-NatPer-01http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01Natural person identity for the eIDAS Framework.[SC.SAML.Attrs]
DIGG-AP-HSAid-01http://id.swedenconnect.se/ap/1.0/hsaid-01Natural Person Identity with HSA-ID[SC.SAML.Attrs]
+

+

3.1.3. Entity Category Identifiers

+

Identifiers for categories of service entities, specified as an “Entity Attribute” in the SAML federation metadata.

+

+
3.1.3.1. Service Entity Categories
+

Identifiers for entity categories representing alternative sets of requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/
ec/1.0/loa2-pnr		Service consuming/providing assertions based on assurance level 2, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.[SC.SAML.EntCat]
http://id.elegnamnden.se/
ec/1.0/loa3-pnr		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/sc/uncertified-loa3-pnr		Service consuming/providing assertions based on uncertified-loa3, as defined above, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.
http://id.elegnamnden.se/
ec/1.0/loa4-pnr		Service consuming/providing assertions based on assurance level 4, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.[SC.SAML.EntCat]
http://id.elegnamnden.se/
ec/1.0/eidas-naturalperson		Service consuming/providing assertions based on any eIDAS assurance level, implementing the attribute set http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01.[SC.SAML.EntCat]
http://id.elegnamnden.se/
ec/1.0/eidas-pnr-delivery		Service providing assertions to eIDAS services via Swedish eIDAS-node[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/1.0/loa3-hsaid		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.swedenconnect.se/ap/1.0/hsaid-01.
http://id.swedenconnect.se/
ec/sc/uncertified-loa3-hsaid		Service consuming/providing assertions based on uncertified-loa3, as defined above, implementing the attribute set http://id.swedenconnect.se/ap/1.0/hsaid-01.
http://id.swedenconnect.se/
ec/1.0/loa2-orgid		Service consuming/providing assertions based on assurance level 2, implementing the attribute set http://id.elegnamnden.se/ap/1.0/org-person-01.[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/1.0/loa3-orgid		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.elegnamnden.se/ap/1.0/org-person-01.[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/1.0/loa4-orgid		Service consuming/providing assertions based on assurance level 4, implementing the attribute set http://id.elegnamnden.se/ap/1.0/org-person-01.[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/1.0/loa2-name		Service consuming/providing assertions based on assurance level 2, implementing the attribute set http://id.elegnamnden.se/ap/1.0/natural-person-01.[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/1.0/loa3-name		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.elegnamnden.se/ap/1.0/natural-person-01.[SC.SAML.EntCat]
http://id.swedenconnect.se/
ec/1.0/loa4-name		Service consuming/providing assertions based on assurance level 4, implementing the attribute set http://id.elegnamnden.se/ap/1.0/natural-person-01.[SC.SAML.EntCat]
+

+
3.1.3.2. Entity Categories for Service Properties
+

Identifiers for defined service properties.

+ + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/sprop/1.0/mobile-authService adapted to require/provide user authentication based on mobile devices.[SC.SAML.EntCat]
http://id.elegnamnden.se/sprop/1.0/scal2Service adapted to support authentication requests from signature services supporting Sole Control Assurance Level 2 (SCAL2).[SC.SAML.EntCat]
+

+
3.1.3.3. Entity Categories for Service Type
+

Identifiers for defined service types.

+ + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/st/1.0/sigserviceElectronic signature service[SC.SAML.EntCat]
http://id.elegnamnden.se/st/1.0/public-sector-spPublic sector Service Provider[SC.SAML.EntCat]
http://id.elegnamnden.se/st/1.0/private-sector-spPrivate sector Service Provider[SC.SAML.EntCat]
+

+
3.1.3.4. Entity Categories for Service Contract
+

Service Contract Entity Category identifiers are indented for performing service matching based on contracts, or business agreements, between providing and consuming services.

+

All Service Contract identifiers are prefixed with http://id.swedenconnect.se/contract/<org>, where org is the identifier for the defining organization.

+

The Sweden Connect Framework specifications do not define any Service Contract identifiers, instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements.

+

+
3.1.3.5. General Entity Categories
+

An entity category of the General Entity Category type is a category that does not fit into any of the other category types regarding definitions and matching rules.

+

General category identifiers are prefixed with http://id.swedenconnect.se/general-ec.

+ + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.swedenconnect.se/general-ec/
1.0/secure-authenticator-binding		Indicator that a secure authenticator binding is required, or supported.[SC.SAML.EntCat]
http://id.swedenconnect.se/general-ec/
1.0/accepts-coordination-number		Category for opt-in for the acceptance of Swedish coordination numbers in the personalIdentityNumber attribute.[SC.SAML.EntCat]
http://id.swedenconnect.se/general-ec/
1.0/supports-user-message		Indicator that an Identity Provider supports the UserMessage authentication request extension, see [SC.SAML.UMsg].[SC.SAML.EntCat]
+

+

3.1.4. SAML Protocol Status Codes

+

Status code identifiers for use in SAML Response messages. The list +below extends the list of second-level status codes defined in section +3.2.2.2 of [SAML2Core].

+ + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/status/1.0/cancelStatus code representing a cancelled operation.[SC.SAML.Profile]
http://id.elegnamnden.se/status/1.0/fraudStatus code indicating a fraudulent request.[SC.SAML.Profile]
http://id.elegnamnden.se/status/1.0/possibleFraudStatus code indicating a possible fraudulent request.[SC.SAML.Profile]
+

+

3.1.5. Central Signing

+

Identifiers used in the protocol for requesting services form a central signing service.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/csig/1.0/dss-ext/nsDeprecated. XML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.0).
http://id.elegnamnden.se/csig/1.0/eid2-dss/profileDeprecated. Implementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.0).
http://id.elegnamnden.se/csig/1.1/dss-ext/nsXML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.1).[SC.DSS.Ext]
http://id.elegnamnden.se/csig/1.1/dss-ext/profileImplementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.1).[SC.DSS.Profile]
http://id.elegnamnden.se/csig/1.1/sap/nsXML schema name space for the Signature Activation Protocol, extending version 1.1 of the DSS protocol extension[SC.SAP]
+

+

3.1.6. Authentication Context

+

Identifiers associated with the Authentication Context X.509 extension

+ + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/auth-cont/1.0/saciXML schema namespace for SAML Authentication Context Information in the Authentication Context X.509 certificate extension[RFC7773]
http://id.swedenconnect.se/auth-cont/1.0/ext-auth-infoXML schema namespace for Extended Authentication Information in the Authentication Context X.509 certificate extension[SC.Cert.Profile]
+

+

3.1.7. Sign Response Status Codes

+

Status code identifiers for the DSS Extension for Central Signing services. The following identifiers provide defined status codes for inclusion in a <ResultMinor> element of the <Result> element of a sign response message according to the OASIS standard “Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0” [OASIS-DSS].

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/sig-status/1.0/req-expiredThe time window for the signature request has expired.[SC.DSS.Profile]
http://id.elegnamnden.se/sig-status/1.0/user-mismatchThe authenticated user does not match the signer identity attributes in the request.[SC.DSS.Profile]
http://id.elegnamnden.se/sig-status/1.0/unsupported-loaThe requested level of assurance for user authentication is not supported.[SC.DSS.Profile]
http://id.elegnamnden.se/sig-status/1.0/sigmessage-errorA requirement to display sign message was included in the sign request, but the sign service could not establish that the sign message was displayed to the user.[SC.DSS.Profile]
http://id.elegnamnden.se/sig-status/1.0/user-cancelThe end user cancelled the signature operation.[SC.DSS.Profile]
http://id.swedenconnect.se/sig-status/1.1/authn-failedThe authentication during the signature operation failed.[SC.DSS.Profile]
http://id.swedenconnect.se/sig-status/1.1/security-violationThe Signature Service, or Identity Provider authenticating the end user, has detected a security violation (such as a possible fraud).[SC.DSS.Profile]
+

+

3.1.8. Name Registration Authorities

+

Some protocols require a URI identifier to uniquely identify the entity responsible for a particular namespace.

+ + + + + + + + + + + + + +
URLObjectReference
http://id.elegnamnden.se/eln/name-registration-authorityIdentifying the Swedish e-Identification Board* as name registration authority, responsible for a particular namespace.[SC.Cert.Profile]
+
+

[*]: This also covers the Swedish Agency for Digital Government (Digg) which has overtaken the Swedish E-identification Board's assignments.

+
+

+

3.1.9. eIDAS Identifiers

+

This section defines identifiers used within the Sweden Connect Framework to integrate with the eIDAS Framework.

+

+
3.1.9.1. eIDAS Proxy Service Aliases
+

Each country within the eIDAS federation provides an eIDAS Proxy Service that is a Proxy Identity Provider for the authentication services within that specific country. The entityID identifier for an eIDAS Proxy Service in another country is not known to a Swedish Service Provider, but there are cases in which the Swedish Service Provider needs to refer to a specific eIDAS Proxy Service. Therefore, this specification defines a URI identifier format for eIDAS Proxy Service aliases. The format is as follows:

+

http://id.swedenconnect.se/eidas/1.0/proxy-service/{country-code}

+

where {country-code} is the country identifier in ISO 3166-1 alpha-2 format [ISO 3166].

+
+

A consumer of an eIDAS Proxy Service alias URI MUST accept the country code part of the URI in both lower and upper case letters.

+
+

+
3.1.9.2. eIDAS Connector Aliases
+

A Swedish Identity Provider that delivers authentication services to eIDAS, via the Swedish eIDAS Proxy Service, will receive the entityID of the Service Provider from another country that has requested user authentication in a <saml2p:RequesterID> element of the authentication request. Along with this information, the Swedish Proxy Service will also include another RequesterID element that holds the "eIDAS Connector alias" URI, telling from which country the requesting Service Provider resides.

+

The format of this alias is as follows:

+

http://id.swedenconnect.se/eidas/1.0/connector/{country-code}

+

where {country-code} is the country identifier in ISO 3166-1 alpha-2 format [ISO 3166].

+
+

A consumer of an eIDAS Connector alias URI MUST accept the country code part of the URI in both lower and upper case letters.

+
+

+
3.1.9.3. Identity Binding Processes
+

Section 3.3.2 of [SC.SAML.Attrs] describes how the personalIdentityNumberBinding attribute is assigned with one or more "Identity Binding Process URI:s" after an identity binding. The possible values are:

+ + + + + + + + + + + + + + + + + + +
URIObjectReference
http://id.swedenconnect.se/
id-binding/process/populationregister		Unique match of name and birth date between eIDAS identity and the Swedish Population register.[ID-Binding]
http://id.swedenconnect.se/
id-binding/process/swedish-eid		Digitally signed attestation using a Swedish eID.[ID-Binding]
+

The Binding eIDAS Identities to Records in the Swedish Population Register ([ID-Binding]) document defines the above processes in detail.

+

+

3.2. OID Identifiers

+

Defined categories:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CodeCategory
0ASN.1 modules
1Test identifiers
2Policy identifiers
3Attribute identifiers
4”Qualified Certificate” Statement identifiers (RFC 3739)
5X.509 certificate extension identifiers
+

The following OIDs are defined in the ASN.1 declarations in 3.2.1:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OIDObjectReference
1.2.752.201.5.1Authentication Context Extension[RFC7773]
1.2.752.201.5.2Signature Validation Token Extension[SVT-PDF]
1.2.752.201.2.1Object identifier for the Signature Validation Token RFC 3161 timestamp policy
1.2.752.201.3.1Organization Affiliation Attribute[SC.SAML.Attrs]
1.2.752.201.3.2Transaction Identifier[SC.SAML.Attrs]
1.2.752.201.3.3Authentication Context Parameters[SC.SAML.Attrs]
1.2.752.201.3.4Provisional ID[SC.SAML.Attrs]
1.2.752.201.3.5Provisional ID Persistence Indicator[SC.SAML.Attrs]
1.2.752.201.3.6Personal Identity Number Binding URI[SC.SAML.Attrs]
1.2.752.201.3.7eIDAS Person Identifier[SC.SAML.Attrs]
1.2.752.201.3.8Birth name[SC.SAML.Attrs]
1.2.752.201.3.9eIDAS Natural Person Address[SC.SAML.Attrs]
1.2.752.201.3.10User Certificate[SC.SAML.Attrs]
1.2.752.201.3.11User Signature[SC.SAML.Attrs]
1.2.752.201.3.12Signature Activation Data[SC.SAML.Attrs]
1.2.752.201.3.13Authentication Server Signature[SC.SAML.Attrs]
1.2.752.201.3.14Sign Message Digest[SC.SAML.Attrs]
1.2.752.201.3.15Previous Personal Identity Number[SC.SAML.Attrs]
1.2.752.201.3.16Mapped Personal Identity Number[SC.SAML.Attrs]
+

+

3.2.1. ASN.1 Declarations

+

Object Identifier Registry for Sweden Connect*

+
id-eleg OBJECT IDENTIFIER ::= {iso(1) member-body(2) se(752) e-legitimationsnamnden(201)}
+
+-- Sweden Connect arcs
+id-mod    OBJECT IDENTIFIER ::= { id-eleg 0 }    -- ASN.1 modules
+id-test   OBJECT IDENTIFIER ::= { id-eleg 1 }    -- OIDs for test
+id-pol    OBJECT IDENTIFIER ::= { id-eleg 2 }    -- Policy
+id-attr   OBJECT IDENTIFIER ::= { id-eleg 3 }    -- Attributes
+id-qcs    OBJECT IDENTIFIER ::= { id-eleg 4 }    -- QC Statement
+id-ce     OBJECT IDENTIFIER ::= { id-eleg 5 }    -- Cert Extensions
+
+-- Sweden Connect Modules
+id-mod-auth-context-88 OBJECT IDENTIFIER ::= { id-mod 1 }    -- Used in RFC 7773
+id-mod-auth-context-08 OBJECT IDENTIFIER ::= { id-mod 2 }    -- Used in RFC 7773
+
+-- Sweden Connect OIDs for test
+
+-- Sweden Connect Policies
+id-pol-svt-ts-policy         OBJECT IDENTIFIER ::= { id-pol 1 }     -- SVT RFC 3161 timestamp policy
+
+-- Sweden Connect Attributes
+id-attr-org-affiliation      OBJECT IDENTIFIER ::= { id-attr 1 }    -- Organizational affiliation
+id-attr-transaction-id       OBJECT IDENTIFIER ::= { id-attr 2 }    -- Transaction identifier
+id-attr-auth-context-params  OBJECT IDENTIFIER ::= { id-attr 3 }    -- Authentication context parameters
+id-attr-prid                 OBJECT IDENTIFIER ::= { id-attr 4 }    -- Provisional ID
+id-attr-prid-persistence     OBJECT IDENTIFIER ::= { id-attr 5 }    -- Provisional ID persistence indicator
+id-attr-pnr-binding          OBJECT IDENTIFIER ::= { id-attr 6 }    -- Personal Identity Number binding URI
+id-attr-eidas-pid            OBJECT IDENTIFIER ::= { id-attr 7 }    -- eIDAS Person Identifier
+id-attr-birth-name           OBJECT IDENTIFIER ::= { id-attr 8 }    -- Birth name
+id-attr-eidas-np-address     OBJECT IDENTIFIER ::= { id-attr 9 }    -- eIDAS Natural Person Address
+id-attr-user-certificate     OBJECT IDENTIFIER ::= { id-attr 10 }   -- User certificate
+id-attr-user-signature       OBJECT IDENTIFIER ::= { id-attr 11 }   -- User signature
+id-attr-sad                  OBJECT IDENTIFIER ::= { id-attr 12 }   -- Signature activation data
+id-attr-auth-srv-signature   OBJECT IDENTIFIER ::= { id-attr 13 }   -- Authentication server signature
+id-attr-sign-message-digest  OBJECT IDENTIFIER ::= { id-attr 14 }   -- Sign message digest
+id-attr-previous-pid-number  OBJECT IDENTIFIER ::= { id-attr 15 }   -- Previous personal identity number
+id-attr-mapped-pid-number    OBJECT IDENTIFIER ::= { id-attr 16 }   -- Mapped personal identity number
+
+-- Sweden Connect QC Statement extension
+id-qcs-sid         OBJECT IDENTIFIER ::= { id-qcs 1 }   -- Semantics Identifiers
+id-qcs-statement   OBJECT IDENTIFIER ::= { id-qcs 2 }   -- QC statements
+
+-- Sweden Connect Certificate Extensions
+id-ce-authContext  OBJECT IDENTIFIER ::= { id-ce 1 }    -- Auth context extension used in RFC 7773
+id-ce-svt          OBJECT IDENTIFIER ::= { id-ce 2 }    -- Signature Validation Token extension
+

[*]: The OID 1.2.752.201 was assigned to the Swedish E-identification Board, but this organisation has been overtaken by the Swedish Agency for Digital Government (Digg) who now uses this OID arc for the Sweden Connect Framework.

+
+

+

4. References

+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March 2005

+
+

+[OASIS-DSS]

+
+

Digital Signature Service Core Protocols, Elements, and Bindings +Version 1.0.

+
+

+[SE.Trust]

+
+

Tillitsramverket för Svensk e-legitimation.

+
+

+[RFC7773]

+
+

RFC7773: Authentication Context Certificate Extension.

+
+

+[SC.SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SC.SAML.EntCat]

+
+

Entity Categories for the Swedish eID Framework.

+
+

+[SC.SAML.Attrs]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SC.SAML.UMsg]

+
+

User Message Extension in SAML Authentication Requests.

+
+

+[SC.DSS.Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[SC.SAP]

+
+

Signature Activation Protocol for Federated Signing.

+
+

+[SC.DSS.Profile]

+
+

Implementation Profile for Using OASIS DSS in Central Signing Services.

+
+

+[SC.Cert.Profile]

+
+

Certificate profile for certificates issued by Central Signing services

+
+

+[ID-Binding]

+
+

Binding eIDAS Identities to Records in the Swedish Population Register

+
+

+[SVT-PDF]

+
+

PDF Signature Validation Token.

+
+

+[eIDAS]

+
+

REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE +COUNCIL of 23 July 2014 on electronic identification and trust +services for electronic transactions in the internal market and +repealing Directive 1999/93/EC. Including implementation acts of the +regulation and associated technical specifications.

+
+

+[ISO 3166]

+
+

Country Codes - ISO 3166, https://www.iso.org/iso-3166-country-codes.html.

+
+

+

5. Changes between versions

+

Changes between version 1.7 and version 1.8:

+
    +

  • The document name was changed to "Sweden Connect - Registry for identifiers" from "Swedish eID Framework - Registry for identifiers".

    +
    • +

  • Section 3.1.7, "Sign Response Status Codes", were extended with error codes for authn-failed and security-violation.

    +
    • +

  • Section 3.1.9.3, "Identity Binding Processes", was introduced where binding process URI:s for matching eIDAS identities to Swedish identity numbers are listed.

    +
    • +

  • The http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category was added to section, 3.1.3.5, "General Entity Categories".

    +
    • +
+

Changes between version 1.6 and version 1.7:

+
    +

  • Section, 3.1.3.5, "General Entity Categories", was introduced and http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding and http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number was added.

    +
    • +

  • In section 3.2, an object identifier (OID) for Signature Validation Token extension was added and one OID for an SVT timestamp policy.

    +
    • +

  • Added service entity categories http://id.swedenconnect.se/ec/1.0/loa3-orgid and http://id.swedenconnect.se/ec/1.0/loa3-name to section 3.1.3.1.

    +
    • +

  • In section 3.2, the attributes for "previous personal identity number" (1.2.752.201.3.15) and "mapped personal identity number" (1.2.752.201.3.16) were added.

    +
    • +

  • Section 3.1.3.1, "Service Entity Categories", was updated with categories for loaX-name and loaX-orgid.

    +
    • +

  • Authentication context URIs for non-residents and uncertified providers were added to sections 3.1.1.1 and 3.1.1.2.

    +
    • +
+

Changes between version 1.5 and version 1.6:

+
    +

  • The specification was renamed from "Registry for identifiers assigned by the Swedish e-identification board" to "Swedish eID Framework - Registry for identifiers".

    +
    • +

  • The authentication context URIs http://id.swedenconnect.se/loa/1.0/uncertified-loa3 and http://id.swedenconnect.se/loa/1.0/uncertified-loa3-sigmessage were introduced in sections 3.1.1 and 3.1.1.1, and the service entity category http://id.swedenconnect.se/ec/sc/uncertified-loa3-pnr was added to section 3.1.3.1.

    +
    • +

  • A description of Service Contract Entity Categories was added to section 3.1.3.4.

    +
    • +

  • In section 3.1.1, the EU commission AuthnContextClassRef URI:s for non-notified schemes were changed.

    +
    • +

  • Section 3.1.9.2, "eIDAS Connector Aliases", defining the URI format for representing country affiliation of eIDAS connector services, was added.

    +
    • +

  • The link for the "Tillitsramverk för Svensk e-legitimation" specification was updated.

    +
    • +

  • Added the attribute SignMessageDigest (1.2.752.201.3.14) to section 3.2.

    +
    • +

  • The Sign Message Authentication Context URIs defined in section 3.1.1.1 are deprecated.

    +
    • +

  • The XML Schema namespace identifier http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info was added. This XML Schema defines an XML extension for the Authentication Context Extension to provide extended authentication information.

    +
    • +

  • Associating the OID registry with Sweden Connect.

    +
    • +

  • Aligned registered module OID:s with RFC 7773.

    +
    • +

  • Adding a new extension OID for Signature Validation Tokens in timestamp extensions.

    +
    • +

  • Added attribute set and service entity categories for HSA-ID.

    +
    • +
+

Changes between version 1.4 and version 1.5:

+
    +

  • Added identifier for the service property entity category http://id.elegnamnden.se/sprop/1.0/scal2

    +
    • +

  • Added XML Schema name space identifier http://id.elegnamnden.se/csig/1.1/sap/ns. This XML Schema defines XML elements related to the Signature Activation Protocol.

    +
    • +

  • Added Semantics Identifiers section 3.1.8 to define a name registration authority URI necessary to express a provisional ID attribute in an X.509 certificate according to ETSI EN 319 412-1.

    +
    • +

  • Added Authentication Context URI:s http://id.elegnamnden.se/loa/1.0/eidas-nf-low and http://id.elegnamnden.se/loa/1.0/eidas-nf-low-sigm to section 3.1.1.

    +
    • +

  • Added section 3.1.9, "eIDAS Identifiers", that describes the format for eIDAS Proxy Service Alias URI identifiers.

    +
    • +
+

Changes between version 1.3 and version 1.4:

+
    +

  • Attributes and URI:s for the eIDAS Framework was added.

    +
    • +

  • The SAML status code identifier + http://id.elegnamnden.se/status/1.0/cancel was added to be used in SAML + Response messages to indicate a cancelled operation.

    +
    • +

  • Added the SAML status code identifiers http://id.elegnamnden.se/status/1.0/fraud and http://id.elegnamnden.se/status/1.0/possibleFraud were added to be used in SAML Response messages to alert fraudulent requests.

    +
    • +

  • Added attribute definitions for “Birth name”, “User certificate”, + “User signature”, "Authentication Server Signature" and “Signature activation data”. See chapter 3.2.

    +
    • +

  • Added the Service Type Entity Categories http://id.elegnamnden.se/st/1.0/public-sector-sp and http://id.elegnamnden.se/st/1.0/private-sector-sp to section 3.1.3.3.

    +
    • +
+

Changes between version 1.2 and version 1.3:

+
    +

  • Object identifiers for the attributes “Transaction identifier”, + “Authentication Context Parameters”, “Provisional ID” and + “Provisional ID quality indicator” were defined and added to section + 3.2.

    +
    • +

  • Chapter 3.1.7, “XML Schema namespaces”, was removed since the “Level + of Assurance context class declarations” are deprecated and thus, + the namespace http://id.elegnamnden.se/ns/1.0/loa-context-params + is no longer part of the Swedish eID Framework.

    +
    • +

  • Authentication Context URIs for use by signature services during + authentication was added to section 3.1.1.

    +
    • +

  • Service entity categories for future use within the eIDAS Framework + were added to section 3.1.3.1.

    +
    • +

  • The status code identifier + http://id.elegnamnden.se/sig-status/1.0/sigmessage-error was added + to section 3.1.6 and the signature response status code http://id.elegnamnden.se/sig-status/1.0/user-cancel was added to section 3.1.7.

    +
    • +
+

Changes between version 1.1 and version 1.2:

+
    +
  • URI identifiers for Attribute Profiles as specified in [AttrProf] + were introduced.
    • +
+

Changes between version 1.0 and version 1.1:

+
    +

  • In chapter 3.1.3.1, “Service Entity Categories”, service entity + categories for Level of Assurance 2 and 4 were introduced.

    +
    • +

  • Chapter 3.1.7, “XML Schema namespaces”, was added.

    +
    • +

  • Typos were fixed.

    +
    • +
+
+ + diff --git a/docs/december-2024/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html b/docs/december-2024/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html new file mode 100644 index 0000000..f19b1fa --- /dev/null +++ b/docs/december-2024/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html @@ -0,0 +1,1222 @@ + + + + + + Attribute Specification for the Swedish eID Framework + + + + + + +

+ + +

+

+ +

+ +

Attribute Specification for the Swedish eID Framework

+

Version 1.8 - 2024-12-04

+

Registration number: 2019-310

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Terminology

    +

    1.2. Requirement keywords

    +

    1.3. Name space references

    +

    1.4. Structure

    +
    2. +

  2. Attribute Sets

    +

    2.1. Pseudonym Identity

    +

    2.2. Natural Personal Identity without Civic Registration Number

    +

    2.3. Natural Personal Identity with Civic Registration Number

    +

    2.4. Organizational Identity for Natural Persons

    +

    2.5. eIDAS Natural Person Attribute Set

    +

    2.6. Natural Person Identity with HSA-ID

    +
    3. +

  3. Attribute Definitions

    +

    3.1. Attributes

    +

    3.1.1. Attribute String Values

    +

    3.1.2. Multi-valued Attributes

    +

    3.1.3. Scoped Attributes

    +

    3.2. SAML Attribute Format

    +

    3.2.1. The authContextParams Attribute

    +

    3.2.2. The userCertificate, userSignature and authServerSignature Attributes

    +

    3.2.3. The sad Attribute

    +

    3.2.4. The signMessageDigest Attribute

    +

    3.2.5. The orgAffiliation Attribute

    +

    3.2.6. The previousPersonalIdentityNumber Attribute

    +

    3.3. Attributes for the eIDAS Framework

    +

    3.3.1. The prid and pridPersistence Attributes

    +

    3.3.2. The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes

    +

    3.3.3. Conversion of eIDAS Attributes

    +

    3.3.3.1. Conversion of eIDAS CurrentAddress

    +
    4. +

  4. References

    +
    5. +

  5. Changes between versions

    +
    6. +
+
+

+

1. Introduction

+

This document specifies an attribute profile for the Swedish eID +Framework. The attribute profile defines attributes for use within the +Swedish eID Framework, and a number of defined attribute sets that may +be referenced by other documents as means to specify specific attribute +release requirements.

+

+

1.1. Terminology

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TermDefined meaning
AttributeA property, quality or characteristic of a person, thing or object. This term is used in general in this specification to denote an attribute of a person/entity that is represented by a set of attributes in a SAML attribute statement (see SAML Attribute). This term is also used in this specification when describing XML syntax to denote an attribute (property) of an XML element.
SAML attributeAn attribute of an entity represented by a set of attributes in a SAML attribute statement (<saml:AttributeStatement> element).
IDPIdentity Provider
SPService Provider
Natural personNatural person is legal term for a real human being, as opposed to a legal person, which may be a private (i.e., business entity) or public (i.e., government) organization.
Civic registration numberA unique identifier assigned to each natural person in a national population register. Within the context of this specification this is a Swedish ”personnummer” or ”samordningsnummer” according to [SKV704] and [SKV707].
+

+

1.2. Requirement keywords

+

The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, +“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be +interpreted as described in [RFC2119].

+

These keywords are capitalized when used to unambiguously specify +requirements over protocol features and behavior that affect the +interoperability and security of implementations. When these words are +not capitalized, they are meant in their natural-language sense.

+

+

1.3. Name space references

+

Conventional XML namespace prefixes are used throughout the listings in +this specification to stand for their respective namespaces as follows, +whether a namespace declaration is present in the example:

+ + + + + + + + + + + + + + + + + + +
PrefixXML NamespaceComments
samlurn:oasis:names:tc:SAML:2.0:assertionThe SAML V2.0 assertion namespace, defined in the schema [SAML-XSD].
xshttp://www.w3.org/2001/XMLSchemaThe XML Schema namespace, representing definitions of data types in [XML-Schema].
+

+

1.4. Structure

+

This specification uses the following typographical conventions in text: <ns:Element>, Attribute, Datatype, OtherCode.

+

+

2. Attribute Sets

+

This section defines attribute sets based on attribute definitions in +section 3. Common to all attribute sets is that each attribute MUST NOT +be present more than once. An attribute that has more than one value +MUST be provided as one attribute with multiple <AttributeValue> +sub-elements in accordance with section 3.1.

+

An identifier, named “Attribute Set Identifier”, and a URI, are defined +for each attribute set as means for other documents to reference +specific attribute sets.

+

Each attribute set defines a number of mandatory attributes that MUST be +released by an Attribute Provider* that provides attributes according +to the given attribute set, and optionally recommended attributes that +SHOULD be released as part of the attribute set if they are available to +the provider.

+

Note: An Attribute Provider may also release other attributes, not +specified by the defined attribute sets it supports. See further section +6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish +eID Framework” ([SC.SAML.Profile]).

+

In order to comply with a defined attribute set, the following attribute +requirements apply:

+ + + + + + + + + + + + + + + +
Attribute requirementDefinition
REQUIREDAttributes that MUST be present.
RECOMMENDEDAttributes that SHOULD be present, if available.
+

A defined attribute set does not define any rules for attributes other +than those listed as required or recommended.

+
+

[*]: An Attribute Provider is an entity that releases attributes to a requesting entity. In all practical cases within the Swedish eID Framework this entity is an Identity Provider or an Attribute Authority. Within the eIDAS Framework, the Swedish eIDAS node acts as the Attribute Provider for the Service Providers.

+
+

+

2.1. Pseudonym Identity

+

Attribute set identifier: ELN-AP-Pseudonym-01

+

URI: http://id.elegnamnden.se/ap/1.0/pseudonym-01

+

This attribute set specifies the condition where there are no mandatory or recommended attributes.

+

Typical use: In a pseudonym attribute release policy that just provides a persistent NameID identifier in the assertion but no attributes.

+

+

2.2. Natural Personal Identity without Civic Registration Number

+

Attribute set identifier: ELN-AP-NaturalPerson-01

+

URI: http://id.elegnamnden.se/ap/1.0/natural-person-01

+

The “Personal Identity without Civic Registration Number” attribute set provides basic natural person information without revealing the civic registration number of the subject.

+ + + + + + + + + + + +
Attribute requirementAttributes
REQUIREDsn (Surname)
givenName (Given name)
displayName (Display name)
+

Typical use: In an attribute release policy that provides basic username information together with a persistent NameID identifier in the assertion.

+

+

2.3. Natural Personal Identity with Civic Registration Number

+

Attribute set identifier: ELN-AP-Pnr-01

+

URI: http://id.elegnamnden.se/ap/1.0/pnr-01

+

The “Personal Identity with Civic Registration Number” attribute set provides basic personal identity information including a Swedish civic registration number of the subject.

+ + + + + + + + + + + + + + + +
Attribute requirementAttributes
REQUIREDsn (Surname)
givenName (Given name)
displayName (Display name)
personalIdentityNumber (National civic registration number)
RECOMMENDEDdateOfBirth (Date of birth)
+

Typical use: In an attribute release policy that provides basic username information together with the person’s Swedish civic registration number.

+

+

2.4. Organizational Identity for Natural Persons

+

Attribute set identifier: ELN-AP-OrgPerson-01

+

URI: http://id.elegnamnden.se/ap/1.0/org-person-01

+

The “Organizational Identity for Natural Persons” attribute set provides basic organizational identity information about a person. The organizational identity does not necessarily imply that the subject has any particular relationship with or standing within the organization, but rather that this identity has been issued/provided by that organization for any particular reason (employee, customer, consultant, etc.).

+ + + + + + + + + + + + + + + +
Attribute requirementAttributes
REQUIREDdisplayName (Display name)*
orgAffiliation (Personal identifier and organizational identifier code)**
o (Organization name)
RECOMMENDEDorganizationIdentifier (Organizational identifier code)***
+

Typical use: In an attribute release policy that provides basic organizational identity information about a natural person.

+

The "Organizational Identity for Natural Persons" attribute set defines a minimum set of attributes needed to provide organizational identity information about a person. Should an attribute consumer require additional attributes, such as surname and given name, the personal identity number or an organizational unit name, this can be achieved by either requesting other attribute sets or by explicitly requesting individual attributes. See further section 6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish eID Framework” ([SC.SAML.Profile]).

+
+

[*]: The displayName attribute MAY contain personal information such as the given name or surname, but it MAY also be used as an anonymized display name, for example, "Administrator 123". This is decided by the issuing organization.

+
+
+

[**]: See section 3.2.5.

+
+
+

[***]: The organizational identifier can always be derived from the mandatory orgAffiliation attribute, but an attribute provider supporting the "Organizational Identity for Natural Persons" attribute set SHOULD also release the organizationIdentifier attribute individually.

+
+

+

2.5. eIDAS Natural Person Attribute Set

+

Attribute set identifier: ELN-AP-eIDAS-NatPer-01

+

URI: http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01

+

The “eIDAS Natural Person Attribute Set” provides personal identity +information for a subject that has been authenticated via the eIDAS +Framework.

+ + + + + + + + + + + + + + + + + + + +
Attribute requirementAttributes
REQUIRED*prid (Provisional ID)
pridPersistence (Provisional ID persistence indicator)
eidasPersonIdentifier (Mapping of the eIDAS PersonIdentifier attribute)
dateOfBirth (Date of birth)
sn (Surname)
givenName (Given name)
c (Country code for the eIDAS country that authenticated the subject)
transactionIdentifier (ID of assertion issued by the member state node)**
REQUIRED
(if available)***		birthName (Birth name)
placeOfBirth (Place of birth)
eidasNaturalPersonAddress (Address for natural person)
gender (Gender)
RECOMMENDEDmappedPersonalIdentityNumber (Mapped national civic registration number)
personalIdentityNumberBinding (National civic registration number Binding(s))
+

Typical use: In an attribute release policy implemented by an eIDAS +connector that provides a complete set of attributes to a requesting +Service Provider.

+

Note: The mappedPersonalIdentityNumber and personalIdentityNumberBinding +attributes will be part of the attribute release if the attribute +provider has access to enough information to provide a binding +between eIDAS attributes and a Swedish identity number (see section +3.3.2).

+

The eIDAS attribute set consists of “added” and “converted” attributes.

+

Added attributes: Attributes that are not provided by the member +state node, but added by the +Swedish eIDAS node in order to provide additional information about +the authenticated subject obtained from relevant domestic attribute +sources. The prid, pridPersistence and personalIdentityNumber +attributes are “added attributes”.

+

Converted attributes: Attributes that are the result of a +conversion process where an eIDAS attribute is converted into a +single-value string type attribute defined within the Swedish eID +Framework (see section 3.3.3, “Conversion of eIDAS Attributes”). The +reason for the conversion is to facilitate processing for attribute +consumers. The eIDAS attributes are not simple string types, and this +affects interoperability in a negative way since standard SAML +software need to be modified to support these attributes. Therefore, +the Swedish eID node will convert eIDAS attributes to their +corresponding string value-typed attributes. The +eidasPersonIdentifier, sn, givenName and dateOfBirth attributes are +examples of “converted attributes”.

+
+

[*]: Attributes “added” by the Swedish eID node and converted attributes for the mandatory attributes of the eIDAS minimum data set for natural persons.

+
+
+

[**]: The transaction identifier attribute will contain the unique ID of the assertion that was issued by the member state node. This information together with the entityID of the member state node (found in the <saml2:AuthenticatingAuthority> element of an assertion) give a reference to the original assertion and authentication process.

+
+
+

[***]: Converted attributes for the optional attributes of the eIDAS minimum data set for natural persons.

+
+

+

2.6. Natural Person Identity with HSA-ID

+

Attribute set identifier: DIGG-AP-HSAid-01

+

URI: http://id.swedenconnect.se/ap/1.0/hsaid-01

+

The “Natural Person Identity with HSA-ID” attribute set provides basic personal identity information including an HSA-ID of the subject (see [SambiAttr]).

+ + + + + + + + + + + + + + + +
Attribute requirementAttributes
REQUIREDsn (Surname)
givenName (Given name)
displayName (Display name)
employeeHsaId (HSA-ID)
RECOMMENDEDdateOfBirth (Date of birth)
+

Typical use: In an attribute release policy that provides basic username information together with the person’s HSA-ID.

+

+

3. Attribute Definitions

+

+

3.1. Attributes

+

The following attributes are defined for use within the attribute profile for the Swedish eID Framework:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Attribute abbreviationSAML attribute nameDescriptionUse within this specificationMulti-valuedScopedExample
snurn:oid:2.5.4.4SurnameRegistered surname.NoNoLindeman
givenNameurn:oid:2.5.4.42Given NameRegistered given name.NoNoValfrid
displayNameurn:oid:2.16.840.1.
113730.3.1.241		Display NameA name in any preferred presentation format.NoNoValfrid Lindeman
genderurn:oid:1.3.6.1.5.5.7.9.3GenderA one letter representation (“M”/”F”/”U” or “m”/“f”/”u”) representing the subject’s gender, where “M” represents male, “F” represents female and “U” is used for unspecified, or unknown, gender.NoNoM
personalIdentity-
Number		urn:oid:1.2.752.29.4.13National civic registration number/codeSwedish ”personnummer” or ”samordningsnummer” according to SKV 704 and SKV 707. 12 digits without hyphen.NoNo195006262546
previousPersonal-
IdentityNumber		urn:oid:1.2.752.201.3.15A user's previous national civic registration number, see section 3.2.6 below.See personalIdentityNumber above.NoNo197010632391
dateOfBirthurn:oid:1.3.6.1.5.5.7.9.1Date of birthDate of birth expressed using the format YYYY-MM-DD.NoNo1950-06-26
birthNameurn:oid:1.2.752.201.3.8Name at the time of birthFull name of a person at birth.NoNoValfrid Danielsson
streeturn:oid:2.5.4.9Street addressStreet address.NoNoMosebacke torg 3
postOfficeBoxurn:oid:2.5.4.18Post boxPost box.NoNoBox 1122
postalCodeurn:oid:2.5.4.17Postal codePostal code.NoNo11826
lurn:oid:2.5.4.7LocalityLocality.NoNoStockholm
curn:oid:2.5.4.6CountryISO 3166-1 alpha-2 [ISO3166] two letter country code.NoNoSE
placeOfBirthurn:oid:1.3.6.1.5.5.7.9.2Place of birthA string representing the place of birth.NoNoStockholm
countryOfCitizenshipurn:oid:1.3.6.1.5.5.7.9.4Country of citizenshipISO 3166-1 alpha-2 [ISO3166] two letter country code representing a country of citizenship.YesNoSE
countryOfResidenceurn:oid:1.3.6.1.5.5.7.9.5Country of ResidenceISO 3166-1 alpha-2 [ISO3166] two letter country code representing the country of residence.NoNoSE
telephoneNumberurn:oid:2.5.4.20Telephone numberTelephone number.YesNo+46890510
mobileurn:oid:0.9.2342.
19200300.100.1.41		Mobile numberMobile number.YesNo+46703419886
mailurn:oid:0.9.2342.
19200300.100.1.3		E-mail addressE-mail address.YesYes/No*vfl@mosebackemonarki.se
ourn:oid:2.5.4.10Organization nameRegistered organization name.NoNoSkatteverket
ouurn:oid:2.5.4.11Organizational unit nameOrganizational unit name.YesNoIT-Avdelningen
organizationIdentifierurn:oid:2.5.4.97Organizational identifier codeSwedish “organisationsnummer” according to SKV 709. 10 digits without hyphen.NoNo5562265719
orgAffiliationurn:oid:1.2.752.201.3.1<uid>@<orgnr>Personal ID @ Swedish ”organisationsnummer” according to SKV 709. 10 digits without hyphen.YesYesvlindman@5562265719
See section 3.2.5 below.
transactionIdentifierurn:oid:1.2.752.201.3.2Transaction identifierTransaction identifier for an event, e.g. an authentication process.NoNo9878HJ6687 (arbitrary string)
authContextParamsurn:oid:1.2.752.201.3.3Authentication Context Parameters.Key-value pairs from an authentication process. Defined by issuing entity.NoNoSee section 3.2.1 below.
userCertificateurn:oid:1.2.752.201.3.10User certificateBase64-encoding of a user certificate.NoNoSee section 3.2.2 below.
userSignatureurn:oid:1.2.752.201.3.11User signatureBase64-encoding of a signature object applied by the user.NoNoSee section 3.2.2 below.
authServerSignatureurn:oid:1.2.752.201.3.13Authentication server signatureBase64-encoding of a authentication server signature.NoNoSee section 3.2.2 below.
sadurn:oid:1.2.752.201.3.12Signature activation dataSignature activation data required by signature services.NoNoSee section 3.2.3 below.
signMessageDigesturn:oid:1.2.752.201.3.14Sign message digestIncluded in assertions as a proof that a user sign message was displayed.NoNoSee section 3.2.4 below.
pridurn:oid:1.2.752.201.3.4Provisional identifierUnique identifier for an authentication performed against the eIDAS Framework. See section 3.3.1 below.NoNoNO:5068907693
pridPersistenceurn:oid:1.2.752.201.3.5Provisional identifier persistence indicatorIndicator for the expected persistence of the prid attribute. See section 3.3.1 below.NoNoA
personalIdentity-
NumberBinding		urn:oid:1.2.752.201.3.6National civic registration number/code binding URIURI(s) identifying the binding process(es) performed of the mappedPersonalIdentityNumber attribute added by eIDAS connector. See section 3.3.2 below.NoNohttp://id.swedenconnect.se/
id-binding/process/populationregister
mappedPersonal-
IdentityNumber		urn:oid:1.2.752.201.3.16Mapped national civic registration numberA "mapped" personalIdentityNumber, see section 3.3.2.NoNo195006262546
eidasPersonIdentifierurn:oid:1.2.752.201.3.7eIDAS uniqueness identifier for natural personsMaps the eIDAS PersonIdentifier attribute to a string attribute within the scope of the Swedish eID Framework attribute set.NoNoES/AT/02635542Y (Spanish eID number for an Austrian SP)
eidasNatural-
PersonAddress		urn:oid:1.2.752.201.3.9eIDAS Natural Person AddressAttribute for converting the eIDAS CurrentAddress attribute into an attribute having a string type value.NoNoSee section 3.3.3.1 below.
employeeHsaIdurn:oid:1.2.752.29.6.2.1HSA-IDPerson identifier used by Swedish health care organizations.NoNoSee [SambiAttr].
+
+

[*]: The mail attribute should be regarded as a scoped attribute (see 3.1.3 below) if the attribute release policy in use has stated it as scoped. Such a policy can for example be that the attribute is part of an attribute set (see section 2) that documents the attribute as scoped. In all other cases the attribute is regarded as non-scoped.

+
+

+

3.1.1. Attribute String Values

+

All attributes, unless stated otherwise in this table, hold string values using the UTF-8 character set using the xs:string data type. Certain attributes such as mail, personalIdentityNumber, organizationIdentifier, telephoneNumber and mobile use a restricted character set according to its defined usage within this specification.

+

All attributes use the “caseIgnoreMatch” matching rule as defined by X.520 [X.520]. That is, case-insensitive comparison where insignificant spaces are ignored.

+

+

3.1.2. Multi-valued Attributes

+

Attributes with a “No” value in the column "Multi-valued" MUST NOT have more than one <AttributeValue> sub-element. Attributes with a “Yes” value in the column "Multi-valued" MAY have one or more <AttributeValue> sub-elements.

+

+

3.1.3. Scoped Attributes

+

Attributes with a "Yes" value in the column "Scoped" are scoped attributes. A scoped attribute expresses values in a string-valued attribute of the form value@scope, where scope takes the form of a domain name or something similar such as an organizational identifier.

+

An Identity Provider wishing to release scoped attributes must register the scopes with the federation operator. After the federation operator has authorized the Identity Provider for the given scopes, they are declared in the Identity Provider's metadata entry. See section 2.1.3.1 of [SC.SAML.Profile] for details.

+

A Service Provider consuming a scoped attribute SHOULD assert that the issuing Identity Provider is authorized to issue attributes with the given scope by checking the Identity Provider's metadata entry as described in section 6.2.1 of [SC.SAML.Profile].

+

Note: The value part of a scoped attribute MAY contain a @-character, for example when the value part is an email address, or a User Principal Name (UPN). Therefore, consumers of scoped attributes MUST use the last @-character as a delimiting character when splitting a scoped attribute into its value and scope parts.

+

+

3.2. SAML Attribute Format

+

The <saml:Attribute> element representing an attribute in 3.1 SHALL comply with the following requirements:

+
    +

  • The NameFormat attribute SHALL have the value urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

    +
    • +

  • The Name attribute SHALL hold a URI according to the table in section 3.1.

    +
    • +

  • The FriendlyName attribute is OPTIONAL.

    +
    • +

  • All <AttributeValue> sub-elements SHALL, unless stated otherwise in the table in section 3.1, have an xsi:type attribute specifying the type "xs:string".

    +
    • +
+

The following is an example of the surname attribute. Its name is “urn:oid:2.5.4.4”, its friendly name is “sn” and the value is represented using a string type.

+
<saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                           FriendlyName="sn"
+                           Name="urn:oid:2.5.4.4"
+                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="xs:string">Eriksson</saml2:AttributeValue>
+</saml2:Attribute>

+

3.2.1. The authContextParams Attribute

+

The attribute authContextParams holds key-value pairs. Its purpose is to store key-value pairs representing data from an authentication process. The data stored in this attribute is generally not defined by the Swedish eID Framework, but instead by the issuing party (i.e., the Identity Provider).

+

The authContextParams attribute is a non-empty single-value attribute where the attribute value contains the key-value pairs separated by semicolons. The key and value of each pair is separated by a ‘=’ character and both the key and value MUST be URL-encoded.

+

Below follows an example of how the authContextParams attribute is populated with two key-value pairs, "foo" that stores the value "ÅÄÖ", and "bar" that stores the value "123".

+
...
+<saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    
+                           FriendlyName="authContextParams"
+                           Name="urn:oid:1.2.752.201.3.3"
+                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="xs:string">foo=%C3%85%C3%84%C3%96;bar=123</saml2:AttributeValue>
+</saml2:Attribute>
+...

+

3.2.2. The userCertificate, userSignature and authServerSignature Attributes

+

Identity Providers that implement a PKI-based authentication method may +make use of the userCertificate and userSignature attributes.

+

The userCertificate attribute holds, as its value, a base64-encoding of +the X.509 certificate presented by the subject during authentication.

+

The userSignature attribute contains a base64-encoding of a signature +object that was created by the subject during the authentication* +process.

+

The authServerSignature may be included in assertions in cases where there are requirements to include a digitally signed proof from the authentication server at which the end user authenticated. This is mainly useful in cases where the SAML Identity Provider delegates end user authentication to a subordinate authentication server.

+
+

[*]: Note that an authentication process, may be “authentication for signature” as specified in section 7 of [SC.SAML.Profile].

+
+

+

3.2.3. The sad Attribute

+

The sad attribute holds Signature Activation Data that is required by a +signature service in order to service a signature request in accordance +with CEN EN 419 241-2. The sad attribute holds a single string +attribute value. The format of the string value is defined in the "Signature Activation Protocol +for Federated Signing" specification [SC.SAP].

+

+

3.2.4. The signMessageDigest Attribute

+

The signMessageDigest attribute is included in an assertion as a proof that an Identity Provider displayed +a sign message for the user and that the user actively confirmed acceptance of this sign message. This sign +message is the SignMessage extension that may be included in an authentication request by Signature Service +SP:s. See section 7 of [SC.SAML.Profile] for details.

+

The attribute value format for the signMessageDigest attribute is digest-algorithm-identifier;sign-message-digest, where +digest-algorithm-identifier is the XML Security algorithm URI identifier of the selected digest algorithm and +sign-message-digest is base64(digest(msg)). The msg is the UTF-8 encoded bytes of the sign message that was displayed. It equals the csig:Message element value of the csig:SignMessage ([SC.DSS.Ext]). Thus, if the csig:Message element is encrypted into a csig:EncryptedMessage, the element value after decryption should be used.

+

Entities compliant with this specification MUST use http://www.w3.org/2001/04/xmlenc#sha256 as the digest algorithm, +unless the recipient of the signMessageDigest attribute has declared another digest algorithm as preferred in its +metadata entry (see section 2.1.1.3 of [SC.SAML.Profile]). In those cases this algorithm MAY be used.

+

Example:

+

Suppose that the unencrypted message is "I hereby confirm that I want to join example.com as a customer". This is +represented as:

+
<csig:Message>
+  SSBoZXJlYnkgY29uZmlybSB0aGF0IEkgd2FudCB0byBqb2luIGV4YW1wbGUuY29tIGFzIGEgY3VzdG9tZXI=
+</csig:Message>

The input to the digesting operation is the value bytes of the csig:Message element which is UTF-8 encoded bytes +of the actual sign message*.

+

The signMessageDigest attribute for the above example will then be:

+
<saml2:Attribute FriendlyName="signMessageDigest" Name="urn:oid:1.2.752.201.3.14"
+  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="xsd:string">
+    http://www.w3.org/2001/04/xmlenc#sha256;0yKaSVsYeh+PX2Q6diqO2w89+a3Dm303tp3AVjgxwj0=
+  </saml2:AttributeValue>
+</saml2:Attribute>

+

3.2.5. The orgAffiliation Attribute

+

The orgAffiliation attribute is intended to be used as a primary identity attribute for personal organizational identities. It consists of a personal identifier and an organizational identifier code (organizationIdentifier).

+

This specification does not impose any specific requirements concerning the personal identifier part of the attribute other than that it MUST be unique for the given organization.

+

Note: In the general case, an attribute consumer MUST NOT assume a particular format or meaning of the personal identifier part since different organizations may use different formats. An attribute consumer should also be aware that a personal identifier separated from its organizational identifier code can not be regarded as unique.

+

Note: The orgAffiliation is a scoped attribute meaning that producing and consuming such an attribute MUST follow the rules given in sections 2.1.3.1 and 6.2.1 of [SC.SAML.Profile].

+

+

3.2.6. The previousPersonalIdentityNumber Attribute

+

The personalIdentityNumber attribute can contain a Swedish personal identity number (personnummer), [SKV704], or a Swedish coordination number (samordningsnummer), [SKV707]. All individuals born in Sweden or moving to Sweden with the intention +of staying one year or longer is assigned a personal identity number and registered in the +population register. A coordination number may be assigned to a person that is not registered, +but has the need to communicate with various government authorities, healthcare institutions, +higher education and banks.

+

In some cases a person may hold a coordination number during a period before he or she is +assigned a personal identity number. A typical use case is a person that seeks asylum and +later is given a residence permit. In this case the person first may hold a coordination number +and if a residence permit is given a personal identity number will be assigned.

+

For a service provider this may lead to problems since the primary identifier for a person +has changed. A login with the newly assigned identifier will not match the user account +previously used by this individual.

+

This profile defines the previousPersonalIdentityNumber attribute to enable matching a +previously held identity number to a newly assigned identity number. The previousPersonalIdentityNumber attribute is typically released together with the "new" +personalIdentityNumber attribute in order to facilitate account matching at a service provider.

+

This attribute is not part of any attribute sets defined in the profile. Attribute consumers +wishing to receive the attribute should declare the these requirement in their metadata entries +(using a <md:RequestedAttribute> element).

+

+

3.3. Attributes for the eIDAS Framework

+

+

3.3.1. The prid and pridPersistence Attributes

+

Assertions (with attribute statements) issued from a member state eIDAS +node contain a set of attributes identifying the authenticated subject. +Attributes obtained from other conformant eIDAS nodes will provide an +eIDAS unique identifier, but it can not be ruled out that the Swedish +eIDAS node may be adopted to accept authentication from non eIDAS +compliant nodes, such as when accepting authentication from countries +outside of EU such as the USA.

+

Therefore, the Swedish eIDAS connector enriches attribute statements +with the provisional ID (prid) and provisional ID persistence +(pridPersistence) attributes.

+

The prid attribute is designed to provide one common unique attribute of +the user in a common format regardless of the composition of the +original attributes received from the authenticating source. The prid +attribute value is not stored in any registry, but derived from the +received attributes at each authentication instant according to defined +algorithms specified in [SC.Constructed]. The algorithm ensures that +each prid is unique for each authenticated entity, but does not ensure +persistence. If the attributes received for an entity changes over time, +the prid attribute may also change dependent on the defined prid +generation algorithm for that attribute source.

+

The pridPersistence attribute provides an indication of the expected +persistence over time for a present prid attribute value. The value of +this attribute is determined from the selected prid generation algorithm +in combination with the attribute source. For example, a prid derived +from a Norwegian eIDAS unique identifier has longer persistence +expectancy than a prid derived from the same attribute from the UK or +Germany. This attribute helps Service Providers to apply different UI +and service functions for users with different persistence expectancy. +This may assist users with low persistence expectancy to regain control +of their user account, should their prid change in the future.

+

The specification “eIDAS Constructed Attributes Specification for the +Swedish eID Framework”, [SC.Constructed], declares the details for +how the prid and pridPersistence attributes are generated and how they +should be processed.

+

+

3.3.2. The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes

+

When an authentication for a natural person is performed against the +eIDAS Framework, the Swedish eIDAS connector will query the Identity Binding Service +for a binding between the attributes found in the assertion received from the foreign +eIDAS-node and a Swedish personal identity number. If such a mapping exists, and the user consents to it being used, the assertion will be extended with a mappedPersonalIdentityNumber attribute holding the "mapped" Swedish civic registration number ("personnummer" or "samordningsnummer").

+

This mapping, or binding, can be performed using a number of different processes, +each identified by a URI. Therefore, if the eIDAS connector extends an assertion with a +mappedPersonalIdentityNumber attribute, it MUST also include the personalIdentityNumberBinding attribute. This attribute contains a semicolon separated list of URI:s that identify the binding process applied to obtain the binding. See [ID-Binding] for the possible values.

+

If these bindings are acceptable for a Service Provider processing an assertion (containing the mappedPersonalIdentityNumber attribute), the Service Provider MAY treat the contents of the mappedPersonalIdentityNumber attribute as it would have received the personalIdentityNumber attribute, otherwise the Service Provider SHOULD NOT use the identity found in the mappedPersonalIdentityNumber attribute to log in the user.

+
+

Note: The reason that an ordinary personalIdentityNumber attribute is not +used to represent a mapped civic registration number is that it is essential that +the consuming entity always verifies that the binding process under which the +mapping was performed is acceptable, before proceeding with the authentication +process.

+
+

+

3.3.3. Conversion of eIDAS Attributes

+

The attributes specified within eIDAS ([eIDAS.Attributes]) does not use +simple string type values, instead each attribute is represented using +its own dedicated XML data type. This affects interoperability in a +negative way since most standard SAML software need to be modified to +support these attributes. Therefore, the Swedish eID Framework defines +mappings for all eIDAS attributes to attributes having definitions that +are more suitable for processing using standard SAML software.

+

Below follows a listing of how the attributes for the eIDAS minimum data +set for Natural Persons are converted into attributes supported by the +Swedish eID Framework.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
eIDAS attributeSwedish eID attribute
PersonIdentifier
http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier		eidasPersonIdentifier
urn:oid:1.2.752.201.3.7
FamilyName
http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName		sn
urn:oid:2.5.4.4
FirstName
http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName		givenName
urn:oid:2.5.4.42
DateOfBirth
http://eidas.europa.eu/attributes/naturalperson/DateOfBirth		dateOfBirth
urn:oid:1.3.6.1.5.5.7.9.1
BirthName
http://eidas.europa.eu/attributes/naturalperson/BirthName		birthName
urn:oid:1.2.752.201.3.8
PlaceOfBirth
http://eidas.europa.eu/attributes/naturalperson/PlaceOfBirth		placeOfBirth
urn:oid:1.3.6.1.5.5.7.9.2
CurrentAddress
http://eidas.europa.eu/attributes/naturalperson/CurrentAddress		eidasNaturalPersonAddress
urn:oid:1.2.752.201.3.9
See section 3.3.3.1 below.
Gender
http://eidas.europa.eu/attributes/naturalperson/Gender		gender
urn:oid:1.3.6.1.5.5.7.9.3
Nationality
http://eidas.europa.eu/attributes/naturalperson/Nationality		countryOfCitizenship
urn:oid:1.3.6.1.5.5.7.9.4
CountryOfBirth
http://eidas.europa.eu/attributes/naturalperson/CountryOfBirth		Will be added as the last element of placeOfBirth (see above)
TownOfBirth
http://eidas.europa.eu/attributes/naturalperson/TownOfBirth		Ignored if the eIDAS attribute PlaceOfBirth is assigned. Otherwise placed as first element of placeOfBirth.
CountryOfResidence
http://eidas.europa.eu/attributes/naturalperson/CountryOfResidence		countryOfResidence
urn:oid:1.3.6.1.5.5.7.9.5
PhoneNumber
http://eidas.europa.eu/attributes/naturalperson/PhoneNumber		telephoneNumber
urn:oid:2.5.4.20
EmailAddress
http://eidas.europa.eu/attributes/naturalperson/EmailAddress		mail
urn:oid:0.9.2342.19200300.100.1.3
+

Note: When converting an eIDAS attribute that makes use of +“transliteration” (as described in section 2.4 of [eIDAS.Attributes]) +attribute values having the LatinScript attribute set to false will not +be part of the resulting attribute.

+

+
3.3.3.1. Conversion of eIDAS CurrentAddress
+

The eIDAS attribute CurrentAddress is defined in section 2.2.9 of +[eIDAS.Attributes]. Its value is a Base64-encoding of an XML-structure of +the type CurrentAddressStructuredType.

+
<xsd:complexType name="CurrentAddressStructuredType">
+  <xsd:annotation>
+    <xsd:documentation>
+      Current address of the natural person.
+    </xsd:documentation>
+  </xsd:annotation>
+  <xsd:sequence>
+    <xsd:element name="PoBox" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="LocatorDesignator" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="LocatorName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="CvaddressArea" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="Thoroughfare" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="PostName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="AdminunitFirstline" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="AdminunitSecondline" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+    <xsd:element name="PostCode" type="xsd:string" minOccurs="0" maxOccurs="1"/>
+  </xsd:sequence>
+</xsd:complexType>

An example of an instance of a CurrentAddress attribute would look as +follows:

+
<saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                           FriendlyName="CurrentAddress"
+                           Name="http://eidas.europa.eu/attributes/naturalperson/CurrentAddress"
+                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="eidas:CurrentAddressType">
+    PGVpZGFzOkxvY2F0b3JEZXNpZ25hdG9yPjIyPC9laWRhczpMb2NhdG9yRGVzaWduYX
+    Rvcj48ZWlkYXM6VGhvcm91Z2hmYXJlPkFyY2FjaWEgQXZlbnVlPC9laWRhczpUaG9y
+    b3VnaGZhcmU+DQo8ZWlkYXM6UG9zdE5hbWU+TG9uZG9uPC9laWRhczpQb3N0TmFtZT
+    4NCjxlaWRhczpQb3N0Q29kZT5TVzFBIDFBQTwvZWlkYXM6UG9zdENvZGU+
+  </saml2:AttributeValue>
+</saml2:Attribute>

The value is the Base64-encoding of the following XML-snippet:

+
<eidas:LocatorDesignator>22</eidas:LocatorDesignator>
+<eidas:Thoroughfare>Arcacia Avenue</eidas:Thoroughfare>
+<eidas:PostName>London</eidas:PostName>
+<eidas:PostCode>SW1A 1AA</eidas:Postcode>

This is not easily processed by standard SAML-software, and requires +several steps including XML-decoding of an incomplete XML-snippet. +Therefore, the Swedish eID Framework defines the +eidasNaturalPersonAddress attribute to be used when the Swedish eIDAS +node converts the eIDAS CurrentAddress attribute.

+

The eidasNaturalPersonAddress attribute is defined to be a non-empty +single-value attribute containing key-value pairs separated by +semicolons. The keys are element names from the +CurrentAddressStructuredType type and the value-parts are their +corresponding values. The key and value of each pair is separated by a +‘=’ character and both the key and value MUST be URL-encoded.

+

The eIDAS-attribute CurrentAddress above will thus be converted to the +following attribute:

+
<saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                           FriendlyName="eidasNaturalPersonAddress"
+                           Name="urn:oid:1.2.752.201.3.9"
+                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="xs:string">
+    LocatorDesignator=22;Thoroughfare=Arcacia%20Avenue;PostName=London;PostCode=SW1A%201AA
+  </saml2:AttributeValue>
+</saml2:Attribute>

+

4. References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[SAML2SubjAttr]

+
+

OASIS Standard, SAML V2.0 Subject Identifier Attributes Profile Version 1.0, January 2019.

+
+

+[SKV704]

+
+

Skatteverket, SKV 704 Utgåva 8, +Personnummer.

+
+

+[SKV707]

+
+

Skatteverket, SKV 707, Utgåva 2, +Samordningsnummer.

+
+

+[SKV709]

+
+

Skatteverket, SKV 709, Utgåva 8, Organisationsnummer.

+
+

+[ID-Binding]

+
+

Binding eIDAS Identities to Records in the Swedish Population Register

+
+

+[X.520]

+
+

ITU-T X.520 - Open Systems Interconnection – The Directory: Selected attribute types.

+
+

+[SAML-XSD]

+
+

S. Cantor et al., SAML assertions schema. OASIS SSTC, March 2005. +Document ID saml-schema-assertion-2.0. See +http://www.oasisopen.org/committees/security/.

+
+

+[XML-Schema]

+
+

XML Schema Part 2: Datatypes Second Edition, W3C Recommendation, 28 +October 2004. See http://www.w3.org/TR/xmlschema-2/.

+
+

+[ISO3166]

+
+

Codes for the representation of names of countries and their +subdivisions Part 1: Country codes, ISO standard, ISO 3166-1.

+
+

+[SambiAttr]

+
+

Sambi Attributspecifikation.

+
+

+[SC.SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SC.Constructed]

+
+

eIDAS Constructed Attributes Specification for the Swedish eID Framework.

+
+

+[eIDAS.Attributes]

+
+

eIDAS SAML Attribute Profile, version 1.4, 31 October 2023.

+
+

+[SC.SAP]

+
+

Signature Activation Protocol for Federated Signing.

+
+

+[SC.DSS.Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+

5. Changes between versions

+

Changes between version 1.7 and version 1.8:

+
    +

  • In section 3.1.3, "Scoped Attributes", a note about @-characters in scoped values was added.

    +
    • +

  • Updated link to Sambi attribute specification.

    +
    • +

  • Section 3.3.2, "The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes", was updated.

    +
    • +

  • Section 3.3.3, "Conversion of eIDAS Attributes", was extended to contain mappings for the optional eIDAS attributes: Nationality, CountryOfBirth, TownOfBirth, CountryOfResidence, PhoneNumber and EmailAddress.

    +
    • +
+

Changes between version 1.6 and version 1.7:

+
    +

  • Section 2.4, "Organizational Identity for Natural Persons", was updated to define a minimum set of attributes for providing personal orgazational identity information.

    +
    • +

  • Section 3.2.5, "The orgAffiliation Attribute", was introduced.

    +
    • +

  • The concept of "scoped attributes" was introduced, see section 3.1.3.

    +
    • +

  • The previousPersonalIdentityNumber attribute was added, see section 3.2.6.

    +
    • +

  • The mappedPersonalIdentityNumber attribute was added (see section 3.3.2), and the +attribute set "eIDAS Natural Person Attribute Set" (section 2.5) was changed so that +a mappedPersonalIdentityNumber attribute is delivered instead of a +personalIdentityNumber attribute if the eIDAS identity can be mapped to a Swedish +identity number.

    +
    • +
+

Changes between version 1.5 and version 1.6:

+
    +

  • References were updated to point at the latest versions of the "Tillitsramverk för Svensk e-legitimation" and "eIDAS SAML Attribute Profile" specifications.

    +
    • +

  • Section 2.5, "eIDAS Natural Person Attribute Set", was updated so that the c (country) attribute is a required attribute for this attribute set.

    +
    • +

  • The attribute signMessageDigest was introduced (see section 3.2.4).

    +
    • +

  • The HSA-ID attribute was specified.

    +
    • +
+

Changes between version 1.4 and version 1.5:

+
    +
  • Section 3.2.3 was updated with a reference to the SAP specification as source for defining the content of the sad attribute.
    • +
  • Fix of invalid links for SKV704 and SKV707.
    • +
  • Section 2.3, "Natural Personal Identity with Civic Registration Number (Personnummer)", was updated so that the dateOfBirth-attribute is listed as a recommended attribute for the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.
    • +
+

Changes between version 1.3 and version 1.4:

+
    +

  • Attributes for mapping eIDAS-attributes have been defined (section + 3.1 and 3.3).

    +
    • +

  • The eIDAS Natural Person Attribute Set has been defined (section + 2.5).

    +
    • +

  • The definition of the gender-attribute was extended to also include + “U” (for unspecified or unknown).

    +
    • +

  • For interoperability and implementations reasons, the definition of + the dateOfBirth-attribute has been changed so that it is represented + as an xs:string type on the format YYYY-MM-DD, instead of the + xs:date type.

    +
    • +

  • Attributes userCertificate, userSignature, authServerSignature and sad were added.

    +
    • +
+

Changes between version 1.2 and version 1.3:

+
    +

  • This specification no longer uses the term “attribute profile” for + named collections of attributes for different scenarios, instead the + term “attribute set” is used.

    +
    • +

  • Definitions of attribute sets (profiles) have been changed to be + more flexible and to focus only on which attributes that should be + included in an attribute release. Attribute set requirements now + include “required” and “recommended” attributes instead of + “required”, “allowed”, “if requested” and “prohibited”. See + section 2.

    +
    • +

  • The contents of the previous chapter 2, “NameID”, were moved to the + “Deployment Profile for the Swedish eID Framework” document.

    +
    • +

  • The attribute displayName is now specified as “required” for the + “Natural Personal Identity with Civic Registration Number + (Personnummer)” (ELN-AP-NaturalPerson-01) attribute set (profile). + See section 2.3.

    +
    • +

  • The attributes o (Organization) and displayName are now specified as + “required” for the “Organizational Identity for Natural Persons” + (ELN-AP-OrgPerson-01) attribute set (profile). See section 2.4.

    +
    • +

  • The attributes givenName and sn (surname) are now specified as + “required” for the “Natural Personal Identity without Civic + Registration Number” (ELN-AP-NaturalPerson-01) attribute set + (profile). See section 2.2.

    +
    • +

  • The attributes transactionIdentifier and authContextParams were + introduced (see sections 3.1 and 3.2.1).

    +
    • +
+

Changes between version 1.1 and version 1.2:

+
    +
  • Attribute Profiles are now also represented with valid URIs as well + as their textual identifiers.
    • +
+

Changes between version 1.0 and version 1.1:

+
    +
  • In chapter 3.4, “Organizational Identity for Natural Persons”, some + attributes were listed as both prohibited and allowed. This has been + fixed.
    • +
+
+ + diff --git a/docs/december-2024/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html b/docs/december-2024/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html new file mode 100644 index 0000000..9dcc9ff --- /dev/null +++ b/docs/december-2024/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html @@ -0,0 +1,689 @@ + + + + + + Entity Categories for the Swedish eID Framework + + + + + + +

+ + +

+

+ +

+ +

Entity Categories for the Swedish eID Framework

+

Version 1.9 - 2024-12-04

+

Registration number: 2019-311

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation

    +

    1.2. References to SAML 2.0 Standards and Profiles

    +

    1.3. Consuming and Providing Services

    +

    1.4. Use in Discovery

    +

    1.5. Representation of Entity Categories in Metadata

    +
    2. +

  2. Definitions for Service Entity Categories

    +

    2.1. Natural Personal Identity with Civic Registration Number

    +

    2.1.1. loa2-pnr

    +

    2.1.2. loa3-pnr

    +

    2.1.3. loa4-pnr

    +

    2.1.4. eidas-pnr-delivery

    +

    2.2. eIDAS Natural Person Attribute Set

    +

    2.2.1. eidas-naturalperson

    +

    2.3. Organizational Identity for Natural Persons

    +

    2.3.1. loa2-orgid

    +

    2.3.2. loa3-orgid

    +

    2.3.3. loa4-orgid

    +

    2.4. Natural Personal Identity without Civic Registration Number

    +

    2.4.1. loa2-name

    +

    2.4.2. loa3-name

    +

    2.4.3. loa4-name

    +
    3. +

  3. Definitions for Service Property Categories

    +

    3.1. mobile-auth

    +

    3.2. scal2

    +
    4. +

  4. Definitions for Service Type Entity Categories

    +

    4.1. sigservice

    +

    4.2. public-sector-sp

    +

    4.3. private-sector-sp

    +
    5. +

  5. Service Contract Categories

    +
    6. +

  6. General Entity Categories

    +

    6.1. secure-authenticator-binding

    +

    6.2. accepts-coordination-number

    +

    6.3. supports-user-message

    +
    7. +

  7. References

    +
    8. +

  8. Changes between versions

    +
    9. +
+
+

+

1. Introduction

+

This specification contains the Entity Category definitions that are +defined for the Swedish eID Framework and that should be supported by +Service Providers and Identity Providers that are part of the +federation.

+

The use of Entity Categories for the Swedish eID Framework is restricted +to SAML metadata where Entity Categories are placed as SAML attributes +under the <mdattr:EntityAttributes> element +([SAML2MetaAttr]) for an <md:Extensions> element +([SAML2Meta]).

+
<md:EntityDescriptor entityID="https://eid.example.com/entityid">
+  <md:Extensions>
+    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
+    ... 
+      <saml:Attribute Name="http://macedir.org/entity-category"
+                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">
+          http://id.elegnamnden.se/ec/1.0/loa3-pnr
+        </saml:AttributeValue>    
+      </saml:Attribute>    
+    </mdattr:EntityAttributes>    
+  </md:Extensions>    
+  ...

The Entity Category identifier +http://id.elegnamnden.se/ec/1.0/loa3-pnr specified as an entity +attribute for a Service Provider or Identity Provider.

+

Five types of Entity Categories are used within the federation:

+
    +

  • Service entity category – Identifiers for entity categories + representing sets of requirements.

    +
    • +

  • Service property categories – Identifiers for defined service + properties.

    +
    • +

  • Service type categories – Identifiers for defined service types.

    +
    • +

  • Service contract categories - Identifiers for labelling entities based on contracts or business agreements.

    +
    • +

  • General categories - Identifiers defined within the Swedish eID Framework for miscellaneous purposes.

    +
    • +
+

+

1.1. Requirements Notation

+

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in [RFC2119].

+

The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus +on deployment practices intended to foster both interoperability and +guarantees of security and confidentiality needed to satisfy the +requirements of many organizations that engage in the use of federated +identity. Deviating may limit a deployment's ability to technically +interoperate without additional negotiation, and should be undertaken +with caution.

+

+

1.2. References to SAML 2.0 Standards and Profiles

+

When referring to elements from the SAML 2.0 core specification +[SAML2Core], the following syntax is used:

+
    +

  • <saml2p:Element> – for elements from the SAML 2.0 Protocol + namespace.

    +
    • +

  • <saml2:Element> – for elements from the SAML 2.0 Assertion + namespace.

    +
    • +
+

When referring to elements from the SAML 2.0 metadata specifications, +the following syntax is used:

+
    +

  • <md:Element> – for elements defined in [SAML2Meta].

    +
    • +

  • <mdattr:Element> – for elements defined in [SAML2MetaAttr].

    +
    • +
+

+

1.3. Consuming and Providing Services

+

Entity categories are mainly used for service matching. This allows +matching of a consuming service with an appropriate providing service. A +consuming service in this context is an assertion or attribute consuming +service of a service provider (Service described through an +<md:SPSSODescriptor> element in the federation metadata). A +providing service in this context is a service, represented in the +federation metadata, providing assertions to a service provider.

+

The entity categories defined in this document have different meaning +depending on whether they are declared by a consuming or a providing +service. Further, different types of entity category identifiers defined +in this document have different matching rules to determine whether +particular providing service matches the requirements of a consuming +service.

+

These differences are outlined in the following table:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EC typeConsuming serviceProviding serviceService matching rule
Service Entity CategoryEach declared category represents a set of requirements for the service.Represents the ability to deliver assertions in accordance with each declared category.At least one of the service entity categories declared by the consuming service MUST be declared by the providing service.
Service PropertyRepresents a property of this service.Represents the ability to deliver assertions to a consuming service that has the declared property.All properties declared by the consuming service MUST be declared by the providing service.
Service TypeDeclares the type of service provided by this consuming service.Not applicable.No matching rule.
Service ContractEach declared category represents a contract, or business agreement, that the service is affiliated to.Represents the contracts, or business agreements, under which the providing service may deliver services.At least one of the service contract identifiers declared by a providing service must be declared by the consuming service. A providing service that does not declare any service contract identifiers match all consuming services regarding service contract matching.
GeneralAn entity category type for miscellaneous purposes.An entity category type for miscellaneous purposes.No general matching rule.
However, the meaning of a general entity category may be such that it affects matching.
+

+

1.4. Use in Discovery

+

Entity Categories in metadata are declarations of requirements and +capabilities of Service Providers and Identity Providers. A discovery +process may make use of these declared Entity Categories when performing +filtering, i.e., when deciding which Identity Providers to present for +the end-user. The filtering algorithm is very simple:

+

For a Service Provider requesting discovery its metadata entry is +scanned for Entity Category identifiers of the type Service Entity +Category, Service Contract and Service Property. The algorithm then iterates over all +Identity Providers found in the metadata repository for the +federation. The discovery process SHOULD display Identity Providers as +a plausible choice, if and only if, the following conditions apply;

+
    +

  • the Identity Provider declares at least of the Service Entity Category + identifiers declared by the Service Provider,

    +
    • +

  • if the Identity Provider declares at least one Service Contract identifier, + the Service Provider must declare at least one of declared identifiers, and,

    +
    • +

  • all the Service Property identifiers declared by the Service + Provider must be declared by the Identity Provider.

    +
    • +
+

+

1.5. Representation of Entity Categories in Metadata

+

Entity categories defined in this document are placed in an entity’s +metadata record as an attribute value within an entity category +attribute (SAML attribute with name http://macedir.org/entity-category). +If more than one entity category identifier is included in the metadata +of a service, it MUST be placed as multiple attribute values within a +single entity category attribute.

+
<md:EntityDescriptor entityID="https://eid2.example.com/entityid">    
+  <md:Extensions>    
+    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">    
+    ...    
+      <saml:Attribute Name="http://macedir.org/entity-category"
+                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">    
+        <saml:AttributeValue xsi:type="xs:string">
+          http://id.elegnamnden.se/ec/1.0/loa3-pnr
+        </saml:AttributeValue>
+        <saml:AttributeValue xsi:type="xs:string">
+          http://id.swedenconnect.se/contract/sc/1.0/eidas
+        </saml:AttributeValue>    
+        <saml:AttributeValue xsi:type="xs:string">
+          http://id.elegnamnden.se/sprop/1.0/mobile-auth
+        </saml:AttributeValue>    
+      </saml:Attribute>    
+    </mdattr:EntityAttributes>    
+  </md:Extensions>    
+  ...

Example of how entity categories are represented in metadata.

+

+

2. Definitions for Service Entity Categories

+

This section contains a listing of Service Entity Categories that are defined within +the Swedish eID Framework. This listing may not be complete, and the federation operator +may define additional categories.

+

All service entity category identifiers are prefixed with +http://id.elegnamnden.se/ec or http://id.swedenconnect.se/ec (defined after Aug. 2018).

+

A service entity category identifies an arbitrary set of requirements and conditions that is required by the consuming service and provided by the providing service. Each service entity category specifies its own set of requirements and conditions. Typically, such requirements and conditions include requirements on level of assurance (LoA) and requirements on mandatory attributes. For contract or business agreement requirements Service Contract Categories should be used.

+

A providing service declaring a service entity category that consists of both a level of assurance requirement and an attribute set MUST guarantee that the release of the given attributes are consistent with the level of assurance requirement.

+

This specification does not impose any other limitations on what requirements or conditions that can be identified by a service entity category and there are no defined technical mechanisms to ensure that any service correctly implement any of these requirements. The main purpose of the service entity category is service matching in accordance with section 1.3 and any requirements and conditions that serves this purpose are considered valid.

+

Note: A providing service that does not comply with any of the defined service entity categories may define its own service entity category identifier in order to utilize the entity category matching rules. Any service entity category identifier defined outside of this specification should use the prefix http://id.swedenconnect.se/ec/<org>, where org is the defining organization's identifier.

+

+

2.1. Natural Personal Identity with Civic Registration Number

+

This section define Service Entity Categories that has attribute requirements +according to the "Natural Personal Identity with Civic Registration Number" +(http://id.elegnamnden.se/ap/1.0/pnr-01) attribute set as defined in section 2.3 +of [SC.SAML.Attrs].

+

Note: The http://id.elegnamnden.se/ap/1.0/pnr-01 attribute set includes the personalIdentityNumber attribute. See section 6.2, "accepts-coordination-number", for specific requirements concerning delivering a coordination number in this attribute.

+

+

2.1.1. loa2-pnr

+

URL: http://id.elegnamnden.se/ec/1.0/loa2-pnr

+

Description: User authentication according to assurance level 2 [SE.Trust] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa2

+
+

Or a corresponding LoA 2 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01

+

+

2.1.2. loa3-pnr

+

URL: http://id.elegnamnden.se/ec/1.0/loa3-pnr

+

Description: User authentication according to assurance level 3 [SE.Trust] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa3

+
+

Or a corresponding LoA 3 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01

+

+

2.1.3. loa4-pnr

+

URL: http://id.elegnamnden.se/ec/1.0/loa4-pnr

+

Description: User authentication according to assurance level 4 [SE.Trust] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa4

+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01

+

+

2.1.4. eidas-pnr-delivery

+

URL: http://id.elegnamnden.se/ec/1.0/eidas-pnr-delivery

+

Description: For asserting a Swedish identity to a foreign service provider via the Swedish eIDAS Proxy Service. This entity category MUST NOT be set by any entities other than Identity Providers providing identity assertions to the Swedish eIDAS Proxy Service and by the Swedish eIDAS Proxy Service itself.

+

Attribute release is based on the "Natural Personal Identity with Civic Registration Number" attribute set with the addition of a mandatory dateOfBirth-attribute (urn:oid:1.3.6.1.5.5.7.9.1). The reason for the mandatory dateOfBirth-attribute is that this information is required by the eIDAS minimum dataset and therefore must be obtained by the receiving eIDAS Proxy Service. Date of birth can not always reliably be derived from the personalIdentityNumber attribute.

+

It is the responsibility of the Swedish eIDAS Proxy Service to transform these attributes into eIDAS attributes.

+

LoA-identifier: Not applicable

+
+

An Identity Provider delivering assertions to the eIDAS framework is obliged to announce which levels that it supports by including the corresponding eIDAS authentication context URIs defined in section 3.1.1 of [SC.Registry] as assurance certification attributes in its metadata as described in section 2.1.3 of [SC.SAML.Profile].

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01 where the dateOfBirth attribute (urn:oid:1.3.6.1.5.5.7.9.1) is mandatory.

+

+

2.2. eIDAS Natural Person Attribute Set

+

+

2.2.1. eidas-naturalperson

+

URL: http://id.elegnamnden.se/ec/1.0/eidas-naturalperson

+

Description: User authentication according to any of the eIDAS assurance levels and attribute release according to “eIDAS Natural Person Attribute Set” (see section 2.5 of [SC.SAML.Attrs]).

+

LoA-identifier: Not applicable

+
+

It does not make sense to specify the level of assurance for a Service +Entity Categories intended for eIDAS since this information is not known +to the Swedish eIDAS-node.

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01

+

Note: Attribute release according to the http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01 attribute set may include the mappedPersonalIdentityNumber attribute. See section 6.2, "accepts-coordination-number", for specific requirements concerning delivering a coordination number in this attribute.

+

+

2.3. Organizational Identity for Natural Persons

+

This section define Service Entity Categories that has attribute requirements +according to the "Organizational Identity for Natural Persons" +(http://id.elegnamnden.se/ap/1.0/org-person-01) attribute set as defined in section 2.4 +of [SC.SAML.Attrs].

+

+

2.3.1. loa2-orgid

+

URL: http://id.swedenconnect.se/ec/1.0/loa2-orgid

+

Description: User authentication according to assurance level 2 [SE.Trust] and attribute release according to the attribute set “Organizational Identity for Natural Persons”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa2

+
+

Or a corresponding LoA 2 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/org-person-01

+

+

2.3.2. loa3-orgid

+

URL: http://id.swedenconnect.se/ec/1.0/loa3-orgid

+

Description: User authentication according to assurance level 3 [SE.Trust] and attribute release according to the attribute set “Organizational Identity for Natural Persons”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa3

+
+

Or a corresponding LoA 3 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/org-person-01

+

+

2.3.3. loa4-orgid

+

URL: http://id.swedenconnect.se/ec/1.0/loa4-orgid

+

Description: User authentication according to assurance level 4 [SE.Trust] and attribute release according to the attribute set “Organizational Identity for Natural Persons”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa4

+
+

Or a corresponding LoA 4 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/org-person-01

+

+

2.4. Natural Personal Identity without Civic Registration Number

+

This section define Service Entity Categories that has attribute requirements +according to the "Natural Personal Identity without Civic Registration Number" +(http://id.elegnamnden.se/ap/1.0/natural-person-01) attribute set as defined in section 2.2 +of [SC.SAML.Attrs].

+

+

2.4.1. loa2-name

+

URL: http://id.swedenconnect.se/ec/1.0/loa2-name

+

Description: User authentication according to assurance level 2 [SE.Trust] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa2

+
+

Or a corresponding LoA 2 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/natural-person-01

+

+

2.4.2. loa3-name

+

URL: http://id.swedenconnect.se/ec/1.0/loa3-name

+

Description: User authentication according to assurance level 3 [SE.Trust] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa3

+
+

Or a corresponding LoA 3 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/natural-person-01

+

+

2.4.3. loa4-name

+

URL: http://id.swedenconnect.se/ec/1.0/loa4-name

+

Description: User authentication according to assurance level 4 [SE.Trust] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”.

+

LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa4

+
+

Or a corresponding LoA 4 URI (see section 3.1.1 of [SC.Registry]).

+
+

Attribute requirements: http://id.elegnamnden.se/ap/1.0/natural-person-01

+

+

3. Definitions for Service Property Categories

+

A Service Property Entity Category identifier is specified as an +attribute value in the entity category attribute in the federation +metadata and has the purpose of representing a particular service +property.

+

All Service Type identifiers are prefixed with +http://id.elegnamnden.se/sprop.

+

+

3.1. mobile-auth

+

URL: http://id.elegnamnden.se/sprop/1.0/mobile-auth

+

Description: A service property declaring that the service is adapted to mobile clients and MUST allow users to authenticate using a mobile device that is used to access such service.

+

For a providing service, i.e. an Identity Provider, inclusion of the +mobile-auth category states that the Identity Provider supports +authentication using mobile devices, and that the end-user interface +of the Identity Provider is adapted for mobile clients.

+

Note that an Identity Provider may of course support authentication for +both desktop and mobile users. In these cases the service must be able +to display end user interfaces for both types of clients.

+

A discovery process will use this Service Property when performing +filtering of possible Identity Providers, as described in 1.4, “Use in +Discovery”. This means that a consuming service may include the +mobile-auth category in its metadata in order to have the discovery +process especially displaying Identity Providers that offer +authentication using mobile devices.

+

+

3.2. scal2

+

URL: http://id.elegnamnden.se/sprop/1.0/scal2

+

Description: A service property declaring that the service is adapted to support Sole Control Assurance Level 2 (SCAL2) in accordance with [SC.SAP].

+

For a providing service, i.e. an Identity Provider, inclusion of the +scal2 service property states that the Identity Provider will return a "SAD" in response to a SADRequest in an authentication requests from a signing service.

+

For consuming services, Signature Services MAY include this service property if all authentication requests from the +particular Signature Service include a SADRequest extension. A Service Provider that is not declared as a Signature Service MUST NOT include this service property in its metadata.

+

+

4. Definitions for Service Type Entity Categories

+

A Service Type Entity Category identifier is specified as an entity +attribute in the federation metadata and has the purpose of representing +a particular service type.

+

All Service Type identifiers are prefixed with +http://id.elegnamnden.se/st.

+

+

4.1. sigservice

+

URL: http://id.elegnamnden.se/st/1.0/sigservice

+

Description: A service type for a Service Provider that provides electronic signature services within the Swedish eID framework.

+

+

4.2. public-sector-sp

+

URL: http://id.elegnamnden.se/st/1.0/public-sector-sp

+

Description: A service type that indicates that a Service Provider is a "public sector" SP. This category MUST be used by public sector Service Providers wishing to use eIDAS authentication so that the Swedish eIDAS connector may include this information in the eIDAS authentication request. For other types of Service Providers its use is determined by the federation policy.

+

+

4.3. private-sector-sp

+

URL: http://id.elegnamnden.se/st/1.0/private-sector-sp

+

Description: A service type that indicates that a Service Provider is a "private sector" SP. This category MUST be used by private sector Service Providers wishing to use eIDAS authentication so that the Swedish eIDAS connector may include this information in the eIDAS authentication request. For other types of Service Providers its use is determined by the federation policy.

+

+

5. Service Contract Categories

+

Service Contract Entity Category identifiers are indented for performing service matching based on contracts, or business agreements, between providing and consuming services.

+

All Service Contract identifiers are prefixed with http://id.swedenconnect.se/contract/<org>, where org is identifier for the defining organization.

+

The meaning of different contracts and business agreements are out of scope for this specification, instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements.

+

+

6. General Entity Categories

+

An entity category of the General Entity Category type is a category that does not fit into any of the other category types regarding definitions and matching rules.

+

General category identifiers are prefixed with http://id.swedenconnect.se/general-ec.

+

+

6.1. secure-authenticator-binding

+

URL: http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding

+

Description: Some authentication schemes use an authentication device (authenticator) that +is external, i.e., not bound to the user agent. These types of authentication schemes may be +vulnerable to certain types of phishing attacks where a fraudster who controls the user agent can +trick, or persuade, the user to initiate an operation on the authentication device.

+

A typical example of the threat described above is where an Identity Provider implements an +authentication scheme that uses a mobile app as the authenticator. In those cases the user +normally enters some input (often the user identity) in the web browser (user agent) that is +then used by the Identity Provider to initiate an authentication session against the app running +on the user's mobile device. The problem here is that there is no way we can now that the +person initiating the operation in the web browser by entering a user identity is the same +person who opens, and performs the authentication in the app.

+

In order to prevent attacks of this type many authentication schemes offer alternative ways +of initiating authentication (or signature) sessions, where some sort of binding between the +user agent and the authentication device is performed. A good example of this is when +Identity Providers prompt the user to scan a QR-code displayed in the web browser using the +authentication app instead of prompting for the user identity. This effectively binds the +user agent to the same physical location as the authentication device, and in practice +makes the attacks described above impossible.

+

This profile defines the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding +entity category to be declared by Service Providers that require that a secure authenticator +binding is performed by the Identity Providers supporting this.

+

An Identity Provider that supports different methods of initiating authentication, or signature, +operations, and where at least one of these methods is a "secure authenticator binding" SHOULD +declare the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity +category in its metadata.

+

An Identity Provider that has declared the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding category in its metadata MUST perform a secure authenticator binding for requests sent +from Service Providers that have declared this entity category in their metadata entries.

+

+

6.2. accepts-coordination-number

+

URL: http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number

+

Description: A special purpose entity category that is declared by Service Providers +to announce that they accept a Swedish coordination number (samordningsnummer), [SKV707], being delivered in the personalIdentityNumber (urn:oid:1.2.752.29.4.13) attribute.

+

The personalIdentityNumber is defined in section 3.1 of [SC.SAML.Attrs] to contain either a Swedish personal identity number, [SKV704], or a Swedish coordination number, [SKV707]. However, how to utilize coordination numbers in +electronic services is, or has been, unclear. Not all Service Providers want, or are able to, use these types of identifiers. Therefore, this specification defines the "accepts coordination +number" category as an opt-in feature for those Service Providers that can accept a personalIdentityNumber attribute to contain a coordination number as well as a personal identity number.

+

An Identity Provider conformant with this specification MUST NOT deliver a coordination number +in the personalIdentityNumber attribute unless the receiving Service Provider has declared +the http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number entity category +in its metadata.

+

Note: This entity category does not apply to the eIDAS specific attribute +mappedPersonalIdentityNumber, see section 3.3.2 of [SC.SAML.Attrs]. +Thus, a coordination number may be included in this attribute even if the Service Provider +has not declared the entity category.

+

+

6.3. supports-user-message

+

URL: http://id.swedenconnect.se/general-ec/1.0/supports-user-message

+

Description: Service Providers may include the <umsg:UserMessage> extension in authentication requests for the purpose of displaying a custom "user message" for the authentication users, see [SC.SAML.UMsg]. An Identity Provider announces support for this extension by declaring the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category.

+

+

7. References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[SAML2Meta]

+
+

OASIS Standard, Metadata for the OASIS Security Assertion Markup +Language (SAML) V2.0, March +2005.

+
+

+[SAML2MetaAttr]

+
+

OASIS Committee Specification, SAML V2.0 Metadata Extension for +Entity Attributes Version 1.0, August +2009.

+
+

+[EntCat]

+
+

RFC8409 - The Entity Category Security Assertion Markup Language (SAML) Attribute Types.

+
+

+[SKV704]

+
+

Skatteverket, SKV 704 Utgåva 8, +Personnummer.

+
+

+[SKV707]

+
+

Skatteverket, SKV 707, Utgåva 2, +Samordningsnummer.

+
+

+[SE.Trust]

+
+

Tillitsramverket för Svensk e-legitimation.

+
+

+[SC.SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SC.Registry]

+
+

Sweden Connect - Registry for identifiers.

+
+

+[SC.SAML.Attrs]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SC.SAP]

+
+

Signature Activation Protocol for Federated Signing.

+
+

+[SC.SAML.UMsg]

+
+

User Message Extension in SAML Authentication Requests.

+
+

+

8. Changes between versions

+

Changes between version 1.8 and version 1.9:

+
    +

  • Fixed some broken links.

    +
    • +

  • Section 6.2, "accepts-coordination-number", was updated with changed logic for +the mappedPersonalIdentityNumber attribute.

    +
    • +

  • Added section 6.3, "supports-user-message", with a definition for the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category.

    +
    • +
+

Changes between version 1.7 and version 1.8:

+
    +

  • Section 2 was re-structured where new entity categories for loaX-orgid and loaX-name.

    +
    • +

  • The Service Entity Category loa3-hsaid was removed. Its use is out of scope for +the Swedish eID Framework. However, it may be defined by the federation operator.

    +
    • +

  • Section 6.2, accepts-coordination-number, defining the general entity category +http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number was added. +This category introduces an opt-in feature for accepting Swedish coordination numbers +delivered in the personalIdentityNumber attribute.

    +
    • +

  • For many services entity categories we have added the following text under the "LoA-identifier" requirement: "Or a corresponding LoA X URI". This means that the service entity category +also applies to variants to the official LoA URI (defined in [SC.Registry]).

    +
    • +
+

Changes between version 1.6 and version 1.7:

+
    +

  • A new entity category type, Service Contract, was added to section 5.

    +
    • +

  • The reference [EntCat] now refers to RFC-8409 instead of +https://tools.ietf.org/html/draft-young-entity-category.

    +
    • +

  • Chapter 6, "General Entity Categories", introduced a general entity category type for miscellaneous purposes.

    +
    • +

  • Section 6.1, "secure-authenticator-binding", was added defining the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category.

    +
    • +

  • Section 2.6, "loa3-hsaid", was added. This section defines a service entity category for LoA3 where HSA-ID is the primary identity attribute.

    +
    • +
+

Changes between version 1.5 and version 1.6:

+
    +

  • The Service Property Category "scal2" was added to section 3.2.

    +
    • +

  • Section 2.5, "eidas-pnr-delivery", was updated to also require attribute release of the dateOfBirth-attribute.

    +
    • +

  • Section 2.1, "loa3-pnr", was updated with a restriction stating that the personalIdentityNumber only may contain a Swedish personal identity number ("personnummer") and not a coordination number ("samordningsnummer"), if attribute release is made in loa3-pnr scope.

    +
    • +

  • The loa3-hsaid Service Entity Category was defined in section 2.6.

    +
    • +
+

Changes between version 1.4 and version 1.5:

+
    +

  • Introduced the Service Entity Category “eidas-naturalperson” + (section 2.4) for support of authentication against the eIDAS + Framework.

    +
    • +

  • Introduced the Service Entity Category "eidas-pnr-delivery" (section 2.5) for use by Swedish Identity Providers delivering assertions to Service Providers within the eIDAS federation.

    +
    • +

  • Added the Service Type Entity Categories "public-sector-sp" and "private-sector-sp" to section 4.

    +
    • +

  • Minor changes regarding discovery.

    +
    • +

  • Updates to explanatory text in chapter 2 about usage of service entity categories.

    +
    • +
+

Changes between version 1.3 and version 1.4:

+
    +

  • Version 1.3 of [Eid2Attributes] changed the terms “attribute + profiles” to “attribute sets”. This specification has therefore been + updated to reflect these changes.

    +
    • +

  • Chapter 1.5, “Representation of Entity Categories in Metadata”, was + added to illustrate how entity categories are represented in + metadata.

    +
    • +

  • Clarifications regarding the definition of Service Entity Categories + were made to chapter 2.

    +
    • +
+

Changes between version 1.2 and version 1.3:

+
    +

  • In chapter 1.4, “Use in Discovery Services”, the text that referred + to the Discovery Service usage of Service Property Entity Categories + when rendering user interfaces was removed.

    +
    • +

  • In chapter 3.1, “mobile-auth”, changes were made to reflect that the + use of mobile-auth no longer governs which type of end user + interface the Discovery Service should render.

    +
    • +

  • In chapter 2, “Definitions for Service Entity Categories”, URIs for + attribute profiles were added in definitions of the service entity + categories.

    +
    • +
+

Changes between version 1.1 and version 1.2:

+
    +
  • In chapter 2, “Definitions for Service Entity Categories”, two new + service entity categories have been defined, loa2-pnr and loa4-pnr.
    • +
+

Changes between version 1.0 and version 1.1:

+
    +

  • The service property category mobile-auth was added.

    +
    • +

  • Changes was made to chapter 1.4, “Use in Discovery Services”, where + mobile-auth was referred.

    +
    • +
+
+ + diff --git a/docs/december-2024/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html b/docs/december-2024/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html new file mode 100644 index 0000000..882b1b6 --- /dev/null +++ b/docs/december-2024/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html @@ -0,0 +1,683 @@ + + + + + + Implementation Profile for using OASIS DSS in Central Signing Services + + + + + + +

+ + +

+

+ +

+ +

Implementation Profile for using OASIS DSS in Central Signing Services

+

Version 1.6 - 2024-12-04

+

Registration number: 2019-312

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Terminology

    +

    1.2. Requirements Notation

    +

    1.3. Namespace references

    +

    1.4. Identification

    +

    1.5. Structure

    +
    2. +

  2. Sign request and response messages

    +

    2.1. Sign Requests

    +

    2.1.1. Signature on Sign Requests

    +

    2.1.2. Data To Be Signed

    +

    2.1.3. DSS Extension

    +

    2.1.3.1. Version

    +

    2.1.3.2. Conditions

    +

    2.1.3.3. Signer

    +

    2.1.3.4. IdentityProvider

    +

    2.1.3.5. SignRequester

    +

    2.1.3.6 SignService

    +

    2.1.3.7. RequestedSignatureAlgorithm

    +

    2.1.3.8. SignMessage

    +

    2.1.3.8.1. SignMessage Element

    +

    2.1.3.8.2. Requesting Identity Provider to Display SignMessage

    +

    2.1.3.9. CertRequestProperties

    +

    2.1.3.9.1. AuthnContextClassRef

    +

    2.1.3.9.2. RequestedCertAttributes

    +

    2.2. Sign Responses

    +

    2.2.1. Signature on Sign Responses

    +

    2.2.2. Sign Response Status Information

    +

    2.2.3. Generated Signature

    +

    2.2.4. DSS Extension

    +

    2.2.4.1. Version

    +

    2.2.4.2. ResponseTime

    +

    2.2.4.3. Request

    +

    2.2.4.4. SignerAssertionInfo

    +

    2.2.4.5. SignatureCertificateChain

    +
    3. +

  3. HTTP POST Binding

    +

    3.1. Message Exchange Model

    +

    3.1.1. Sign Request XHTML Form

    +

    3.1.2. Sign Response XHTML Form

    +
    4. +

  4. References

    +

    4.1. Normative References

    +

    4.2. Informative References

    +
    5. +

  5. Changes between versions

    +
    6. +
+

+

1. Introduction

+

This document specifies an implementation profile for exchange of sign +requests and responses using the OASIS DSS protocol [DSS], enhanced by +the DSS Extensions for Federated Central Signing Services [DSS-Ext].

+

Section 2 defines the sign request and response messages and section 3 +defines the transport of these messages using HTTP POST.

+

+

1.1. Terminology

+ + + + + + + + + + + + + + + + + + + +
TermDefined meaning
UserThe entity requested to sign a document.
Requesting ServiceThe service requesting the signature on a particular document by a particular user.
Signing ServiceA centralized service that manages the process to authenticate the user that has been requested to sign a document, and the process to obtain the user’s signature on the requested document.
+

+

1.2. Requirements Notation

+

The keywords MUST, MUST NOT, REQUIRED, SHALL, +SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, +MAY, and OPTIONAL are to be interpreted as described in +[RFC2119].

+

These keywords are capitalized when used to unambiguously specify +requirements over protocol features and behavior that affect the +interoperability and security of implementations. When these words are +not capitalized, they are meant in their natural-language sense.

+

+

1.3. Namespace references

+

Conventional XML namespace prefixes are used throughout the listings in +this specification to stand for their respective namespaces as follows, +whether or not a namespace declaration is present in the example:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PrefixXML NamespaceComments
csighttp://id.elegnamnden.se/csig/1.1/dss-ext/nsFor the DSS extension namespace [DSS-Ext] (default namespace).
dssurn:oasis:names:tc:dss:1.0:core:schemaThe DSS core namespace [DSS].
dshttp://www.w3.org/2000/09/xmldsig\#The XML Signature Syntax and Processing specification [XMLSig] and its governing schema [XMLSig-XSD].
samlurn:oasis:names:tc:SAML:2.0:assertionThe SAML V2.0 assertion namespace, defined in the schema [SAML-XSD].
+
+

+

1.4. Identification

+

The following URI identifier identifies this profile:

+
+

http://id.elegnamnden.se/csig/1.1/dss-ext/profile

+
+

+

1.5. Structure

+

This specification uses the following typographical conventions in text: +<EidElement>, <ns:ForeignElement>, Attribute, Datatype, +OtherCode.

+

+

2. Sign Request and Response Messages

+

This section defines a profile for sign requests and responses using the +OASIS DSS standard [DSS] in combination with “DSS extensions for +Federated Central Signing Services” [DSS-Ext].

+

In the following sections the OASIS DSS standard is referred to as “DSS” +and the DSS extensions are referred to as “DSS-Ext”.

+

Conformance with this implementation profile requires full conformance +with DSS and DSS-Ext. In case of conflict between DSS-Ext and DSS, +DSS-Ext is the normative one. In case of differences between this +implementation profile and DSS-Ext, this implementation profile is the +normative one.

+

+

2.1. Sign Requests

+

Sign requests are carried in a <dss:SignRequest> element according to requirements and conditions of the following subsections.

+

The <dss:SignRequest> element MUST have a Profile attribute with the value http://id.elegnamnden.se/csig/1.1/dss-ext/profile, which specifies conformance to this implementation profile.

+

The <dss:SignRequest> element MUST have a RequestID attribute with a value that uniquely identifies this request. The RequestID value MUST be a random generated value with at least 128 bit entropy and a length of at least 20 bytes.

+

+

2.1.1. Signature on Sign Requests

+

Sign requests MUST be signed. The signature MUST have a Same-Document URI-Reference (URI=””) to ensure that the signature covers the complete <dss:SignRequest> element.

+

The resulting <ds:Signature> element MUST be placed inside the <dss:OptionalInputs> element in accordance with section 5 of [DSS-Ext].

+

The Signature Service MUST NOT process the sign request unless the signature of the sign request can be authenticated as originating from a legitimate Requesting Service.

+

+

2.1.2. Data To Be Signed

+

A representation of the document to be signed MUST be provided in accordance with section 4.1 of [DSS-Ext].

+

Data to be signed MUST be provided in a <SignTaskData> element.

+

The <SignTasks> element MAY contain one or more <SignTaskData> elements, representing one or more requested signatures.

+

+

2.1.3. DSS Extension

+

The <dss:OptionalInput> element of the sign request MUST contain a +<SignRequestExtension> element according to requirements and +conditions of the following subsections.

+

+
2.1.3.1. Version
+

The Version attribute giving the version number of the [DSS-Ext] specification +SHOULD be set to the version number that is supported by the sender. +If absent, the default value "1.1" MUST be assumed.

+

+
2.1.3.2. Conditions
+

A <saml:Conditions> element MUST be present. This element MUST NOT +contain any information in addition to what is defined in section 3.1 of +[DSS-Ext].

+

If the <saml:Conditions> element contains the NotBefore and/or NotOnOrAfter attributes, the Signature Service consuming these values MAY consider them in its processing. However, a Signature Service MUST have a limitation on the maximum age of received messages, and if NotOnOrAfter exceeds this limitation, the NotOnOrAfter value MUST be ignored.

+

This specification does not state how long the message age limitation should be. However, it is RECOMMENDED that it does not exceed 3 minutes.

+

+
2.1.3.3. Signer
+

The Requesting Service MAY include a <Signer> element containing the SAML attributes that +are necessary in order to uniquely identify the signer. The present attributes MUST match the attributes +that are provided for this signer when authenticating the signer using the Identity Provider specified in the <IdentityProvider> element.

+

It is RECOMMENDED that a Signature Requester that has authenticated the user before sending a +signature request includes relevant SAML attributes in the <Signer> element. If this is not done, +the identity of the signer needs to be verified after the signature process has completed in order to ensure +that the authenticated user was the signer.

+

The Signing Service MUST match all attribute values provided in the +<Signer> element with SAML attributes provided for this signer +subject in a valid assertion obtained from the specified Identity +Provider.

+

If any of the attributes specified in the <Signer> element cannot +be found or matched with a corresponding attribute value from an +obtained assertion from the specified Identity Provider, the Signing +Service MUST reject the sign request.

+

+
2.1.3.4. IdentityProvider
+

This element MUST be present, specifying the SAML entityID of the +Identity Provider that MUST be used to authenticate the signer. The +Signing Service MUST NOT generate the requested signature unless the +signer is successfully authenticated through this Identity Provider.

+

+
2.1.3.5. SignRequester
+

This element MUST be present, specifying the identity of the Requesting +Service in the form of its SAML entityID.

+

+
2.1.3.6 SignService
+

This element MUST be present, specifying the SAML entityID of the +Signing Service that is the target of this sign request.

+

+
2.1.3.7. RequestedSignatureAlgorithm
+

This element MAY be present, specifying a URI that identifies a +signature algorithm that the Requesting Service prefers to be used when +generating the requested signature.

+

When this element is absent, the default signing algorithm is RSA with +SHA-256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.

+

+
2.1.3.8. SignMessage
+

+
2.1.3.8.1. SignMessage Element
+

This element MAY be present to provide information that the Identity +Provider MAY display for the user before obtaining the user’s consent to +sign. The message MAY be provided in clear text or in encrypted form. +The attribute MustShow MUST be set to true if the Identity Provider is +required to show this message to the user. When the message is provided +in encrypted form, the DisplayEntity attribute MUST include the entityID +of the Identity Provider holding the private decryption key. The +encryption key included in the metadata of the identified Identity +Provider SHOULD be used to encrypt the message.

+

The message MUST be encoded using UTF-8 and MUST be using one of the +formats plain text, HTML or markdown. The appropriate MIME type must be +declared in the MimeType attribute.

+

For messages in HTML format, the message MUST NOT contain tags and +attributes for each tag other than those listed in the following table:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HTML TagsTypeAllowed attributes
h1, h2, h3, h4Headingsstyle
div, span, pSectionstyle
table, tr, tdTablestyle
b, strongHighlightstyle
i, u, brFormat 
ol, ul, liList 
+

Allowed HTML entities for character replacement SHALL be restricted to +amp, gt, lt, quot and nbsp (in the form &entity-name;).

+

HTML messages MUST NOT contain any URI references to data outside the +message and MUST NOT contain any JavaScript in any form.

+

+
2.1.3.8.2. Requesting Identity Provider to Display SignMessage
+

The means through which the Service Provider requests the Identity +Provider to display a sign message is defined in section 7.1.1 of “Deployment Profile +for the Swedish eID Framework” [SC.SAML.Profile].

+

In addition to the requirements in section 7.1.1 of [SC.SAML.Profile] the +Signature Service MUST apply the following process regarding the inclusion of the +AuthnContextClassRef URI to include in the AuthnRequest sent to the Identity Provider +when authenticating the user for signing:

+
    +

  1. Determine requested LoA (Level of Assurance) by either:

    +
    2. +

  2. Get the LoA, or LoA:s, from the AuthnContextClassRef specified in the sign request as CertRequestProperties, or

    +
    3. +

  3. if the LoA reference from the sign request is absent then use the default LoA according to the governing policy.

    +
    4. +

  4. Include the LoA URI(s) from the step above as RequestedAuthnContext if supported by the Identity Provider. +If none of the LoA:s are supported by the Identity Provider, fail signing and return an error sign response, +indicating a request failure (the requested LoA(s) was inconsistent with the specified Identity Provider).

    +
    5. +
+

+
2.1.3.9. CertRequestProperties
+

This element MAY be present to provide requested properties of generated +signature certificates according to section 3.1.1 of [DSS-Ext].

+

When the CertType attribute is present with a value of QC/SSCD the signature service MUST request authentication in accordance with section 7.1.2 of “Deployment Profile for the Swedish eID Framework” [SC.SAML.Profile], or reject the request.

+

+
2.1.3.9.1. AuthnContextClassRef
+

This element MAY be present to specify the Level of Assurance(s) required +in order to issue the signing certificate.

+

+
2.1.3.9.2. RequestedCertAttributes
+

This element MAY be present to specify any number of attributes that the +Requesting Service requires or requests to be included as a +representation of the subject in the signature certificate that is +generated with the requested signature.

+

The Signature Service MUST NOT generate the requested signature unless +it can obtain attribute values from an authoritative source for all +requested attributes that is marked as "required". The Signature service +SHOULD attempt to provide all "requested" attributes.

+

The Signing Service MAY use an Attribute Authority as complementary +source to obtain requested attribute values, as long as the identity +assertion provided by the specified Identity Provider is sufficient to +uniquely identify the signer. The Sign Requester MAY provide one or more +SAML entityID identifiers of Attribute Authorities in +<AttributeAuthority> elements, which could be used to obtain an +attribute value for the requested attribute.

+

It is left to local policy of the Signature Service whether it accepts +any DefaultValue attribute value for any requested attributes as being +provided by an authoritative source. If a DefaultValue is accepted as +authoritative, it MUST NOT conflict with any attributes received by the +specified Identity Provider or Attribute Authority when authenticating +the signer. If the requested attribute is provided by the Identity +Provider or any Attribute Authority used by the Signing Service, then +these values MUST be used over the DefaultValue.

+

+

2.2. Sign Responses

+

Sign responses are carried in a <dss:SignResponse> element +according to requirements and conditions of the following subsections.

+

The <dss:SignResponse> element MUST have a Profile attribute with +the value http://id.elegnamnden.se/csig/1.1/dss-ext/profile, which +specifies conformance to this implementation profile.

+

The <dss:SignResponse> element MUST have a RequestID attribute +with a value that is identical to the sign request that is being +serviced through this sign response.

+

+

2.2.1. Signature on Sign Responses

+

Sign responses MUST be signed. The signature MUST have a Same-Document +URI-Reference (URI=””) to ensure that the signature covers the complete +<dss:SignResponse> element.

+

The resulting <ds:Signature> element MUST be placed inside the +<dss:OptionalOutputs> element in accordance with section 5 of +[DSS-Ext].

+

+

2.2.2. Sign Response Status Information

+

Implementations of this specification MUST return a +<dss:ResultMajor> value and MAY return a <dss:ResultMinor> +value. Implementations of this specification are released from the +requirement to return any of the listed values of +<dss:ResultMinor>, specified in the DSS standard, when returning +the <dss:ResultMajor> value +urn:oasis:names:tc:dss:1.0:resultmajor:Success, since all the listed +<dss:ResultMinor> values relates to signature validation and not +signature creation.

+

With the exception above, the response values defined in section 2.6 of the DSS standard, amended by status identifiers defined below* SHOULD be used.

+

| URL | Description | +| :--- | :--- | :--- | +| http://id.elegnamnden.se/sig-status/1.0/req-expired | The time window for the signature request has expired. | +| http://id.elegnamnden.se/sig-status/1.0/user-mismatch | The authenticated user does not match the signer identity attributes in the request. +| http://id.elegnamnden.se/sig-status/1.0/unsupported-loa | The requested level of assurance for user authentication is not supported. | +| http://id.elegnamnden.se/sig-status/1.0/sigmessage-error | A requirement to display sign message was included in the sign request, but the sign service could not establish that the sign message was displayed to the user. | +| http://id.elegnamnden.se/sig-status/1.0/user-cancel | The end user cancelled the signature operation. | +| http://id.swedenconnect.se/sig-status/1.1/authn-failed | The authentication during the signature operation failed. | +| http://id.swedenconnect.se/sig-status/1.1/security-violation | The Signature Service, or Identity Provider authenticating the end user, has detected a security violation (such as a possible fraud). |

+

Note: The authn-failed and security-violation codes were introduced for version 1.5 (of [DSS-Ext]), and a client not supporting this version will fail to understand these error codes. Whether a Signature Service checks the client version support or not before using these codes are out of scope for this profile.

+
+

[*]: Also listed in section 3.1.7 of [SC.Registry].

+
+

+

2.2.3. Generated Signature

+

The generated signature result data SHALL be provided in +<SignTaskData> element according to section 4.1.1 of [DSS-Ext].

+

One <SignTaskData> element shall be provided for each successfully +generated signature as a result of the corresponding request.

+

+

2.2.4. DSS Extension

+

The <dss:OptionalInput> element of the sign response MUST contain +a <SignResponseExtension> element according to requirements and +conditions of the following subsections.

+

+
2.2.4.1. Version
+

The version of the [DSS-Ext] specification under which the +request was processed and response was constructed. This version MUST be the same +version as given in the SignRequestExtension (see section 2.1.3.1, "Version)".

+

For backwards compatibility reasons that attribute MAY be absent if version "1.1" was requested. +Otherwise, it MUST be set.

+

+
2.2.4.2. ResponseTime
+

The <ResponseTime> element MUST be present in the response.

+

+
2.2.4.3. Request
+

The <Request> element MAY be present in a response. However, it is RECOMMENDED not to include this +element since it makes the response message unnecessary large, instead the requester of a sign operation +is expected to save the request message in its session for later use when processing a response message.

+

+
2.2.4.4. SignerAssertionInfo
+

The <SignerAssertionInfo> element MUST be present if the signer +has been successfully authenticated using the specified Identity +Provider. The present <ContextInfo> child element MUST include an +<AssertionRef> child element. The <AssertionRef> child +element MUST contain the value of the ID attribute of the root element +of the SAML assertion used to authenticate the signer.

+

+
2.2.4.5. SignatureCertificateChain
+

The <SignatureCertificateChain> element MUST be present if a +certificate was issued to the signer. This element MUST provide a +complete chain of certificates up to a self-signed root certificate.

+

All signature values according to section 2.2.3 MUST be verifiable using +the signer certificate provided in this element.

+

+

3. HTTP POST Binding

+

This section specifies the protocol binding +for transport of sign request and sign response messages using HTTP POST. This +protocol binding implements the message exchange model in section 3.1.

+

This process is technically equivalent to the procedures implemented by +SAML HTTP POST bindings [SAML2Bind], section 3.5.

+

+

3.1. Message Exchange Model

+

Sign request and response messages are exchanged between the Requesting +Service and the Signing Service with the user acting as an intermediary +through a user agent (typically a web browser) according to the +following message flow:

+

+
    +

  1. The user agent initiates the signing process by an HTTP request to + the Service Provider, for example caused by the user clicking a + button on a web page.

    +
    2. +

  2. The Service Provider responds to the user agent with an XHTML form, + containing a Base64 encoded sign request.

    +
    3. +

  3. A JavaScript in the XHTML form causes the user agent to send the + sign request to the Signing Service using HTTP POST.

    +
    4. +

  4. The user interacts with the Signing Service to complete the + requested signature.

    +
    5. +

  5. The Signing Service responds to the user agent with an XHTML form, + containing a Base64 encoded sign response.

    +
    6. +

  6. A JavaScript in the XHTML form causes the user agent to send the + sign response to the Service Provider using HTTP POST.

    +
    7. +

  7. The Service Provider processes the sign response and a confirmation + or status message is returned to the user agent.

    +
    8. +
+

The steps 1,4 and 7 are part of the service infrastructure and are +outside the scope of this HTTP POST binding specification.

+

+

3.1.1. Sign Request XHTML Form

+

The sign request XHTML form SHALL have functional properties that are +equivalent to the following implementation example:

+
<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'>
+<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en'>
+<body onload='document.forms[0].submit()'>
+  <noscript>
+    <p><strong>Note:</strong> Since your browser does not support JavaScript,
+    you must press the Continue button once to proceed.</p>
+  </noscript>
+  <form action='https://csig.example.com/signrequest' method='post'>
+    <div>
+      <input type='hidden' name='Binding' value='POST/XML/1.0'/>
+      <input type='hidden' name='RelayState' value='56345145a482995d'/>
+      <input type='hidden' name='EidSignRequest' value='PD94bWw…WVzdD4='/>
+    </div>
+    <noscript>
+      <div>
+        <input type='submit' value='Continue'/>
+      </div>
+    </noscript>
+  </form>
+</body>

The form’s action attribute specifies the URL to the Signing Service and +the form MUST have a method attribute with the value “post”.

+

The form MUST provide the following parameters:

+ + + + + + + + + + + + + + + + + + + +
ParameterValue
Binding“POST/XML/1.0” Identifying implementation of this binding specification
RelayStateThis parameter MUST contain the value of the RequestID attribute of the <dss:SignRequest> element that is present in the base64 encoded sign request.
EidSignRequestBase64 encoded sign request.
+

+
3.1.2. Sign Response XHTML Form
+

The sign response XHTML form SHALL have functional properties that are +equivalent to the following implementation example:

+
<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'>
+<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en'>
+<body onload='document.forms[0].submit()'>
+  <noscript>
+    <p><strong>Note:</strong> Since your browser does not support JavaScript,
+    you must press the Continue button once to proceed.</p>
+  </noscript>
+  <form action='https://sp.example.com/sigResponseHandler' method='post'>
+    <div>
+      <input type='hidden' name='Binding' value='POST/XML/1.0'/>
+      <input type='hidden' name='RelayState' value='56345145a482995d'/>
+      <input type='hidden' name='EidSignResponse' value='PD94bWw…WVzdD4='/>
+    </div>
+    <noscript>
+      <div>
+        <input type='submit' value='Continue'/>
+      </div>
+    </noscript>
+  </form>
+</body>

The form’s action attribute specifies the URL to the requesting Service +Provider. This URL MUST specify a URL from the +<saml:AudienceRestriction> element that was provided in the +corresponding sign request. The form MUST have a method attribute with +the value “post”.

+

The form MUST provide the following parameters:

+ + + + + + + + + + + + + + + + + + + +
ParameterValue
Binding“POST/XML/1.0” Identifying implementation of this binding specification
RelayStateThis parameter MUST contain the value of the RequestID attribute of the <dss:SignResponse> element that is present in the base64 encoded sign request.
EidSignResponseBase64 encoded sign response.
+

+

4. References

+

+

4.1. Normative References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997.

+
+

+[DSS]

+
+

OASIS Standard - Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0, April 11, 2007.

+
+

+[SAML-XSD]

+
+

S. Cantor et al., SAML assertions schema. OASIS SSTC, March 2005. Document ID: saml-schema-assertion-2.0. See http://www.oasisopen.org/committees/security/.

+
+

+[XMLSig]

+
+

D. Eastlake et al, XML-Signature Syntax and Processing, W3C Recommendation, February 2002.

+
+

+[XMLSig-XSD]

+
+

XML Signature Schema. World Wide Web Consortium. See https://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd.

+
+

+[DSS-Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[SC.SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SC.Registry]

+
+

Sweden Connect - Registry for identifiers.

+
+

+

4.2. Informative References

+

+[SAML2Bind]

+
+

OASIS Standard, Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005.

+
+

+

5. Changes between versions

+

Changes between version 1.5 and version 1.6:

+
    +

  • Section 2.2.2, "Sign Response Status Information", now defines the DSS status codes previously only appearing in [SC.Registry]. The status codes http://id.swedenconnect.se/sig-status/1.1/authn-failed and http://id.swedenconnect.se/sig-status/1.1/security-violation were also introduced.

    +
    • +

  • Section 2.1.3.2, "Conditions", was updated with requirements on how to interpret NotBefore and/or NotOnOrAfter values.

    +
    • +
+

Changes between version 1.4 and version 1.5:

+
    +

  • The requirements in section 2.2.4.3, "Request", were updated. The Request element is no longer mandatory to include in a response message.

    +
    • +

  • Sections 2.1.3.1 and 2.2.4.1 defining the requirements concerning the use of the Version attribute in SignRequestExtension and SignResponseExtension elements were updated in order to implement support for newer versions of the DSS extension specification.

    +
    • +

  • Section 2.1.3.3, "Signer", was updated so that it is no longer required to supply the <csig:Signer> element. This enables use cases where the user is not known at the time of signature initiation.

    +
    • +
+

Changes between version 1.3 and version 1.4:

+
    +

  • Updates of references and change of logotype.

    +
    • +

  • Updates to section 2.1.3.8.2, "Requesting Identity Provider to Display SignMessage", with a more simple +process of determining the Level of Assurance URI to include in requests.

    +
    • +
+

Changes between version 1.2 and version 1.3:

+
    +
  • In section 2.1.3.9, "CertRequestProperties", a requirement to adapt authentication request procedures when the requested signature is a qualified electronic signature was added.
    • +
+

Changes between version 1.1 and version 1.2:

+
    +
  • In section 2.2.2, a reference to section 3.1.5 in [SC.Registry] was changed to section 3.1.7.
    • +
+

Changes between version 1.0 and version 1.1:

+
    +

  • This profile now refers to version 1.1 of the “DSS Extensions for + Federated Central Signing Services” specification.

    +
    • +

  • Changes were made to section 2.1.3.8, “SignMessage”, in order to + define usage of the <SignMessage> element.

    +
    • +

  • The URI identifier that identifies this profile has been changed + from http://id.elegnamnden.se/csig/1.0/eid2-dss/profile to + http://id.elegnamnden.se/csig/1.1/dss-ext/profile.

    +
    • +
+
+ + diff --git a/docs/december-2024/08_-_Certificate_Profile_for_Central_Signing_Services.html b/docs/december-2024/08_-_Certificate_Profile_for_Central_Signing_Services.html new file mode 100644 index 0000000..8ee4f82 --- /dev/null +++ b/docs/december-2024/08_-_Certificate_Profile_for_Central_Signing_Services.html @@ -0,0 +1,350 @@ + + + + + + Certificate Profile for Certificates Issued by Central Signing Services + + + + + + +

+ + +

+

+ +

+ +

Certificate Profile for Certificates Issued by Central Signing Services

+

Version 1.2 - 2020-01-17

+

Registration number: 2019-313 (previously: ELN-0608)

+
+

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirement key words

    +

    1.2. XML namespace references

    +

    1.3. Structure

    +
    2. +

  2. Certificate Profile

    +

    2.1. Standards

    +

    2.2. Qualified and PKC Certificates

    +

    2.3. Certificate Content

    +

    2.3.1. Subject Attributes and Name Forms

    +

    2.3.1.1. Person Identifier Attributes

    +

    2.3.1.1.1. Data Source

    +

    2.3.1.1.2. Data Format

    +

    2.3.1.2. Other Attribute Requirements

    +

    2.3.2. Authentication Context and Attribute Mapping

    +

    2.3.2.1. Extended Authentication Information

    +

    2.3.3. Certificate Policy

    +
    3. +

  3. Normative References

    +
    4. +

  4. Changes between versions

    +
    5. +
+
+

+

1. Introduction

+

This document specifies a certificate profile for certificates issued by +a signature service based on the OASIS DSS protocol [DSS], enhanced by +the DSS Extensions for Federated Central Signing Services [DSS-Ext].

+

+

1.1. Requirement key words

+

The key words MUST, MUST NOT, REQUIRED, SHALL, +SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, +MAY, and OPTIONAL are to be interpreted as described in +[RFC2119].

+

These keywords are capitalized when used to unambiguously specify +requirements over protocol features and behavior that affect the +interoperability and security of implementations. When these words are +not capitalized, they are meant in their natural-language sense.

+

+

1.2. XML namespace references

+

The prefix saci: stands for the SAML Authentication Context Information XML Schema +namespace, http://id.elegnamnden.se/auth-cont/1.0/saci.

+
+

Schema location URL: https://docs.swedenconnect.se/schemas/cert-schemas/1.0/CertAuthContextExtension-SAML-1.0.xsd

+
+

The prefix sacex: stands for the Extended Authentication Information XML Schema +namespace, http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info.

+
+

Schema location URL: https://docs.swedenconnect.se/schemas/cert-schemas/1.0/CertAuthContextExtension-ExtAuthInfo-1.0.xsd

+
+

+

1.3. Structure

+

This specification uses the following typographical conventions in text: +<Eid2Element>, <ns:ForeignElement>, Attribute, Datatype, +OtherCode.

+

+

2. Certificate Profile

+

+

2.1. Standards

+

The following standards provides normative requirements for this +certificate profile:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StandardFunctionReference
RFC 5280Main certificate standard[RFC5280]
RFC 7773Authentication context extension[RFC7773]
EN 319 411-1Policy requirements for PKC certificates[EU-POL-NCP]
EN 319 411-2Policy requirements for Qualified certificates[EU-POL-QC]
EN 319 412-1Definitions of semantic identifies and formatting rules for identity data[EU-CERT-GEN]
EN 319 412-2Certificate profile for certificates issued to natural persons[EU-CERT-NP]
EN 319 412-5Declaration of qualified certificate properties[EU-CERT-QC]
+

+

2.2. Qualified and PKC Certificates

+

This profile supports both Qualified Certificates as well as certificates that are not Qualified Certificates, here named PKC certificates (Public Key Certificates).

+

All profile requirements apply to both Qualified Certificates and to PKC certificates unless it is explicitly stated that a particular requirement applies only to PKC or Qualified Certificates.

+

+

2.3. Certificate Content

+

All certificates SHALL be fully compliant with [RFC5280] and [EU-CERT-NP]. All Qualified Certificates SHALL also implement mandatory QC statements as defined in [EU-CERT-QC].

+

+

2.3.1. Subject Attributes and Name Forms

+

+
2.3.1.1. Person Identifier Attributes
+

+
2.3.1.1.1. Data Source
+

All certificates SHALL contain a unique person identifier, carried in the serialNumber attribute (OID 2.5.4.5) in the subject field. The person identifier SHALL be obtained from the Identity Provider in the form of a SAML attribute. For PKC certificates, the SAML attribute SHOULD be one of the attributes listed below. For Qualified Certificates, the SAML attribute SHALL be one of the attributes listed below.

+ + + + + + + + + + + + + + + + + + + + + + + +
AttributeAttribute nameSpecification
Swedish Personal Identity Number (personnummer)urn:oid:1.2.752.29.4.13[AttrSpec]
Provisional IDurn:oid:1.2.752.201.3.4[AttrSpec]
eIDAS Person Identifierurn:oid:1.2.752.201.3.7[AttrSpec]
+

+
2.3.1.1.1. Data Format
+

The identifier data obtained from the SAML assertion SHALL be stored in the serialNumber attribute using one of the following formats:

+
    +
  • using exactly the same format as it was obtained from the SAML attribute, or,
    • +
  • using conventions specified in [EU-CERT-GEN] as defined below.
    • +
+

When storing a person identifier in the serialNumber attribute in accordance with [EU-CERT-GEN], the certificate SHALL include a semantics identifier as specified in section 5.1 of [EU-CERT-GEN].

+

Swedish Personal Identity Number (personnummer)

+

When the identifier is a Swedish personal identity number (personnummer) the semantics identifier SHALL be a natural person semantics identifier using the identity type reference "PNO".

+
+

Example: PNOSE-194911172296

+
+

Provisional ID

+

When the identifier is a provisional ID the semantics identifier SHALL be a natural person semantics identifier using a local national identity type reference "PI:SE".

+
+

Example: PI:SE-NO:16043700158

+
+

This identifier illustrates that the identifier is a Provisional ID (PI) as defined in Sweden (SE) followed by a hyphen (-) and the actual provisional ID for a person from Norway (NO:16043700158).

+

When the identity type reference is "PI:SE", the nameRegistrationAuthorities element of SemanticsInformation shall be present and shall contain a uniformResourceIdentifier generalName with the following value:

+
+

http://id.elegnamnden.se/eln/name-registration-authority

+
+

eIDAS Person Identifier

+

eIDAS person identifier attributes MAY be stored in the serial number attribute having exactly the same format as received from the SAML attribute listed above, supported by providing a semantics identifier according to [EU-CERT-GEN] identified by the OID 0.4.0.194121.1.3.

+

NOTE:

+
+

A new version of the [EU-CERT-GEN] is processed for approval at the time of publication of this document. The new version will specify a semantics identifier for storing eIDAS person identifier attributes using the semantics identifier OID 0.4.0.194121.1.3. This semantics identifier (id-etsi-qcs-semanticsId-eIDASNatural) is not yet present in the latest published version of the standard.

+
+

+
2.3.1.2. Other Attribute Requirements
+

An e-mail address, when present, SHALL be stored in a Subject Alternative Name extension as an rfc822Name.

+

+

2.3.2. Authentication Context and Attribute Mapping

+

Certificates MUST include an AuthContextExtension according to [RFC7773]. This extension SHALL include one SAML Authentication Context Information element identified by the XML schema namespace identifier:

+
+

http://id.elegnamnden.se/auth-cont/1.0/saci

+
+

The <saci:SAMLAuthContext> element SHALL contain both an <saci:AuthContextInfo> element as well as an <saci:IdAttributes> element.

+

The <saci:IdAttributes> element SHALL contain one <saci:AttributeMapping> element for each +subject attribute or other name form that was obtained from a SAML attribute in the SAML +assertion used to authenticate the signer as part of the signature creation process. Each +<saci:AttributeMapping> element SHALL provide the <saml:AttributeValue> that were obtained from +the SAML assertion.

+

+
2.3.2.1. Extended Authentication Information
+

In addition to the attributes of <saci:AuthContextInfo> it is possible to provide additional authentication information through the extensibility of the <saci:AuthContextInfo> element which allows inclusion of a sequence of any element.

+

One such element is defined in this section, the <sacex:ExtAuthInfo> element.

+

This element MAY be included to provide a name of a parameter and its associated value.

+

This element MAY be used to carry the value of any single valued attribute from the associated SAML assertion as long as the SAML attribute value is not composed of a complex type. When used to carry a SAML attribute value, the value of the <sacex:ExtAuthInfo> element SHALL be identical to the content of the SAML attribute value element and the Name attribute SHALL hold the same value as the Name attribute of the corresponding SAML attribute.

+

The <sacex:ExtAuthInfo> element is defined by the following XML Schema:

+
<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+    targetNamespace="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info"
+    xmlns:sacex="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
+    
+  <xs:element name="ExtAuthInfo" type="sacex:ExtAuthInfoType" />
+
+  <xs:complexType name="ExtAuthInfoType">
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="Name" type="xs:string" use="required" />
+        <xs:anyAttribute namespace="##any" processContents="lax" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+</xs:schema>

Example:

+

The following example illustrates inclusion of the content of a transaction identifier SAML +attribute as extended authentication information.

+
<saci:SAMLAuthContext
+    xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
+    xmlns:sacext="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
+  <saci:AuthContextInfo IdentityProvider="http://eid.example.com/idp"
+      AuthenticationInstant="2020-01-10T17:02:46.000Z"
+      AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"
+      AssertionRef="_936e075dc2725b016de57b9a0624c766">
+    <sacext:ExtAuthInfo Name="urn:oid:1.2.752.201.3.2">dc6ac7656H89bfb51</sacext:ExtAuthInfo>
+  </saci:AuthContextInfo>
+  <saci:IdAttributes>...</saci:IdAttributes>
+</saci:SAMLAuthContext>

+

2.3.3. Certificate Policy

+

Certificates SHALL contain at least one referenced certificate policy. PKC certificates SHALL contain at least one reference to a policy identified in [EU-POL-NCP]. Qualified Certificates SHALL reference at least one certificate policy identified in [EU-POL-QC].

+

+

3. Normative References

+

+[DSS]

+
+

OASIS Standard - Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0, April 11, 2007.

+
+

+[DSS-Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[AttrSpec]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997.

+
+

+[RFC3739]

+
+

Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 Public Key +Infrastructure: Qualified Certificates Profile", RFC 3739, March +2004.

+
+

+[RFC5280]

+
+

Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and +W. Polk, "Internet X.509 Public Key Infrastructure Certificate and +Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

+
+

+[RFC7773]

+
+

RFC-7773: Authentication Context Certificate Extension

+
+

+[EU-POL-NCP]

+
+

ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements.

+
+

+[EU-POL-QC]

+
+

ETSI EN 319 411-2, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates

+
+

+[EU-CERT-GEN]

+
+

ETSI EN 319 412-1, Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures.

+
+

+[EU-CERT-NP]

+
+

ETSI EN 319 412-2, Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons.

+
+

+[EU-CERT-QC]

+
+

ETSI EN 319 412-5, Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 5: QCStatements.

+
+

+[SKV704]

+
+

Skatteverket, SKV 704 utgåva 8, Personnummer, September +2007.

+
+

+[SKV707]

+
+

Skatteverket, SKV 707, Utgåva 2, +Samordningsnummer.

+
+

+

4. Changes between versions

+

Changes between version 1.1 and version 1.2:

+
    +

  • Update of logotype, fixes of typos and reference list.

    +
    • +

  • Section 2.3.2.1, "Extended Authentication Information", was added.

    +
    • +
+

Changes between version 1.0 and version 1.1:

+
    +
  • Removed the requirement to store "personnummer" or "samordningsnummer".
    • +
  • Updated standards references to remove old deprecated standards and replace them with the currently published documents.
    • +
  • Specified optional support for using semantics identifiers in accordance with ETSI EN 319 412-1 to specify that the serialNumber attribute contains a Swedish "personnummer" or "samordningsnummer", Provisional ID or eIDAS person identifier.
    • +
  • Added requirement to specify ETSI policy identifiers.
    • +
  • Fix of invalid links for SKV704 and SKV707.
    • +
+
+ + diff --git a/docs/december-2024/09_-_DSS_Extension_for_Federated_Signing_Services.html b/docs/december-2024/09_-_DSS_Extension_for_Federated_Signing_Services.html new file mode 100644 index 0000000..ec4276d --- /dev/null +++ b/docs/december-2024/09_-_DSS_Extension_for_Federated_Signing_Services.html @@ -0,0 +1,1668 @@ + + + + + + DSS Extension for Federated Central Signing Services + + + + + + +

+ + +

+

+ +

+ +

DSS Extension for Federated Central Signing Services

+

Version 1.5 - 2024-12-04

+

Registration number: 2019-314

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Terminology

    +

    1.1.1. Keywords

    +

    1.1.2. Structure

    +

    1.1.3. Definitions

    +

    1.2. Schema Organization and Namespaces

    +

    1.3. Common Data Types

    +

    1.3.1. String values

    +

    1.3.2. URI Values

    +

    1.3.3. Time Values

    +

    1.3.4. MIME Types for <dss:TransformedData>

    +
    2. +

  2. Common Protocol Structures

    +

    2.1. Type AnyType

    +
    3. +

  3. Federated Signing DSS Extensions

    +

    3.1. Element <SignRequestExtension>

    +

    3.1.1. Type CertRequestPropertiesType

    +

    3.1.1.1. Type RequestedAttributesType

    +

    3.1.2. Element <SignMessage>

    +

    3.2. Element <SignResponseExtension>

    +

    3.2.1. Type SignerAssertionInfoType

    +

    3.2.1.1. Type ContextInfoType

    +

    3.2.1.2. Type SAMLAssertionsType

    +

    3.2.2. Type CertificateChainType

    +
    4. +

  4. Extensions to <dss:InputDocuments> and <dss:SignatureObject>

    +

    4.1. Element <SignTasks>

    +

    4.1.1. Element <SignTaskData>

    +

    4.1.1.1. Type AdESObjectType

    +
    5. +

  5. Signing Sign Requests and Responses

    +
    6. +

  6. Normative References

    +
    7. +

  7. Changes between versions

    +
    8. +
+

Appendix A. XML Schema

+

+

1. Introduction

+

This specification defines elements that extend the +<dss:SignRequest> and <dss:SignResponse> elements of +[OASIS-DSS].

+

One element <SignRequestExtension> is defined for extending sign +requests and one element <SignResponseExtension> is defined for +extending sign responses. The <SignTasks> element extends the +<dss:InputDocuments> element of sign requests and +<dss:SignatureObject> element of sign responses.

+

These extensions to the DSS protocols provide essential protocol +elements in a scenario where:

+
    +

  • The user's signature is requested by a service with which the user + has an active session and where this service has authenticated the + user using a SAML assertion.

    +
    • +

  • The service provider holds the data to be signed.

    +
    • +

  • The central signing service is requested to authenticate the user + with the same Identity Provider that was used to authenticate the + user to the Service Provider.

    +
    • +
+

This particular use case is relevant when a user logs in to a service +using a federated identity, where the user at some point is required to +sign some data such as a tax declaration or payment transaction. The +user is forwarded to the signing service together with a sign request +from the Service Provider, specifying the information to be signed +together with the conditions for signing. After completed signing, the +user is returned to the Service Provider together with a sign response +from which the Service Provider can assemble a complete signed document, +signed by the user.

+

This scenario requires more information in both sign requests and sign +responses than the original DSS core standard provides, and it also +requires the capability to let the service provider sign the sign +request.

+

+

1.1. Terminology

+

+

1.1.1.  Keywords

+

The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, +SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be +interpreted as described in [RFC 2119].

+

These keywords are capitalized when used to unambiguously specify +requirements over protocol features and behavior that affect the +interoperability and security of implementations.

+

When these words are not capitalized, they are meant in their +natural-language sense.

+

+

1.1.2. Structure

+

This specification uses the following typographical conventions in text: +<ThisSpecifictionElements>, <ns:ForeignElement>, Attribute, +Datatype, OtherCode.

+

Listings of DSS schemas appear like this.

+

+

1.1.3. Definitions

+

Identity Provider

+
+

An Identity Provider that is assigned to authenticate the signer.

+
+

Signing Service

+
+

A Signing Service that receives sign requests and responds with sign +responses according to this specification.

+
+

Service Provider

+
+

A service that has identified the signer through the user's Identity +Provider and requests that the signer signs some data using the +Central Signing Service.

+
+

+

1.2. Schema Organization and Namespaces

+

The structures described in this specification are contained in the XML +schema for this protocol [Csig-XSD]. All schema +listings in the current document are excerpts from the complete XML +schema.

+

This schema is associated with the following XML namespace:

+

http://id.elegnamnden.se/csig/1.1/dss-ext/ns

+

Compliance with this specification requires support of the latest version of +the [Csig-XSD] schema which is 1.1.3.

+

If a future, non backwards compatible, version of this specification is needed, it will use a +different namespace.

+

Conventional XML namespace prefixes are used in the schema:

+
    +

  • The prefix csig: stands for this specification's XML schema + namespace [Csig-XSD].

    +
    • +

  • The prefix dss: stands for the DSS core namespace + [OASIS-DSS].

    +
    • +

  • The prefix ds: stands for the W3C XML Signature namespace + [XMLDSIG].

    +
    • +

  • The prefix xs: stands for the W3C XML Schema namespace + [Schema1].

    +
    • +

  • The prefix saml: stands for the OASIS SAML Schema namespace + [SAML2.0].

    +
    • +

  • The prefix xades: stands for the ETSI XAdES Schema namespace + [XAdES].

    +
    • +
+

Applications MAY use different namespace prefixes, and MAY use whatever +namespace defaulting/scoping conventions they desire, as long as they +are compliant with the Namespaces in XML specification +[XML-ns].

+

The following schema fragment defines the XML namespaces and other +header information for this specification's core XML schema:

+
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+    elementFormDefault="qualified"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    targetNamespace="http://id.elegnamnden.se/csig/1.1/dss-ext/ns"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
+    xmlns:csig="http://id.elegnamnden.se/csig/1.1/dss-ext/ns">
+    <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+        schemaLocation="saml-schema-assertion-2.0.xsd"/>

+

1.3. Common Data Types

+

The following sections define how to use and interpret common data types +that appear throughout the specification.

+

+

1.3.1. String values

+

All string values have the type xs:string, which is built in to the +W3C XML Schema Datatypes specification [Schema2]. Unless +otherwise noted in this specification or particular profiles, all +strings in this specification MUST consist of at least one +non-whitespace character (whitespace is defined in the XML +Recommendation [XML] Section 2.3).

+

Unless otherwise noted in this specification, all elements that have the +XML Schema xs:string type, or a type derived from that, MUST be +compared using an exact binary comparison. In particular, +implementations MUST NOT depend on case-insensitive string comparisons, +normalization or trimming of whitespace, or conversion of +locale-specific formats such as numbers or currency. This requirement is +intended to conform to the W3C working group note "Requirements for String +Identity, Matching, and String Indexing" [W3C-CHAR].

+

+

1.3.2. URI Values

+

All SAML URI reference values have the type xs:anyURI, which is +built in to the W3C XML Schema Datatypes specification +[Schema2].

+

Unless otherwise indicated in this specification, all URI reference +values used within defined elements or attributes MUST consist of at +least one non-whitespace character, and are REQUIRED to be absolute +[RFC 3986].

+

Note that this specification makes use of URI references as identifiers, +such as status codes, format types, attribute and system entity names, +etc. In such cases, it is essential that the values be both unique and +consistent, such that the same URI is never used at different times to +represent different underlying information.

+

+

1.3.3. Time Values

+

All time values have the type xs:dateTime, which is built in to the +W3C XML Schema Datatypes specification [Schema2], and +MUST be expressed in UTC form, with no time zone component.

+

Implementations SHOULD NOT rely on time resolution finer than +milliseconds. Implementations MUST NOT generate time instants that +specify leap seconds.

+

+

1.3.4. MIME Types for <dss:TransformedData>

+

The following MIME type is defined for transformed data included in a +<dss:Base64Data> element within a <dss:TransformedData> +element in a <dss:SignRequest>.

+

application/cms-signed-attributes

+
+

This MIME type identifies that the data contained in the +<dss:Base64Data> element, is a DER encoded CMS signed attributes +structure [RFC 5652]. This data is useful when signing +a PDF document in cases where the whole PDF document is not included +in the request. The signature on a PDF document is generated by +signing the hash of a CMS signed attributes structure representing the +PDF document to be signed. These signed attributes include data that +a Signing Service may want to check before signing, such as the +claimed signing time.

+
+

+

2. Common Protocol Structures

+

The following sections describe XML structures and types that are used +in multiple places.

+

+

2.1. Type AnyType

+

The AnyType complex type allows arbitrary XML element content within +an element of this type (see section 3.2.1 Element Content +[XML]).

+
<xs:complexType name="AnyType">
+  <xs:sequence>
+    <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" />
+  </xs:sequence>
+</xs:complexType>

+

3. Federated Signing DSS Extensions

+

This section defines elements that extend the <dss:SignRequest> +and <dss:SignResponse> elements of the DSS Signing Protocol.

+

+

3.1. Element <SignRequestExtension>

+

The <SignRequestExtension> element allows a requesting service to +add essential sign request information to a DSS Sign request. When +present, this element MUST be included in the <dss:OptionalInputs> +element in a DSS Sign Request. This element's +SignRequestExtensionType complex type includes the following +attributes and elements:

+

Version [Optional] (Default 1.1)

+
+

The version of this specification supported by the sender. If absent, +the version value defaults to "1.1".

+
+
+

This attribute provides means for the receiving +service to determine the expected semantics of the request based on the +protocol version.

+
+
+

The receiving service MUST use the same version +in the resulting response, see section 3.2. +If the receiving service does not support the requested version, the service +MUST refuse to process the request and respond with an error message where +<dss:ResultMajor> is set to urn:oasis:names:tc:dss:1.0:resultmajor:RequesterError +and the <dss:ResultMinor> is set to urn:oasis:names:tc:dss:1.0:resultminor:NotSupported.

+
+

<RequestTime> [Required]

+
+

The time when this request was created.

+
+

<saml:Conditions> [Required]

+
+

This element MUST include the element <saml:AudienceRestriction> which in +turn MUST contain one <saml:Audience> element, specifying the return URL for +any resulting Sign Response message.

+
+

<Signer> [Optional]

+
+

The identity of the signer expressed as a sequence of SAML attributes +using the saml:AttributeStatementType complex type. If this +element is present, then the Signing Service MUST verify that the +authenticated identity of the signer is consistent with the attributes +in this element.

+
+

<IdentityProvider> [Required]

+
+

The SAML entityID of the Identity Provider that MUST be used to +authenticate the signer before signing. The entitID value is specified +using the saml:NameIDType complex type and MUST include a Format +attribute with the value +urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

+
+

<AuthnProfile> [Optional]

+
+

An opaque string that can be used to inform the Signing Service about specific +requirements regarding the user authentication at the given Identity Provider (see above). +This specification does not define any possible values or semantics for the element.

+
+
+

Note: If this element is set, the Version attribute of the SignRequestExtension element MUST be set to "1.4" or higher. Implementations prior to version 1.4 of this specification do not support the element.

+
+

<SignRequester> [Required]

+
+

The SAML entityID of the service that sends this request to the +Signing Service. The entityID value is specified using the +saml:NameIDType complex type and MUST include a Format attribute +with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

+
+

<SignService> [Required]

+
+

The SAML entityID of the service to which this Sign Request is sent. +The entityID value is specified using the saml:NameIDType complex +type and MUST include a Format attribute with the value +urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

+
+

<RequestedSignatureAlgorithm> [Optional]

+
+

An identifier of the signature algorithm the requesting service +prefers when generating the requested signature.

+
+

<SignMessage> [Optional]

+
+

Optional sign message with information to the signer about the +requested signature.

+
+

<CertRequestProperties> [Optional]

+
+

An optional set of requested properties of the signature certificate +that is generated as part of the signature process.

+
+

<OtherRequestInfo> [Optional]

+
+

Any additional inputs to the request extension.

+
+

The following schema fragment defines the <SignRequestExtension> +element and its SignRequestExtensionType complex type:

+
<xs:element name="SignRequestExtension" type="csig:SignRequestExtensionType" />
+
+<xs:complexType name="SignRequestExtensionType">
+  <xs:sequence>
+    <xs:element ref="csig:RequestTime" />
+    <xs:element ref="saml:Conditions" />
+    <xs:element ref="csig:Signer" minOccurs="0" />
+    <xs:element ref="csig:IdentityProvider" />
+    <xs:element ref="csig:AuthnProfile" minOccurs="0" />
+    <xs:element ref="csig:SignRequester" />
+    <xs:element ref="csig:SignService" />
+    <xs:element ref="csig:RequestedSignatureAlgorithm" minOccurs="0" />
+    <xs:element ref="csig:CertRequestProperties" minOccurs="0" />
+    <xs:element ref="csig:SignMessage" minOccurs="0" />
+    <xs:element ref="csig:OtherRequestInfo" minOccurs="0" />
+  </xs:sequence>
+  <xs:attribute name="Version" type="xs:string" use="optional" default="1.1" />
+</xs:complexType>

+

3.1.1. Type CertRequestPropertiesType

+

The CertRequestPropertiesType complex type is used to specify +requested properties of the signature certificate that is associated +with the generated signature.

+

The CertRequestPropertiesType complex type has the following +attributes and elements:

+

CertType [Default "PKC"]

+
+

An enumeration of certificate types, default "PKC". The supported +values are "PKC", "QC" and "QC/SSCD". "QC" means that the certificate +is requested to be a Qualified Certificate according to legal +definitions in national law governing the issuer. "QC/SSCD" means a +Qualified Certificate where the private key is declared to be residing +within a Secure Signature Creation Device according to national law. +"PKC" (Public Key Certificate) means a certificate that is not a +Qualified Certificate.

+
+

<saml:AuthnContextClassRef> [Optional]

+
+

URI(s) identifying the requested level of assurance that authentication +of the signature certificate subject MUST comply with in order to +complete signing and certificate issuance. A Signing Service MUST NOT +issue signature certificates and generate the requested signature +unless the authentication process used to authenticate the requested +signer meets one of the requested level of assurance URI:s expressed +in this element.

+

If this element is absent, the locally configured policy of +the Signing Service is assumed. This can either mean that the Signing Service +includes one or more locally configured URI:s in the saml:RequestedAuthnContext element +of the saml:AuthnRequest issued to authenticate the user, or that no +saml:RequestedAuthnContext element is included in the saml:AuthnRequest. +In the latter case the Signature Service puts no requirements on the +required level of assurance.

+
+
+

Note: If more than one URI is given, the Version attribute of the SignRequestExtension element MUST be set to "1.4" or higher. Implementations prior to version 1.4 of this specification assume that this element may only contain one URI.

+
+

<RequestedCertAttributes> [Optional]

+
+

Element holding a SAML entity ID of an Attribute Authority that MAY be +used to obtain an attribute value for the requested attribute. The +entityID value is specified using the saml:NameIDType complex type +and MUST include a Format attribute with the value +urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

+
+

<OtherProperties> [Optional]

+
+

Other requested properties of the signature certificate.

+
+

The following schema fragment defines the CertRequestPropertiesType +complex type:

+
<xs:complexType name="CertRequestPropertiesType">
+  <xs:sequence>
+    <xs:element ref="saml:AuthnContextClassRef" minOccurs="0" maxOccurs="unbounded" />
+    <xs:element ref="csig:RequestedCertAttributes" minOccurs="0" />
+    <xs:element ref="csig:OtherProperties" minOccurs="0" />
+  </xs:sequence>
+  <xs:attribute default="PKC" name="CertType">
+    <xs:simpleType>
+      <xs:restriction base="xs:string">
+        <xs:enumeration value="PKC"/>
+        <xs:enumeration value="QC"/>
+        <xs:enumeration value="QC/SSCD"/>
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:attribute>
+</xs:complexType>
+
+<xs:element name="RequestedCertAttributes" type="csig:RequestedAttributesType" />
+<xs:element name="OtherProperties" type="csig:AnyType" />

+
3.1.1.1. Type RequestedAttributesType
+

The RequestedAttributesType complex type is used to represent +requests for subject attributes in a signer certificate that is +associated with the signer of the generated signature as a result of the +sign request. This protocol is designed to accommodate the scenario +where the Signing Service generates the signer key and the signer +certificate at the time of signing and where the Signing Service +collects the user's attributes from a SAML assertion. However, this +element can also be used as a requirement for attributes in existing +certificates, where the Signing Service can determine if the existing +signing certificate matches the requirements of the requesting service.

+

The RequestedAttributesType has the following element:

+

<RequestedCertAttribute> [One or More]

+
+

Information of type MappedAttributeType about a requested +certificate attribute.

+
+

The following schema fragment defines the RequestedAttributesType +complex type:

+
<xs:complexType name="RequestedAttributesType">
+  <xs:sequence>
+    <xs:element name="RequestedCertAttribute" type="csig:MappedAttributeType" 
+      maxOccurs="unbounded" minOccurs="1" />
+  </xs:sequence>
+</xs:complexType>

The MappedAttributeType complex type has the following elements and +attributes:

+

CertAttributeRef [Optional]

+
+

A reference to the certificate attribute or name type where the +requester wants to store this attribute value. The information in this +attribute depends on the selected CertNameType attribute value. If the +CertNameType is "rdn" or "sda", then this attribute MUST +contain a string representation of an object identifier (OID). If the +CertNameType is "san" (Subject Alternative Name) and the target +name is a GeneralName, then this attribute MUST hold a string +representation of the tag value of the target GeneralName type, e.g. +"1" for rfc822Name (e-mail) or "2" for dNSName. If the CertNameType is +"san" and the target name form is an OtherName, then this +attribute value MUST include a string representation of the object +identifier of the target OtherName form.

+

Representation of an OID as a string in this attribute MUST consist of +a sequence of integers delimited by a dot. This string MUST not +contain white space or line breaks. Example: "2.5.4.32".

+
+

CertNameType [Optional]

+
+

An enumeration of the target name form for storing the associated SAML +attribute value in the certificate. The available values are "rdn" for +storing the attribute value as an attribute in a Relative +Distinguished Name in the subject field of the certificate, "san" for +storing the attribute value in a subject alternative name extension +and "sda" for storing the attribute value in a subject directory +attribute extension. The default value for this attribute is "rdn".

+
+

FriendlyName [Optional]

+
+

An optional friendly name of the subject attribute, e.g. "givenName". +Note that this name does not need to map to any particular naming +convention and its value MUST NOT be used by the Signing Service for +attribute type mapping. This name is present for display purposes +only.

+
+

DefaultValue [Optional]

+
+

An optional default value for the requested attribute. This value MAY +be used by the Signing Service if no authoritative value for the +attribute can be obtained when the Signing Service authenticates the +user. This value MUST NOT be used by the Signing Service unless this +value is consistent with a defined policy at the Signing Service. A +typical valid use of this attribute is to hold a default countryName +attribute value that matches a set of allowed countryName values. By +accepting the default attribute value provided in this attribute, the +Signing Service accept the requesting service as an authoritative +source for this particular requested attribute.

+
+

Required [Optional] (Default false)

+
+

If this attribute is set to true, the Signing Service MUST ensure that +the signing certificate contains a subject attribute of the requested +type, or else the Signing Service MUST NOT generate the requested +signature.

+
+

<AttributeAuthority> [Zero or More]

+
+

Element holding an entityID of an Attribute Authority that MAY be +used to obtain an attribute value for the requested attribute. The +entityID value is specified using the saml:NameIDType complex type +and MUST include a Format attribute with the value +urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

+
+

<SamlAttributeName> [Zero or More]

+
+

Element of type PreferredSAMLAttributeNameType complex type +holding a name of a SAML subject attribute that is allowed to provide +the content value for the requested certificate attribute.

+
+

The following schema fragment defines the MappedAttributeType +complex type:

+
<xs:complexType name="MappedAttributeType">
+  <xs:sequence>
+    <xs:element name="AttributeAuthority" type="saml:NameIDType"
+      maxOccurs="unbounded" minOccurs="0" />
+    <xs:element name="SamlAttributeName" type="csig:PreferredSAMLAttributeNameType"
+      maxOccurs="unbounded" minOccurs="0" />
+  </xs:sequence>
+  <xs:attribute name="CertAttributeRef" type="xs:string" use="optional" />
+  <xs:attribute name="CertNameType" default="rdn" use="optional">
+    <xs:simpleType>
+      <xs:restriction base="xs:string">
+        <xs:enumeration value="rdn"/>
+        <xs:enumeration value="san"/>
+        <xs:enumeration value="sda"/>
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:attribute>
+  <xs:attribute name="FriendlyName" type="xs:string" />
+  <xs:attribute name="DefaultValue" type="xs:string" />
+  <xs:attribute name="Required" type="xs:boolean" default="false" />
+</xs:complexType>

The PreferredSAMLAttributeNameType complex type holds a string value +of a SAML attribute name. This attribute name SHALL be mapped against +attribute names in <saml:Attribute> elements representing the +subject in a SAML assertion that is used to authenticate the signer.

+

The PreferredSAMLAttributeNameType complex type has the following +attribute:

+

Order [Optional]

+
+

An integer specifying the order of preference of this SAML attribute. +If more than one SAML attribute is listed, the SAML attribute with the +lowest Order integer value that is present as a subject attribute in +the SAML assertion, SHALL be used. SAML attributes with an absent +Order attribute SHALL be treated as having an order value of 0. +Multiple SAML attributes with an identical Order attribute values +SHALL be treated as having equal priority.

+
+

The following schema fragment defines the +PreferredSAMLAttributeNameType complex type:

+
<xs:complexType name="PreferredSAMLAttributeNameType">
+  <xs:simpleContent>
+    <xs:extension base="xs:string">
+      <xs:attribute name="Order" type="xs:int" default="0" />
+    </xs:extension>
+  </xs:simpleContent>
+</xs:complexType>

+

3.1.2. Element <SignMessage>

+

The <SignMessage> element holds a message to the signer with +information about what is being signed. The sign message is provided +either in plain text using the <Message> child element or as an +encrypted message using the <EncryptedMessage> child element. This +element's SignMessageType complex type includes the following +attributes and elements:

+

MustShow [Optional] (Default false)

+
+

When this attribute is set to true then the requested signature MUST +NOT be created unless this message has been displayed and accepted by +the signer. The default is false.

+
+

DisplayEntity [Optional]

+
+

The entityID of the entity responsible for displaying the sign message +to the signer. When the sign message is encrypted, then this entity is +also the holder of the private decryption key necessary to decrypt the +sign message.

+
+

MimeType [Optional] (Default text)

+
+

The MIME type defining the message format. This is an enumeration of +the valid attribute values text (plain text), text/html (html) or +text/markdown (markdown). This specification does not specify any +particular restrictions on the provided message, but it is RECOMMENDED +that sign message content is restricted to a limited set of valid tags +and attributes, and that the display entity performs filtering to +enforce these restrictions before displaying the message. The means +through which parties agree on such restrictions are outside the scope +of this specification, but one valid option to communicate such +restrictions could be through federation metadata.

+
+

<Message> [Choice]

+
+

The base64 encoded sign message in unencrypted form. The message MUST +be encoded using UTF-8.

+
+

<EncryptedMessage> [Choice]

+
+

An encrypted <Message> element.

+
+
+

Either a <Message> or an <EncryptedMessage> element MUST be present.

+
+

The following schema fragment defines the <SignMessage> element +and the SignMessageType complex type:

+
<xs:complexType name="SignMessageType">
+  <xs:choice>
+    <xs:element ref="csig:Message" />
+    <xs:element ref="csig:EncryptedMessage" />
+  </xs:choice>
+  <xs:attribute name="MustShow" type="xs:boolean" default="false" />
+  <xs:attribute name="DisplayEntity" type="xs:anyURI" />
+  <xs:attribute name="MimeType" default="text">
+    <xs:simpleType>
+      <xs:restriction base="xs:string">
+        <xs:enumeration value="text/html" />
+        <xs:enumeration value="text" />
+        <xs:enumeration value="text/markdown" />
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:attribute>
+  <xs:anyAttribute namespace="##other" processContents="lax" />
+</xs:complexType>
+
+
+<xs:element name="Message" type="xs:base64Binary"/>
+<xs:element name="EncryptedMessage" type="saml:EncryptedElementType"/>

+

3.2. Element <SignResponseExtension>

+

The <SignResponseExtension> element is an extension that +allows a requesting service to add essential sign response information +to the sign response. When present, this element MUST be included in the +<dss:OptionalOutputs> element in a <dss:SignResponse> +element.

+

This element's SignResponseExtensionType complex type includes the +following attributes and elements:

+

Version [Optional] (Default 1.1)

+
+

The version of this specification under which the response message was produced. +If absent, the version value +defaults to "1.1". This attribute provides means for the receiving +service to determine the expected semantics of the response based on the +protocol version.

+
+
+

Note: The sender MUST use the same version number as received in the Version +attribute of the SignRequestExtension (see section 3.1).

+
+

<ResponseTime> [Required]

+
+

The time when the sign response was created.

+
+

<Request> [Optional]

+
+

A base64 encoded signed <dss:SignRequest> element that contains +the request related to this sign response. This element MAY be +present if signing was successful.

+
+

<SignerAssertionInfo> [Optional]

+
+

An element of type SignerAssertionInfoType holding information +about how the signer was authenticated by the sign service as well as +information about subject attribute values present in the SAML +assertion authenticating the signer, which was incorporated into the +signer certificate. This element MUST be present if signing was +successful.

+
+

<SignatureCertificateChain> [Optional]

+
+

An element of type CertificateChainType holding the signer +certificate as well as other certificates that may be used to validate +the signature. This element MUST be present if signing was successful +and MUST contain all certificates that are necessary to compile a +complete and functional signed document. Certificates in +<SignatureCertificateChain> MUST be provided in sequence with +the signature certificate first followed by any CA certificates that +can be used to verify the previous certificate in the sequence, ending +with a self-signed root certificate.

+
+

<OtherResponseInfo> [Optional]

+
+

Optional sign response elements of type AnyType.

+
+

The following schema fragment defines the <SignResponseExtension> +element and the SignResponseExtensionType complex type:

+
<xs:element name="SignResponseExtension" type="csig:SignResponseExtensionType" />
+
+<xs:complexType name="SignResponseExtensionType">
+  <xs:sequence>
+    <xs:element ref="csig:ResponseTime" />
+    <xs:element ref="csig:Request" minOccurs="0" />
+    <xs:element ref="csig:SignerAssertionInfo" minOccurs="0" maxOccurs="1" />
+    <xs:element ref="csig:SignatureCertificateChain" minOccurs="0" />
+    <xs:element ref="csig:OtherResponseInfo" minOccurs="0" />
+  </xs:sequence>
+  <xs:attribute name="Version" type="xs:string" default="1.1" />
+</xs:complexType>
+
+<xs:element name="ResponseTime" type="xs:dateTime" />
+<xs:element name="Request" type="xs:base64Binary" />
+<xs:element name="SignerAssertionInfo" type="csig:SignerAssertionInfoType" />
+<xs:element name="SignatureCertificateChain" type="csig:CertificateChainType" />
+<xs:element name="OtherResponseInfo" type="csig:AnyType" />

+

3.2.1. Type SignerAssertionInfoType

+

The SignerAssertionInfoType complex type has the following elements:

+

<ContextInfo> [Required]

+
+

This element of type ContextInfoType holds information about SAML +authentication context related to signer authentication through a SAML +assertion.

+
+

<saml:AttributeStatement> [Required]

+
+

This element of type saml:AttributeStatementType (see +[SAML2.0]) holds subject attributes obtained from the +SAML assertion used to authenticate the signer at the Signing Service. +For integrity reasons, this element SHOULD only provide information +about SAML attribute values that maps to subject identity information +in the signer's certificate.

+
+

<SamlAssertions> [Zero or More]

+
+

Any number of relevant SAML assertions that was relevant for +authenticating the signer and signer's identity attributes at the +Signing Service.

+
+

The following schema fragment defines the SignerAssertionInfoType +complex type:

+
<xs:complexType name="SignerAssertionInfoType">
+  <xs:sequence>
+    <xs:element ref="csig:ContextInfo" />
+    <xs:element ref="saml:AttributeStatement" />
+    <xs:element ref="csig:SamlAssertions" minOccurs="0" />
+  </xs:sequence>
+</xs:complexType>
+
+<xs:element name="ContextInfo" type="csig:ContextInfoType" />
+<xs:element name="SamlAssertions" type="csig:SAMLAssertionsType" />

+
3.2.1.1. Type ContextInfoType
+

The ContextInfoType complex type has the following elements:

+

<IdentityProvider>[Required]

+
+

The entityID of the Identity Provider that authenticated the signer to +the Signing Service.

+
+

<AuthenticationInstant> [Required]

+
+

The time when the Signing Service authenticated the signer.

+
+

<saml:AuthnContextClassRef> [Required]

+
+

A URI reference to the authentication context class (see +[SAML2.0]).

+
+

<ServiceID> [Optional]

+
+

An arbitrary identifier of the instance of the Signing Service that +authenticated the signer.

+
+

<AuthType> [Optional]

+
+

An arbitrary identifier of the service used by the Signing Service to +authenticate the signer (e.g. "shibboleth".)

+
+

<AssertionRef> [Optional]

+
+

A reference to the assertion used to identify the signer. This MAY be +the ID attribute of a <saml:Assertion> element but MAY also be +any other reference that can be used to locate and identify the +assertion.

+
+
<xs:complexType name="ContextInfoType">
+  <xs:sequence minOccurs="0" maxOccurs="1">
+    <xs:element name="IdentityProvider" type="saml:NameIDType" />
+    <xs:element name="AuthenticationInstant" type="xs:dateTime" />
+    <xs:element ref="saml:AuthnContextClassRef" />
+    <xs:element name="ServiceID" type="xs:string" minOccurs="0" />
+    <xs:element name="AuthType" type="xs:string" minOccurs="0" />
+    <xs:element name="AssertionRef" type="xs:string" minOccurs="0" />
+  </xs:sequence>
+</xs:complexType>

+
3.2.1.2. Type SAMLAssertionsType
+

The SAMLAssertionsType is used to store the bytes of an arbitrary +number of SAML assertions (see [SAML2.0]). This complex +type has the following elements:

+

<Assertion>[One or More]

+
+

One or more SAML assertions represented by the bytes of each +assertion. Assertions are stored as byte data to ensure that the +signature on each assertion can be validated. Assertions stored in +this element MUST retain its original canonical format so that any +signature on the assertion can be validated.

+
+
<xs:complexType name="SAMLAssertionsType">
+  <xs:sequence>
+    <xs:element name="Assertion" type="xs:base64Binary" maxOccurs="unbounded" />
+  </xs:sequence>
+</xs:complexType>

+

3.2.2. Type CertificateChainType

+

This complex type can be used to hold a sequence of X.509 certificates. +Certificates MUST be provided in sequence with the end-entity +certificate first in the sequence followed by any CA certificates that +can be used to verify the previous certificate in the sequence, ending +with a self-signed root certificate.

+

The CertificateChainType complex type has the following elements:

+

<X509Certificate> [One or More]

+
+

An X.509 certificate [RFC 5280] that is part of a +certificate chain that can be used to verify the generated signature. +The certificate SHALL be represented as a base64Binary of the DER +encoded certificate.

+
+

The following schema fragment defines the CertificateChainType +complex type:

+
<xs:complexType name="CertificateChainType">
+  <xs:sequence>
+    <xs:element name="X509Certificate" type="xs:base64Binary" maxOccurs="unbounded" />
+  </xs:sequence>
+</xs:complexType>

+

4. Extensions to <dss:InputDocuments> and <dss:SignatureObject>

+

This section defines elements that extends the +<dss:InputDocuments> element of DSS sign requests and the +<dss:SignatureObject> element of DSS sign responses by inclusion +in their respective <dss:Other> element.

+

+

4.1. Element <SignTasks>

+

The <SignTasks> element, when present, MUST appear either in the +<dss:Other> element of the <dss:InputDocuments> element of a +sign request or in the <dss:Other> element of the +<dss:SignatureObject> element of a sign response.

+

This element holds information about sign tasks that are requested in a +sign request and returned in a sign response. If information about a +sign task is provided using this element in a sign request, then the +corresponding signature result data MUST also be provided using this +element in the sign response.

+

This element's SignTasksType complex type includes the following +attributes and elements:

+

<SignTaskData> [One or More]

+
+

Input and output data associated with a sign task. A request MAY +contain several instances of this element. When multiple instances of +this element are present in the request, this means that the Signing +Service is requested to generate multiple signatures (one for each +<SignTaskData> element) using the same signing key and signature +certificate. This allows batch signing of several different documents +in the same signing instance or creation of multiple signatures on the +same document such as signing XML content of a PDF document with an +XML signature, while signing the rest of the document with a PDF +signature.

+
+

The following schema fragment defines the <SignTasks> element and +its SignTasksType complex type:

+
<xs:element name="SignTasks" type="csig:SignTasksType" />
+
+<xs:complexType name="SignTasksType">
+  <xs:sequence>
+    <xs:element ref="csig:SignTaskData" maxOccurs="unbounded" />
+  </xs:sequence>
+</xs:complexType>
+
+<xs:element name="SignTaskData" type="csig:SignTaskDataType" />

+

4.1.1. Element <SignTaskData>

+

When present in a sign request, this element provides input data to a +signature generation process. When present in a sign response, this +element provides the corresponding signature result data. When a request +provides input data using this type of element, then an element of this +type MUST also be used to return the corresponding signature result +data.

+

This element's SignTaskDataType complex type includes the following +attributes and elements:

+

SignTaskId [Optional]

+
+

An identifier of the signature task that is represented by this +element. If the request contains multiple instances of +<SignTaskData> representing separate sign tasks, then each +instance of the element MUST have a SignatureId attribute value that +is unique among all sign tasks in the sign request. When this +attribute is present, the same attribute value MUST be returned in the +corresponding <SignTaskData> element in the response that holds +corresponding signature result data.

+
+

SigType [Required]

+
+

Enumerated identifier of the type of signature format the +canonicalized signed information octets in the <ToBeSignedBytes> +element are associated with. This MUST be one of the enumerated values +"XML", "PDF", "CMS" of "ASiC".

+
+

AdESType [Optional]

+
+

Specifies the type of AdES signature. BES means that the signing +certificate hash must be covered by the signature. EPES means that the +signing certificate hash and a signature policy identifier must be +covered by the signature.

+
+

ProcessingRules [Optional]

+
+

A URI identifying one or more processing rules that the Signing +Service MUST apply when processing and using the provided signed +information octets. The Signing Service MUST NOT process and complete +the signature request if this attribute contains a URI that is not +recognized by the Signing Service. When this attribute is present in +the sign response, it represents a statement by the Signing Service +that the identified processing rule was successfully executed.

+
+

<ToBeSignedBytes> [Required]

+
+

The bytes to be hashed and signed when generating the requested +signature. For an XML signature this MUST be the canonicalized octets +of a <dss:SignedInfo> element. For a PDF signature this MUST be +the octets of the DER encoded SignedAttrs value (signed attributes). +If this data was altered by the signature process, for example as a +result of changing a signing time attribute in PDF SignedAttrs, or as +a result of adding a reference to a hash of the signature certificate +in an XAdES signature, the altered data MUST be returned in the sign +response using this element.

+
+

<AdESObject> [Optional]

+
+

An element of type AdESObjectType complex type holding data to +support generation of a signature according to any of the ETSI +Advanced Electronic Signature (AdES) standard formats.

+
+

<Base64Signature> [Optional]

+
+

The output signature value of the signature creation process +associated with this sign task. This element's optional Type +attribute, if present, SHALL contain a URI indicating the signature +algorithm that was used to generate the signature value.

+
+

<OtherSignTaskData> [Optional]

+
+

Other input or output data elements associated with the sign task.

+
+

The following schema fragment defines the <SignTaskData> element +and its SignTaskDataType complex type:

+
<xs:element name="SignTaskData" type="csig:SignTaskDataType" />
+
+<xs:complexType name="SignTaskDataType">
+  <xs:sequence>
+    <xs:element ref="csig:ToBeSignedBytes" />
+    <xs:element ref="csig:AdESObject" minOccurs="0" maxOccurs="1" />
+    <xs:element ref="csig:Base64Signature" minOccurs="0" />
+    <xs:element ref="csig:OtherSignTaskData" minOccurs="0" />
+  </xs:sequence>
+  <xs:attribute name="SignTaskId" type="xs:string" />
+  <xs:attribute name="SigType" use="required">
+    <xs:simpleType>
+      <xs:restriction base="xs:string">
+        <xs:enumeration value="XML" />
+        <xs:enumeration value="PDF" />
+        <xs:enumeration value="CMS" />
+        <xs:enumeration value="ASiC" />
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:attribute>
+  <xs:attribute name="AdESType" default="None">
+    <xs:simpleType>
+      <xs:restriction base="xs:string">
+        <xs:enumeration value="None" />
+        <xs:enumeration value="BES" />
+        <xs:enumeration value="EPES" />
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:attribute>
+  <xs:attribute name="ProcessingRules" type="xs:anyURI" use="optional" />
+</xs:complexType>
+
+<xs:element name="ToBeSignedBytes" type="xs:base64Binary" />
+<xs:element name="AdESObject" type="csig:AdESObjectType" />
+<xs:element name="Base64Signature" type="csig:Base64SignatureType" />
+<xs:element name="OtherSignTaskData" type="csig:AnyType" />

+
4.1.1.1. Type AdESObjectType
+

The AdESObjectType complex type holds a base64 encoded object that +is referenced from the signature and which content has to be modified as +part of the certificate and signature generation process. Handling of +this data as in the signature generation process MAY be affected by +rules identifyed by the ProcessingRules, SigType and AdESType attributes +of the parent <SignatureInputObjects> elements.

+

This complex type has the following elements:

+

<SignatureId> [Optional]

+
+

An optional identifier of the signature. When the requested signature +is a XAdES signature, this is the value of the Id attribute of the +<ds:Signature> element of the resulting signature, which is used +to construct the Target attribute of the +<xades:QualifyingProperties> element.

+
+

<AdESObjectBytes> [Optional]

+
+

A base64 encoded object that is referenced from the signature and +which content has to be modified as part of the certificate and +signature generation process. The type of data in the base64 encoded +bytes and the rules of handling of this data as in the signature +generation process is determined through the ProcessingRules, SigType +and AdESType attributes of the parent <SignatureInputObjects> +elements. When the signature type is XAdES, then this is the bytes of +the <ds:Object> element that holds the +<xades:QualifyingProperties> element of the signature where the +hash of the signature certificate will be placed.

+

When this element is present in the request, it forms a base for +construction of this object in the signature process.

+
+

<OtherAdESData> [Optional]

+
+

Other input data related to the AdES signature generation process.

+
+

The following schema fragment defines the AdESObjectType complex +type

+
<xs:complexType name="AdESObjectType">
+  <xs:sequence>
+    <xs:element name="SignatureId" type="xs:string" minOccurs="0" />
+    <xs:element name="AdESObjectBytes" type="xs:base64Binary" minOccurs="0" />
+    <xs:element name="OtherAdESData" type="csig:AnyType" minOccurs="0" />
+  </xs:sequence>
+</xs:complexType>

+

5. Signing Sign Requests and Responses

+

This specification supports a scenario where a requesting service +requests the signer to sign some data and where the same requesting +service receives the signature from the Signing Service. In this +scenario the requesting service acts as the presenter of information to +be signed to the signer. Implementers of this specification MUST sign +requests and responses for signature creation to protect against +spoofing and substitution attacks. If a hash of the document to be +signed is replaced in a sign request, the signer may end up signing +something completely different from what the requesting service +presented to the signer.

+

When a <dss:SignRequest> is signed, the signature of that request +MUST be placed as the last child element in the +<dss:OptionalInputs> element. The Signing Service MUST check this +signature and MUST check that the signature covers all data in the +<dss:SignRequest> element (except for the signature itself).

+

When a <dss:SignResponse> is signed, the signature of that +response MUST be placed as the last child element in the +<dss:OptionalOutputs> element. The Signing Service MUST check this +signature and MUST check that the signature covers all data in the +<dss:SignResponse> element (except for the signature itself)

+

+

6. Normative References

+

+[Csig-XSD]

+
+

This specification's DSS Extensions schema Version 1.1.3, https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.3.xsd, November 2024.

+
+

+[OASIS-DSS]

+
+

Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0, OASIS, 11 April 2007.

+
+

+[RFC 2119]

+
+

RFC 2119: Key words for use in RFCs to Indicate Requirement Levels.

+
+

+[RFC 3986]

+
+

RFC 3986: Uniform Resource Identifier (URI): Generic Syntax.

+
+

+[RFC 5652]

+
+

RFC 5652: Cryptographic Message Syntax (CMS).

+
+

+[RFC 5280]

+
+

RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

+
+

+[SAML2.0]

+
+

Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.

+
+

+[Schema1]

+
+

XML Schema Part 1: Structures. W3C Recommendation 28 October 2004.

+
+

+[Schema2]

+
+

XML Schema Part 2: Datatypes. W3C Recommendation 28 October 2004.

+
+

+[XAdES]

+
+

XAdES digital signatures; Part 1: Building blocks and XAdES baseline signatures.

+
+

+[XML]

+
+

Extensible Markup Language (XML) 1.0 (Fifth Edition). W3C +Recommendation 26 November 2008.

+
+

+[XML-ns]

+
+

Namespaces in XML. W3C Recommendation, January 1999.

+
+

+[XMLDSIG]

+
+

XML-Signature Syntax and Processing. W3C Recommendation, February 2002.

+
+

+

7. Changes between versions

+

Changes between version 1.4 and 1.5:

+
    +

  • The [Csig-XSD] schema was updated to version 1.1.3.

    +
    • +

  • In section 3.1, "Element SignRequestExtension", the requirements for NotBefore and NotOnOrAfter to be present under the <saml:Conditions> element was removed. The reason for this is that it will always be the SignService itself that determines whether a message has expired or not.

    +
    • +

  • Links in the appendix pointed to a draft version of the schema. This was fixed.

    +
    • +
+

Changes between version 1.3 and 1.4:

+
    +

  • In section 3.2, "Element SignResponseExtension", the requirement for the Request element was changed so that it is optional to include even if the signature was successful.

    +
    • +

  • Section 3.1, "Element SignRequestExtension", was updated with the element AuthnProfile.

    +
    • +

  • Section 3.1 and 3.2 was updated to clarify the use of the Version attribute in the SignRequestExtension and SignResponseExtension elements.

    +
    • +

  • Section 3.1.1, "Type CertRequestPropertiesType", was updated so that more than one <saml:AuthnContextClassRef> element can be included. The schema was also updated (to version 1.1.2 but keeping the same namespace identifier).

    +
    • +
+

Changes between version 1.2 and 1.3:

+
    +
  • No functional changes. The document has been re-branded with the Sweden Connect- and DIGG logotypes and the document format has been changed from OASIS-style to the style used by all other specifications within the Swedish eID Framework. Some typos were also fixed.
    • +
+

Changes between version 1.1 and 1.2:

+
    +
  • Incorrect versions and references were corrected.
    • +
+

Changes between version 1.0 and 1.1:

+
    +
  • Version 1.1 of the XML Schema for DSS extensions was introduced.
    • +
+

+

Appendix A: XML Schema

+

This appendix provides the full XML Schema declaration for the DSS +protocol extension defined in this document. In case of differences +between the XML Schema in this appendix and XML Schema fragments in the +sections above, the XML Schema in this appendix is the normative one.

+

The schema can also be downloaded from https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.2.xsd.

+
<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+    version="1.1.3"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    targetNamespace="http://id.elegnamnden.se/csig/1.1/dss-ext/ns"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
+    xmlns:csig="http://id.elegnamnden.se/csig/1.1/dss-ext/ns">
+
+  <xs:annotation>
+    <xs:documentation>
+      Version: 1.1.3
+      Schema location URL: https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.3.xsd
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+      schemaLocation="https://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>
+
+  <xs:element name="SignRequestExtension" type="csig:SignRequestExtensionType">
+    <xs:annotation>
+      <xs:documentation>
+        Extension to an OASIS DSS SignRequest, providing additional 
+        information about a sign request. This element extends the 
+        dss:OptionalInputs element of a dss:SignRequest.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SignResponseExtension" type="csig:SignResponseExtensionType">
+    <xs:annotation>
+      <xs:documentation>
+        Extension to an OASIS DSS SignResponse, providing additional information 
+        about a sign response. This element extends the dss:OptionalOutput element 
+        of a dss:SignResponse.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SignTasks" type="csig:SignTasksType" />
+
+  <xs:element name="SignTaskData" type="csig:SignTaskDataType" />
+    
+  <xs:element name="RequestTime" type="xs:dateTime">
+    <xs:annotation>
+      <xs:documentation>
+        Time when the request was created.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Signer" type="saml:AttributeStatementType">
+    <xs:annotation>
+      <xs:documentation>
+        The identity of the signer expressed as a sequence of SAML attributes 
+        using the AttributesType complex type.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="IdentityProvider" type="saml:NameIDType">
+    <xs:annotation>
+      <xs:documentation>
+        The SAML entityID of the Identity Provider that MUST be used to 
+        authenticate the signer before signing. The EntitID value is specified 
+        using the saml:NameIDType complex type and MUST include a Format 
+        attribute with the value urn:oasis:names:tc:SAML:2.0:nameid-format:entity.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="AuthnProfile" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>
+        An opaque string that can be used to inform the Signing Service about 
+        specific requirements regarding the user authentication at the given 
+        Identity Provider.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SignRequester" type="saml:NameIDType">
+    <xs:annotation>
+      <xs:documentation>
+        The SAML entityID of the service that sends this request to the signing service. 
+        The entityID value is specified using the saml:NameIDType complex type and MUST 
+        include a Format attribute with the value 
+        urn:oasis:names:tc:SAML:2.0:nameid-format:entity.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SignService" type="saml:NameIDType">
+    <xs:annotation>
+      <xs:documentation>
+        The SAML entityID of the service to which this Sign Request is sent. 
+        The entityID value is specified using the saml:NameIDType complex type 
+        and MUST include a Format attribute with the value 
+        urn:oasis:names:tc:SAML:2.0:nameid-format:entity.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="RequestedSignatureAlgorithm" type="xs:anyURI">
+    <xs:annotation>
+      <xs:documentation>
+        An identifier of the signature algorithm the requesting service prefers 
+        when generating the requested signature.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="CertRequestProperties" type="csig:CertRequestPropertiesType">
+    <xs:annotation>
+      <xs:documentation>
+        The requested properties of the signature certificate being issued by the 
+        signature service.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="RequestedCertAttributes" type="csig:RequestedAttributesType">
+    <xs:annotation>
+      <xs:documentation>
+        An optional set of requested attributes that the requesting service prefers 
+        or requires in the subject name of the generated signing certificate.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="OtherProperties" type="csig:AnyType" />
+
+  <xs:element name="SignMessage" type="csig:SignMessageType">
+    <xs:annotation>
+      <xs:documentation>
+        Sign message included as a choice of a Base64 encoded string or 
+        an encrypted sign message.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Message" type="xs:base64Binary" />
+  
+  <xs:element name="EncryptedMessage" type="saml:EncryptedElementType" />
+
+  <xs:element name="OtherRequestInfo" type="csig:AnyType">
+    <xs:annotation>
+      <xs:documentation>
+        Any additional inputs to the request extension.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="ResponseTime" type="xs:dateTime">
+    <xs:annotation>
+      <xs:documentation>
+        The time when the sign response was created.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Request" type="xs:base64Binary">
+    <xs:annotation>
+      <xs:documentation>
+        An element of type EncodedRequestType with base64Binary base type, holding 
+        a representation of a complete and signed dss:SignRequest element that is 
+        related to this sign response. This element MUST be present if signing was 
+        successful.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="SignerAssertionInfo" type="csig:SignerAssertionInfoType">
+    <xs:annotation>
+      <xs:documentation>
+        An element of type SignerAssertionInfoType holding information about how 
+        the signer was authenticated by the sign service as well as information 
+        about subject attribute values present in the SAML assertion authenticating 
+        the signer, which was incorporated into the signer certificate. This element 
+        MUST be present if signing was successful.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="ContextInfo" type="csig:ContextInfoType" />
+
+  <xs:element name="SamlAssertions" type="csig:SAMLAssertionsType" />
+
+  <xs:element name="SignatureCertificateChain" type="csig:CertificateChainType">
+    <xs:annotation>
+      <xs:documentation>
+        An element of type CertificateChainType holding the signer certificate as 
+        well as other certificates that may be used to validate the signature. This 
+        element MUST be present if signing was successful and MUST contain all 
+        certificate that are necessary to compile a complete and functional signed 
+        document.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="OtherResponseInfo" type="csig:AnyType">
+    <xs:annotation>
+      <xs:documentation>
+        Optional sign response elements of type AnyType.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="ToBeSignedBytes" type="xs:base64Binary">
+    <xs:annotation>
+      <xs:documentation>
+        The octets that are hashed and signed when generating the signture. For 
+        PDF and common modes of CMS this is the DER encoded SignedAttributess field. 
+        For XML this is the canonicalized SignedInfo octets.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  
+  <xs:element name="AdESObject" type="csig:AdESObjectType">
+    <xs:annotation>
+      <xs:documentation>
+        Information in support of AdES signature creation.
+      </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="Base64Signature" type="csig:Base64SignatureType">
+    <xs:annotation>
+      <xs:documentation>Result signature bytes</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+
+  <xs:element name="OtherSignTaskData" type="csig:AnyType" />
+
+  <xs:complexType name="SignRequestExtensionType">
+    <xs:sequence>
+      <xs:element ref="csig:RequestTime"/>
+      <xs:element ref="saml:Conditions">
+        <xs:annotation>
+          <xs:documentation>
+            This element MUST include the element saml:AudienceRestriction which in
+            turn MUST contain one saml:Audience element, specifying the return URL for
+            any resulting Sign Response message.
+          </xs:documentation>
+        </xs:annotation>
+      </xs:element>
+      <xs:element ref="csig:Signer" minOccurs="0" />
+      <xs:element ref="csig:IdentityProvider" />
+      <xs:element ref="csig:AuthnProfile" minOccurs="0">
+        <xs:annotation>
+          <xs:documentation>
+            If set, the Version attribute MUST be 1.4 or higher.
+          </xs:documentation>
+        </xs:annotation>
+      </xs:element>
+      <xs:element ref="csig:SignRequester" />
+      <xs:element ref="csig:SignService" />
+      <xs:element ref="csig:RequestedSignatureAlgorithm" minOccurs="0" />
+      <xs:element ref="csig:CertRequestProperties" minOccurs="0" />
+      <xs:element ref="csig:SignMessage" minOccurs="0" maxOccurs="1" />
+      <xs:element ref="csig:OtherRequestInfo" minOccurs="0" />
+    </xs:sequence>
+    <xs:attribute name="Version" type="xs:string" use="optional" default="1.1">
+      <xs:annotation>
+        <xs:documentation>
+          The version of the DSS specification. If absent, the version value defaults to "1.1".
+        </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:complexType>
+  
+  <xs:complexType name="SignResponseExtensionType">
+    <xs:sequence>
+      <xs:element ref="csig:ResponseTime"/>
+      <xs:element ref="csig:Request" minOccurs="0" />
+      <xs:element ref="csig:SignerAssertionInfo" minOccurs="0" maxOccurs="1" />
+      <xs:element ref="csig:SignatureCertificateChain" minOccurs="0" />
+      <xs:element ref="csig:OtherResponseInfo" minOccurs="0" />
+    </xs:sequence>
+    <xs:attribute name="Version" type="xs:string" default="1.1">
+      <xs:annotation>
+        <xs:documentation>
+          The version of the DSS specification. If absent, the version value defaults to "1.1".
+        </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:complexType>
+
+  <xs:complexType name="CertificateChainType">
+    <xs:sequence>
+      <xs:element name="X509Certificate" type="xs:base64Binary" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="MappedAttributeType">
+    <xs:sequence>
+      <xs:element name="AttributeAuthority" type="saml:NameIDType" 
+                  minOccurs="0" maxOccurs="unbounded" />
+      <xs:element name="SamlAttributeName" type="csig:PreferredSAMLAttributeNameType"
+                  minOccurs="0" maxOccurs="unbounded" />
+    </xs:sequence>
+    <xs:attribute name="CertAttributeRef" type="xs:string" use="optional" />
+    <xs:attribute name="CertNameType" default="rdn" use="optional">
+      <xs:simpleType>
+        <xs:restriction base="xs:string">
+          <xs:enumeration value="rdn" />
+          <xs:enumeration value="san" />
+          <xs:enumeration value="sda" />
+        </xs:restriction>
+      </xs:simpleType>
+    </xs:attribute>
+    <xs:attribute name="FriendlyName" type="xs:string" />
+    <xs:attribute name="DefaultValue" type="xs:string" />
+    <xs:attribute name="Required" type="xs:boolean" default="false" />
+  </xs:complexType>
+
+  <xs:complexType name="RequestedAttributesType">
+    <xs:sequence>
+      <xs:element name="RequestedCertAttribute" type="csig:MappedAttributeType"
+                  minOccurs="1" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="AnyType">
+    <xs:sequence>
+      <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="SAMLAssertionsType">
+    <xs:sequence>
+      <xs:element name="Assertion" type="xs:base64Binary" maxOccurs="unbounded" />
+    </xs:sequence>    
+  </xs:complexType>
+
+  <xs:complexType name="PreferredSAMLAttributeNameType">
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="Order" type="xs:int" default="0" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:complexType name="SignTasksType">
+    <xs:sequence>
+      <xs:element maxOccurs="unbounded" ref="csig:SignTaskData"/>
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:complexType name="SignTaskDataType">
+    <xs:sequence>
+      <xs:element ref="csig:ToBeSignedBytes" />
+      <xs:element ref="csig:AdESObject" minOccurs="0" maxOccurs="1" />
+      <xs:element ref="csig:Base64Signature" minOccurs="0" />
+      <xs:element ref="csig:OtherSignTaskData" minOccurs="0" />
+    </xs:sequence>
+    <xs:attribute name="SignTaskId" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>
+          A distinguishing id of this sign task which is used to distinguish between 
+          multiple sign tasks in the same request.
+        </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="SigType" use="required">
+      <xs:annotation>
+        <xs:documentation>
+          Enumeration of the type of signature the canonical signed information is
+          associated with.
+        </xs:documentation>
+      </xs:annotation>
+      <xs:simpleType>
+        <xs:restriction base="xs:string">
+          <xs:enumeration value="XML" />
+          <xs:enumeration value="PDF" />
+          <xs:enumeration value="CMS" />
+          <xs:enumeration value="ASiC" />
+        </xs:restriction>
+      </xs:simpleType>
+    </xs:attribute>
+    <xs:attribute name="AdESType" default="None">
+      <xs:annotation>
+        <xs:documentation>
+          Specifies the type of AdES signature. BES means that the signing certificate
+          hash must be covered by the signature. EPES means that the signing 
+          certificate hash and a signature policy identifier must be covered by 
+          the signature.
+        </xs:documentation>
+      </xs:annotation>
+      <xs:simpleType>
+        <xs:restriction base="xs:string">
+          <xs:enumeration value="None" />
+          <xs:enumeration value="BES" />
+          <xs:enumeration value="EPES" />
+        </xs:restriction>
+      </xs:simpleType>
+    </xs:attribute>
+    <xs:attribute name="ProcessingRules" type="xs:anyURI" use="optional">
+      <xs:annotation>
+        <xs:documentation>
+          An identifier for processing rules that must be executed by the signature 
+          service when processing data in this element.
+        </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+  </xs:complexType>
+
+  <xs:complexType name="AdESObjectType">
+    <xs:sequence>
+      <xs:element name="SignatureId" type="xs:string" minOccurs="0" />
+      <xs:element name="AdESObjectBytes" type="xs:base64Binary" minOccurs="0" />
+      <xs:element name="OtherAdESData" type="csig:AnyType" minOccurs="0" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="CertRequestPropertiesType">
+    <xs:sequence>
+      <xs:element ref="saml:AuthnContextClassRef" minOccurs="0" maxOccurs="unbounded">
+        <xs:annotation>
+          <xs:documentation>
+            The URI reference(s) to the requested level of assurance with which the 
+            certificate subject should be authenticated.
+          </xs:documentation>
+        </xs:annotation>
+      </xs:element>
+      <xs:element ref="csig:RequestedCertAttributes" minOccurs="0" />
+      <xs:element ref="csig:OtherProperties" minOccurs="0" />
+    </xs:sequence>
+    <xs:attribute default="PKC" name="CertType">
+      <xs:simpleType>
+        <xs:restriction base="xs:string">
+          <xs:enumeration value="PKC" />
+          <xs:enumeration value="QC" />
+          <xs:enumeration value="QC/SSCD" />
+        </xs:restriction>
+      </xs:simpleType>
+    </xs:attribute>
+  </xs:complexType>
+
+  <xs:complexType name="SignerAssertionInfoType">
+    <xs:sequence>
+      <xs:element ref="csig:ContextInfo" />
+      <xs:element ref="saml:AttributeStatement" />
+      <xs:element ref="csig:SamlAssertions" minOccurs="0" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="ContextInfoType">
+    <xs:sequence minOccurs="0" maxOccurs="1">
+      <xs:element name="IdentityProvider" type="saml:NameIDType" />
+      <xs:element name="AuthenticationInstant" type="xs:dateTime" />
+      <xs:element ref="saml:AuthnContextClassRef" />
+      <xs:element name="ServiceID" type="xs:string" minOccurs="0" />
+      <xs:element name="AuthType" type="xs:string" minOccurs="0" />
+      <xs:element name="AssertionRef" type="xs:string" minOccurs="0" />
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:complexType name="Base64SignatureType">
+    <xs:simpleContent>
+      <xs:extension base="xs:base64Binary">
+        <xs:attribute name="Type" type="xs:anyURI" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+  <xs:complexType name="SignMessageType">
+    <xs:choice>
+      <xs:element ref="csig:Message" />
+      <xs:element ref="csig:EncryptedMessage" />
+    </xs:choice>
+    <xs:attribute name="MustShow" type="xs:boolean" default="false" />
+    <xs:attribute name="DisplayEntity" type="xs:anyURI" />
+    <xs:attribute name="MimeType" default="text">
+      <xs:simpleType>
+        <xs:restriction base="xs:string">
+          <xs:enumeration value="text/html" />
+          <xs:enumeration value="text" />
+          <xs:enumeration value="text/markdown" />
+        </xs:restriction>
+      </xs:simpleType>
+    </xs:attribute>
+    <xs:anyAttribute namespace="##other" processContents="lax" />
+  </xs:complexType>
+
+</xs:schema>
+ + diff --git a/docs/december-2024/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html b/docs/december-2024/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html new file mode 100644 index 0000000..0f81095 --- /dev/null +++ b/docs/december-2024/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html @@ -0,0 +1,648 @@ + + + + + + eIDAS Constructed Attributes Specification for the Swedish eID Framework + + + + + + +

+ + +

+

+ +

+ +

eIDAS Constructed Attributes Specification for the Swedish eID Framework

+

Version 1.2 - 2021-11-11

+

Registration number: 2019-315

+
+

+Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2021. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirement key words

    +
    2. +

  2. Provisional Identifier

    +

    2.1. Provisional Identifier (prid) Attribute

    +

    2.2. Provisional Identifier Persistence Indicator (pridPersistence) Attribute

    +

    2.3. Algorithms

    +

    2.3.1. Algorithm: default-eIDAS

    +

    2.3.2. Algorithm: colresist-eIDAS

    +

    2.3.3. Algorithm: special-characters-eIDAS

    +

    2.4. Algorithm Selection and Resulting pridPersistence Value

    +
    3. +

  3. References

    +
    4. +

  4. Changes between versions

    +
    5. +
+

Appendix A. PRID Algorithm implementations (Java)

+

+

1. Introduction

+

This document extends “Attribute Specification for the Swedish eID +Framework”, [EidAttributes], providing specifications for constructed +attributes.

+

The concept of constructed attributes is introduced in Swedish national +authentication nodes (proxy nodes) delivering identity assertions to +Swedish Service Providers based on user authentication with a foreign +eID.

+

A constructed attribute is an attribute that was not delivered by the +foreign Identity Provider service, but was constructed in the Swedish +authentication node by applying defined rules and algorithms to the +authenticated user (subject) received from the foreign Identity Provider +service (typically an eIDAS node).

+

+

1.1. Requirement key words

+

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, +“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be +interpreted as described in [RFC2119].

+

These keywords are capitalized when used to unambiguously specify +requirements over protocol features and behavior that affect the +interoperability and security of implementations. When these words are +not capitalized, they are meant in their natural-language sense.

+

+

2. Provisional Identifier

+

The Attribute Specification for the Swedish eID Framework, [EidAttributes], defines the attributes prid and pridPersistence.

+

The prid attribute holds a unique identifier for a person derived from +attributes provided from another country. The purpose of this attribute +is to provide a common unique attribute for an authenticated user +independently of the attribute set or the characteristics of these +attributes provided by the authentication service in the other country.

+

The pridPersistence attribute provides an indicator of the expected +persistence of the prid identifier over time. The value in this +attribute is determined by assessing the persistence of underlying +foreign attributes from a particular source used in a particular prid +generation algorithm.

+

This document defines a set of prid algorithms, when to use each +algorithm and the resulting pridPersistence value.

+

+

2.1. Provisional Identifier (prid) Attribute

+

The provisional identifier (prid) attribute is a SAML attribute +identified by the SAML attribute name urn:oid:1.2.752.201.3.4.

+

The prid attribute holds a string value containing the following data:

+
+

{2 letter ISO 3166 country code of eID country} + ”:“ + +{10..30 character identifier}

+
+

Syntactically, provisional ID is defined by the following regular +expression:

+
+

^[A-Z]{2}:[0-9a-z][0-9a-z-]{8,28}[0-9a-z]$

+
+

Examples:

+
+

NO:29078534891

+

DK:09208-2002-2-194967071622

+
+

The country code is the 2 letter ISO 3166 country code +expressed in upper case letters, for example, “SE” for Sweden and “NO” +for Norway. This identifies the country that issued the eID used to +authenticate the user (i.e., provided the infrastructure to identify the +person). This is not necessarily the person’s actual citizenship or +country of residence.

+

The identifier component holds a minimum of 10 and a maximum of 30 +characters. The primary reason for this is to provide an identifier that +can be displayed to a user and still relatively convenient to write down +or communicate by humans in case of problems. The characters in the +identifier component are restricted to the numeric characters 0-9, the +letters a-z and the hyphen character “-“ (0x2D) serving as delimiter. +Letters “a-z” MUST be lower case. Should a provisional ID ever be +presented with upper case letters then such letter should be matched +using case insensitive matching (e.g. “a” is equivalent to “A”). The +identifier component MUST NOT start or end with a hyphen character. The +resulting ID MUST have at least 8 characters that are not a hyphen +character, for example, the character sequence “1-2-3-4-56” is not +allowed as it only holds 6 distinguishing ID characters.

+

+

2.2. Provisional Identifier Persistence Indicator (pridPersistence) Attribute

+

The provisional identifier (pridPersistence) attribute is a SAML +attribute identified by the SAML attribute name urn:oid:1.2.752.201.3.5.

+

The pridPersistence attribute holds a string value containing the +following data:

+
+

{1 letter Identifier (A, B or C)}

+
+

Examples:

+
+

A

+

B

+

C

+
+

Value definitions:

+ + + + + + + + + + + + + + + + + + + +
ValueDefined meaning
APersistence over time is expected to be comparable or better than a Swedish personal identity number (personnummer). This means that the identifier typically is stable throughout the lifetime of the subject and is typically preserved even if the subject changes address, name or civil status.
BPersistence over time is expected to be relatively stable, but lower than a Swedish personal identity number (personnummer). This means that the identifier typically remains unchanged as long as the person does not change address, name or civil status. Such or similar event may cause the identifier to change but the identifier will not change just because the subject gets a new eID (electronic identification means) or changes eID provider.
CNo expectations regarding persistence over time. The identifier may change if the subject changes eID or eID provider.
+

+

2.3. Algorithms

+

This section defines algorithms for generating the identifier component +of prid attribute values. The identifier component makes up the +characters following the “:” (colon) character in the prid.

+

+

2.3.1. Algorithm: default-eIDAS

+

Name: default-eIDAS

+

Input values:

+
    +
  • eidasID - The identifier string value from the eIDAS PersonIdentifier attribute from the attribute source (identified by the attribute name http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier.
    • +
+

Calculated values:

+
    +

  • strippedID = eidasID after:

    +
      +
    1. removing the 6 leading characters matching the regular expression ^[A-Za-z]{2}[\/](SE\|se)[\/] (e.g., ”NO/SE/”), and;
      2. +
    2. removing any white space and non-printable characters.
      3. +
    +
    • +

  • normalizedID = strippedID converted according to the following steps:

    +
      +
    1. converting all upper case letters [A-Z] to lower case, and,
      2. +
    2. replacing with a single “-“ character, all sequences of characters of length (1…n) that does not contain [0-9] or [a-z], and,
      3. +
    3. remove any leading or trailing “-“ characters.
      4. +
    +
    • +
+

Result:

+

If length of normalizedID < 10 characters:

+
+

Return normalizedID padded with leading “0” (zero) characters until +length = 10 characters.

+
+

If length of normalizedID 10 - 30 characters:

+
+

Return normalizedID

+
+

If length of normalizedID > 30 characters**:**

+
+

Return the string representation of the first 30 hexadecimal digits of +the SHA256 hash of the UTF-8 encoded bytes of strippedID.

+
+

Exceptions:

+
+

If the following conditions occur in the process, prid generation +fails:

+
+
    +
  1. Leading 6 characters of PersonIdentifier does not match regexp ^[A-Za-z]{2}[\/](SE|se)[\/]$
    2. +
  2. normalizedID < 6 characters (not counting “-“ (hyphen) characters).
    3. +
+

Collision resistance:

+

All eIDAS PersonIdentifier attributes are required to be unique. That +uniqueness is preserved in this algorithm based on the assumption that +distinguishing symbols in the PersonIdentifier are represented +exclusively by case insensitive letters a-z and numbers 0-9. If this is +not a case for the PersonIdentifier provided by a particular country, +then this algorithm should not be selected due to the risk of ID +collisions.

+

In case the normalized identifier string exceeds 30 characters this +algorithm falls back on providing a 30 hex digit representation of a +concatenated SHA-2 hash value. The collision probability for such +identifier among 2 users is 1 in 1,25 * 10^36 (Calculated as 16^30 – +16^29 since first digit can not be 0). For a population of 100 million +people the probability of a collision is approximately 1 in 2.5 * +10^20 or 1 in 250 trillion countries of that population size1.

+

Countries typically do not use ID attributes that exceed 30 characters +in size, but it cannot be ruled out that some countries will generate an +ID for cross-border use that is different from a national ID and that +that ID may exceed 30 characters. This algorithm assumes that the +collision resistance provided is sufficient given both the low +probability combined with the fact that only a very small fraction of +users from any country outside of Sweden is likely to authenticate to a +Swedish e-service. A collision among all citizens would in most cases +not be security critical since the unique eIDAS ID in its original form +also is present in the assertion to the service provider, which +guarantees that a transaction is traceable back to the right individual.

+

In case these properties are not enough to guarantee sufficient +collision resistance, the algorithm colresist-eIDAS should be used.

+

Examples:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PersonIdentifierResulting prid
NO/SE/05068907693NO:05068907693
DK/SE/09208-2002-2-194967071622DK:09208-2002-2-194967071622
UK/DK/1234567890UK:NULL (Failed: target country is not SE)
DE/SE/#12345-3456//ABCDE:12345-3456-abc
DE/SE/aErf#(EAd9)DE:0aerf-ead9
de/se/aErf#(E)NULL (Failed: Less than 6 ID characters)
DE/SE/(1952 12 14-1122)DE:19521214-1122
19521214-1122NULL (Failed: Leading 6 character format error)
DE/SE/1234567890123456789012345678901DE:3b7184c0ceaf76a9607a31e4e1f87f
+

+
+

[1]: Birthday paradox approximation p(n) ≈ n^2 / 2m, where p(n) is the collision probability, n is the number of people and m is the number of possible ID combinations.

+
+

+

2.3.2. Algorithm: colresist-eIDAS

+

This algorithm is identical to default-eIDAS except that the hashed +expression of the ID in case the normalized ID exceeds 30 characters, +has higher collision resistance by expressing the ID in radix 36 instead +of radix 16 (Hexadecimal)1.

+

Name: colresist-eIDAS

+

Input values: Identical to default-eIDAS

+

Calculated values: Identical to default-eIDAS

+

Result:

+

If length of normalizedID < 10 characters:

+
+

Identical to default-eIDAS result

+
+

If length of normalizedID 10 - 30 characters:

+
+

Identical to default-eIDAS result

+
+

If length of normalizedID > 30 characters**:**

+
+

Return the string representation of the first 30 radix 36 digits of the SHA256 hash of the UTF-8 encoded bytes of strippedID.

+
+

Exceptions: Identical to default-eIDAS

+

Collision resistance:

+

Expression of this ID in hashed form use 30 radix 36 symbols. This +reduces the collision resistance among 2 users to 1 in 4.75 * 10^46. +The collision probability among 100 million users is reduced to +approximately 1 in 10^31.

+

Examples:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PersonIdentifierResulting prid
NO/SE/05068907693NO:05068907693
DK/SE/09208-2002-2-194967071622DK:09208-2002-2-194967071622
UK/DK/1234567890UK:NULL (Failed: target country is not SE)
DE/SE/#12345-3456//ABCDE:12345-3456-abc
DE/SE/aErf#(EAd9)DE:0aerf-ead9
de/se/aErf#(E)NULL (Failed: Less than 6 ID characters)
DE/SE/(1952 12 14-1122)DE:19521214-1122
19521214-1122NULL (Failed: Leading 6 character format error)
DE/SE/1234567890123456789012345678901DE:1hc3tpoleczqu3t8jz2995k2rq7nt8
+

+
+

[1]: Radix 36 express values ranging from 0 to 36 through a single character using the symbols ”0123456789abcdefghijklmnopqrstuvwxyz” in the presented order.

+
+

+

2.3.3. Algorithm: special-characters-eIDAS

+

The default-eIDAS and the colresist-eIDAS algoritms are suitable when the base identifier from the authenticating country is constructed from digits and basic case-insensitive characters. These algoritms do not work on identifiers constructed as a Base64 string of binary data, such as a hash of another identifier.

+

The present algoritm is intended to be used where the base identifier contains case-sensitive characters and where characters other than a-z and 0-9 are used to add entropy to the identifier.

+

Name: special-characters-eIDAS

+

Input values: Identical to default-eIDAS.

+

Calculated values: Identical to default-eIDAS with the exception that normalizedID is not calculated and used.

+

Result:

+
+

Return the string representation of the first 30 radix 36 digits of the SHA256 hash of the UTF-8 encoded bytes of strippedID.

+
+

Exceptions:

+
+

If the following conditions occur in the process, prid generation fails:

+
+
    +
  1. Leading 6 characters of PersonIdentifier does not match regexp ^[A-Za-z]{2}[\/](SE|se)[\/]$
    2. +
  2. strippedID < 16 characters.
    3. +
+

Collision resistance: Identical to colresist-eIDAS.

+

Examples:

+ + + + + + + + + + + +
PersonIdentifierResulting prid
AT/SE/Zk2ME2pjxwzQOjVeFGeqSIage34=AT:50bwytdle2mzexopcolmdhmhznihms
+

+

2.4. Algorithm Selection and Resulting pridPersistence Value

+

This section defines the current algorithm selection rules and the +resulting pridPersistence value. These rules are processed in the +presented order. The first rule where the present conditions matches all +the matching rules is selected.

+

If the present conditions do not match any of the listed rules, then +prid generation fails.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Rule 1Description
Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.
Matching rule 3Attributes provided by any of the countries that issue identities according to persistance class A.
Selected algorithmdefault-eIDAS
pridPersistence valueA
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Rule 2Description
Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.
Matching rule 3Attributes provided by any of the countries that issue identities according to persistance class B.
Selected algorithmdefault-eIDAS
pridPersistence valueB
+ + + + + + + + + + + + + + + + + + + + + + + +
Rule 3Description
Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.
Selected algorithmdefault-eIDAS
pridPersistence valueC
+

+

3. References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[SAML-XSD]

+
+

S. Cantor et al., SAML assertions schema. OASIS SSTC, March 2005. +Document ID saml-schema-assertion-2.0. See +http://www.oasisopen.org/committees/security/.

+
+

+[XML-Schema]

+
+

XML Schema Part 2: Datatypes Second Edition, W3C Recommendation, 28 +October 2004. See http://www.w3.org/TR/xmlschema-2/.

+
+

+[EidAttributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[eIDAS-Attr]

+
+

eIDAS SAML Attribute Profile, version 1.2, 21 May 2019.

+
+

+

4. Changes between versions

+

Changes between version 1.1 and version 1.2:

+
    +
  • The length requirement for identifier characters has been changed from 8 to 6. This applies to the default-eIDAS and colresist-eIDAS algorithms.
    • +
+

Changes between version 1.0 and version 1.1:

+
    +

  • Update of logotype and fixes of minor typos.

    +
    • +

  • Update of reference of eIDAS attribute profile to version 1.2.

    +
    • +

  • Removed Appendix A, "Countries with pridPersistence of class A" and Appendix B, "Countries with pridPersistence of class B". This information is continuously updated and maintained on https://swedenconnect.se.

    +
    • +
+

+

Appendix A. PRID Algorithm implementations (Java)

+

default-eIDAS

+
  private static final String personIdentifierPrefixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
+
+  public String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
+    
+    if (personIdentifier == null) {
+      throw new PridGenerationException("Missing personIdentifier");
+    }
+    if (!personIdentifier.substring(0, 6).matches(personIdentifierPrefixRegexp)) {
+      throw new PridGenerationException("Invalid ID format");
+    }
+    // Get ID component without whitespace and non-printable characters
+    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
+        
+    // Convert to lower case
+    String normalizedID = strippedID.toLowerCase();
+            
+    // Replace sequences of non ID characters to "-"
+    normalizedID = normalizedID.replaceAll("[^a-z0-9]+", "-");
+    
+    // Remove leading and trailing "-" 
+    normalizedID = normalizedID.replaceAll("^-+", "").replaceAll("-+$", "");
+    if (normalizedID.replaceAll("-", "").length() < 6) {
+      throw new PridGenerationException("Invalid ID format");
+    }
+    if (normalizedID.length() < 10) {
+      normalizedID = "0000000000".substring(normalizedID.length()) + normalizedID;
+    }
+    if (normalizedID.length() > 30) {
+      try {
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
+        byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
+        return new BigInteger(1, digest).toString(16).substring(0, 30);
+      }
+      catch (NoSuchAlgorithmException ex) {
+        throw new PridGenerationException(e);
+      }
+    }
+    return normalizedID;
+  }
+

colresist-eIDAS

+
  private static final String personIdentifierPrefixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
+  
+  public static String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
+    if (personIdentifier == null) {
+      throw new PridGenerationException("Missing personIdentifier");
+    }
+    if (!personIdentifier.substring(0, 6).matches(personIdentifierPrefixRegexp)) {
+      throw new PridGenerationException("Invalid ID format");
+    }
+    
+    // Get ID component without whitespace and non-printable characters
+    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
+    
+    // Convert to lower case
+    String normalizedID = strippedID.toLowerCase();
+    
+    // Replace sequences of non ID characters to "-"
+    normalizedID = normalizedID.replaceAll("[^a-z0-9]+", "-");
+    
+    // Remove leading and trailing "-" 
+    normalizedID = normalizedID.replaceAll("^-+", "").replaceAll("-+$", "");
+    if (normalizedID.replaceAll("-", "").length() < 6) {
+      throw new PridGenerationException("Invalid ID format");
+    }
+    if (normalizedID.length() < 10) {
+      normalizedID = "0000000000".substring(normalizedID.length()) + normalizedID;
+    }
+    if (normalizedID.length() > 30) {
+      try {
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
+        byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
+        return new BigInteger(1, digest).toString(36).substring(0, 30);
+      } 
+      catch (NoSuchAlgorithmException ex) {
+        throw new PridGenerationException(e);
+      }
+    }
+    return normalizedID;
+  }

special-characters-eIDAS

+
  private static final String personIdentifierPrifixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
+
+  public String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
+    if (personIdentifier == null) {
+      throw new PridGenerationException("Missing personIdentifier");
+    }
+    if (!personIdentifier.substring(0, 6).matches(personIdentifierPrifixRegexp)) {
+      throw new PridGenerationException("Invalid ID format");
+    }
+    
+    // Get ID component without whitespace and non-printable characters
+    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
+    if (strippedID.length() < 16) {
+      throw new PridGenerationException("Invalid ID format");
+    }
+    try {
+      MessageDigest md = MessageDigest.getInstance("SHA-256");
+      byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
+      return new BigInteger(1, digest).toString(36).substring(0, 30);
+    }
+    catch (NoSuchAlgorithmException ex) {
+      throw new PridGenerationException(e);
+    }
+  }
+ + diff --git a/docs/december-2024/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html b/docs/december-2024/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html new file mode 100644 index 0000000..6ea242c --- /dev/null +++ b/docs/december-2024/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html @@ -0,0 +1,487 @@ + + + + + + Implementation Profile for BankID Identity Providers within the Swedish eID Framework + + + + + + +

+ + +

+

+ +

+ +

Implementation Profile for BankID Identity Providers within the Swedish eID Framework

+

Version 1.4 - 2024-12-04

+

Registration number: 2019-316

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation

    +

    1.2. References to SAML 2.0 Standards and Profiles

    +

    1.3. BankID Methods and Applications

    +

    1.3.1. Representation as Identity Providers

    +

    1.3.2. Recommended Limitations

    +

    1.4. Relying Party Configuration

    +
    2. +

  2. Attributes

    +

    2.1. Attribute Transformation

    +

    2.1.1. The authContextParams Attribute

    +
    3. +

  3. Identity Provider User Interface

    +

    3.1. General Requirements

    +

    3.2. Automatic Start of the BankID Client

    +

    3.3. Cancelling an Operation

    +
    4. +

  4. Authentication Requests

    +

    4.1. Binding and Security Requirements

    +

    4.2. Handling of Principal Selection

    +

    4.3. Authentication for Signature

    +

    4.3.1. Input to BankID Signing

    +

    4.3.1.1. userVisibleData - Signature Message

    +

    4.3.1.2. userNonVisibleData

    +
    5. +

  5. Authentication Responses

    +

    5.1. Attribute Release Rules

    +

    5.2. Error Responses

    +
    6. +

  6. Metadata

    +

    6.1. Service Providers

    +

    6.2. Identity Providers

    +

    6.3. Signature Services

    +
    7. +

  7. References

    +
    8. +

  8. Changes between versions

    +
    9. +
+
+

+

1. Introduction

+

This profile defines how a SAML Identity Provider that offers authentication using the Swedish BankID technology should implement its services to be compliant with the Swedish eID Framework. It extends the "Deployment Profile for the Swedish eID Framework", [SC.SAML.Profile], with requirements and recommendations for Identity Providers offering BankID authentication and signature services.

+

The BankID interface for authentication and signature, the Relying Party Interface, is described at https://developers.bankid.com. This specification MUST be fully implemented and supported by BankID Identity Providers compliant with the Swedish eID Framework specifications.

+

+

1.1. Requirements Notation

+

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in [RFC2119].

+

The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus +on deployment practices intended to foster both interoperability and +guarantees of security and confidentiality needed to satisfy the +requirements of many organizations that engage in the use of federated +identity. Deviating may limit a deployment's ability to technically +interoperate without additional negotiation, and should be undertaken +with caution.

+

+

1.2. References to SAML 2.0 Standards and Profiles

+

When referring to elements from the SAML 2.0 core specification [SAML2Core], +the following syntax is used:

+
    +

  • <saml2p:Element> – for elements from the SAML 2.0 Protocol + namespace.

    +
    • +

  • <saml2:Element> – for elements from the SAML 2.0 Assertion + namespace.

    +
    • +
+

When referring to elements from the SAML 2.0 metadata specifications, +the following syntax is used:

+
    +

  • <md:Element> – for elements defined in [SAML2Meta].

    +
    • +

  • <mdattr:Element> – for elements defined in [SAML2MetaAttr].

    +
    • +
+

+

1.3. BankID Methods and Applications

+

There are three types of BankID:

+
    +
  • Mobile BankID - End users use the "BankID app" on their mobile devices to authenticate or perform a signature. In these cases the user certificate is stored in the app and protected by a personal code.
    • +
  • BankID on file - End users use the desktop program "BankID Security Application" to authenticate or perform a signature. The user certificate is stored in a file on the computer and is protected by a user password.
    • +
  • BankID on card - End users make use of the same desktop program as described above, but the certificate is placed on a smart card. The user private key is unlocked using the PIN-pad on the smart card reader.
    • +
+

The three above methods are all "BankID", but historically, relying parties have made a difference between "Mobile BankID" and "BankID" (the original desktop version).

+

+

1.3.1. Representation as Identity Providers

+

An actor offering BankID services can choose to use one BankID Identity Provider supporting all different BankID methods, or use several Identity Provider instances, one for each BankID method.

+

Services that support all methods within one Identity Provider instance usually displays a question to the user before authentication starts, where the user chooses between "Using BankID on this device or another device". In an environment where a discovery service (or similar) is being used, this means that the user has to make two choices before the actual authentication process starts; first at the discovery service where the user selects "BankID" and then at the BankID Identity Provider where the user selects the type of BankID authentication to use.

+

It is RECOMMENDED that BankID services are split into separate Identity Providers for each supported BankID method. The reasons for this are the above argument about discovery, but also the fact that a Service Provider should be able to select which type of authentication that is required (for example, Mobile BankID may be accepted but not BankID on file).

+

+ +

The table below states the RECOMMENDED support and behaviour when support for BankID is implemented using separate Identity Providers (as recommended in section 1.3.1 above).

+ + + + + + + + + + + + + + + + + + + + + +
Identity ProviderDesktopMobile PhoneTablet
Mobile BankIDStart BankID on other device1 (mobile phone or tablet).Start BankID on the same device2.Prompt the user to ask whether to start BankID on the tablet or on another device3 (mobile phone).
BankID on file (or on card)Start BankID on the same device4.Not supported5.Not supported5.
+
    +
  1. The user initiates a BankID operation from his or hers desktop computer and selects to use Mobile BankID. In this case the Mobile BankID app is started on another device (since Mobile BankID does not exist on desktop computers).
    2. +
  2. The user initiates a BankID operation from his or hers mobile phone and selects to use Mobile BankID. In this case the BankID app is started on the same device. It is highly unlikely that a user uses one mobile phone to visit a service and wants to use his or hers BankID on another device.
    3. +
  3. The user initiates a BankID operation from his or hers tablet and selects to use Mobile BankID. In this case the recommendation is to prompt the user to ask whether the Mobile BankID app should be automatically started on the tablet, or if the user wishes to use BankID on another device (probably a mobile phone). The reason for this recommendation is that most users have a BankID on their mobile phones, but not necessarily on their tablets.
    4. +
  4. The user initiates a BankID operation from his or hers desktop computer and selects to use BankID on file. The BankID Security Application is started on the same computer. It is not a likely use case to use one computer to connect to the service and another one for BankID.
    5. +
  5. This case should not be supported. If the user selects "BankID on file" from a mobile phone or tablet, the Identity Provider should display an error message stating that Mobile BankID should be used instead and post an error response back to the Service Provider.
    6. +
+

Note: Items 4 and 5 above also apply to BankID on card. A service MAY choose to implement BankID on file and BankID on card as separate Identity Providers or as one Identity Provider instance.

+

For Identity Providers implementing BankID support in one Identity Provider instance it is RECOMMENDED to make the assumption that the BankID app should be started on the same device if the user connects via a mobile phone.

+

+

1.4. Relying Party Configuration

+

When a Relying Party uses the BankID Relying Party API directly in order to implement BankID services, it has a set of configuration settings to choose from (see requirements object under the Auth and Sign API). Examples are:

+
    +

  • Should fingerprints be allowed instead of the user entering his or hers security code?

    +
    • +

  • Active certificate policies.

    +
    • +

  • Smart card reader preferences.

    +
    • +
+

However, the services of a BankID Identity Provider are used by several parties within the federation, and it is thus harder to maintain a per-Service Provider configuration. Therefore, a BankID Identity Provider compliant with this profile SHOULD use the same configuration defaults as stated in Auth and Sign API.

+
+

Note: It is of course allowed for a BankID Identity Provider to maintain specific Service Provider configurations, but this is outside the scope for this profile, and there will be no specification support to accomplish this.

+
+

+

2. Attributes

+

An BankID Identity Provider use the BankID Relying Party API, as described in BankID API, to communicate with the BankID-server when providing its services to end users. When a BankID-operation has completed successfully, the Identity Provider (the BankID Relying Party) invokes the Collect-method (/collect) to obtain the result from the operation.

+

The table below contains attribute transformation mappings between attributes from a Collect-method response as described in /collect and attributes defined within the Sweden Connect Framework as defined in [SC.SAML.Attrs].

+

An Identity Provider should not necessarily release all transformed attributes received from the BankID-server to the Service Provider. See further section 5.1, "Attribute Release Rules".

+

+

2.1. Attribute Transformation

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
BankID attributeSAML AttributeDescription
orderReftransactionIdentifier
urn:oid:1.2.752.201.3.2		The BankID order reference received from a BankID Auth (/rp/v5/auth) or Sign (rp/v5/sign) method invocation. This parameter is supplied as an input parameter to the Collect-call and is the unique transaction identifier for the BankID-operation.
completionData.
user.personalNumber		personalIdentityNumber
urn:oid:1.2.752.29.4.13		Swedish ”personnummer”. 12 digits without hyphen.
completionData.
user.givenName		givenName
urn:oid:2.5.4.42		User's given name.
completionData.
user.surname		sn
urn:oid:2.5.4.4		User's surname.
completionData.
user.name		displayName
urn:oid:2.16.840.1.113730.3.1.241		User's given name and surname.
completionData.
device.ipAddress		bankidUserAgentAddress key in authContextParams
urn:oid:1.2.752.201.3.3		The IP-address of the user agent presented to the BankID server. In cases where a user uses BankID "on another device" this address may not be the same as the web user agent. No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidUserAgentAddress, see 2.1.1 below.
completionData.
device.uhi		bankidUhi key in authContextParams
urn:oid:1.2.752.201.3.3		Unique hardware identifier for the user's device. No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidUhi, see 2.1.1 below.
completionData.
bankIdIssueDate		bankidIssueDate key in authContextParams
urn:oid:1.2.752.201.3.3		The date the BankID was issued to the user.
No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidIssueDate, see 2.1.1 below.
completionData.
signature		userSignature
urn:oid:1.2.752.201.3.11		The signature applied by the user as part of the authentication/signature process.
completionData.
ocspResponse		authServerSignature
urn:oid:1.2.752.201.3.13		The OCSP response signed by the BankID issuer that proves that the user BankID was checked for revocation.
+

+

2.1.1. The authContextParams Attribute

+

The authContextParams attribute, see section 3.2.1 of [SC.SAML.Attrs], is a general purpose attribute to be used when non-standardized authentication data is to be transfered in a SAML assertion.

+

The attribute is used by attribute providers to release data from an authentication process that has no attribute definition of its own. Thus, should the BankID attributes completionData.bankIdIssueDate, completionData.device.ipAddress and completionData.device.uhi be transformed and included into an assertion, they would have to be placed as key-value pairs of the authContextParams attribute as the example below.

+
<saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    
+                           FriendlyName="authContextParams"
+                           Name="urn:oid:1.2.752.201.3.3"
+                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="xs:string">
+    bankidIssueDate=2024-05-30T09%3A30%3A10Z;bankidUserAgentAddress=85.229.202.232;bankidUhi=RTREUI8
+  </saml2:AttributeValue>
+</saml2:Attribute>

+

3. Identity Provider User Interface

+

This profile does not state any requirements on how the user interface for an Identity Provider implementing BankID services should be implemented other than the statements listed in the subsections below.

+

+

3.1. General Requirements

+

The user interface for a BankID Identity Provider SHOULD use the recommended user and error messages as defined in sections 5, "Recommended User Messages", and BankID's Recommended user messages resource.

+

The user interface for a BankID Identity Provider MUST display information about the Service Provider that sent the request. It is RECOMMENDED that this information is obtained from the <mdui:UIInfo> element from the Service Provider's metadata entry.

+

It MUST be clear to the user whether an authentication or a signature process is ongoing.

+

It is RECOMMENDED that an Identity Provider compliant with this profile supports the User Message authentication request extension, as defined in [SC.SAML.UMsg].

+

If the Identity Provider supports this extension, the userVisibleData field of the BankID /auth and /sign endpoints, MUST be assigned the value received in the UserMessage extension.

+

When an error occurs during an authentication or signature operation, the Identity Provider MUST display an error message that can be easily understood by the end user, and offer the possibility to acknowledge the error so that an error response may be posted back to the requesting Service Provider (as specified in section 6.4, "Error Responses", of [SC.SAML.Profile]).

+

+

3.2. Automatic Start of the BankID Client

+

When an operation is initiated where the BankID client (app or desktop program) is on the same device as the user agent (web browser) the Identity Provider SHOULD attempt to "auto start" the BankID client as described in the BankID guide.

+

Auto starting the BankID app from a mobile device requires the built-in web browser to be used to guarantee support. If the Identity Provider detects that the user is not using the platform's default browser it MAY ask the user to manually start the BankID app (and switch back to the browser after the BankID operation).

+

+

3.3. Cancelling an Operation

+

A BankID Identity Provider MUST include a Cancel-button in the user interface enabling the possibility for the user to cancel the BankID operation.

+

If the use clicks the Cancel-button after a BankID-operation has been started1 the Identity Provider MUST invoke the BankID-operation /cancel. Failure to do so may lead to a dangling BankID session that needs to time out before the user can use BankID again.

+
+

[1]: Meaning that /auth or /sign has been called for the transaction.

+
+

+

4. Authentication Requests

+

+

4.1. Binding and Security Requirements

+

An Identity Provider conformant with this profile MUST require <saml2p:AuthnRequest> messages to be signed (by indicating this in its metadata, see section 6, "Metadata"). Thus, the Identity Provider MUST not accept messages that are not signed, or where the verification of the signature fails. In these cases the Identity Provider MUST respond with an error.

+

+

4.2. Handling of Principal Selection

+

An Identity Provider that has declared support for the <psc:PrincipalSelection> extension (see section 6) MUST assign the requirement.personalNumber field of /auth or /sign if a Swedish personal identity number is received in the <psc:PrincipalSelection> extension.

+

See [SC.SAML.Principal] for further requirements concerning the principal selection extension.

+

+

4.3. Authentication for Signature

+

An Identity Provider conforming to the Sweden Connect Framework is obliged to handle requests received from Signature Services as described in section 7, “Authentication for Signature”, of [SC.SAML.Profile]. This section further specifies how a BankID Identity Provider should support “authentication for signature”.

+

A BankID Identity Provider that receives an <saml2p:AuthnRequest> message from a Signature Service MUST initiate a BankID signature operation. It MUST NOT initiate a BankID authentication operation for several reasons:

+
    +
  • the user interface in the BankID client (app or Desktop program) during authentication indicates that the user is logging on (and not signing which is the case when a request from a Signature Service is being processed),
    • +
  • the user expects to be displayed a text describing what he or she is signing,
    • +
  • and most importantly, BankID is PKI-based and has support for signing using a non-repudiation key, so there is no reason not to use this function.
    • +
+

The BankID client (app or desktop program) comprises a text box in which the signature message is displayed for the user. A BankID Identity Provider MUST NOT display the signature message in any other way than in this text box. How the signature message is assigned is specified below.

+

+

4.3.1. Input to BankID Signing

+

An Identity Provider that processes an <saml2p:AuthnRequest> from a Signature Service is not given the actual data that is being signed by the user via the Signature Service. However, in order to invoke the BankID signature function, the Identity Provider must supply the BankID-server with data to be signed. This section specifies the input to the BankID signature operation.

+

The "To-be-signed" data that is passed as input the BankID Sign-method (/sign) is a combination of the data from the userVisibleData and userNonVisibleData parameters (https://developers.bankid.com/api-references/auth--sign/sign).

+

+
4.3.1.1. userVisibleData - Signature Message
+

The Sign-method parameter userVisibleData holds data that will be signed by the user, but it is also displayed in the BankID application text box.

+

If the <saml2p:AuthnRequest> message contains a SignMessage extension, the contents of this message MUST be assigned to the userVisibleData parameter (after necessary encoding).

+

A BankID Identity Provider MUST support SignMessage elements having their MimeType attribute set to text, and SHOULD support Markdown (text/markdown) according to BankID - Guidelines for Formatted Text, [BankID.MD]. For other values (text/html), the Identity Provider MUST respond with an error.

+

If the <saml2p:AuthnRequest> message does not contain a SignMessage extension, the Identity Provider MUST assign a sensible default signature message to the userVisibleData parameter. How this message is constructed is the responsibility of the Identity Provider, but it must be obvious for the user who is the requesting party, i.e., the Service Provider that has ordered the signature operation2.

+
+

[1]: If the MimeType attribute is not set, text is the default value.

+

[2]: For this purpose, the <mdui:DisplayName> element of the Signature Service’s metadata entry, is a good and generic choice.

+
+

+
4.3.1.2. userNonVisibleData
+

In order to produce a BankID signature that contains a binding to the <saml2p:AuthnRequest> message that initiated this signature, a BankID Identity Provider compliant to this profile MUST assign the userNonVisibleData parameter with data that uniquely binds the signature to the <saml2p:AuthnRequest> message.

+

It is RECOMMENDED that the following function is used to produce this unique binding:

+
Base64Encode("entityID=" + URLEncode(<entityID of SP>) + ";" + "authnRequestID=" + URLEncode(<ID of AuthnRequest>))

+

5. Authentication Responses

+

+

5.1. Attribute Release Rules

+

Section 2.1, "Attribute Transformation", specifies how BankID attributes should be transformed into SAML attributes defined in [SC.SAML.Attrs]. However, it does not specify the attribute release rules stating which attributes that are to be released based on a particular request.

+

A BankID Identity Provider compliant to the Swedish eID Framework MUST honor the attribute release rules specified in section 6.2.1, "Attribute Release Rules", of [SC.SAML.Profile]. This section further extends these rules with the following:

+
    +
  • A BankID Identity Provider SHOULD include the transactionIdentifier-attribute (a mapping of the BankID orderRef-attribute) in the <saml2:AttributeStatement> element independently of which attribute set that is requested. This attribute links the BankID operation to the assertion.
    • +
  • It is RECOMMENDED that a BankID Identity Provider includes the userSignature-attribute (containing the BankID signature) in the <saml2:AttributeStatement> element when a BankID signature operation has been performed.
    • +
  • Unless explicitly required1 by the Service Provider the Identity Provider SHOULD NOT release any other attributes than those specified by the current attribute set(s)2.
    • +
+
+

[1]: A Service Provider explicitly requests attributes by declaring them as requested attributes in the <md:AttributeConsumingService> element of the Service Provider's metadata entry. See section 6.1.

+
+
+

[2]: Based on the service entity categories that a Service Provider has declared in its metadata, an Identity Provider derives which attribute sets to apply during attribute release.

+
+

+

5.2. Error Responses

+

A BankID Identity Provider MUST map errors received from the underlying BankID-server into SAML error response messages where the top level status code is either:

+
    +
  • urn:oasis:names:tc:SAML:2.0:status:Requester - for errors that are due to authentication or signature failures or faults due to an error on the part of the Service Provider,
    • +
  • urn:oasis:names:tc:SAML:2.0:status:Responder - for errors that are due to an internal, or technical, error in the BankID-server or Identity Provider.
    • +
+

Before a <saml2p:Response> message is posted back to the Service Provider the Identity Provider MUST display a relevant error message to the user.

+

It is RECOMMENDED that authentication/signature errors and failures to start the BankID client are represented using the second level status code urn:oasis:names:tc:SAML:2.0:status:AuthnFailed.

+

If the user cancels a BankID operation, either by clicking the Cancel-button in the Identity Provider user interface or the Cancel-button in the BankID app/Security Application, the Identity Provider SHOULD respond with a <saml2p:Response> message where the second level status code is http://id.elegnamnden.se/status/1.0/cancel.

+

In cases where the Identity Provider receives the BankID error code ALREADY_IN_PROGRESS in response to an Auth- or Sign-call the Identity Provider MAY display a warning to the user that someone may have initiated a BankID operation using their personal identity number1. If this warning is displayed, it is RECOMMENDED that the second level status code http://id.elegnamnden.se/status/1.0/possibleFraud is included in the error response message posted back to the Service Provider.

+
+

[1]: There have been reports where fraudsters remotely try to convince people of using their Mobile BankID to log in to a service. In these cases, the fraudster initiates a BankID authentication prior to the person he tries to trick into logging in to the service, and is waiting for the user to enter his or hers personal code, thus authenticating the fraudster's session.

+
+

+

6. Metadata

+

This section extends section 2 of [SC.SAML.Profile] with requirements specific for BankID.

+

+

6.1. Service Providers

+

As stated in section 5.1, "Attribute Release Rules", a Service Provider may request additional attributes, other than those implicitly requested via the use of service entity categories, by declaring requested attributes under the <md:AttributeConsumingService> element.

+
<md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="sv">E-myndigheten</md:ServiceName>
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">The e-Authority</md:ServiceName>
+  ...
+  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.2" isRequired="false"/>
+  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.13" isRequired="false"/>      
+</md:AttributeConsumingService>

Example of how a Service Provider declares that it wishes to receive the transactionIdentifier and authServerSignature attributes in assertions.

+

A Service Provider requesting an attribute that is not supported by all Identity Providers that it may communicate with MUST NOT set the isRequired attribute of the <md:RequestedAttribute> element to true.

+

It is RECOMMENDED that Service Providers communicating with BankID Identity Providers include the transactionIdentifier attribute as a requested attribute.

+

+

6.2. Identity Providers

+

A BankID Identity Provider MUST require authentication request messages to be signed. This is indicated by assigning the WantAuthnRequestsSigned attribute of the <md:IDPSSPDescriptor> element to a value of true.

+

A BankID Identity Provider SHOULD declare the <psc:RequestedPrincipalSelection> element containing the attribute name for personalIdentityNumber (urn:oid:1.2.752.29.4.13) and include it in its metadata entry as described in section 2.1.3 of [SC.SAML.Profile].

+

Using this extension the Identity Provider announces that the requestor should send the personal identity number in the authentication request if this is known to the requestor. In this way, the Identity Provider does not have to prompt the user for the personal identity number for the use cases where this is required.

+
...
+<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
+     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  <md:Extensions>
+    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+      ...
+    </mdui:UIInfo>
+    <psc:RequestedPrincipalSelection 
+         xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13" />
+    </psc:RequestedPrincipalSelection>
+  </md:Extensions>
+  <md:KeyDescriptor use="signing">
+    ...

Example of how the Identity Provider declares the RequestedPrincipalSelection extension in its metadata.

+

Also, since a BankID Identity Provider MUST support the display of BankID QR codes, it MUST declare this in its metadata using the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category. See [SC.SAML.EntCat].

+

It is RECOMMENDED that the BankID Identity Provider supports the <umsg:UserMessage> authentication request extension as defined in [SC.SAML.UMsg]. Support for this extension is declared by declaring the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category. See [SC.SAML.EntCat].

+

+

6.3. Signature Services

+

It is RECOMMENDED that a Signature Service explicitly requires release of the userSignature attribute (urn:oid:1.2.752.201.3.11) in assertions. The reason for this is that the BankID-signature may then be part of the assertion that is included in the resulting signature created by the Signature Service giving a non-repudiation proof of the BankID signature process.

+
<md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="sv">E-myndighetens underskriftstjänst</md:ServiceName>
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">The e-Authority's Signing Service</md:ServiceName>
+  ...
+  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.11" isRequired="false"/>
+</md:AttributeConsumingService>

Example of how the userSignature attribute is explicitly required.

+

+

7. References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[SAML2Meta]

+
+

OASIS Standard, Metadata for the OASIS Security Assertion Markup +Language (SAML) V2.0, March +2005.

+
+

+[SAML2MetaAttr]

+
+

OASIS Committee Specification, SAML V2.0 Metadata Extension for +Entity Attributes Version 1.0, August +2009.

+
+

+[BankID.MD]

+
+

BankID - Guidelines for Formatting Text.

+
+

+[SC.SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+[SC.SAML.Attrs]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SC.SAML.EntCat]

+
+

Entity Categories for the Swedish eID Framework.

+
+

+[SC.SAML.Principal]

+
+

Principal Selection in SAML Authentication Requests.

+
+

+[SC.SAML.UMsg]

+
+

User Message Extension in SAML Authentication Requests.

+
+

+

8. Changes between versions

+

Changes between version 1.3 and 1.4

+
    +

  • New references to BankID resources are used, since BankID has abandoned its "Relying Party Guidelines"-document.

    +
    • +

  • The discussions concerning QR-codes vs. prompting for personal ID number has been removed, since QR-code now is mandatory for the use case where the user agent and mobile phone are on different devices.

    +
    • +

  • Section 2.1, "Attribute Transformation", was updated to reflect changes in the BankID API.

    +
    • +

  • A recommendation to support the "User Message Extension" was added to section 3, "Identity Provider User Interface".

    +
    • +

  • Section 3.3, "Mobile BankID on another Device", was removed since personal identity number prompting is no longer allowed.

    +
    • +

  • Section 4.2, "Handling of Principal Selection", was introduced.

    +
    • +
+

Changes between version 1.2 and 1.3:

+
    +
  • Section 4.2.1.1, "userVisibleData - Signature Message", was updated with information about the usage of Markdown in visible sign data.
    • +
+

Changes between version 1.1 and 1.2:

+
    +

  • Section 1.4, "Relying Party Configuration", was added. The section describes how a Service Provider, +using the secure-authenticator-binding entity category, may request that QR codes are used to initiate BankID operations (which is a more secure process).

    +
    • +

  • Section 3.3 was renamed from "Prompting for Personal Identity Number" to "Mobile BankID on another Device" and its contents was updated to add requirements of the use of QR codes.

    +
    • +

  • Since the BankID API now includes a cancel-method section 3.4, "Cancelling an Operation", was updated to require usage of this method if the user cancels the operation.

    +
    • +

  • Sections 3.3 and 4.2.2 were updated with new recommendations and requirements for the <psc:PrincipalSelection> extension.

    +
    • +

  • Section 6.2 was updated with a requirement that a BankID Identity Provider should include the <psc:RequestedPrincipalSelection> element in its metadata.

    +
    • +

  • The recommendation in section 3.2 concerning handling of non default browsers was updated.

    +
    • +

  • Section 4.2 was updated with a requirement that ensures that only the intended user sees a sign message.

    +
    • +
+

Changes between version 1.0 and 1.1:

+
    +
  • Section 3.4, "Cancelling an Operation" was extended with a suggestion of how to avoid dangling sessions after user cancel.
    • +
  • The profile now references the BankID Relying Party Guidelines that makes use of JSON.
    • +
+
+ + diff --git a/docs/december-2024/13_-_Signature_Activation_Protocol.html b/docs/december-2024/13_-_Signature_Activation_Protocol.html new file mode 100644 index 0000000..a130cd2 --- /dev/null +++ b/docs/december-2024/13_-_Signature_Activation_Protocol.html @@ -0,0 +1,489 @@ + + + + + + Signature Activation Protocol for Federated Signing + + + + + + +

+ + +

+

+ +

+ +

Signature Activation Protocol for Federated Signing

+

Version 1.2 - 2024-12-04

+

Registration number: 2019-317

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirement keywords

    +

    1.2. XML namespace references

    +

    1.3. Structure

    +
    2. +

  2. Signature Activation Protocol

    +

    2.1. Scope

    +

    2.2. Data Exchange

    +
    3. +

  3. Data elements

    +

    3.1. SADRequest

    +

    3.1.1. Syntax

    +

    3.1.2. Example

    +

    3.2. Signature Activation Data

    +

    3.2.1. SAD JSON Web Token

    +

    3.2.1.1. Registered JWT Claims

    +

    3.2.1.2. SAD Extension Claim

    +

    3.2.2. Example

    +

    3.2.3 Verification of a SAD

    +
    4. +

  4. Schemas

    +
    5. +

  5. Normative References

    +
    6. +

  6. Changes between versions

    +
    7. +
+

+

1. Introduction

+

This document specifies a Signature Activation Protocol (SAP) and its data elements for implementation of Sole Control Assurance Level 2 (SCAL2) according the European standards prEN 419241 - Trustworthy Systems Supporting Server Signing - Part 1 and 2 (prEN 419 241-1 [RSIG-PP-1] and prEN 419 241-2 [RSIG-PP-2]).

+

The Signature Activation Protocol (SAP) defined in this document is used to exchange data between a signature service and a delegated authenticating authority such as a SAML Identity Provider. The function of the SAP is to authenticate the intent of a signer to sign a particular document, or collection of documents, through exchange of the following data elements.

+
    +
  • Signature Activation Data (SAD) - Signed data, asserting the signer's agreement to sign specific data.
    • +
  • SADRequest - Request for a SAD.
    • +
+

The SAP specified in this document is specifically designed to be used with a signing service operating in accordance with the federated signing specification [DSS-Ext].

+

+

1.1. Requirement keywords

+

The keywords MUST, MUST NOT, REQUIRED, SHALL, +SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, +MAY, and OPTIONAL are to be interpreted as described in +[RFC2119].

+

These keywords are capitalized when used to unambiguously specify +requirements over protocol features and behavior that affect the +interoperability and security of implementations. When these words are +not capitalized, they are meant in their natural-language sense.

+

+

1.2. XML namespace references

+

The prefix sap: stands for the Signature Activation Protocol XML Schema namespace http://id.elegnamnden.se/csig/1.1/sap/ns (https://docs.swedenconnect.se/schemas/csig/1.1/EidCsigSAP-1.1.xsd).

+

The prefix saml2: stands for the OASIS SAML 2 Assertion Schema namespace urn:oasis:names:tc:SAML:2.0:assertion.

+

The prefix saml2p: stands for the OASIS SAML 2 Protocol Schema namespace urn:oasis:names:tc:SAML:2.0:protocol.

+

+

1.3. Structure

+

This specification uses the following typographical conventions in text: +<Eid2Element>, <ns:ForeignElement>, Attribute, Datatype, +OtherCode.

+

+

2. Signature Activation Protocol

+

+

2.1. Scope

+

The scope of the Signature Activation Protocol (SAP) is to support request for and delivery of the Signature Activation Data (SAD) to the Signature Activation Module (SAM). The SAM is a tamper resistant module inside the Remote Signing Service which validates the SAD in order to ensure that:

+
    +
  • the signer is properly authenticated,
    • +
  • the signer agrees to sign the data to be signed, and,
    • +
  • the correct signing key for this signer and this instance of signing is properly identified.
    • +
+

The federated signing model does not use pre-assigned signing keys. Instead, a new signing key is generated for each sign request and then permanently deleted. This particular use-case is recognised by prEN 419 241-1 [RSIG-PP-1] and prEN 419 241-2 [RSIG-PP-2], which under these conditions allows the signature key reference to be implicit and derived from the signer's identity. For the present implementation of the SAP the following data is included in the SAD:

+
    +
  • the signer's identity,
    • +
  • information about how the signer was authenticated and by whom, and,
    • +
  • reference to the signature request, binding this instance of authentication to the specific instance of signing, the data being signed and the agreement to sign.
    • +
+

This implements the scenario where the Identity Provider is the sole entity which can verify the signer's private credentials via the SIC (Signer’s Interaction Component). This instance of authentication is used by the Identity Provider to generate the SAD in accordance with section 5.10 of [RSIG-PP-1].

+

+

2.2. Data exchange

+

This document specifies exchange of two data elements:

+
    +
  • SADRequest
    • +
  • SAD
    • +
+

The SADRequest SHALL have the format defined in section 3.1. When a Remote Signing Service request a SAD from the Identity Provider, it MUST include the SADRequest element as a request extension by including it as a child element to a <saml2p:Extensions> element in the <saml2p:AuthnRequest>.

+

When an Identity Provider returns a SAD, as defined in section 3.2, in a SAML Assertion, it MUST be included as a single string value of a sad attribute identified by the attribute name urn:oid:1.2.752.201.3.12 as defined in the attribute specification [EidAttributes].

+

+

3. Data elements

+

The SAD requested in the SAP binds the documents to be signed to the intent by the signer to sign. This is accomplished by the interaction of a number of independent information attributes and elements as follows:

+
    +
  • Sign request ID. Identifies the sign request for signing specific documents. This sign request is sent to the signing service from the service provider requesting the signature. The sign request bound by this identifier contains all detailed data about what is being signed.
    • +
  • LoA. The level of assurance declaration asserting the level of security used to authenticate the user.
    • +
  • Number of documents to sign. Ensures that the user is aware whether more than one document is being signed. This allows adaptations of the signing UI displayed by the Identity Provider.
    • +
  • Identity of the signer. Allows verification that the signature is bound to the appropriate signer.
    • +
  • SAD Request ID. Unique identifier for the SADRequest element. This identifier is later included in the SAD in order to accomplish a binding between the request and the issued SAD.
    • +
+

The SAD request and the SAD specified in this section specifies the data that needs to be exchanged in addition to other protocol elements specified by SAML as well as the federated signing specification [DSS-Ext].

+

+

3.1. SADRequest

+

+

3.1.1. Syntax

+

The SAD Request is provided in a <sap:SADRequest> element. The element has the following elements and attributes:

+

<RequesterID> [Required]

+
+

Specifies the SAML entityID of the requesting entity. The value for this element should be the same identifier as given in the <saml2:Issuer> element of the <saml2p:AuthnRequest> that encapsulates the <sap:SADRequest> extension.

+
+

<SignRequestID> [Required]

+
+

Specifies the value of the RequestID attribute of the associated SignRequest.

+
+

<DocCount> [Required]

+
+

The number of requested signatures in the associated sign request.

+
+

<RequestedVersion> [Optional Default="1.0"]

+
+

The requested version of the SAD.

+
+

<RequestParams> [Optional]

+
+

Optional parameters provided as name-value pairs. This specification does not define any parameters. The use of parameters may be defined in profiles of this specification or may be negotiated by other means between a remote signing service and an Identity Provider.

+
+

ID [Required]

+
+

Attribute holding a unique identifier for the SADRequest.

+
+

The following schema fragment defines the <sap:SADRequest> element:

+
<xs:element name="SADRequest" type="sap:SADRequestType" />
+
+<xs:complexType name="SADRequestType">
+  <xs:sequence>
+    <xs:element name="RequesterID" type="xs:string" />
+    <xs:element name="SignRequestID" type="xs:string" />
+    <xs:element name="DocCount" type="xs:int" />
+    <xs:element name="RequestedVersion" type="xs:string" minOccurs="0" default="1.0" />
+    <xs:element name="RequestParams" minOccurs="0">
+      <xs:complexType>
+        <xs:sequence>
+          <xs:element name="Parameter" type="sap:ParameterType" minOccurs="0" maxOccurs="unbounded" />
+        </xs:sequence>
+      </xs:complexType>
+    </xs:element>
+  </xs:sequence>
+  <xs:attribute name="ID" type="xs:ID" use="required" />
+</xs:complexType>
+
+<xs:complexType name="ParameterType">
+  <xs:simpleContent>
+    <xs:extension base="xs:string">
+      <xs:attribute name="name" type="xs:string" use="required" />
+    </xs:extension>
+  </xs:simpleContent>
+</xs:complexType>

+

3.1.2. Example

+
<sap:SADRequest ID="_a74a068d0548a919e503e5f9ef901851" xmlns:sap="http://id.elegnamnden.se/csig/1.1/sap/ns">
+  <sap:RequesterID>http://www.example.com/sigservice</sap:RequesterID>
+  <sap:SignRequestID>f6e7d061a23293b0053dc7b038a04dad</sap:SignRequestID>
+  <sap:DocCount>1</sap:DocCount>
+  <sap:RequestedVersion>1.0</sap:RequestedVersion>
+  <sap:RequestParams>
+    <sap:Parameter name="ParamName">paramValue</sap:Parameter>
+  </sap:RequestParams>
+</sap:SADRequest>

Example of a SADRequest.

+

+

3.2. Signature Activation Data

+

+

3.2.1. SAD JSON Web Token

+

This section specifies a JSON Web Token (JWT) in accordance with [RFC7519] as the SAD container, binding the data as defined in section 2.1.

+

The SAD JWT MUST have the form of a signed JWS (JSON Web Signature).

+

+
3.2.1.1. Registered JWT Claims
+

The data signed by the SAD JWT is carried in the JWS payload in the form of JWT claims using registered claim names (as specified in [RFC7519]) in addition to one private claim name (seElnSadext) specified in section 3.2.1.2. The following table defines the use of registered claims.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
nameContent
subSubject - holds the attribute value of the signer's unique identifier.
audAudience - holds the entityID of the Signature Service which is the legitimate recipient of this SAD. This value corresponds to the <sap:RequesterID> element of the SAD request.
issIssuer - holds the entityID of the IdP that generated this SAD.
expExpiry - specifies the time when this SAD is no longer valid (epoch time/seconds since 1970-01-01).
iatIssued At - specifies the time when this SAD was issued (epoch time/seconds since 1970-01-01).
jtiUnique identifier of this SAD.
+

+
3.2.1.2. SAD Extension Claim
+

A private claim name is defined in this specification which extends the registered claims with additional SAD data:

+
+

seElnSadext

+
+

The claim identified by this name has the value of a JSON object holding name-value pairs in accordance with the following table:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeContent
verStringThe version of this claim, default 1.0 (Optional).
irtStringIn Response To - holds the identifier of the SAD request (ID attribute) that was used to request this SAD.
attrStringAttribute - holds the URI identifier of the attribute specifying the users unique identifier value.
loaStringLevelOfAssurance - holds the URI identifier of the level of assurance (LoA) used to authenticate the signer.
reqidStringRequestID - holds the ID of the sign request associated with this SAD. Inclusion of this ID assert that the authenticated subject agrees to sign the docuements identified by this sign reqeust.
docsIntegerSpecifies the number of documents to be signed in the associated sign request.
+

+

3.2.2. Example

+

The following example illustrates a claim binding the following claim values:

+

Registered Claims

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameValue
sub197802031877
audhttps://sandbox.swedenconnect.se/eid2cssp
isshttp://dev.test.swedenconnect.se/idp
exp1666128029 (Oct 18, 2022, 23:20:29 CET)
iat1666127729 (Oct 18, 2022, 23:15:29 CET)
jtiNbnmpGA1gwtL3AgtKPfe77Ia
+

seElnSadext Claim

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameValue
ver1.0
irt752c30b3-30c1-49f0-ab04-a28909dc3b67
attrurn:oid:1.2.752.29.4.13
loahttp://id.elegnamnden.se/loa/1.0/loa3
reqid70fabf30-d474-4d21-8463-2c6811005ce0
docs4
+

JWS Header

+

The Header of the JWS specifies that it is a JWT by the "typ" parameter and the signature algoritm through the "alg" parameter. In this example the header is {"typ":"JWT","alg":"RS256"}. The Base64 URL-encoded header is:

+
+

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9

+
+

JWS Payload

+

The JWS payload holding the JWT claims is represented by the following JSON object:

+
{
+    "sub": "197802031877",
+    "aud": "https://sandbox.swedenconnect.se/eid2cssp",
+    "iss": "http://dev.test.swedenconnect.se/idp",
+    "exp": 1666128029,
+    "iat": 1666127729,
+    "jti": "NbnmpGA1gwtL3AgtKPfe77Ia",
+    "seElnSadext": {
+        "ver": "1.0",
+        "irt": "752c30b3-30c1-49f0-ab04-a28909dc3b67",
+        "attr": "urn:oid:1.2.752.29.4.13",
+        "loa": "http://id.elegnamnden.se/loa/1.0/loa3",
+        "reqid": "70fabf30-d474-4d21-8463-2c6811005ce0",
+        "docs": 4
+    }
+}
+

This payload is represented by the following Base64 URL-encoded string:

+
+

eyJzdWIiOiIxOTc4MDIwMzE4NzciLCJhdWQiOiJodHRwczovL3NhbmRib3guc3dlZGVuY29ubmVjdC5zZS9laWQyY3NzcCIsImlzcyI6Imh0dHA6Ly9kZXYudGVzdC5zd2VkZW5jb25uZWN0LnNlL2lkcCIsImV4cCI6MTY2NjEyODAyOSwiaWF0IjoxNjY2MTI3NzI5LCJqdGkiOiJOYm5tcEdBMWd3dEwzQWd0S1BmZTc3SWEiLCJzZUVsblNhZGV4dCI6eyJ2ZXIiOiIxLjAiLCJpcnQiOiI3NTJjMzBiMy0zMGMxLTQ5ZjAtYWIwNC1hMjg5MDlkYzNiNjciLCJhdHRyIjoidXJuOm9pZDoxLjIuNzUyLjI5LjQuMTMiLCJsb2EiOiJodHRwOi8vaWQuZWxlZ25hbW5kZW4uc2UvbG9hLzEuMC9sb2EzIiwicmVxaWQiOiI3MGZhYmYzMC1kNDc0LTRkMjEtODQ2My0yYzY4MTEwMDVjZTAiLCJkb2NzIjo0fX0

+
+

JWT

+

The complete SAD JWT including signature:

+
+

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxOTc4MDIwMzE4NzciLCJhdWQiOiJodHRwczovL3NhbmRib3guc3dlZGVuY29ubmVjdC5zZS9laWQyY3NzcCIsImlzcyI6Imh0dHA6Ly9kZXYudGVzdC5zd2VkZW5jb25uZWN0LnNlL2lkcCIsImV4cCI6MTY2NjEyODAyOSwiaWF0IjoxNjY2MTI3NzI5LCJqdGkiOiJOYm5tcEdBMWd3dEwzQWd0S1BmZTc3SWEiLCJzZUVsblNhZGV4dCI6eyJ2ZXIiOiIxLjAiLCJpcnQiOiI3NTJjMzBiMy0zMGMxLTQ5ZjAtYWIwNC1hMjg5MDlkYzNiNjciLCJhdHRyIjoidXJuOm9pZDoxLjIuNzUyLjI5LjQuMTMiLCJsb2EiOiJodHRwOi8vaWQuZWxlZ25hbW5kZW4uc2UvbG9hLzEuMC9sb2EzIiwicmVxaWQiOiI3MGZhYmYzMC1kNDc0LTRkMjEtODQ2My0yYzY4MTEwMDVjZTAiLCJkb2NzIjo0fX0.Qn-K-5V5-979GMITVSXgqWOrSVQfYFUMLv0P8PLUMSZzF6s6Zk05SOztH3XGN-4AjmjQeBHcqylpzoqG26eIXW7kuJZB9zodhAyTcvOogQj62XUFsoun5wfWpou8v8-Cpw1G4cwFZdMKt-oRbN43ViZ8u7EIZHBjzYMxfJNgMv2YGmzMQDPQLmtIW-f_O0nE_NPcFsaweYGJXcEWxi7fE3wzNnOR2rPBgQ3L0oehF2mP9dhenlptKrugH6Ru6eLZH66yFaAtR5RRA2m1wh2fXnwXJWO0-8jrvIZiZ9GLDt9W0r1Hs5Le--KPeuPcStli0nIi5YVLoAiGUaHc-Eb_DILwdqYpHS6mxJL3lb8j8u5JsIdEj9FEpqD8MlCbVM4HaWDL_wIiU16QVUOrxPUjoo3wyxLYhW6x3WnQ2an8fhIgahck7m9gS6_rVHKG1OAL_jn4h5jZzP-gX9yZeNcfTmhSiEdwrObydZ4dKx7JGEbmKn4EK1-8Pc65SOj9Zg5jTsRsl6uo9dMoJ-35Tb-x5IKsGs9Y1_94NCuqJH_a7HgC8nORfHBDOTPjzG008FLEFHSRmql6hYSYEd9F3kvR5816KixZpLT_BEED1m4RNdufa8nYEgEroi6X_AvmjpZKiwXCgnJyW6_80IIV89EMViiQ-BjTSSt8AK5KxxpTLkA

+
+

+

3.2.3. Verification of a SAD

+

The recipient of a requested SAD MUST verify it as part of the SAML response processing by asserting the following:

+
    +
  • That the signature of the SAD JWT verifies correctly using the signature certificate of the issuing Identity Provider (found in the Identity Provider metadata).
    • +
  • That the version of the SAD (seElnSadext.ver) matches the <sap:RequestedVersion> element of the <sap:SADRequest>.
    • +
  • That the audience (aud) matches the entityID of the recipient, i.e., matches the <sap:RequesterID> element from the <sap:SADRequest>.
    • +
  • That the issuer (iss) value matches the issuer entityID of the assertion containing the SAD (*).
    • +
  • That the SAD is valid by checking the expiry (exp) and issued-at (iat) values (allowing for a reasonable clock skew).
    • +
  • That the in-response-to (seElnSadExt.irt) value matches that ID of the corresponding <sap:SADRequest>.
    • +
  • That the subject (sub) value is also represented in the SAML assertion as an attribute having the name given by the seElnSadExt.attr field.
    • +
  • That the level of assurance (seElnSadEx.loa) value matches the value given in the <saml2:AuthnContextClassRef> element of the assertion.
    • +
  • That the request ID (seElnSadEx.reqid) value matches the ID for the sign request (which is passed in the <sap:SignRequestID> element of the <sap:SADRequest>).
    • +
  • That the number of documents specified in the SAD (seElnSadEx.docs) matches the <sap:DocCount> element of the <sap:SADRequest>.
    • +
+

If any of the above verification steps fail, the Signature Service MUST reject the assertion.

+
+

[*]: In the case where a Signature Service communicates with a Proxy Identity Provider that forwards requests to an authenticating Identity Provider that issues a SAD, the iss-value of the SAD will differ from the issuer of the assertion that is received by the Signature Service. In these cases the Signature Service should compare the iss-value with the value found in the <saml2:AuthenticatingAuthority> element of the assertion, or with relevant local policy and out-of-band configuration data.

+
+

+

4. Schemas

+

The following XML schema defines the http://id.elegnamnden.se/csig/1.1/sap/ns name space:

+
<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+    targetNamespace="http://id.elegnamnden.se/csig/1.1/sap/ns"
+    xmlns:sap="http://id.elegnamnden.se/csig/1.1/sap/ns">
+
+  <xs:annotation>
+    <xs:documentation>
+      Schema location URL: https://docs.swedenconnect.se/schemas/csig/1.1/EidCsigSAP-1.1.xsd
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:element name="SADRequest" type="sap:SADRequestType" />
+
+  <xs:complexType name="SADRequestType">
+    <xs:sequence>
+      <xs:element name="RequesterID" type="xs:string" />
+      <xs:element name="SignRequestID" type="xs:string" />
+      <xs:element name="DocCount" type="xs:int" />
+      <xs:element name="RequestedVersion" type="xs:string" minOccurs="0" default="1.0" />
+      <xs:element minOccurs="0" name="RequestParams">
+        <xs:complexType>
+          <xs:sequence>
+            <xs:element name="Parameter" type="sap:ParameterType" minOccurs="0" maxOccurs="unbounded" />
+          </xs:sequence>
+        </xs:complexType>
+      </xs:element>
+    </xs:sequence>
+    <xs:attribute name="ID" type="xs:ID" use="required" />
+  </xs:complexType>
+
+  <xs:complexType name="ParameterType">
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="name" type="xs:string" use="required" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+</xs:schema>

+

5. Normative References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[RFC7519]

+
+

Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.

+
+

+[EidAttributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[DSS-Ext]

+
+

DSS Extension for Federated Central Signing Services.

+
+

+[RSIG-PP-1]

+
+

European Standard prEN 419241-1 - Trustworthy Systems Supporting Server Signing - Part 1: +General System Security Requirements

+
+

+[RSIG-PP-2]

+
+

European Standard prEN 419241-2 - Trustworthy Systems Supporting Server Signing - Part 2: +Protection profile for QSCD for Server Signing

+
+

+

6. Changes between versions

+

Changes between version 1.1 and 1.2:

+
    +

  • The protocol logic was clarified by removing references to sign message (which was never present in the actual protocol) and replacing this with a clarification of the semantics of including the Sign Request ID in SAD to assert the acceptance to sign the documents referenced in that Sign Request.

    +
    • +

  • Updated examples where the use of "signmessage" LoA URI:s was removed.

    +
    • +

  • Updated broken links.

    +
    • +
+

Changes between version 1.0 and 1.1:

+
    +
  • The RequestedVersion element of the SADRequestType is now marked as optional in the schema definition.
    • +
+
+ + diff --git a/docs/december-2024/14_-_Principal_Selection_in_SAML_Authentication_Requests.html b/docs/december-2024/14_-_Principal_Selection_in_SAML_Authentication_Requests.html new file mode 100644 index 0000000..887e865 --- /dev/null +++ b/docs/december-2024/14_-_Principal_Selection_in_SAML_Authentication_Requests.html @@ -0,0 +1,234 @@ + + + + + + Principal Selection in SAML Authentication Requests + + + + + + +

+ + +

+

+ +

+ +

Principal Selection in SAML Authentication Requests

+

Version 1.0 - 2020-01-17

+

Registration number: 2019-318

+
+

+Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2020. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation

    +

    1.2. XML Namespace References

    +

    1.3. Structure

    +
    2. +

  2. Data elements

    +

    2.1. PrincipalSelection

    +

    2.1.1. MatchValue

    +

    2.2. RequestedPrincipalSelection

    +
    3. +

  3. Examples

    +

    3.1. Authentication Requests

    +

    3.2. Metadata Extension

    +
    4. +

  4. Schemas

    +
    5. +

  5. Normative References

    +
    6. +

  6. Changes between versions

    +
    7. +
+

+

1. Introduction

+

When a Service Provider requests authentication of a user (principal), the Service Provider may have prior knowledge about the user to be authenticated, for example, when re-authenticating an already authenticated user, or when a user authenticates to a signature service where the user signs a document in a context where he or she already has been authenticated.

+

This specification defines the <psc:PrincipalSelection> element that may be included in the <saml2p:Extensions> element of a SAML <saml2p:AuthnRequest> where the requesting Service Provider can specify matching criteria that may be used by the Identity Provider to select the particular user that should be authenticated.

+

The specification also defines the <psc:RequestedPrincipalSelection> element that should be used by Identity Providers that may need information about a known user in order to avoid prompting for the user ID1. The element should be included as an extension in the Identity Provider metadata under the <md:IDPSSODescriptor> element.

+

Even though the main purpose of the <psc:PrincipalSelection> extension is to aid the Identity Provider +in selecting a particular subject for the authentication, an Identity Provider MAY also compare the match +values present in the extension with the resulting attributes from the user authentication, and in case of a +mismatch, respond with an error. In these cases the second-level SAML status code MUST be set to +urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal [SAML2Core].

+
+

[1]: The typical use case is when a user once has authenticated for a service and provided his or hers user ID to the Identity Provider, and is about to perform a signature. If the Identity Provider prompts the user for the user ID once again the user experience is poor and the Service Provider will receive customer complaints.

+
+

+

1.1. Requirements Notation

+

The key words MUST, MUST NOT, REQUIRED, SHALL, +SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, +MAY, and OPTIONAL are to be interpreted as described in +[RFC2119].

+

These keywords are capitalized when used to unambiguously specify requirements over protocol features and behaviour that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

+

+

1.2. XML Namespace References

+

The prefix psc: stands for the Principal Selection Criteria XML schema namespace http://id.swedenconnect.se/authn/1.0/principal-selection/ns.

+

The prefix saml2: stands for the OASIS SAML 2 Assertion schema namespace urn:oasis:names:tc:SAML:2.0:assertion.

+

The prefix saml2p: stands for the OASIS SAML 2 Protocol schema namespace urn:oasis:names:tc:SAML:2.0:protocol.

+

The prefix md: stands for the OASIS SAML 2 Metadata schema namespace urn:oasis:names:tc:SAML:2.0:metadata.

+

+

1.3. Structure

+

This specification uses the following typographical conventions in text: +<LocalElement>, <ns:ForeignElement>, Attribute, Datatype, +OtherCode.

+

+

2. Data elements

+

This specification defines the element <PrincipalSelection> to be included in the <Extensions> element of an AuthnRequest.

+

This element MAY be used by an Identity Provider to select the subject to authenticate.

+

+

2.1. PrincipalSelection

+

The Principal Selection Criteria is provided in a <PrincipalSelection> element. The element has the following elements and attributes:

+

<MatchValue> [One or more]

+
+

This element holds values that MAY be used by the Identity Provider to match against a principal to be authenticated.

+
+

The following schema fragment defines the <PrincipalSelection> element:

+
<xs:element name="PrincipalSelection" type="psc:PrincipalSelectionType"/>
+<xs:complexType name="PrincipalSelectionType">
+  <xs:sequence>
+    <xs:element maxOccurs="unbounded" name="MatchValue" type="psc:MatchValueType" minOccurs="1"/>
+  </xs:sequence>
+</xs:complexType>

+

2.1.1 MatchValue

+

The <MatchValue> element contains a string value to be matched against the selected principal. This element has the following attributes which determines the meaning of the match value:

+

Name [Required]

+
+

The identifying name of the type of identifier value expressed in the MatchValue element. This is analogous to the Name attribute of a SAML <saml2:Attribute> element.

+
+

NameFormat [Default urn:oasis:names:tc:SAML:2.0:attrname-format:uri]

+
+

Attribute specifying the format of the Name attribute value. This attribute is analogous to the NameFormat attribute of a SAML <saml2:Attribute> element.

+
+

##any [Optional]

+
+

Extension point for any attribute in accordance with local conventions and future specifications.

+
+

The following schema fragment defines the <MatchValueType> complex type:

+
<xs:complexType name="MatchValueType">
+  <xs:simpleContent>
+    <xs:extension base="xs:string">
+      <xs:attribute name="NameFormat" type="xs:anyURI"
+          default="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+      <xs:attribute name="Name" type="xs:string" use="required"/>
+      <xs:anyAttribute namespace="##any"/>
+    </xs:extension>
+  </xs:simpleContent>
+</xs:complexType>

+

2.2. RequestedPrincipalSelection

+

An Identity Provider uses the <RequestedPrincipalSelection> element to declare that it wishes to receive the <PrincipalSelection> extension element in authentication requests. The contained MatchValue elements should contain no values, only the attribute name of a MatchValue element is relevant to declare which attributes of a known user that is interest for the Identity Provider.

+

The following schema fragment defines the <RequestedPrincipalSelection> element:

+
<xs:element name="RequestedPrincipalSelection" type="psc:RequestedPrincipalSelectionType" />
+<xs:complexType name="RequestedPrincipalSelectionType">
+  <xs:complexContent>
+    <xs:extension base="psc:PrincipalSelectionType" />
+  </xs:complexContent>
+</xs:complexType>

+

3. Examples

+

Attributes in the examples below are specified in [EidAttributes].

+

+

3.1. Authentication Requests

+
...
+<saml2p:Extensions>
+  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">197309069289</psc:MatchValue>
+  </psc:PrincipalSelection>
+</saml2p:Extensions>
+...

Example of a PrincipalSelection specifying a Swedish personal identity number (personnummer) as match attribute.

+
...
+<saml2p:Extensions>
+  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">198906059483</psc:MatchValue>
+    <psc:MatchValue Name="urn:oid:1.2.752.201.3.4">NO:05068907693</psc:MatchValue>
+  </psc:PrincipalSelection>
+<saml2p:Extensions>
+...

Example of a PrincipalSelection specifying two alternative matching policies. The first policy specifies a Swedish personal identity number (personnummer) and the second specifies a ProvisionalID attribute.

+

+

3.2. Metadata Extension

+
...
+<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
+     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  <md:Extensions>
+    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+      ...
+    </mdui:UIInfo>
+    <psc:RequestedPrincipalSelection 
+         xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13" />
+    </psc:RequestedPrincipalSelection>
+  </md:Extensions>
+  <md:KeyDescriptor use="signing">
+    ...

Example of how an Identity Provider advertises, it its metadata, that it wishes to receive the Swedish personal identity number (personnummer) of the user in a <PrincipalSelection> extension element of the authentication request if this information is known to the requestor.

+

+

4. Schemas

+

The following XML schema defines the http://id.swedenconnect.se/authn/1.0/principal-selection/ns namespace:

+
<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+  targetNamespace="http://id.swedenconnect.se/authn/1.0/principal-selection/ns"
+  xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+
+  <xs:annotation>
+    <xs:documentation>
+      Schema location URL: https://docs.swedenconnect.se/schemas/authn/1.0/PrincipalSelection-1.0.xsd
+    </xs:documentation>
+  </xs:annotation>
+  
+  <xs:element name="PrincipalSelection" type="psc:PrincipalSelectionType" />
+  <xs:complexType name="PrincipalSelectionType">
+    <xs:sequence>
+      <xs:element name="MatchValue" type="psc:MatchValueType" minOccurs="1" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  
+  <xs:element name="RequestedPrincipalSelection" type="psc:RequestedPrincipalSelectionType" />
+  <xs:complexType name="RequestedPrincipalSelectionType">
+    <xs:complexContent>
+      <xs:extension base="psc:PrincipalSelectionType" />
+    </xs:complexContent>
+  </xs:complexType>
+  
+  <xs:complexType name="MatchValueType">
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="NameFormat" type="xs:anyURI" 
+            default="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
+        <xs:attribute name="Name" type="xs:string" use="required" />
+        <xs:anyAttribute namespace="##any" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+  
+</xs:schema>

+

5. Normative References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[EidAttributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+

6. Changes between versions

+

This is the first version of this specification.

+
+ + diff --git a/docs/december-2024/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html b/docs/december-2024/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html new file mode 100644 index 0000000..c3906c6 --- /dev/null +++ b/docs/december-2024/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html @@ -0,0 +1,220 @@ + + + + + + User Message Extension in SAML Authentication Requests + + + + + + +

+ + +

+

+ +

+ +

User Message Extension in SAML Authentication Requests

+

Version 1.0 - 2024-12-04

+

Registration number: 2024-7673

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation

    +

    1.2. XML Namespace References

    +

    1.3. Structure

    +
    2. +

  2. Data elements

    +
    3. +

  3. Usage Requirements

    +

    3.1. Identity Provider Requirements

    +

    3.2. Service Provider Requirements

    +
    4. +

  4. Examples

    +
    5. +

  5. Schemas

    +
    6. +

  6. Normative References

    +
    7. +

  7. Changes between versions

    +
    8. +
+

+

1. Introduction

+

When a Service Provider requests authentication of a user, the Service Provider may want to pass a message along for the user to see during the authentication phase at the Identity Provider. Normally, an Identity Provider displays information about the requesting Service Provider for the user based on the registered presentation data from the SP's SAML metadata entry. This information is static and its purpose is to show for the user that he or she is still in the context of the Service Provider.

+

By using dynamic user messages to be displayed at the Identity Provider side (possibly in an authentication device such as a mobile phone), the Service Provider may further strengthen the coupling to its current context. Examples of messages can be information about the purpose of the authentication or warnings and prompts for the user to not authenticate based on another person's request.

+

This specification defines the <umsg:UserMessage> element that may be included in the <saml2p:Extensions> element of a SAML <saml2p:AuthnRequest> where the requesting Service Provider can specify a message text that is to be displayed by the Identity Provider during the user authentication process.

+

+

1.1. Requirements Notation

+

The keywords MUST, MUST NOT, REQUIRED, SHALL, +SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, +MAY, and OPTIONAL are to be interpreted as described in +[RFC2119].

+

These keywords are capitalized when used to unambiguously specify requirements over protocol features and behaviour that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

+

+

1.2. XML Namespace References

+

The prefix umsg: stands for the User Message Extension XML schema namespace http://id.swedenconnect.se/authn/1.0/user-message/ns.

+

The prefix saml2: stands for the OASIS SAML 2 Assertion schema namespace urn:oasis:names:tc:SAML:2.0:assertion.

+

The prefix saml2p: stands for the OASIS SAML 2 Protocol schema namespace urn:oasis:names:tc:SAML:2.0:protocol.

+

The prefix md: stands for the OASIS SAML 2 Metadata schema namespace urn:oasis:names:tc:SAML:2.0:metadata.

+

+

1.3. Structure

+

This specification uses the following typographical conventions in text: +<LocalElement>, <ns:ForeignElement>, Attribute, Datatype, +OtherCode.

+

+

2. Data elements

+

This specification defines the element <UserMessage> to be included in the <Extensions> element of an AuthnRequest.

+

This element MAY be included by a Service Provider asking the Identity Provider to display a given message for the user during the authentication phase. The element has the following elements and attributes:

+

<Message> [One or more]

+
+

Element that holds the user message for a specific language. See below.

+
+

mimeType

+
+

The MIME type for the text contained in all Message elements. This specification defines two possible values that are text/plain (where ;charset=UTF-8 is an implicit condition) and text/markdown1. If no value is given for this field, text/plain MUST be assumed. Other profiles MAY add support for additional MIME types.

+
+

The following schema fragment defines the <UserMessage> element:

+
<xs:element name="UserMessage" type="umsg:UserMessageType"/>
+
+<xs:complexType name="UserMessageType">
+  <xs:sequence>
+    <xs:element name="Message" type="umsg:MessageType" minOccurs="1" maxOccurs="unbounded"/>
+  </xs:sequence>
+  <xs:attribute name="mimeType" type="xs:string" default="text/plain">
+    <xs:annotation>
+      <xs:documentation>The format of the user message(s)</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:anyAttribute namespace="##any" processContents="lax"/>
+</xs:complexType>

The <Message> element is defined by the following schema definition:

+
<xs:complexType name="MessageType">
+  <xs:simpleContent>
+    <xs:extension base="xs:base64Binary">
+      <xs:attribute ref="xml:lang" use="required"/>
+      <xs:anyAttribute namespace="##any" processContents="lax"/>
+    </xs:extension>
+  </xs:simpleContent>
+</xs:complexType>

The <Message> element contains the Base64-encoding of the UTF-8 string holding the message to display to the user for a specific language.

+

The required xml:lang attribute contains the language tag for the message's language according to [BCP47].

+
+

[1]: The Markdown dialect, and potential restrictions for tags, is not regulated in this specification. However, the Markdown SHOULD NOT contain HTML-tags for security reasons.

+
+

+

3. Usage Requirements

+

+

3.1. Identity Provider Requirements

+

An Identity Provider that supports the <umsg:UserMessage> extension MUST declare this support in its metadata entry by declaring the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category (see section 6.3 of [SC.SAML.EntCat]).

+

Identity Providers compliant with this specification MUST support the text/plain and text/markdown MIME types.

+

An OpenID Provider MUST NOT display a user message unless the user is being authenticated. Thus, if the IsPassive-flag of the authentication request is set to true, the Identity Provider MUST NOT display the user message.

+

An Identity Provider that receives a <umsg:UserMessage> extension containing user messages in several languages SHOULD display the message that best matches the user's current locale at the Identity Provider. If no message matches the user's current locale, the Identity Provider SHOULD select the first message from the list.

+

An Identity Provider MUST refuse to display a message if it does not support a given MIME type. It MAY respond with an error if a non-supported MIME type is received.

+

Should a message contain illegal characters, or any other constructs not accepted by the Identity Provider, the Identity Provider MAY choose not to display the message, or filter the message before displaying it.

+

The Identity Provider MUST be able to handle messages containing line breaks.

+

+

3.2. Service Provider Requirements

+

A Service Provider SHOULD check whether an Identity Provider supports the <umsg:UserMessage> extension before including it in a <saml2p:AuthnRequest> element. This is done by checking the Identity Provider metadata entry for the presence of the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category (see 3.1 above).

+

A Service Provider MUST NOT supply user messages that contains integrity sensitive information. The message will be displayed for the user before he or she is authenticated.

+

+

4. Examples

+

Example of supplying a user message in Swedish ("Jag vill logga in till example.com") and in +English ("I wish to log in to example.com"):

+
...
+<saml2p:Extensions>
+  <umsg:UserMessage xmlns:umsg="http://id.swedenconnect.se/authn/1.0/user-message/ns"
+                    mimeType="text/plain">
+    <umsg:Message xml:lang="sv">
+      SmFnIHZpbGwgbG9nZ2EgaW4gdGlsbCBleGFtcGxlLmNvbQ==
+    </umsg:Message>
+    <umsg:Message xml:lang="en">
+      SSB3aXNoIHRvIGxvZ2luIHRvIGV4YW1wbGUuY29t
+    </umsg:Message>
+  </umsg:UserMessage>
+</saml2p:Extensions>
+...

+

5. Schemas

+

The following XML schema defines the http://id.swedenconnect.se/authn/1.0/user-message/ns namespace:

+
<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+           targetNamespace="http://id.swedenconnect.se/authn/1.0/user-message/ns"
+           xmlns:umsg="http://id.swedenconnect.se/authn/1.0/user-message/ns">
+
+  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+
+  <xs:annotation>
+    <xs:documentation>
+      Schema location URL: https://docs.swedenconnect.se/schemas/authn/1.0/UserMessage-1.0.xsd
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:element name="UserMessage" type="umsg:UserMessageType"/>
+
+  <xs:complexType name="UserMessageType">
+    <xs:annotation>
+      <xs:documentation>List of user messages (in different languages)</xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element name="Message" type="umsg:MessageType" minOccurs="1" maxOccurs="unbounded"/>
+    </xs:sequence>
+    <xs:attribute name="mimeType" type="xs:string" default="text/plain">
+      <xs:annotation>
+        <xs:documentation>The MIME type of the user message(s)</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:anyAttribute namespace="##any" processContents="lax"/>
+  </xs:complexType>
+
+  <xs:complexType name="MessageType">
+    <xs:annotation>
+      <xs:documentation>
+        The Base64-encoding of UTF-8 string holding the user message.
+      </xs:documentation>
+    </xs:annotation>
+    <xs:simpleContent>
+      <xs:extension base="xs:base64Binary">
+        <xs:attribute ref="xml:lang" use="required"/>
+        <xs:anyAttribute namespace="##any" processContents="lax"/>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+
+</xs:schema>

+

6. Normative References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement +Levels, March 1997.

+
+

+[BCP47]

+
+

Tags for Identifying Languages, September 2009.

+
+

+[SAML2Core]

+
+

OASIS Standard, Assertions and Protocols for the OASIS Security +Assertion Markup Language (SAML) V2.0, March +2005.

+
+

+[SC.SAML.EntCat]

+
+

Entity Categories for the Swedish eID Framework.

+
+

+

7. Changes between versions

+

This is the first version of this specification.

+
+ + diff --git a/docs/december-2024/OpenID_Connect_Claims_and_Scopes_Specification.html b/docs/december-2024/OpenID_Connect_Claims_and_Scopes_Specification.html new file mode 100644 index 0000000..18915a4 --- /dev/null +++ b/docs/december-2024/OpenID_Connect_Claims_and_Scopes_Specification.html @@ -0,0 +1,381 @@ + + + + + + OpenID Connect Claims and Scopes Specification for Sweden Connect + + + + + + +

+ + +

+

+ +

+ +

OpenID Connect Claims and Scopes Specification for Sweden Connect

+

Version 1.0 - 2024-12-04

+

Registration number: 2024-7704

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation and Conventions

    +
    2. +

  2. Claims

    +

    2.1. eIDAS Claims

    +

    2.1.1. Provisional Identifier

    +

    2.1.2. Provisional Identifier Persistence Indicator

    +

    2.1.3. Mapped Swedish Personal Identity Number

    +

    2.1.4. Mapped Swedish Coordination Number

    +

    2.1.5. Identity Binding

    +

    2.1.6. eIDAS Person Identifier

    +

    2.1.7. eIDAS Country

    +
    3. +

  3. Scopes

    +

    3.1. eIDAS Scopes

    +

    3.1.1. eIDAS Natural Person Identity

    +

    3.1.2. eIDAS Natural Person with Swedish Identity

    +

    3.1.3. Additional eIDAS Claims

    +
    4. +

  4. References

    +
    5. +

  5. Changes between versions

    +
    6. +
+

Appendix A: Conversion of eIDAS Attributes

+
+

+

1. Introduction

+

This specification extends the "Claims and Scopes Specification for the Swedish OpenID Connect Profile", [OIDC.Sweden.Claims], with OpenID Connect claims and scopes for usage within the Sweden Connect federation.

+

+

1.1. Requirements Notation and Conventions

+

The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in [RFC2119].

+

These keywords are capitalized when used to unambiguously specify requirements over protocol features and behaviour that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

+

+

2. Claims

+

This section defines a set of claims that extend the claims defined in [OIDC.Sweden.Claims], and the set of standard claims defined in [RFC7515] and section 5.1 of [OpenID.Core]. A full listing of standard claims can be found in the IANA JSON Web Token Claims Registry, [IANA-Reg].

+

The claims defined in this specification are named in a collision-resistant manner, as described in JSON Web Token (JWT), [RFC7515], specification. All claims defined within this specification are prefixed with the namespace https://id.swedenconnect.se/claim/.

+

+

2.1. eIDAS Claims

+

This section defines how identity attributes received from, or in conjunction with, an eIDAS authentication is represented as OpenID claims within the Sweden Connect federation.

+

Appendix A: Conversion of eIDAS Attributes presents a full listing of all eIDAS attributes and how they map to OpenID Connect claims. The subsections below define additional claims that may be added by the Swedish eIDAS-node.

+

+

2.1.1. Provisional Identifier

+

Claim: https://id.swedenconnect.se/claim/prid

+

Description: Provisional Identifier used to represent a subject that has been authenticated by the Swedish eIDAS Connector. See section 3.3.1 of [SAML.SC.Attributes] for details.

+

Type: String

+

Corresponding SAML Attribute: urn:oid:1.2.752.201.3.4 (prid) - [SAML.SC.Attributes]

+

+

2.1.2. Provisional Identifier Persistence Indicator

+

Claim: https://id.swedenconnect.se/claim/pridPersistence

+

Description: Indicator for the expected persistence of the prid claim. See section 3.3.1 of [SAML.SC.Attributes] for details.

+

Type: String, where the possible values are A, B or C. See [SC.Constructed] for details.

+

Corresponding SAML Attribute: urn:oid:1.2.752.201.3.5 (pridPersistence) - [SAML.SC.Attributes]

+

+

2.1.3. Mapped Swedish Personal Identity Number

+

Claim: https://id.swedenconnect.se/claim/mappedPersonalIdentityNumber

+

Description: A Swedish civic registration number ("personnummer"). This claim is used to represent a Swedish civic registration number that was the result of a query from the Swedish eIDAS Connector to the identity binding service after the subject was authenticated at a foreign eIDAS node. See section 3.3.2 of [SAML.SC.Attributes] for details.

+

Normally a Swedish civic registration number is represented using the claim https://id.oidc.se/claim/personalIdentityNumber defined in [OIDC.Sweden.Claims], but in order to avoid consumption of this claim without checking how the binding was made, i.e., how trustworthy the process of binding the Swedish +identity to the identity attributes from the eIDAS authentication is, the identity number is represented in a separate claim. See Identity Binding below.

+

Type: String where the format is 12 digits without a hyphen.

+

Corresponding SAML Attribute: urn:oid:1.2.752.201.3.16 (mappedPersonalIdentityNumber) - [SAML.SC.Attributes]

+

+

2.1.4. Mapped Swedish Coordination Number

+

Claim: https://id.swedenconnect.se/claim/mappedCoordinationNumber

+

Description: A Swedish coordination number ("samordningsnummer"). This claim is used to represent a Swedish coordination number that was the result of a query from the Swedish eIDAS Connector to the identity binding service after the subject was authenticated at a foreign eIDAS node. See section 3.3.2 of [SAML.SC.Attributes] for details.

+

Normally a Swedish coordination number is represented using the claim https://id.oidc.se/claim/coordinationNumber defined in [OIDC.Sweden.Claims], but for the same reasons as described for the mappedPersonalIdentityNumber claim above, a mapped coordination number is represented in a separate claim.

+

Type: String where the format is 12 digits without a hyphen.

+

Corresponding SAML Attribute: urn:oid:1.2.752.201.3.16 (mappedPersonalIdentityNumber) - [SAML.SC.Attributes]

+

+

2.1.5. Identity Binding

+

Claim: https://id.swedenconnect.se/claim/identityBinding

+

Description: A semicolon separated list of URI:s identifying the "binding process(es)" for a mappedPersonalIdentityNumber or mappedCoordinationNumber claim. See section 3.3.2 of [SAML.SC.Attributes] and [SC.ID-Binding] for details.

+

Type: Semicolon separated list of URI:s. Possible values are defined in section 3 of [SC.ID-Binding].

+

Corresponding SAML Attribute: urn:oid:1.2.752.201.3.6 (personalIdentityNumberBinding) - [SAML.SC.Attributes]

+

+

2.1.6. eIDAS Person Identifier

+

Claim: https://id.swedenconnect.se/claim/eidasPersonIdentifier

+

Description: A claim that holds the value for the eIDAS Person Identifier attribute, http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier. This value is issued by the foreign eIDAS node, and within the eIDAS federation this is the unique user identifier. See [eIDAS.Attributes].

+

Type: String

+

Corresponding SAML Attribute: urn:oid:1.2.752.201.3.7 (eidasPersonIdentifier) - [SAML.SC.Attributes]

+
+

Within eIDAS, the corresponding SAML attribute is: http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier [eIDAS.Attributes].

+
+

+

2.1.7. eIDAS Country

+

Claim: https://id.swedenconnect.se/claim/eidasCountry

+

Description: A claim that identifies the eIDAS member state that is providing the claims of the subject.

+

Type: String representing country in [ISO3166-1] Alpha-2 or [ISO3166-3] syntax.

+

Corresponding SAML Attribute: No specific SAML attribute exists for "eIDAS country". However, the generic urn:oid:2.5.4.6 (c) attribute is included in assertions issued by the Swedish eIDAS node.

+

+

3. Scopes

+

This section defines a set of scope that extends the claims defined in section 3 of [OIDC.Sweden.Claims].

+

The scopes defined in this specification are named in a collision-resistant manner, as described in JSON Web Token (JWT), [RFC7515], specification. All scopes defined within this specification are prefixed with the namespace https://id.swedenconnect.se/scope/.

+

+

3.1. eIDAS Scopes

+

Section 3 of [OIDC.Sweden.Claims] states the following:

+
+

Many Relying Parties that use OpenID Connect to authenticate users cannot solely depend on the user's session at the OpenID Provider and the sub claim to log in the user to the RP application. In the context of Swedish eID there are some obvious claims that are regarded to be "primary" identity claims by Relying Parties, for example, a Swedish personal identity number. Such claims are needed by the Relying Party in order to log in a user to its application. Therefore, this specification's scope definitions will define that some claims are to be delivered in the ID Token so that a Relying Party can fully log in a user without having to make a potentially unnecessary call to the UserInfo endpoint.

+
+

The above is true also for Relying Parties authenticating users against the Swedish eIDAS Connector.

+

+

3.1.1. eIDAS Natural Person Identity

+

Scope: https://id.swedenconnect.se/scope/eidasNaturalPersonIdentity

+

Description: A scope that defines a claim set that provides identity information for a natural person authenticated via the Swedish eIDAS-node (via a eIDAS member state).

+ + + + + + + + + + + + + + + + + + + + + + + +
Requested ClaimsDescription/commentReference
https://id.swedenconnect.se/claim/pridProvisional identifierThis specification - [2.1.1]
https://id.swedenconnect.se/claim/pridPersistencePersistence indicator for the above prid claimThis specification - [2.1.2]
https://id.swedenconnect.se/claim/eidasPersonIdentifiereIDAS Person IdentifierThis specification - [2.1.6]
+

Claims Parameter Equivalent:

+
{
+  "userinfo" : {
+    "https://id.swedenconnect.se/claim/prid" : { "essential" : true },
+    "https://id.swedenconnect.se/claim/pridPersistence" : { "essential" : true },
+    "https://id.swedenconnect.se/claim/eidasPersonIdentifier": { "essential" : true },
+  },
+  "id_token" : {
+    "https://id.swedenconnect.se/claim/prid" : { "essential" : true },
+    "https://id.swedenconnect.se/claim/pridPersistence" : { "essential" : true }
+  }
+}

Note: It is RECOMMENDED that Swedish Relying Parties use the https://id.swedenconnect.se/claim/prid claim as a primary identity for a user identified using eIDAS and therefore this claim will be available in the ID Token. The eIDAS Person Identifier, which is the identifier issued by the member state eIDAS-node, may be logged/saved by the Relying Party for potential future use in contacts with the member state node.

+

+

3.1.2. eIDAS Natural Person with Swedish Identity

+

Scope: https://id.swedenconnect.se/scope/eidasSwedishIdentity

+

Description: The Swedish eIDAS Connector has an integration against an "Identity Binding Service" holding bindings between eIDAS eID identities and Swedish identities (see [SC.ID-Binding] for details). If this scope is requested by a Relying Party, the eIDAS Connector will check if there exists a binding between the user's eIDAS identity and a Swedish identity, and if so, make those claims available for the Relying Party.

+ + + + + + + + + + + + + + + + + + + + + + + +
Requested ClaimsDescription/commentReference
https://id.swedenconnect.se/claim/
mappedPersonalIdentityNumber		A Swedish civic registration number ("personnummer") that was the result of a query from the Swedish eIDAS Connector to the identity binding service after the subject was authenticated at a foreign eIDAS node.This specification - [2.1.3]
https://id.swedenconnect.se/claim/
mappedCoordinationNumber		A Swedish coordination number ("samordningsnummer") that was the result of a query from the Swedish eIDAS Connector to the identity binding service after the subject was authenticated at a foreign eIDAS node.This specification - [2.1.4]
https://id.swedenconnect.se/claim/
identityBinding		Identification of the binding process(es) that were applied to obtain the binding between the eIDAS identity and the mappedPersonalIdentityNumber or mappedCoordinationNumber. See [SC.ID-Binding].This specification - [2.1.5]
+

Claims Parameter Equivalent:

+
{
+  "userinfo" : {
+    "https://id.swedenconnect.se/claim/mappedPersonalIdentityNumber" : null,
+    "https://id.swedenconnect.se/claim/mappedCoordinationNumber" : null,
+    "https://id.swedenconnect.se/claim/identityBinding" : null
+  }
+}

Note: None of the claims are marked as "essential" since the eIDAS Connector will only deliver the claims if an identity binding exists. Also, the scope definition states that the claims should be delivered via the UserInfo endpoint and not directly in the ID Token. The reason for this is that a mapped identity can never be seen as a primary eIDAS identity (since the claims are only delivered if a binding exists).

+

Note (ii): The mappedPersonalIdentityNumber and mappedCoordinationNumber claims are mutually exclusive. A user has bound his or hers eIDAS identity to a Swedish civic registration number ("personnummer") or a Swedish coordination number ("samordningsnummer"), never both.

+

+

3.1.3. Additional eIDAS Claims

+

Not all eIDAS attributes/claims listed in Appendix A are covered by the above scope definitions. This section is an informational text informing Relying Parties how to obtain additional claims for an eIDAS authentication.

+
    +

  • To obtain name and date of birth claims, include the https://id.oidc.se/scope/naturalPersonInfo scope (section 3.1 of [OIDC.Sweden.Claims]).

    +
    • +

  • For the transaction identifier holding the ID of the SAML assertion delivered from the foreign member state (as described in section 2.5 of [SAML.SC.Attributes]), include an explicit claim request for the txn claim ([RFC8417]).

    +
    • +

  • For the country code of the eIDAS country at which the user was authenticated (as described in section 2.5 of [SAML.SC.Attributes]), include an explicit claim request for the https://id.swedenconnect.se/claim/eidasCountry claim (2.1.7).

    +
    • +

  • For all other optional eIDAS attributes (see Appendix A), an explicit claim request should be included. These claims SHOULD NOT be marked as "essential" since they are not mandatory according to [eIDAS.Attributes].

    +
    • +
+
+

Section 2.2.1 of [eIDAS.Attributes] defines the eIDAS Minimum Dataset for Natural Persons. This set consists of the eIDAS attributes FamilyName, FirstName, DateOfBirth and PersonIdentifier. In order for a Relying Party to obtain the corresponding OpenID Connect claims from an eIDAS authentication it should specify the https://id.oidc.se/scope/naturalPersonInfo and https://id.swedenconnect.se/scope/eidasNaturalPersonIdentity scopes in an authentication request sent to the Swedish eIDAS Connector.

+
+

+

4. References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997.

+
+

+[OpenID.Core]

+
+

[Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and C. Mortimore, "OpenID Connect Core 1.0", August 2015] (https://openid.net/specs/openid-connect-core-1_0.html).

+
+

+[RFC7515]

+
+

Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT)”, May 2015.

+
+

+[IANA-Reg]

+
+

IANA JSON Web Token Claims Registry.

+
+

+[OIDC.Sweden.Claims]

+
+

Claims and Scopes Specification for the Swedish OpenID Connect Profile - Version 1.0.

+
+

+[SAML.SC.Attributes]

+
+

Attribute Specification for the Swedish eID Framework.

+
+

+[SC.Constructed]

+
+

eIDAS Constructed Attributes Specification for the Swedish eID Framework.

+
+

+[SC.ID-Binding]

+
+

Binding eIDAS Identities to Records in the Swedish Population Register.

+
+

+[eIDAS.Attributes]

+
+

eIDAS SAML Attribute Profile, version 1.4, 31 October 2023.

+
+

+[OIDC.IAC]

+
+

T. Lodderstedt, D. Fett, M. Haine, A. Pulido, K. Lehmann, K. Koiwai, "OpenID Connect for Identity Assurance Claims Registration 1.0", October 2024.

+
+

+[RFC8417]

+
+

P. Hunt, M. Jones, W. Denniss, M. Ansari, "Security Event Token (SET)", July 2018.

+
+

+[ISO3166-1]

+
+

ISO, "ISO 3166-1:2020. Codes for the representation of names of countries and their subdivisions -- Part 1: Country codes", 2020.

+
+

+[ISO3166-3]

+
+

ISO, "ISO 3166-3:2020. Codes for the representation of names of countries and their subdivisions -- Part 3: Code for formerly used names of countries", 2020.

+
+

+

5. Changes between versions

+

This is the first version of this specification.

+

+

Appendix A: Conversion of eIDAS Attributes

+

This section provides a listing of how the eIDAS attributes for natural persons defined in section 2.2 of [eIDAS.Attributes] are mapped to their corresponding OpenID Connect claims.

+
+

Also see section 3.3.3 of [SAML.SC.Attributes] where a corresponding mapping between eIDAS attributes and Sweden Connect SAML attributes is presented.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
eIDAS attributeClaimReference
http://eidas.europa.eu/attributes/
naturalperson/PersonIdentifier - PersonIdentifier		https://id.swedenconnect.se/claim/
eidasPersonIdentifier		This specification
http://eidas.europa.eu/attributes/
naturalperson/CurrentFamilyName - FamilyName		family_name[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/CurrentGivenName - FirstName		given_name[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/DateOfBirth - DateOfBirth		birthdate[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/BirthName - BirthName		birth_family_name
birth_given_name
birth_middle_name		[OIDC.IAC]
http://eidas.europa.eu/attributes/
naturalperson/PlaceOfBirth - PlaceOfBirth		place_of_birth[OIDC.IAC]
http://eidas.europa.eu/attributes/
naturalperson/CurrentAddress - CurrentAddress		address[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/Gender - Gender		gender[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/Nationality - Nationality		nationalities[OIDC.IAC]
http://eidas.europa.eu/attributes/
naturalperson/CountryOfBirth - CountryOfBirth		place_of_birth.country[OIDC.IAC]
http://eidas.europa.eu/attributes/
naturalperson/TownOfBirth - TownOfBirth		place_of_birth.locality[OIDC.IAC]
http://eidas.europa.eu/attributes/
naturalperson/CountryOfResidence - CountryOfResidence		address.country[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/PhoneNumber - PhoneNumber		phone_number[OpenID.Core]
http://eidas.europa.eu/attributes/
naturalperson/EmailAddress - EmailAddress		email[OpenID.Core]
+
+ + diff --git a/docs/december-2024/OpenID_Connect_Profile_for_Sweden_Connect.html b/docs/december-2024/OpenID_Connect_Profile_for_Sweden_Connect.html new file mode 100644 index 0000000..4001601 --- /dev/null +++ b/docs/december-2024/OpenID_Connect_Profile_for_Sweden_Connect.html @@ -0,0 +1,247 @@ + + + + + + OpenID Connect Profile for Sweden Connect + + + + + + +

+ + +

+

+ +

+ +

OpenID Connect Profile for Sweden Connect

+

Version 1.0 - 2024-12-04

+

Registration number: 2024-7674

+
+

+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved. +

+ +

Table of Contents

+
    +

  1. Introduction

    +

    1.1. Requirements Notation and Conventions

    +

    1.2. Conformance

    +
    2. +

  2. OpenID Provider Requirements

    +

    2.1. OpenID Provider Discovery and Metadata Requirements

    +

    2.2. Authentication Request Requirements

    +

    2.2.1. Single Sign-on Processing

    +

    2.2.2. User Message Request Parameter

    +

    2.2.3. Requested Authentication Provider Parameter

    +

    2.3. Token Endpoint Requirements

    +

    2.3.1. Client Authentication Requirements

    +

    2.3.2. Token Response Requirements

    +

    2.4. eIDAS Requirements

    +
    3. +

  3. Relying Party Requirements

    +

    3.1. Authentication Request Requirements

    +

    3.2. Client Registration and Metadata Requirements

    +
    4. +

  4. References

    +
    5. +

  5. Changes between versions

    +
    6. +
+
+

+

1. Introduction

+

This profile is an extension of The Swedish OpenID Connect Profile, [OIDC.Sweden.Profile], for the Sweden Connect identity federation.

+

The profile aims to get a baseline security and to facilitate interoperability between relying parties and OpenID providers within the Sweden Connect identity federation.

+
+

Note: This version of the profile does not address features concerning "Signature Services" and requirements for "authentication for Signature" that are specified in the corresponding Sweden Connect SAML deployment profile, [SC.SAML.Profile]. Nor does the profile specify how OpenID Provider metadata and Relying Party/Client metadata is distributed and made available to the members of the federation. This will be added in future versions of the profile.

+
+

+

1.1. Requirements Notation and Conventions

+

The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in [RFC2119].

+

These keywords are capitalized when used to unambiguously specify requirements over protocol features and behaviour that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

+

+

1.2. Conformance

+

This profile defines requirements for OpenID Connect Relying Parties (clients) and OpenID Providers (identity providers), and the interaction between them.

+

Components compliant with this profile MUST adhere to the requirements of The Swedish OpenID Connect Profile, [OIDC.Sweden.Profile] along with the extensions and requirements stated in the rest of this profile.

+

+

2. OpenID Provider Requirements

+

An OpenID Provider compliant with this profile MUST adhere to the requirements stated in [OIDC.Sweden.Profile] along with the additions declared below.

+

+

2.1. OpenID Provider Discovery and Metadata Requirements

+

The following requirements concerning OpenID Provider Metadata documents apply in addition to section 5.2 of [OIDC.Sweden.Profile]:

+
    +

  • The OP Metadata document SHOULD contain a service_documentation parameter having as its value a URL pointing to a resource containing human-readable information about the OP (for example, information about client registration). See section 3 of [OpenID.Discovery].

    +
    • +

  • The OP Metadata document MUST contain the ui_locales_supported parameter, and its value MUST contain English (en) and Swedish (sv), and MAY contain support for other languages. See section 3 of [OpenID.Discovery].

    +
    • +
+
+

Note: This version of the profile does not specify how OpenID Provider Metadata documents are made available to the Relying Parties/Clients of the federation. Future versions will include OpenID Federation and alternative mechanisms for distributing metadata.

+
+

+

2.2. Authentication Request Requirements

+

+

2.2.1. Single Sign-on Processing

+

Sweden Connect is a national identity federation and the Relying Parties of the federation generally have no organizational affinity, other than they use the same OpenID Providers for authentication of their users. Therefore, the feature of Single Sign-on by relying on a user's security context/session at an OpenID Provider that is used by several, non-connected, Relying Parties, should be used with great care.

+

This profile states the following requirements regarding the re-use of user sessions:

+
    +

  • An OpenID Provider within the Sweden Connect federation MUST NOT allow user sessions to exceed 60 minutes.

    +
    • +

  • If the prompt parameter is not present in an authentication request, the OpenID Provider MUST treat this request as if it would contain the prompt parameter with a value of login, meaning that a user (re-)authentication is required, no matter the state of the current user session at the provider.

    +
    • +

  • If the prompt parameter is present and its value is set to none (meaning that the Relying Party wishes to make use of an existing user security context/session, i.e., SSO), the following requirements apply:

    +
      +
    • If the security context/user session has expired, the OP MUST respond with an error holding the error code login_required.
      • +
    • If the original authentication process, which led to the establishment of the security context, was created based on the request from another Relying Party than the sender of the current request, the OP MUST respond with an error holding the error code login_required.

      The exception to this requirement is that an OP is allowed to maintain a configuration of "groups of Relying Parties", where SSO is allowed. How this configuration is maintained is out of scope for this profile.
      • +
    • If the original authentication process, which led to the establishment of the security context, was performed using another authentication method or acr (Authentication Context Class Reference) than what is requested in the current authentication request, the OP MUST respond with an error holding the error code login_required.
      • +
    • If the original authentication process, which led to the establishment of the security context, involved user consent for a set of claims, and the current authentication request contains a request for a different set of identity claims, the OP MUST respond with an error holding the error code interaction_required.
      • +
    +
    • +
+

See section 3.1.2.1 of [OpenID.Core] and section 2.1.4 of [OIDC.Sweden.Profile] regarding further requirements for the prompt request parameter.

+

+

2.2.2. User Message Request Parameter

+

It is RECOMMENDED that OpenID Providers compliant with this profile supports the https://id.oidc.se/param/userMessage request parameter according to section 2.1 of [OIDC.Sweden.RPar]. This parameter gives the Relying Party the possibility to request that a message (set by the RP) is displayed to the user during the authentication process.

+

OpenID Providers that support the https://id.oidc.se/param/userMessage request parameter MUST include the https://id.oidc.se/disco/userMessageSupported parameter in its Metadata document (see section 3.3.1 of [OIDC.Sweden.RPar]). If MIME types other than text/plain is supported, the OP MUST include the https://id.oidc.se/disco/userMessageSupportedMimeTypes parameter and as its value state all supported MIME types.

+

+

2.2.3. Requested Authentication Provider Parameter

+

An OpenID Provider that acts as a proxy for underlying authentication mechanisms SHOULD support the https://id.oidc.se/param/authnProvider request parameter extension (see section 2.2 of [OIDC.Sweden.RPar]).

+

OpenID Providers that support the https://id.oidc.se/param/authnProvider request parameter, MUST declare this support in its Metadata document using the https://id.oidc.se/disco/authnProviderSupported parameter, see section 3.2 of [OIDC.Sweden.RPar].

+

+

2.3. Token Endpoint Requirements

+

This section extends section 3 of [OIDC.Sweden.Profile] with additional requirements for Token endpoint requests and responses.

+

+

2.3.1. Client Authentication Requirements

+

The following requirements apply in addition to the requirements stated in section 3.1.1 of [OIDC.Sweden.Profile].

+

In the context of the Sweden Connect federation, the OpenID Provider MUST NOT accept any other client authentication methods than private_key_jwt, or, if a bilateral agreement exists with a Relying Party, mutual TLS authentication.

+

Mutual TLS authentication may be tls_client_auth or self_signed_tls_client_auth, and the requirements stated in section 2 of [RFC8705] MUST be followed.

+

+

2.3.2. Token Response Requirements

+

The contents of the Access Token issued in a Token response MUST NOT reveal any information about the user's identity or the authentication process.

+

Section 4.2 of [OIDC.Sweden.Profile] states:

+
+

An OpenID Provider compliant with this profile MUST NOT release any identity claims in the ID Token, or via the UserInfo endpoint, if they have not been explicitly requested via scope and/or claims request parameters, or indirectly by a policy known, and accepted, by the involved parties.

+
+

If the Access Token is a cleartext JWT holding user identity data, information that the Relying Party may not be authorized to access may be leaked. Therefore, it is RECOMMENDED that opaque strings are used as Access Tokens.

+

Note: An OpenID Provider that also acts as an OAuth2 Authorization Server may of course issue JWT Access Tokens. The above requirement only applies to the Access Tokens that are issued during authentication (i.e., for granting access to the UserInfo endpoint).

+

+

3. Relying Party Requirements

+

An OpenID Connect Relying Party (Client) compliant with this profile MUST adhere to the requirements stated in [OIDC.Sweden.Profile] along with the additions declared below.

+

+

3.1. Authentication Request Requirements

+

For all authentication requests where the Relying Party expects the user to authenticate itself, the RP SHOULD include the prompt request parameter and assign the login value. This is to prevent un-wanted SSO. See section 2.1.4 of [OIDC.Sweden.Profile].

+

It is RECOMMENDED that Relying Parties send authentication requests containing Request Objects, i.e., the request parameters are included in a JWT, and its encoding is assigned to the request parameter according to section 6.1 of [OpenID.Core]. It is also RECOMMENDED that the Request Object JWT is signed.

+
+

The above recommendation gives a higher level of security, and may be changed to an imperative requirement in future versions of this profile.

+
+

+

3.2. Client Registration and Metadata Requirements

+

Relying Parties compliant with this profile MUST follow the requirements stated in section 6 of [OIDC.Sweden.Profile] with the additions stated below.

+

The Relying Party/Client metadata MUST contain the following additional parameters:

+
    +

  • The contacts parameter holding at least one email address of people/groups responsible for the Relying Party.

    +
    • +

  • The client_name parameter holding the client presentation name. This name may be presented to the end-user by the OpenID Provider during authentication. The name MUST be given in Swedish (sv) and English (en).

    +
    • +

  • The logo_uri parameter containing a URL referencing a logotype for the Relying Party. This logotype may be displayed by the OpenID Provider for the end-user during authentication. The URL MUST use the HTTPS-scheme and point to a valid image file. It is RECOMMENDED that the image file is in SVG-format. The parameter MAY be given for different languages.

    +
    • +

  • The client_uri parameter containing a URL that is the home page for the Relying Party. This link may be used by the OpenID Provider when interacting with the user. The URL MUST use the HTTPS-scheme and point to a valid web page. The parameter MAY be given for different languages.

    +
    • +
+

Also, it is RECOMMENDED, that a Relying Party includes the organization_name claim and provides its human-readable organization name in Swedish and English. See section 5.2.2 of [OpenID.Federation].

+

Example:

+
{
+  ...
+  "contacts": [
+    "operations@example.com"
+  ],
+  "client_name#en": "The Example Service",
+  "client_name#sv": "Exempeltjänsten",
+  "logo_uri": "https://www.example.com/logo.svg",
+  "client_uri#en": "https://www.example.com",
+  "client_uri#sv": "https://www.example.com/sv",
+  "organization_name#en" : "Example Organization",
+  "organization_name#sv" : "Exempelorganisationen"
+  ...
+}

See further requirements concerning client metadata in section 2 of [OpenID.Registration].

+
+

Note: This version of the profile does not specify how client metadata is registered at/distributed to the OpenID Providers of the federation. Future versions will include OpenID Federation and alternative mechanisms for distributing client metadata.

+
+

+

4. References

+

+[RFC2119]

+
+

Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997.

+
+

+[OpenID.Core]

+
+

[Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and C. Mortimore, "OpenID Connect Core 1.0", August 2015] (https://openid.net/specs/openid-connect-core-1_0.html).

+
+

+[OpenID.Discovery]

+
+

Sakimura, N., Bradley, J., Jones, M. and E. Jay, "OpenID Connect Discovery 1.0", August 2015.

+
+

+[OpenID.Registration]

+
+

Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” November 2014.

+
+

+[OpenID.Federation]

+
+

Hedberg, R., Jones, M.B., Solberg, A.Å., Bradley, J., De Marco, G. and V. Dzhuvinov, "OpenID Federation 1.0".

+
+

+[RFC7515]

+
+

Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT)”, May 2015.

+
+

+[RFC8705]

+
+

B. Campbell, J. Bradley, N. Sakimura, T. Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens", February 2020.

+
+

+[IANA-Reg]

+
+

IANA JSON Web Token Claims Registry.

+
+

+[OIDC.Sweden.Profile]

+
+

The Swedish OpenID Connect Profile - version 1.0.

+
+

+[OIDC.Sweden.Claims]

+
+

Claims and Scopes Specification for the Swedish OpenID Connect Profile - Version 1.0.

+
+

+[OIDC.Sweden.RPar]

+
+

Authentication Request Parameter Extensions for the Swedish OpenID Connect Profile - Version 1.1.

+
+

+[OIDC.Sweden.Sign]

+
+

Signature Extension for OpenID Connect - Version 1.1.

+
+

+[SC.SAML.Profile]

+
+

Deployment Profile for the Swedish eID Framework.

+
+

+

5. Changes between versions

+

This is the first version of this specification.

+
+ + diff --git a/docs/december-2024/index.html b/docs/december-2024/index.html index 0f94212..80d4d02 100644 --- a/docs/december-2024/index.html +++ b/docs/december-2024/index.html @@ -1,135 +1,165 @@ - + - - -Specifications for the Swedish eID Framework - - - - + + + Specifications for the Swedish eID Framework + + + + -
-

- - - -

-

- -

+
+

+ Sweden Connect Logo + + +

+

+ +

-

Sweden Connect Specifications

-

December 2024

-
-

Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.

-
-

- This is the December 2024 version of the Sweden Connect Framework. It replaces the previous - November 2021 release as the official version for the Sweden Connect Framework. -

-

Changes since last version

-

Below follows a listing of all significant changes since the November 2021 release of the Sweden Connect Framework.

- +

Sweden Connect Specifications

+

December 2024

+
+

Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All + Rights Reserved.

+
+

+ This is the December 2024 version of the Sweden Connect Framework. It replaces the previous + November 2021 release as the official version for the Sweden Connect Framework. +

+

Changes since last version

+

Below follows a listing of all significant changes since the November 2021 release of the Sweden Connect + Framework.

+ +

+ Each document also contains a "Changes between versions" section where you can see what has been updated for + that particular specification. +

+

+ For a detailed list of changes you can view all changes in GitHub using this link: https://github.com/swedenconnect/technical-framework/compare. +

+ +

Introduction

+

Overview that describes the different parts of the Sweden Connect Framework.

+

- Each document also contains a "Changes between versions" section where you can see what has been updated for - that particular specification. + En introduktion till Sweden Connect Tekniskt ramverk - In + Swedish

-

- For a detailed list of changes you can view all changes in GitHub - using this link: https://github.com/swedenconnect/technical-framework/compare. -

- Check out the GitHub project for this release: https://github.com/swedenconnect/technical-framework/projects/4. - Here you can see all the GitHub issues describing each change that was made to the specifications. + Introduction to the Sweden Connect Technical + Framework - In English

- -

Introduction

-

Overview that describes the different parts of the Sweden Connect Framework.

-
-

- En introduktion till Sweden Connect Tekniskt ramverk - In Swedish -

-

- Introduction to the Sweden Connect Technical Framework - In English -

-
-

Specifications

- -
-

- All specifications are also available in Markdown format on GitHub - - https://github.com/swedenconnect/technical-framework. - Here you can follow the further development of the Sweden Connect Framework. -

-
-
+ +

Specifications

+ +
+

+ All specifications are also available in Markdown format on GitHub - + https://github.com/swedenconnect/technical-framework. + Here you can follow the further development of the Sweden Connect Framework. +

+
+
diff --git a/docs/latest/00_-_Swedish_eID_Framework_-_Introduction.html b/docs/latest/00_-_Swedish_eID_Framework_-_Introduction.html index 39f4da6..add31a8 120000 --- a/docs/latest/00_-_Swedish_eID_Framework_-_Introduction.html +++ b/docs/latest/00_-_Swedish_eID_Framework_-_Introduction.html @@ -1 +1 @@ -../updates/00_-_Swedish_eID_Framework_-_Introduction.html \ No newline at end of file +../december-2024/00_-_Swedish_eID_Framework_-_Introduction.html \ No newline at end of file diff --git a/docs/latest/00_-_Tekniskt_ramverk_-_Introduktion.html b/docs/latest/00_-_Tekniskt_ramverk_-_Introduktion.html index 20d8fb8..3b2d32b 120000 --- a/docs/latest/00_-_Tekniskt_ramverk_-_Introduktion.html +++ b/docs/latest/00_-_Tekniskt_ramverk_-_Introduktion.html @@ -1 +1 @@ -../updates/00_-_Tekniskt_ramverk_-_Introduktion.html \ No newline at end of file +../december-2024/00_-_Tekniskt_ramverk_-_Introduktion.html \ No newline at end of file diff --git a/docs/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html b/docs/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html index dd12be3..c34f5eb 120000 --- a/docs/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html +++ b/docs/latest/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html @@ -1 +1 @@ -../november-2021/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html \ No newline at end of file +../december-2024/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/03_-_Registry_for_Identifiers.html b/docs/latest/03_-_Registry_for_Identifiers.html index 42e4679..6487b0e 120000 --- a/docs/latest/03_-_Registry_for_Identifiers.html +++ b/docs/latest/03_-_Registry_for_Identifiers.html @@ -1 +1 @@ -../november-2021/03_-_Registry_for_Identifiers.html \ No newline at end of file +../december-2024/03_-_Registry_for_Identifiers.html \ No newline at end of file diff --git a/docs/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html b/docs/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html index e40e71e..2841068 120000 --- a/docs/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html +++ b/docs/latest/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html @@ -1 +1 @@ -../november-2021/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html \ No newline at end of file +../december-2024/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html b/docs/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html index 29a9773..4cd40cf 120000 --- a/docs/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html +++ b/docs/latest/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html @@ -1 +1 @@ -../november-2021/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html \ No newline at end of file +../december-2024/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html b/docs/latest/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html index f88a8a9..9dca9cc 120000 --- a/docs/latest/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html +++ b/docs/latest/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html @@ -1 +1 @@ -../november-2021/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html \ No newline at end of file +../december-2024/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html \ No newline at end of file diff --git a/docs/latest/08_-_Certificate_Profile_for_Central_Signing_Services.html b/docs/latest/08_-_Certificate_Profile_for_Central_Signing_Services.html index cf8774d..d4381da 120000 --- a/docs/latest/08_-_Certificate_Profile_for_Central_Signing_Services.html +++ b/docs/latest/08_-_Certificate_Profile_for_Central_Signing_Services.html @@ -1 +1 @@ -../november-2021/08_-_Certificate_Profile_for_Central_Signing_Services.html \ No newline at end of file +../december-2024/08_-_Certificate_Profile_for_Central_Signing_Services.html \ No newline at end of file diff --git a/docs/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html b/docs/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html index 8682a61..86f50f6 120000 --- a/docs/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html +++ b/docs/latest/09_-_DSS_Extension_for_Federated_Signing_Services.html @@ -1 +1 @@ -../november-2021/09_-_DSS_Extension_for_Federated_Signing_Services.html \ No newline at end of file +../december-2024/09_-_DSS_Extension_for_Federated_Signing_Services.html \ No newline at end of file diff --git a/docs/latest/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html b/docs/latest/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html index d10a54f..8ef2f45 120000 --- a/docs/latest/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html +++ b/docs/latest/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html @@ -1 +1 @@ -../november-2021/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html \ No newline at end of file +../december-2024/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html b/docs/latest/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html index 79304ff..a02897a 120000 --- a/docs/latest/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html +++ b/docs/latest/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html @@ -1 +1 @@ -../november-2021/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html \ No newline at end of file +../december-2024/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/13_-_Signature_Activation_Protocol.html b/docs/latest/13_-_Signature_Activation_Protocol.html index 9038148..0f17b6d 120000 --- a/docs/latest/13_-_Signature_Activation_Protocol.html +++ b/docs/latest/13_-_Signature_Activation_Protocol.html @@ -1 +1 @@ -../november-2021/13_-_Signature_Activation_Protocol.html \ No newline at end of file +../december-2024/13_-_Signature_Activation_Protocol.html \ No newline at end of file diff --git a/docs/latest/14_-_Principal_Selection_in_SAML_Authentication_Requests.html b/docs/latest/14_-_Principal_Selection_in_SAML_Authentication_Requests.html index f80c2ae..c843de4 120000 --- a/docs/latest/14_-_Principal_Selection_in_SAML_Authentication_Requests.html +++ b/docs/latest/14_-_Principal_Selection_in_SAML_Authentication_Requests.html @@ -1 +1 @@ -../november-2021/14_-_Principal_Selection_in_SAML_Authentication_Requests.html \ No newline at end of file +../december-2024/14_-_Principal_Selection_in_SAML_Authentication_Requests.html \ No newline at end of file diff --git a/docs/latest/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html b/docs/latest/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html new file mode 120000 index 0000000..38d335a --- /dev/null +++ b/docs/latest/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html @@ -0,0 +1 @@ +../december-2024/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html \ No newline at end of file diff --git a/docs/latest/ELN-0600_-_Tekniskt_ramverk_-_Introduktion.html b/docs/latest/ELN-0600_-_Tekniskt_ramverk_-_Introduktion.html deleted file mode 120000 index 5c908d5..0000000 --- a/docs/latest/ELN-0600_-_Tekniskt_ramverk_-_Introduktion.html +++ /dev/null @@ -1 +0,0 @@ -00_-_Tekniskt_ramverk_-_Introduktion.html \ No newline at end of file diff --git a/docs/latest/ELN-0602_-_Deployment_Profile_for_the_Swedish_eID_Framework.html b/docs/latest/ELN-0602_-_Deployment_Profile_for_the_Swedish_eID_Framework.html deleted file mode 120000 index 2a40b5a..0000000 --- a/docs/latest/ELN-0602_-_Deployment_Profile_for_the_Swedish_eID_Framework.html +++ /dev/null @@ -1 +0,0 @@ -02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/ELN-0603_-_Registry_for_Identifiers.html b/docs/latest/ELN-0603_-_Registry_for_Identifiers.html deleted file mode 120000 index 8814a52..0000000 --- a/docs/latest/ELN-0603_-_Registry_for_Identifiers.html +++ /dev/null @@ -1 +0,0 @@ -03_-_Registry_for_Identifiers.html \ No newline at end of file diff --git a/docs/latest/ELN-0604_-_Attribute_Specification_for_the_Swedish_eID_Framework.html b/docs/latest/ELN-0604_-_Attribute_Specification_for_the_Swedish_eID_Framework.html deleted file mode 120000 index 1932c65..0000000 --- a/docs/latest/ELN-0604_-_Attribute_Specification_for_the_Swedish_eID_Framework.html +++ /dev/null @@ -1 +0,0 @@ -04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/ELN-0606_-_Entity_Categories_for_the_Swedish_eID_Framework.html b/docs/latest/ELN-0606_-_Entity_Categories_for_the_Swedish_eID_Framework.html deleted file mode 120000 index 905ebde..0000000 --- a/docs/latest/ELN-0606_-_Entity_Categories_for_the_Swedish_eID_Framework.html +++ /dev/null @@ -1 +0,0 @@ -06_-_Entity_Categories_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/ELN-0607_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html b/docs/latest/ELN-0607_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html deleted file mode 120000 index 4828740..0000000 --- a/docs/latest/ELN-0607_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html +++ /dev/null @@ -1 +0,0 @@ -07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html \ No newline at end of file diff --git a/docs/latest/ELN-0608_-_Certificate_Profile_for_Central_Signing_Services.html b/docs/latest/ELN-0608_-_Certificate_Profile_for_Central_Signing_Services.html deleted file mode 120000 index a18101a..0000000 --- a/docs/latest/ELN-0608_-_Certificate_Profile_for_Central_Signing_Services.html +++ /dev/null @@ -1 +0,0 @@ -08_-_Certificate_Profile_for_Central_Signing_Services.html \ No newline at end of file diff --git a/docs/latest/ELN-0609_-_DSS_Extension_for_Federated_Signing_Services.html b/docs/latest/ELN-0609_-_DSS_Extension_for_Federated_Signing_Services.html deleted file mode 120000 index 9878a75..0000000 --- a/docs/latest/ELN-0609_-_DSS_Extension_for_Federated_Signing_Services.html +++ /dev/null @@ -1 +0,0 @@ -09_-_DSS_Extension_for_Federated_Signing_Services.html \ No newline at end of file diff --git a/docs/latest/ELN-0611_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html b/docs/latest/ELN-0611_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html deleted file mode 120000 index e233ff8..0000000 --- a/docs/latest/ELN-0611_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html +++ /dev/null @@ -1 +0,0 @@ -11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/ELN-0612_-_BankID_Profile_for_the_Swedish_eID_Framework.html b/docs/latest/ELN-0612_-_BankID_Profile_for_the_Swedish_eID_Framework.html deleted file mode 120000 index cc6a6b8..0000000 --- a/docs/latest/ELN-0612_-_BankID_Profile_for_the_Swedish_eID_Framework.html +++ /dev/null @@ -1 +0,0 @@ -12_-_BankID_Profile_for_the_Swedish_eID_Framework.html \ No newline at end of file diff --git a/docs/latest/ELN-0613_-_Signature_Activation_Protocol.html b/docs/latest/ELN-0613_-_Signature_Activation_Protocol.html deleted file mode 120000 index 2acc9db..0000000 --- a/docs/latest/ELN-0613_-_Signature_Activation_Protocol.html +++ /dev/null @@ -1 +0,0 @@ -13_-_Signature_Activation_Protocol.html \ No newline at end of file diff --git a/docs/latest/ELN-0614_-_Principal_Selection_in_SAML_Authentication_Requests.html b/docs/latest/ELN-0614_-_Principal_Selection_in_SAML_Authentication_Requests.html deleted file mode 120000 index d43544a..0000000 --- a/docs/latest/ELN-0614_-_Principal_Selection_in_SAML_Authentication_Requests.html +++ /dev/null @@ -1 +0,0 @@ -14_-_Principal_Selection_in_SAML_Authentication_Requests.html \ No newline at end of file diff --git a/docs/latest/OpenID_Connect_Claims_and_Scopes_Specification.html b/docs/latest/OpenID_Connect_Claims_and_Scopes_Specification.html new file mode 120000 index 0000000..1c38ad2 --- /dev/null +++ b/docs/latest/OpenID_Connect_Claims_and_Scopes_Specification.html @@ -0,0 +1 @@ +../december-2024/OpenID_Connect_Claims_and_Scopes_Specification.html \ No newline at end of file diff --git a/docs/latest/OpenID_Connect_Profile_for_Sweden_Connect.html b/docs/latest/OpenID_Connect_Profile_for_Sweden_Connect.html new file mode 120000 index 0000000..2954279 --- /dev/null +++ b/docs/latest/OpenID_Connect_Profile_for_Sweden_Connect.html @@ -0,0 +1 @@ +../december-2024/OpenID_Connect_Profile_for_Sweden_Connect.html \ No newline at end of file diff --git a/docs/november-2021/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html b/docs/november-2021/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html index 6ef70a5..882b1b6 100644 --- a/docs/november-2021/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html +++ b/docs/november-2021/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html @@ -19,7 +19,7 @@

Implementation Profile for using OASIS DSS in Central Signing Services

-

Version 1.6 - 2024-11-26 - Draft version

+

Version 1.6 - 2024-12-04

Registration number: 2019-312

@@ -30,7 +30,7 @@

Table of Contents

  1. Introduction

    1.1. Terminology

    -

    1.2. Requirement key words

    +

    1.2. Requirements Notation

    1.3. Namespace references

    1.4. Identification

    1.5. Structure

    @@ -105,9 +105,9 @@

    1.1. Terminology

    A centralized service that manages the process to authenticate the user that has been requested to sign a document, and the process to obtain the user’s signature on the requested document. -

    -

    1.2. Requirement key words

    -

    The key words MUST, MUST NOT, REQUIRED, SHALL, +

    +

    1.2. Requirements Notation

    +

    The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in [RFC2119].

    @@ -302,14 +302,14 @@
    2.1.3.8.1. SignMessage Element

    Allowed HTML entities for character replacement SHALL be restricted to amp, gt, lt, quot and nbsp (in the form &entity-name;).

    -

    HTML messages MUST NOT contain any URI references to data outside of the +

    HTML messages MUST NOT contain any URI references to data outside the message and MUST NOT contain any JavaScript in any form.

    2.1.3.8.2. Requesting Identity Provider to Display SignMessage

    The means through which the Service Provider requests the Identity Provider to display a sign message is defined in section 7.1.1 of “Deployment Profile -for the Swedish eID Framework” [Eid-Profile].

    -

    In addition to the requirements in section 7.1.1 of [Eid-Profile] the +for the Swedish eID Framework” [SC.SAML.Profile].

    +

    In addition to the requirements in section 7.1.1 of [SC.SAML.Profile] the Signature Service MUST apply the following process regarding the inclusion of the AuthnContextClassRef URI to include in the AuthnRequest sent to the Identity Provider when authenticating the user for signing:

    @@ -328,8 +328,8 @@
    2.1.3.8.2. Re

    2.1.3.9. CertRequestProperties

    This element MAY be present to provide requested properties of generated -signature certificates according with section 3.1.1 of [DSS-Ext].

    -

    When the CertType attribute is present with a value of QC/SSCD the signature service MUST request authentication in accordance with section 7.1.2 of “Deployment Profile for the Swedish eID Framework” [Eid-Profile], or reject the request.

    +signature certificates according to section 3.1.1 of [DSS-Ext].

    +

    When the CertType attribute is present with a value of QC/SSCD the signature service MUST request authentication in accordance with section 7.1.2 of “Deployment Profile for the Swedish eID Framework” [SC.SAML.Profile], or reject the request.

    2.1.3.9.1. AuthnContextClassRef

    This element MAY be present to specify the Level of Assurance(s) required @@ -400,7 +400,7 @@

    2.2.2. Sign Response Status Inform | http://id.swedenconnect.se/sig-status/1.1/security-violation | The Signature Service, or Identity Provider authenticating the end user, has detected a security violation (such as a possible fraud). |

    Note: The authn-failed and security-violation codes were introduced for version 1.5 (of [DSS-Ext]), and a client not supporting this version will fail to understand these error codes. Whether a Signature Service checks the client version support or not before using these codes are out of scope for this profile.

    -

    [*]: Also listed in section 3.1.7 of [Eid-Registry].

    +

    [*]: Also listed in section 3.1.7 of [SC.Registry].

    2.2.3. Generated Signature

    @@ -419,14 +419,14 @@
    2.2.4.1. Version
    request was processed and response was constructed. This version MUST be the same version as given in the SignRequestExtension (see section 2.1.3.1, "Version)".

    For backwards compatibility reasons that attribute MAY be absent if version "1.1" was requested. -Otherwise it MUST be set.

    +Otherwise, it MUST be set.

    2.2.4.2. ResponseTime

    The <ResponseTime> element MUST be present in the response.

    2.2.4.3. Request

    The <Request> element MAY be present in a response. However, it is RECOMMENDED not to include this -element since it makes the response message unnecessary large. Instead the requester of a sign operation +element since it makes the response message unnecessary large, instead the requester of a sign operation is expected to save the request message in its session for later use when processing a response message.

    2.2.4.4. SignerAssertionInfo
    @@ -609,20 +609,20 @@

    4.1. Normative References

    XML Signature Schema. World Wide Web Consortium. See https://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd.

    -

    -[Eid-Profile]

    -
    -

    Deployment Profile for the Swedish eID Framework.

    -

    [DSS-Ext]

    DSS Extension for Federated Central Signing Services.

    -

    -[Eid-Registry]

    +

    +[SC.SAML.Profile]

    +
    +

    Deployment Profile for the Swedish eID Framework.

    +
    +

    +[SC.Registry]

    -

    Swedish eID Framework - Registry for identifiers.

    +

    Sweden Connect - Registry for identifiers.

    4.2. Informative References

    @@ -635,7 +635,7 @@

    4.2. Informative References

    5. Changes between versions

    Changes between version 1.5 and version 1.6:

      -

    • Section 2.2.2, "Sign Response Status Information", now defines the DSS status codes previously only appearing in [[Eid-Registry(#eid-registry)]. The status codes http://id.swedenconnect.se/sig-status/1.1/authn-failed and http://id.swedenconnect.se/sig-status/1.1/security-violation were also introduced.

      +

    • Section 2.2.2, "Sign Response Status Information", now defines the DSS status codes previously only appearing in [SC.Registry]. The status codes http://id.swedenconnect.se/sig-status/1.1/authn-failed and http://id.swedenconnect.se/sig-status/1.1/security-violation were also introduced.

    • Section 2.1.3.2, "Conditions", was updated with requirements on how to interpret NotBefore and/or NotOnOrAfter values.

      • @@ -659,11 +659,11 @@

      5. Changes between versions

    Changes between version 1.2 and version 1.3:

      -
    • In section 2.1.3.9, "CertRequestProperties", an requirement to adapt authentication request procedures when the requested signature is a qualified electronic signature was added.
      • +
    • In section 2.1.3.9, "CertRequestProperties", a requirement to adapt authentication request procedures when the requested signature is a qualified electronic signature was added.

    Changes between version 1.1 and version 1.2:

      -
    • In section 2.2.2, a reference to section 3.1.5 in [Eid-Registry] was changed to section 3.1.7.
      • +
    • In section 2.2.2, a reference to section 3.1.5 in [SC.Registry] was changed to section 3.1.7.

    Changes between version 1.0 and version 1.1:

      diff --git a/docs/november-2021/08_-_Certificate_Profile_for_Central_Signing_Services.html b/docs/november-2021/08_-_Certificate_Profile_for_Central_Signing_Services.html index 972de5d..8ee4f82 100644 --- a/docs/november-2021/08_-_Certificate_Profile_for_Central_Signing_Services.html +++ b/docs/november-2021/08_-_Certificate_Profile_for_Central_Signing_Services.html @@ -19,7 +19,7 @@

      Certificate Profile for Certificates Issued by Central Signing Services

      -

      Version 1.2 - 2020-01-17

      +

      Version 1.2 - 2020-01-17

      Registration number: 2019-313 (previously: ELN-0608)

      Table of Contents

      @@ -49,12 +49,12 @@

      Table of Contents

-

1. Introduction

+

1. Introduction

This document specifies a certificate profile for certificates issued by a signature service based on the OASIS DSS protocol [DSS], enhanced by the DSS Extensions for Federated Central Signing Services [DSS-Ext].

-

1.1. Requirement key words

+

1.1. Requirement key words

The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in @@ -64,7 +64,7 @@

1.1. Requirement key words

interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

-

1.2. XML namespace references

+

1.2. XML namespace references

The prefix saci: stands for the SAML Authentication Context Information XML Schema namespace, http://id.elegnamnden.se/auth-cont/1.0/saci.

@@ -76,14 +76,14 @@

1.2. XML namespace references

Schema location URL: https://docs.swedenconnect.se/schemas/cert-schemas/1.0/CertAuthContextExtension-ExtAuthInfo-1.0.xsd

-

1.3. Structure

+

1.3. Structure

This specification uses the following typographical conventions in text: <Eid2Element>, <ns:ForeignElement>, Attribute, Datatype, OtherCode.

-

2. Certificate Profile

+

2. Certificate Profile

-

2.1. Standards

+

2.1. Standards

The following standards provides normative requirements for this certificate profile:

@@ -94,8 +94,7 @@

2.1. Standards

- - + @@ -130,21 +129,20 @@

2.1. Standards

- -
Reference
RFC 5280 Main certificate standard [RFC5280] Declaration of qualified certificate properties [EU-CERT-QC]
+

-

2.2. Qualified and PKC Certificates

+

2.2. Qualified and PKC Certificates

This profile supports both Qualified Certificates as well as certificates that are not Qualified Certificates, here named PKC certificates (Public Key Certificates).

All profile requirements apply to both Qualified Certificates and to PKC certificates unless it is explicitly stated that a particular requirement applies only to PKC or Qualified Certificates.

-

2.3. Certificate Content

+

2.3. Certificate Content

All certificates SHALL be fully compliant with [RFC5280] and [EU-CERT-NP]. All Qualified Certificates SHALL also implement mandatory QC statements as defined in [EU-CERT-QC].

-

2.3.1. Subject Attributes and Name Forms

+

2.3.1. Subject Attributes and Name Forms

-
2.3.1.1. Person Identifier Attributes
+
2.3.1.1. Person Identifier Attributes

-
2.3.1.1.1. Data Source
+
2.3.1.1.1. Data Source

All certificates SHALL contain a unique person identifier, carried in the serialNumber attribute (OID 2.5.4.5) in the subject field. The person identifier SHALL be obtained from the Identity Provider in the form of a SAML attribute. For PKC certificates, the SAML attribute SHOULD be one of the attributes listed below. For Qualified Certificates, the SAML attribute SHALL be one of the attributes listed below.

@@ -154,8 +152,7 @@
2.3.1.1.1. Data Source
- - + @@ -170,10 +167,9 @@
2.3.1.1.1. Data Source
- -
Specification
Swedish Personal Identity Number (personnummer) urn:oid:1.2.752.29.4.13 [AttrSpec] urn:oid:1.2.752.201.3.7 [AttrSpec]
+

-
2.3.1.1.1. Data Format
+
2.3.1.1.1. Data Format

The identifier data obtained from the SAML assertion SHALL be stored in the serialNumber attribute using one of the following formats:

  • using exactly the same format as it was obtained from the SAML attribute, or,
    • @@ -202,10 +198,10 @@
    2.3.1.1.1. Data Format

    A new version of the [EU-CERT-GEN] is processed for approval at the time of publication of this document. The new version will specify a semantics identifier for storing eIDAS person identifier attributes using the semantics identifier OID 0.4.0.194121.1.3. This semantics identifier (id-etsi-qcs-semanticsId-eIDASNatural) is not yet present in the latest published version of the standard.

    -
    2.3.1.2. Other Attribute Requirements
    +
    2.3.1.2. Other Attribute Requirements

    An e-mail address, when present, SHALL be stored in a Subject Alternative Name extension as an rfc822Name.

    -

    2.3.2. Authentication Context and Attribute Mapping

    +

    2.3.2. Authentication Context and Attribute Mapping

    Certificates MUST include an AuthContextExtension according to [RFC7773]. This extension SHALL include one SAML Authentication Context Information element identified by the XML schema namespace identifier:

    http://id.elegnamnden.se/auth-cont/1.0/saci

    @@ -217,45 +213,45 @@

    2.3.2. Authenticati <saci:AttributeMapping> element SHALL provide the <saml:AttributeValue> that were obtained from the SAML assertion.

    -

    2.3.2.1. Extended Authentication Information
    +
    2.3.2.1. Extended Authentication Information

    In addition to the attributes of <saci:AuthContextInfo> it is possible to provide additional authentication information through the extensibility of the <saci:AuthContextInfo> element which allows inclusion of a sequence of any element.

    One such element is defined in this section, the <sacex:ExtAuthInfo> element.

    This element MAY be included to provide a name of a parameter and its associated value.

    This element MAY be used to carry the value of any single valued attribute from the associated SAML assertion as long as the SAML attribute value is not composed of a complex type. When used to carry a SAML attribute value, the value of the <sacex:ExtAuthInfo> element SHALL be identical to the content of the SAML attribute value element and the Name attribute SHALL hold the same value as the Name attribute of the corresponding SAML attribute.

    The <sacex:ExtAuthInfo> element is defined by the following XML Schema:

    -
    <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
-    targetNamespace="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info"
-    xmlns:sacex="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
-
-  <xs:element name="ExtAuthInfo" type="sacex:ExtAuthInfoType" />
+
    <?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+    targetNamespace="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info"
+    xmlns:sacex="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
+    
+  <xs:element name="ExtAuthInfo" type="sacex:ExtAuthInfoType" />
 
-  <xs:complexType name="ExtAuthInfoType">
-    <xs:simpleContent>
-      <xs:extension base="xs:string">
-        <xs:attribute name="Name" type="xs:string" use="required" />
-        <xs:anyAttribute namespace="##any" processContents="lax" />
-      </xs:extension>
-    </xs:simpleContent>
-  </xs:complexType>
-</xs:schema>
    Example:
    
+  <xs:complexType name="ExtAuthInfoType">
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="Name" type="xs:string" use="required" />
+        <xs:anyAttribute namespace="##any" processContents="lax" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+</xs:schema>

    Example:

    The following example illustrates inclusion of the content of a transaction identifier SAML attribute as extended authentication information.

    <saci:SAMLAuthContext
-    xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
-    xmlns:sacext="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
-  <saci:AuthContextInfo IdentityProvider="http://eid.example.com/idp"
-      AuthenticationInstant="2020-01-10T17:02:46.000Z"
-      AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"
-      AssertionRef="_936e075dc2725b016de57b9a0624c766">
-    <sacext:ExtAuthInfo Name="urn:oid:1.2.752.201.3.2">dc6ac7656H89bfb51</sacext:ExtAuthInfo>
+    xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
+    xmlns:sacext="http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info">
+  <saci:AuthContextInfo IdentityProvider="http://eid.example.com/idp"
+      AuthenticationInstant="2020-01-10T17:02:46.000Z"
+      AuthnContextClassRef="http://id.elegnamnden.se/loa/1.0/loa3"
+      AssertionRef="_936e075dc2725b016de57b9a0624c766">
+    <sacext:ExtAuthInfo Name="urn:oid:1.2.752.201.3.2">dc6ac7656H89bfb51</sacext:ExtAuthInfo>
   </saci:AuthContextInfo>
   <saci:IdAttributes>...</saci:IdAttributes>
 </saci:SAMLAuthContext>

    -

    2.3.3. Certificate Policy

    +

    2.3.3. Certificate Policy

    Certificates SHALL contain at least one referenced certificate policy. PKC certificates SHALL contain at least one reference to a policy identified in [EU-POL-NCP]. Qualified Certificates SHALL reference at least one certificate policy identified in [EU-POL-QC].

    -

    3. Normative References

    +

    3. Normative References

    [DSS]

    @@ -333,7 +329,7 @@

    3. Normative References

    Samordningsnummer.

    -

    4. Changes between versions

    +

    4. Changes between versions

    Changes between version 1.1 and version 1.2:

    • Update of logotype, fixes of typos and reference list.

      diff --git a/docs/november-2021/09_-_DSS_Extension_for_Federated_Signing_Services.html b/docs/november-2021/09_-_DSS_Extension_for_Federated_Signing_Services.html index 10891e4..ec4276d 100644 --- a/docs/november-2021/09_-_DSS_Extension_for_Federated_Signing_Services.html +++ b/docs/november-2021/09_-_DSS_Extension_for_Federated_Signing_Services.html @@ -19,7 +19,7 @@

      DSS Extension for Federated Central Signing Services

      -

      Version 1.5 - 2024-11-25 - Draft version

      +

      Version 1.5 - 2024-12-04

      Registration number: 2019-314

      @@ -30,7 +30,7 @@

      Table of Contents

      1. Introduction

        1.1. Terminology

        -

        1.1.1. Key words

        +

        1.1.1. Keywords

        1.1.2. Structure

        1.1.3. Definitions

        1.2. Schema Organization and Namespaces

        @@ -69,7 +69,7 @@

        Table of Contents

        Appendix A. XML Schema

        1. Introduction

        -

        This specifications defines elements that extend the +

        This specification defines elements that extend the <dss:SignRequest> and <dss:SignResponse> elements of [OASIS-DSS].

        One element <SignRequestExtension> is defined for extending sign @@ -106,9 +106,9 @@

        1. Introduction

        request.

        1.1. Terminology

        -

        -

        1.1.1.  Key words

        -

        The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, +

        +

        1.1.1.  Keywords

        +

        The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in [RFC 2119].

        These keywords are capitalized when used to unambiguously specify @@ -123,7 +123,7 @@

        1.1.2. Structure

        Datatype, OtherCode.

        Listings of DSS schemas appear like this.

        -

        1.1.3.  Definitions

        +

        1.1.3. Definitions

        Identity Provider

        An Identity Provider that is assigned to authenticate the signer.

        @@ -153,7 +153,7 @@

        1.2. Schema Organization and Nam different namespace.

        Conventional XML namespace prefixes are used in the schema:

          -

        • The prefix csig: stands for the this specification's XML schema +

        • The prefix csig: stands for this specification's XML schema namespace [Csig-XSD].

        • The prefix dss: stands for the DSS core namespace @@ -202,7 +202,7 @@

          1.3.1. String values

          Unless otherwise noted in this specification, all elements that have the XML Schema xs:string type, or a type derived from that, MUST be compared using an exact binary comparison. In particular, -implementations MUST NOT depend on case insensitive string comparisons, +implementations MUST NOT depend on case-insensitive string comparisons, normalization or trimming of whitespace, or conversion of locale-specific formats such as numbers or currency. This requirement is intended to conform to the W3C working group note "Requirements for String @@ -615,7 +615,7 @@

          3.1.2. Element <SignMessage>

          The MIME type defining the message format. This is an enumeration of the valid attribute values text (plain text), text/html (html) or text/markdown (markdown). This specification does not specify any -particular restrictions on the provided message but it is RECOMMENDED +particular restrictions on the provided message, but it is RECOMMENDED that sign message content is restricted to a limited set of valid tags and attributes, and that the display entity performs filtering to enforce these restrictions before displaying the message. The means @@ -834,7 +834,7 @@

          3.2.2. Type CertificateChainType

          Certificates MUST be provided in sequence with the end-entity certificate first in the sequence followed by any CA certificates that can be used to verify the previous certificate in the sequence, ending -with a self signed root certificate.

          +with a self-signed root certificate.

          The CertificateChainType complex type has the following elements:

          <X509Certificate> [One or More]

          @@ -1056,7 +1056,7 @@

          5. Signing Sign Requests and Res requests and responses for signature creation to protect against spoofing and substitution attacks. If a hash of the document to be signed is replaced in a sign request, the signer may end up signing -something completely different than what the requesting service +something completely different from what the requesting service presented to the signer.

          When a <dss:SignRequest> is signed, the signature of that request MUST be placed as the last child element in the @@ -1073,7 +1073,7 @@

          6. Normative References

          [Csig-XSD]

          -

          This specification's DSS Extensions schema Version 1.1.3, https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.3.xsd, November, 2024.

          +

          This specification's DSS Extensions schema Version 1.1.3, https://docs.swedenconnect.se/schemas/csig/1.1/EidCentralSigDssExt-1.1.3.xsd, November 2024.

          [OASIS-DSS]

          diff --git a/docs/november-2021/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html b/docs/november-2021/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html index 4052224..0f81095 100644 --- a/docs/november-2021/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html +++ b/docs/november-2021/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html @@ -19,7 +19,7 @@

          eIDAS Constructed Attributes Specification for the Swedish eID Framework

          -

          Version 1.2 - 2021-11-11

          +

          Version 1.2 - 2021-11-11

          Registration number: 2019-315

          @@ -47,7 +47,7 @@

          Table of Contents

      Appendix A. PRID Algorithm implementations (Java)

      -

      1. Introduction

      +

      1. Introduction

      This document extends “Attribute Specification for the Swedish eID Framework”, [EidAttributes], providing specifications for constructed attributes.

      @@ -61,7 +61,7 @@

      1. Introduction

      authenticated user (subject) received from the foreign Identity Provider service (typically an eIDAS node).

      -

      1.1. Requirement key words

      +

      1.1. Requirement key words

      The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in [RFC2119].

      @@ -70,7 +70,7 @@

      1.1. Requirement key words

      interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

      -

      2. Provisional Identifier

      +

      2. Provisional Identifier

      The Attribute Specification for the Swedish eID Framework, [EidAttributes], defines the attributes prid and pridPersistence.

      The prid attribute holds a unique identifier for a person derived from attributes provided from another country. The purpose of this attribute @@ -85,7 +85,7 @@

      2. Provisional Identifier

      This document defines a set of prid algorithms, when to use each algorithm and the resulting pridPersistence value.

      -

      2.1. Provisional Identifier (prid) Attribute

      +

      2.1. Provisional Identifier (prid) Attribute

      The provisional identifier (prid) attribute is a SAML attribute identified by the SAML attribute name urn:oid:1.2.752.201.3.4.

      The prid attribute holds a string value containing the following data:

      @@ -123,7 +123,7 @@

      2.1. Provisional Identifie character, for example, the character sequence “1-2-3-4-56” is not allowed as it only holds 6 distinguishing ID characters.

      -

      2.2. Provisional Identifier Persistence Indicator (pridPersistence) Attribute

      +

      2.2. Provisional Identifier Persistence Indicator (pridPersistence) Attribute

      The provisional identifier (pridPersistence) attribute is a SAML attribute identified by the SAML attribute name urn:oid:1.2.752.201.3.5.

      The pridPersistence attribute holds a string value containing the @@ -141,32 +141,30 @@

      Value -Defined meaning +Value +Defined meaning - - -A -Persistence over time is expected to be comparable or better than a Swedish personal identity number (personnummer). This means that the identifier typically is stable throughout the lifetime of the subject and is typically preserved even if the subject changes address, name or civil status. + +A +Persistence over time is expected to be comparable or better than a Swedish personal identity number (personnummer). This means that the identifier typically is stable throughout the lifetime of the subject and is typically preserved even if the subject changes address, name or civil status. -B -Persistence over time is expected to be relatively stable, but lower than a Swedish personal identity number (personnummer). This means that the identifier typically remains unchanged as long as the person does not change address, name or civil status. Such or similar event may cause the identifier to change but the identifier will not change just because the subject gets a new eID (electronic identification means) or changes eID provider. +B +Persistence over time is expected to be relatively stable, but lower than a Swedish personal identity number (personnummer). This means that the identifier typically remains unchanged as long as the person does not change address, name or civil status. Such or similar event may cause the identifier to change but the identifier will not change just because the subject gets a new eID (electronic identification means) or changes eID provider. -C -No expectations regarding persistence over time. The identifier may change if the subject changes eID or eID provider. +C +No expectations regarding persistence over time. The identifier may change if the subject changes eID or eID provider. - - +

      -

      2.3. Algorithms

      +

      2.3. Algorithms

      This section defines algorithms for generating the identifier component of prid attribute values. The identifier component makes up the characters following the “:” (colon) character in the prid.

      -

      2.3.1. Algorithm: default-eIDAS

      +

      2.3.1. Algorithm: default-eIDAS

      Name: default-eIDAS

      Input values:

        @@ -198,7 +196,7 @@

        2.3.1. Algorithm: default-eIDAS

        Return normalizedID

        -

        If length of normalizedID > 30 characters:

        +

        If length of normalizedID > 30 characters**:**

        Return the string representation of the first 30 hexadecimal digits of the SHA256 hash of the UTF-8 encoded bytes of strippedID.

        @@ -209,8 +207,8 @@

        2.3.1. Algorithm: default-eIDAS

        fails:

          -
        1. Leading 6 characters of PersonIdentifier does not match regexp ^[A-Za-z]{2}[\/](SE|se)[\/]$
          2. -
        2. normalizedID < 6 characters (not counting “-“ (hyphen) characters).
          3. +
        3. Leading 6 characters of PersonIdentifier does not match regexp ^[A-Za-z]{2}[\/](SE|se)[\/]$
          4. +
        4. normalizedID < 6 characters (not counting “-“ (hyphen) characters).

        Collision resistance:

        All eIDAS PersonIdentifier attributes are required to be unique. That @@ -223,10 +221,10 @@

        2.3.1. Algorithm: default-eIDAS

        In case the normalized identifier string exceeds 30 characters this algorithm falls back on providing a 30 hex digit representation of a concatenated SHA-2 hash value. The collision probability for such -identifier among 2 users is 1 in 1,25 * 10\^36 (Calculated as 16\^30 – -16\^29 since first digit can not be 0). For a population of 100 million +identifier among 2 users is 1 in 1,25 * 10^36 (Calculated as 16^30 – +16^29 since first digit can not be 0). For a population of 100 million people the probability of a collision is approximately 1 in 2.5 * -10\^20 or 1 in 250 trillion countries of that population size1.

        +10^20 or 1 in 250 trillion countries of that population size1.

        Countries typically do not use ID attributes that exceed 30 characters in size, but it cannot be ruled out that some countries will generate an ID for cross-border use that is different from a national ID and that @@ -244,55 +242,53 @@

        2.3.1. Algorithm: default-eIDAS

        - - + + - - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - -
        PersonIdentifierResulting pridPersonIdentifierResulting prid
        NO/SE/05068907693NO:05068907693
        NO/SE/05068907693NO:05068907693
        DK/SE/09208-2002-2-194967071622DK:09208-2002-2-194967071622DK/SE/09208-2002-2-194967071622DK:09208-2002-2-194967071622
        UK/DK/1234567890UK:NULL (Failed: target country is not SE)UK/DK/1234567890UK:NULL (Failed: target country is not SE)
        DE/SE/#12345-3456//ABCDE:12345-3456-abcDE/SE/#12345-3456//ABCDE:12345-3456-abc
        DE/SE/aErf#(EAd9)DE:0aerf-ead9DE/SE/aErf#(EAd9)DE:0aerf-ead9
        de/se/aErf#(E)NULL (Failed: Less than 6 ID characters)de/se/aErf#(E)NULL (Failed: Less than 6 ID characters)
        DE/SE/(1952 12 14-1122)DE:19521214-1122DE/SE/(1952 12 14-1122)DE:19521214-1122
        19521214-1122NULL (Failed: Leading 6 character format error)19521214-1122NULL (Failed: Leading 6 character format error)
        DE/SE/1234567890123456789012345678901DE:3b7184c0ceaf76a9607a31e4e1f87fDE/SE/1234567890123456789012345678901DE:3b7184c0ceaf76a9607a31e4e1f87f
        +

        -

        [1]: Birthday paradox approximation p(n) ≈ n\^2 / 2m, where p(n) is the collision probability, n is the number of people and m is the number of possible ID combinations.

        +

        [1]: Birthday paradox approximation p(n) ≈ n^2 / 2m, where p(n) is the collision probability, n is the number of people and m is the number of possible ID combinations.

        -

        2.3.2. Algorithm: colresist-eIDAS

        +

        2.3.2. Algorithm: colresist-eIDAS

        This algorithm is identical to default-eIDAS except that the hashed expression of the ID in case the normalized ID exceeds 30 characters, has higher collision resistance by expressing the ID in radix 36 instead @@ -309,69 +305,67 @@

        2.3.2. Algorithm: colresist-eIDAS

        Identical to default-eIDAS result

    -

    If length of normalizedID > 30 characters:

    +

    If length of normalizedID > 30 characters**:**

    Return the string representation of the first 30 radix 36 digits of the SHA256 hash of the UTF-8 encoded bytes of strippedID.

    Exceptions: Identical to default-eIDAS

    Collision resistance:

    Expression of this ID in hashed form use 30 radix 36 symbols. This -reduces the collision resistance among 2 users to 1 in 4.75 * 10\^46. +reduces the collision resistance among 2 users to 1 in 4.75 * 10^46. The collision probability among 100 million users is reduced to -approximately 1 in 10\^31.

    +approximately 1 in 10^31.

    Examples:

    - - + + - - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - -
    PersonIdentifierResulting pridPersonIdentifierResulting prid
    NO/SE/05068907693NO:05068907693
    NO/SE/05068907693NO:05068907693
    DK/SE/09208-2002-2-194967071622DK:09208-2002-2-194967071622DK/SE/09208-2002-2-194967071622DK:09208-2002-2-194967071622
    UK/DK/1234567890UK:NULL (Failed: target country is not SE)UK/DK/1234567890UK:NULL (Failed: target country is not SE)
    DE/SE/#12345-3456//ABCDE:12345-3456-abcDE/SE/#12345-3456//ABCDE:12345-3456-abc
    DE/SE/aErf#(EAd9)DE:0aerf-ead9DE/SE/aErf#(EAd9)DE:0aerf-ead9
    de/se/aErf#(E)NULL (Failed: Less than 6 ID characters)de/se/aErf#(E)NULL (Failed: Less than 6 ID characters)
    DE/SE/(1952 12 14-1122)DE:19521214-1122DE/SE/(1952 12 14-1122)DE:19521214-1122
    19521214-1122NULL (Failed: Leading 6 character format error)19521214-1122NULL (Failed: Leading 6 character format error)
    DE/SE/1234567890123456789012345678901DE:1hc3tpoleczqu3t8jz2995k2rq7nt8DE/SE/1234567890123456789012345678901DE:1hc3tpoleczqu3t8jz2995k2rq7nt8
    +

    [1]: Radix 36 express values ranging from 0 to 36 through a single character using the symbols ”0123456789abcdefghijklmnopqrstuvwxyz” in the presented order.

    -

    2.3.3. Algorithm: special-characters-eIDAS

    +

    2.3.3. Algorithm: special-characters-eIDAS

    The default-eIDAS and the colresist-eIDAS algoritms are suitable when the base identifier from the authenticating country is constructed from digits and basic case-insensitive characters. These algoritms do not work on identifiers constructed as a Base64 string of binary data, such as a hash of another identifier.

    The present algoritm is intended to be used where the base identifier contains case-sensitive characters and where characters other than a-z and 0-9 are used to add entropy to the identifier.

    Name: special-characters-eIDAS

    @@ -386,27 +380,25 @@

    2.3.3. Algorithm: special-ch

    If the following conditions occur in the process, prid generation fails:

      -
    1. Leading 6 characters of PersonIdentifier does not match regexp ^[A-Za-z]{2}[\/](SE|se)[\/]$
      2. -
    2. strippedID < 16 characters.
      3. +
    3. Leading 6 characters of PersonIdentifier does not match regexp ^[A-Za-z]{2}[\/](SE|se)[\/]$
      4. +
    4. strippedID < 16 characters.

    Collision resistance: Identical to colresist-eIDAS.

    Examples:

    - - + + - - - - + + + - -
    PersonIdentifierResulting pridPersonIdentifierResulting prid
    AT/SE/Zk2ME2pjxwzQOjVeFGeqSIage34=AT:50bwytdle2mzexopcolmdhmhznihms
    AT/SE/Zk2ME2pjxwzQOjVeFGeqSIage34=AT:50bwytdle2mzexopcolmdhmhznihms
    +

    -

    2.4. Algorithm Selection and Resulting pridPersistence Value

    +

    2.4. Algorithm Selection and Resulting pridPersistence Value

    This section defines the current algorithm selection rules and the resulting pridPersistence value. These rules are processed in the presented order. The first rule where the present conditions matches all @@ -416,91 +408,85 @@

    2.4. Algor - - + + - - - - + + + - - + + - - + + - - + + - - + + - -
    Rule 1DescriptionRule 1Description
    Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
    Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
    Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.
    Matching rule 3Attributes provided by any of the countries that issue identities according to persistance class A.Matching rule 3Attributes provided by any of the countries that issue identities according to persistance class A.
    Selected algorithmdefault-eIDASSelected algorithmdefault-eIDAS
    pridPersistence valueApridPersistence valueA
    + - - + + - - - - + + + - - + + - - + + - - + + - - + + - -
    Rule 2DescriptionRule 2Description
    Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
    Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
    Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.
    Matching rule 3Attributes provided by any of the countries that issue identities according to persistance class B.Matching rule 3Attributes provided by any of the countries that issue identities according to persistance class B.
    Selected algorithmdefault-eIDASSelected algorithmdefault-eIDAS
    pridPersistence valueBpridPersistence valueB
    + - - + + - - - - + + + - - + + - - + + - - + + - -
    Rule 3DescriptionRule 3Description
    Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
    Matching rule 1Authenticated attributes are provided by an eIDAS node (proxy service).
    Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.Matching rule 2Authenticated subject is a person and has a PersonIdentifier attribute.
    Selected algorithmdefault-eIDASSelected algorithmdefault-eIDAS
    pridPersistence valueCpridPersistence valueC
    +

    -

    3. References

    +

    3. References

    [RFC2119]

    @@ -538,7 +524,7 @@

    3. References

    eIDAS SAML Attribute Profile, version 1.2, 21 May 2019.

    -

    4. Changes between versions

    +

    4. Changes between versions

    Changes between version 1.1 and version 1.2:

    • The length requirement for identifier characters has been changed from 8 to 6. This applies to the default-eIDAS and colresist-eIDAS algorithms.
      • @@ -553,104 +539,105 @@

      4. Changes between versions

    -

    Appendix A. PRID Algorithm implementations (Java)

    +

    Appendix A. PRID Algorithm implementations (Java)

    default-eIDAS

    -
      private static final String personIdentifierPrefixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
+
      private static final String personIdentifierPrefixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
 
-  public String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
-
-    if (personIdentifier == null) {
-      throw new PridGenerationException("Missing personIdentifier");
+  public String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
+    
+    if (personIdentifier == null) {
+      throw new PridGenerationException("Missing personIdentifier");
     }
     if (!personIdentifier.substring(0, 6).matches(personIdentifierPrefixRegexp)) {
-      throw new PridGenerationException("Invalid ID format");
+      throw new PridGenerationException("Invalid ID format");
     }
     // Get ID component without whitespace and non-printable characters
-    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
-
+    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
+        
     // Convert to lower case
-    String normalizedID = strippedID.toLowerCase();
-
-    // Replace sequences of non ID characters to "-"
-    normalizedID = normalizedID.replaceAll("[^a-z0-9]+", "-");
-
-    // Remove leading and trailing "-" 
-    normalizedID = normalizedID.replaceAll("^-+", "").replaceAll("-+$", "");
-    if (normalizedID.replaceAll("-", "").length() < 6) {
-      throw new PridGenerationException("Invalid ID format");
+    String normalizedID = strippedID.toLowerCase();
+            
+    // Replace sequences of non ID characters to "-"
+    normalizedID = normalizedID.replaceAll("[^a-z0-9]+", "-");
+    
+    // Remove leading and trailing "-" 
+    normalizedID = normalizedID.replaceAll("^-+", "").replaceAll("-+$", "");
+    if (normalizedID.replaceAll("-", "").length() < 6) {
+      throw new PridGenerationException("Invalid ID format");
     }
-    if (normalizedID.length() < 10) {
-      normalizedID = "0000000000".substring(normalizedID.length()) + normalizedID;
+    if (normalizedID.length() < 10) {
+      normalizedID = "0000000000".substring(normalizedID.length()) + normalizedID;
     }
-    if (normalizedID.length() > 30) {
+    if (normalizedID.length() > 30) {
       try {
-        MessageDigest md = MessageDigest.getInstance("SHA-256");
-        byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
-        return new BigInteger(1, digest).toString(16).substring(0, 30);
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
+        byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
+        return new BigInteger(1, digest).toString(16).substring(0, 30);
       }
-      catch (NoSuchAlgorithmException ex) {
-        throw new PridGenerationException(e);
+      catch (NoSuchAlgorithmException ex) {
+        throw new PridGenerationException(e);
       }
     }
-    return normalizedID;
-  }
    colresist-eIDAS
    
-
      private static final String personIdentifierPrefixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
-
-  public static String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
-    if (personIdentifier == null) {
-      throw new PridGenerationException("Missing personIdentifier");
+    return normalizedID;
+  }
+
    colresist-eIDAS
    
+
      private static final String personIdentifierPrefixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
+  
+  public static String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
+    if (personIdentifier == null) {
+      throw new PridGenerationException("Missing personIdentifier");
     }
     if (!personIdentifier.substring(0, 6).matches(personIdentifierPrefixRegexp)) {
-      throw new PridGenerationException("Invalid ID format");
+      throw new PridGenerationException("Invalid ID format");
     }
-
+    
     // Get ID component without whitespace and non-printable characters
-    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
-
+    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
+    
     // Convert to lower case
-    String normalizedID = strippedID.toLowerCase();
-
-    // Replace sequences of non ID characters to "-"
-    normalizedID = normalizedID.replaceAll("[^a-z0-9]+", "-");
-
-    // Remove leading and trailing "-" 
-    normalizedID = normalizedID.replaceAll("^-+", "").replaceAll("-+$", "");
-    if (normalizedID.replaceAll("-", "").length() < 6) {
-      throw new PridGenerationException("Invalid ID format");
+    String normalizedID = strippedID.toLowerCase();
+    
+    // Replace sequences of non ID characters to "-"
+    normalizedID = normalizedID.replaceAll("[^a-z0-9]+", "-");
+    
+    // Remove leading and trailing "-" 
+    normalizedID = normalizedID.replaceAll("^-+", "").replaceAll("-+$", "");
+    if (normalizedID.replaceAll("-", "").length() < 6) {
+      throw new PridGenerationException("Invalid ID format");
     }
-    if (normalizedID.length() < 10) {
-      normalizedID = "0000000000".substring(normalizedID.length()) + normalizedID;
+    if (normalizedID.length() < 10) {
+      normalizedID = "0000000000".substring(normalizedID.length()) + normalizedID;
     }
-    if (normalizedID.length() > 30) {
+    if (normalizedID.length() > 30) {
       try {
-        MessageDigest md = MessageDigest.getInstance("SHA-256");
-        byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
-        return new BigInteger(1, digest).toString(36).substring(0, 30);
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
+        byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
+        return new BigInteger(1, digest).toString(36).substring(0, 30);
       } 
-      catch (NoSuchAlgorithmException ex) {
-        throw new PridGenerationException(e);
+      catch (NoSuchAlgorithmException ex) {
+        throw new PridGenerationException(e);
       }
     }
-    return normalizedID;
+    return normalizedID;
   }
    special-characters-eIDAS
    
-
      private static final String personIdentifierPrifixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
+
      private static final String personIdentifierPrifixRegexp = "^[A-Za-z]{2}[\\/](SE|se)[\\/]";
 
   public String getPridIdentifierComponent(String personIdentifier) throws PridGenerationException {
     if (personIdentifier == null) {
-      throw new PridGenerationException("Missing personIdentifier");
+      throw new PridGenerationException("Missing personIdentifier");
     }
     if (!personIdentifier.substring(0, 6).matches(personIdentifierPrifixRegexp)) {
-      throw new PridGenerationException("Invalid ID format");
+      throw new PridGenerationException("Invalid ID format");
     }
-
+    
     // Get ID component without whitespace and non-printable characters
-    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
+    String strippedID = personIdentifier.substring(6).replaceAll("\\s+", "");
     if (strippedID.length() < 16) {
-      throw new PridGenerationException("Invalid ID format");
+      throw new PridGenerationException("Invalid ID format");
     }
     try {
-      MessageDigest md = MessageDigest.getInstance("SHA-256");
-      byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
+      MessageDigest md = MessageDigest.getInstance("SHA-256");
+      byte[] digest = md.digest(strippedID.getBytes(Charset.forName("UTF-8")));
       return new BigInteger(1, digest).toString(36).substring(0, 30);
     }
     catch (NoSuchAlgorithmException ex) {
diff --git a/docs/november-2021/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html b/docs/november-2021/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
index bdc3df8..6ea242c 100644
--- a/docs/november-2021/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
+++ b/docs/november-2021/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
@@ -19,11 +19,11 @@
 
    
 
 
    Implementation Profile for BankID Identity Providers within the Swedish eID Framework
    
-
    Version 1.3 - 2021-11-11
    
+
    Version 1.4 - 2024-12-04
    
 
    Registration number: 2019-316
    
 
    
 
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2021. All Rights Reserved.
+Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.
 
    
 
 
    Table of Contents
    
@@ -43,17 +43,15 @@ 
    Table of Contents
    
 
  • Identity Provider User Interface
    
 
     3.1. General Requirements
    
 
     3.2. Automatic Start of the BankID Client
    
-
     3.3. Mobile BankID on another Device
    
-
     3.3.1. User Experience Recommendations
    
-
     3.4. Cancelling an Operation
    
+
     3.3. Cancelling an Operation
    
 
    • 
 
  • Authentication Requests
    
 
     4.1. Binding and Security Requirements
    
-
     4.2. Authentication for Signature
    
-
     4.2.1. Input to BankID Signing
    
-
     4.2.1.1. userVisibleData - Signature Message
    
-
     4.2.1.2. userNonVisibleData
    
-
     4.2.2. Mobile BankID and the personNumber attribute
    
+
     4.2. Handling of Principal Selection
    
+
     4.3. Authentication for Signature
    
+
     4.3.1. Input to BankID Signing
    
+
     4.3.1.1. userVisibleData - Signature Message
    
+
     4.3.1.2. userNonVisibleData
    
 
    • 
 
  • Authentication Responses
    
 
     5.1. Attribute Release Rules
    
@@ -71,14 +69,12 @@ 
    Table of Contents
    
 
 
    
 
    
-
    1. Introduction
    
-
    This profile defines how a SAML Identity Provider that offers authentication using the Swedish BankID technology should implement its services to be compliant with the Swedish eID Framework. It extends the "Deployment Profile for the Swedish eID Framework", 
-[EidProfile], with requirements and recommendations for Identity Providers offering BankID authentication and signature services.
    
-
    The BankID interface for authentication and signature, the Relying Party Interface, is described in the "BankID Relying Party Guidelines", [BankID_Spec], specification. This specification MUST be fully implemented and supported by BankID Identity Providers compliant
-with the Swedish eID Framework specifications.
    
+
    1. Introduction
    
+
    This profile defines how a SAML Identity Provider that offers authentication using the Swedish BankID technology should implement its services to be compliant with the Swedish eID Framework. It extends the "Deployment Profile for the Swedish eID Framework",  [SC.SAML.Profile], with requirements and recommendations for Identity Providers offering BankID authentication and signature services.
    
+
    The BankID interface for authentication and signature, the Relying Party Interface, is described at https://developers.bankid.com. This specification MUST be fully implemented and supported by BankID Identity Providers compliant with the Swedish eID Framework specifications.
    
 
    
-
    1.1. Requirements Notation
    
-
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+
    1.1. Requirements Notation
    
+
    The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in [RFC2119].
    
 
    The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus
@@ -89,27 +85,27 @@ 
    1.1. Requirements Notation
    
 interoperate without additional negotiation, and should be undertaken
 with caution.
    
 
    
-
    1.2. References to SAML 2.0 Standards and Profiles
    
+
    1.2. References to SAML 2.0 Standards and Profiles
    
 
    When referring to elements from the SAML 2.0 core specification [SAML2Core],
 the following syntax is used:
    
 
      
 
    • <saml2p:Element> – for elements from the SAML 2.0 Protocol
-namespace.
      
+  namespace.
      
 
      • 
 
    • <saml2:Element> – for elements from the SAML 2.0 Assertion
-namespace.
      
+  namespace.
      
 
      • 
 
    
 
    When referring to elements from the SAML 2.0 metadata specifications,
 the following syntax is used:
    
 
      
-
    • <md:Element> – for elements defined in [SAML2Meta].
      
+
    •   <md:Element> – for elements defined in [SAML2Meta].
      
 
      • 
-
    • <mdattr:Element> – for elements defined in [SAML2MetaAttr].
      
+
    •   <mdattr:Element> – for elements defined in [SAML2MetaAttr].
      
 
      • 
 
    
 
    
-
    1.3. BankID Methods and Applications
    
+
    1.3. BankID Methods and Applications
    
 
    There are three types of BankID:
    
 
      
 
    • Mobile BankID - End users use the "BankID app" on their mobile devices to authenticate or perform a signature. In these cases the user certificate is stored in the app and protected by a personal code.
      • 
@@ -118,37 +114,35 @@ 
      1.3. BankID Methods and Applicatio
 
    
 
    The three above methods are all "BankID", but historically, relying parties have made a difference between "Mobile BankID" and "BankID" (the original desktop version).
    
 
    
-
    1.3.1. Representation as Identity Providers
    
+
    1.3.1. Representation as Identity Providers
    
 
    An actor offering BankID services can choose to use one BankID Identity Provider supporting all different BankID methods, or use several Identity Provider instances, one for each BankID method. 
    
 
    Services that support all methods within one Identity Provider instance usually displays a question to the user before authentication starts, where the user chooses between "Using BankID on this device or another device". In an environment where a discovery service (or similar) is being used, this means that the user has to make two choices before the actual authentication process starts; first at the discovery service where the user selects "BankID" and then at the BankID Identity Provider where the user selects the type of BankID authentication to use.
    
 
    It is RECOMMENDED that BankID services are split into separate Identity Providers for each supported BankID method. The reasons for this are the above argument about discovery, but also the fact that a Service Provider should be able to select which type of authentication that is required (for example, Mobile BankID may be accepted but not BankID on file). 
    
 
    
-
+
 
    The table below states the RECOMMENDED support and behaviour when support for BankID is implemented using separate Identity Providers (as recommended in section 1.3.1 above). 
    
 
-
-
-
-
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
+
+
+
+
-
-
    
 
 
    Identity ProviderDesktopMobile PhoneTabletIdentity ProviderDesktopMobile PhoneTablet
 
    
 
    Mobile BankIDStart BankID on other device1 (mobile phone or tablet).Start BankID on the same device2.Prompt the user to ask whether to start BankID on the tablet or on another device3 (mobile phone).
    Mobile BankIDStart BankID on other device1 (mobile phone or tablet).Start BankID on the same device2.Prompt the user to ask whether to start BankID on the tablet or on another device3 (mobile phone).
 
    
 
    BankID on file (or on card)Start BankID on the same device4.Not supported5.Not supported5.BankID on file (or on card)Start BankID on the same device4.Not supported5.Not supported5.
 
    
+
 
      
 
    1. The user initiates a BankID operation from his or hers desktop computer and selects to use Mobile BankID. In this case the Mobile BankID app is started on another device (since Mobile BankID does not exist on desktop computers).
      2. 
 
    2. The user initiates a BankID operation from his or hers mobile phone and selects to use Mobile BankID. In this case the BankID app is started on the same device. It is highly unlikely that a user uses one mobile phone to visit a service and wants to use his or hers BankID on another device.
      3. 
@@ -159,8 +153,8 @@ 
 
      Note: Items 4 and 5 above also apply to BankID on card. A service MAY choose to implement BankID on file and BankID on card as separate Identity Providers or as one Identity Provider instance.
      
 
      For Identity Providers implementing BankID support in one Identity Provider instance it is RECOMMENDED to make the assumption that the BankID app should be started on the same device if the user connects via a mobile phone. 
      
 
      
-
      1.4. Relying Party Configuration
      
-
      When a Relying Party uses the BankID Relying Party API directly in order to implement BankID services, it has a set of configuration settings to choose from (see section 14.5 of [BankID_Spec]). Examples are:
      
+
      1.4. Relying Party Configuration
      
+
      When a Relying Party uses the BankID Relying Party API directly in order to implement BankID services, it has a set of configuration settings to choose from (see requirements object under the Auth and Sign API). Examples are:
      
 
        
 
      • Should fingerprints be allowed instead of the user entering his or hers security code?
        
 
        • 
@@ -169,187 +163,121 @@ 
        1.4. Relying Party Configuration
        
 
      • Smart card reader preferences.
        
 
        • 
 
      
-
      However, the services of a BankID Identity Provider are used by several parties within the federation and it is thus harder to maintain a per Service Provider configuration. Therefore, a BankID Identity Provider compliant with this profile SHOULD use the same configuration defaults as stated in section 14.5 of [BankID_Spec]).
      
+
      However, the services of a BankID Identity Provider are used by several parties within the federation, and it is thus harder to maintain a per-Service Provider configuration. Therefore, a BankID Identity Provider compliant with this profile SHOULD use the same configuration defaults as stated in Auth and Sign API.
      
 
      
-
      Note: It is of course allowed for a BankID Identity Provider to maintain specific Service Provider configurations, but this is outside of the scope for this profile, and there will be no specification support to accomplish this.
      
-
      
-
      Besides the above Relying Party configurations, the BankID API offers two different ways to initiate a BankID operation for the cases where the user agent and the BankID app is not on the same device.
      
-
        
-
      • A QR code is displayed in the UI and the user is prompted to scan this code using his or hers mobile device (see section 4 of [BankID_Spec]).
        
-
        • 
-
      • The user is prompted for his or hers personal number.
        
-
        • 
-
      
-
      The QR code functionality is a relatively new feature that was introduced to provide protection from fraudsters that remotely attempts to persuade people to authenticate or sign using their mobile BankID:s. By prompting the user to scan a QR code the user agent and mobile device are tied to the same physical location, and these kinds of frauds are eliminated.
      
-
      Due to large number of BankID users and the fear of changing a well established pattern, many BankID Relying Parties have not yet implemented the use of QR codes. It is a consideration of ease of use versus higher security, and different service providers may have different opinion regarding the feature.
      
-
      A Service Provider making use of a BankID Identity Provider has the possibility to explicitly
-request that QR codes, instead of user ID prompting, is used by the Identity Provider to
-initiate BankID operations. This is performed by declaring the 
-http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category
-(see section 6.1 of [EidEntCat]) in the Service Provider metadata.
      
-
      A BankID Identity Provider compliant with this profile SHOULD support the use of QR codes to
-initialize BankID operations. 
      
-
      BankID Identity Providers that support the QR code feature MUST declare the 
-http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity
-category in its metadata and MUST check the presence of this entity category from a 
-requesting Service Provider's metadata when processing a request, and MUST prompt the 
-user to scan a QR code instead of asking for the personal identity number if the entity 
-category is present.
      
-
      
-
      See section 6, "Metadata", for details how to declare the secure-authenticator-binding entity category.
      
+
      Note: It is of course allowed for a BankID Identity Provider to maintain specific Service Provider configurations, but this is outside the scope for this profile, and there will be no specification support to accomplish this.
      
 
      
 
      
-
      2. Attributes
      
-
      An BankID Identity Provider use the BankID Relying Party API, as described in [BankID_Spec], to communicate with the BankID-server when providing its services to end users. When a BankID-operation has completed successfully, the Identity Provider (the BankID Relying Party) invokes the Collect-method (/rp/v5/collect) to obtain the result from the operation.
      
-
      The table below contains attribute transformation mappings between attributes from a Collect-method response as described in section 14.2.5 of [BankID_Spec] and attributes defined within the Swedish eID Framework as defined in [EidAttributes].
      
+
      2. Attributes
      
+
      An BankID Identity Provider use the BankID Relying Party API, as described in BankID API, to communicate with the BankID-server when providing its services to end users. When a BankID-operation has completed successfully, the Identity Provider (the BankID Relying Party) invokes the Collect-method (/collect) to obtain the result from the operation.
      
+
      The table below contains attribute transformation mappings between attributes from a Collect-method response as described in /collect and attributes defined within the Sweden Connect Framework as defined in [SC.SAML.Attrs].
      
 
      An Identity Provider should not necessarily release all transformed attributes received from the BankID-server to the Service Provider. See further section 5.1, "Attribute Release Rules".
      
 
      
-
      2.1. Attribute Transformation
      
+
      2.1. Attribute Transformation
      
 
-
-
-
+
+
+
-
-
-
-
-
+
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
-
-
      
 
 
      BankID attributeSAML AttributeDescriptionBankID attributeSAML AttributeDescription
 
      
 
      orderReftransactionIdentifier
      urn:oid:1.2.752.201.3.2      		The BankID order reference received from a BankID Auth (/rp/v5/auth) or Sign (rp/v5/sign) method invocation. This parameter is supplied as an input parameter to the Collect-call and is the unique transaction identifier for the BankID-operation.
      orderReftransactionIdentifier
      urn:oid:1.2.752.201.3.2      		The BankID order reference received from a BankID Auth (/rp/v5/auth) or Sign (rp/v5/sign) method invocation. This parameter is supplied as an input parameter to the Collect-call and is the unique transaction identifier for the BankID-operation.
 
      
 
      completionData.
      user.personalNumber      		personalIdentityNumber
      urn:oid:1.2.752.29.4.13      		Swedish ”personnummer”. 12 digits without hyphen.completionData.
      user.personalNumber      		personalIdentityNumber
      urn:oid:1.2.752.29.4.13      		Swedish ”personnummer”. 12 digits without hyphen.
 
      
 
      completionData.
      user.givenName      		givenName
      urn:oid:2.5.4.42      		User's given name.completionData.
      user.givenName      		givenName
      urn:oid:2.5.4.42      		User's given name.
 
      
 
      completionData.
      user.surname      		sn
      urn:oid:2.5.4.4      		User's surname.completionData.
      user.surname      		sn
      urn:oid:2.5.4.4      		User's surname.
 
      
 
      completionData.
      user.name      		displayName
      urn:oid:2.16.840.1.113730.3.1.241      		User's given name and surname.completionData.
      user.name      		displayName
      urn:oid:2.16.840.1.113730.3.1.241      		User's given name and surname.
 
      
 
      completionData.
      cert.notBefore      		bankidNotBefore key in authContextParams
      urn:oid:1.2.752.201.3.3      		Start of validity of user's BankID.
      No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidNotBefore, see 2.1.1 below.      		completionData.
      device.ipAddress      		bankidUserAgentAddress key in authContextParams
      urn:oid:1.2.752.201.3.3      		The IP-address of the user agent presented to the BankID server. In cases where a user uses BankID "on another device" this address may not be the same as the web user agent. No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidUserAgentAddress, see 2.1.1 below.
 
      
 
      completionData.
      cert.notAfter      		bankidNotAfter key in authContextParams
      urn:oid:1.2.752.201.3.3      		End of validity of user's BankID.
      No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidNotAfter, see 2.1.1 below.      		completionData.
      device.uhi      		bankidUhi key in authContextParams
      urn:oid:1.2.752.201.3.3      		Unique hardware identifier for the user's device. No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidUhi, see 2.1.1 below.
 
      
 
      completionData.
      device.ipAddress      		bankidUserAgentAddress key in authContextParams
      urn:oid:1.2.752.201.3.3      		The IP-address of the user agent presented to the BankID server. In cases where a user uses BankID "on another device" this address may not be the same as the web user agent. No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidUserAgentAddress, see 2.1.1 below.completionData.
      bankIdIssueDate      		bankidIssueDate key in authContextParams
      urn:oid:1.2.752.201.3.3      		The date the BankID was issued to the user.
      No direct attribute mapping exists, but may be represented as key-value pair in authContextParams, where the key is bankidIssueDate, see 2.1.1 below.      		
 
      
 
      completionData.
      signature      		userSignature
      urn:oid:1.2.752.201.3.11      		The signature applied by the user as part of the authentication/signature process.completionData.
      signature      		userSignature
      urn:oid:1.2.752.201.3.11      		The signature applied by the user as part of the authentication/signature process.
 
      
 
      completionData.
      ocspResponse      		authServerSignature
      urn:oid:1.2.752.201.3.13      		The OCSP response signed by the BankID issuer that proves that the user BankID was checked for revocation.completionData.
      ocspResponse      		authServerSignature
      urn:oid:1.2.752.201.3.13      		The OCSP response signed by the BankID issuer that proves that the user BankID was checked for revocation.
 
      
+
 
      
-
      2.1.1. The authContextParams Attribute
      
-
      The authContextParams attribute, see section 3.2.1 of [EidAttributes], is a general purpose attribute to be used when non-standardized authentication data is to be transfered in a SAML assertion. 
      
-
      The attribute is used by attribute providers to release data from an authentication process that has no attribute definition of its own. Thus, should the BankID attributes completionData.cert.notBefore, completionData.cert.notAfter and completionData.device.ipAddress be transformed and included into an assertion, they would have to be placed as key-value pairs of the authContextParams attribute as the example below.
      
-
      <saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    
-                           FriendlyName="authContextParams"
-                           Name="urn:oid:1.2.752.201.3.3"
-                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-  <saml2:AttributeValue xsi:type="xs:string">
-    bankidNotBefore=2016-05-30T09%3A30%3A10Z;bankidNotAfter=2018-05-30T09%3A30%3A10Z;bankidUserAgentAddress=85.229.202.232
-  </saml2:AttributeValue>
-</saml2:Attribute>
      The example above represents the following BankID attributes and values:
      
-
        
-
      • completionData.cert.notBefore = 2016-05-30T09-30-10Z
        • 
-
      • completionData.cert.notAfter = 2018-05-30T09-30-10Z
        • 
-
      • completionData.device.ipAddress = 85.229.202.232
        • 
-
      
-
      
-
      The format for the notBefore and notAfter attributes should be the representation as given by the XML type xs:dateTime.
      
-
      
-
      
-
      3. Identity Provider User Interface
      
-
      This profile does not state any requirements on how the user interface for an Identity Provider implementing BankID services should be implemented other than the statements listed in the sub sections below.
      
+
      2.1.1. The authContextParams Attribute
      
+
      The authContextParams attribute, see section 3.2.1 of [SC.SAML.Attrs], is a general purpose attribute to be used when non-standardized authentication data is to be transfered in a SAML assertion. 
      
+
      The attribute is used by attribute providers to release data from an authentication process that has no attribute definition of its own. Thus, should the BankID attributes completionData.bankIdIssueDate, completionData.device.ipAddress and completionData.device.uhi be transformed and included into an assertion, they would have to be placed as key-value pairs of the authContextParams attribute as the example below.
      
+
      <saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    
+                           FriendlyName="authContextParams"
+                           Name="urn:oid:1.2.752.201.3.3"
+                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+  <saml2:AttributeValue xsi:type="xs:string">
+    bankidIssueDate=2024-05-30T09%3A30%3A10Z;bankidUserAgentAddress=85.229.202.232;bankidUhi=RTREUI8
+  </saml2:AttributeValue>
+</saml2:Attribute>
      
+
      3. Identity Provider User Interface
      
+
      This profile does not state any requirements on how the user interface for an Identity Provider implementing BankID services should be implemented other than the statements listed in the subsections below.
      
 
      
-
      3.1. General Requirements
      
-
      The user interface for a BankID Identity Provider SHOULD use the recommended user and error messages as defined in sections 6, "Recommended User Messages", and 11, "Recommended Terminology", of [BankID_Spec].
      
+
      3.1. General Requirements
      
+
      The user interface for a BankID Identity Provider SHOULD use the recommended user and error messages as defined in sections 5, "Recommended User Messages", and BankID's Recommended user messages resource.
      
 
      The user interface for a BankID Identity Provider MUST display information about the Service Provider that sent the request. It is RECOMMENDED that this information is obtained from the <mdui:UIInfo> element from the Service Provider's metadata entry.
      
 
      It MUST be clear to the user whether an authentication or a signature process is ongoing. 
      
-
      When an error occurs during an authentication or signature operation, the Identity Provider MUST display an error message that can be easily understood by the end user, and offer the possibility to acknowledge the error so that an error response may be posted back to the requesting Service Provider (as specified in section 6.4, "Error Responses", of [EidProfile]).
      
+
      It is RECOMMENDED that an Identity Provider compliant with this profile supports the User Message authentication request extension, as defined in [SC.SAML.UMsg]. 
      
+
      If the Identity Provider supports this extension, the userVisibleData field of the BankID /auth and /sign endpoints, MUST be assigned the value received in the UserMessage extension. 
      
+
      When an error occurs during an authentication or signature operation, the Identity Provider MUST display an error message that can be easily understood by the end user, and offer the possibility to acknowledge the error so that an error response may be posted back to the requesting Service Provider (as specified in section 6.4, "Error Responses", of [SC.SAML.Profile]).
      
 
      
-
      3.2. Automatic Start of the BankID Client
      
-
      When an operation is initiated where the BankID client (app or desktop program) is on the same device as the user agent (web browser) the Identity Provider SHOULD attempt to "auto start" the BankID client as described in [BankID_Spec].  
      
-
      For the above cases where the BankID client is automatically started from the Identity Provider, the Identity Provider user interface SHOULD NOT ask for the user's personal identity number. This information is available in the "BankID app" or "BankID Security Application".
      
-
      Auto starting the BankID app from a mobile device requires the built-in web browser to be used to guarantee full support, see section 3.1 of [BankID_Spec]. If the Identity Provider detects that the user is not using the platform's default browser it SHOULD prompt for the personal identity number and ask the user to manually start the BankID app (and switch back to the browser after the BankID operation).
      
-
      
-
      Note: As an alternative to the above requirement the Identity Provider may display a button with an autostart link that starts the BankID app when clicked. The personal identity number will not be needed and the user will not have to start the app manually. 
      
-
      However, on iOS this will not work if an embedded browser is running within an app, since apps that are started by apps need to be whitelisted. Another thing to take into account is that the user still has to switch back from the BankID app to the browser, and that may not be obvious for the user (since the app was started automatically). 
      
-
      The recommendation is to abstain from using autostart links/buttons.
      
-
      
-
      
-
      3.3. Mobile BankID on another Device
      
-
      If the user agent (web browser) and the BankID app is not on the same device, a BankID Identity 
-Provider that supports the BankID QR code feature MUST check for the presence of the 
-http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category
-in a requesting Service Provider's metadata entry. If the Service Provider has declared this entity category, the BankID Identity Provider MUST display a generated QR code for the user and 
-MUST NOT prompt the user for the personal identity number.
      
-
      
-
      Note: If the secure-authenticator-binding entity category is present in the Service Provider 
-metadata entry and a <psc:PrincipalSelection> extension containing a personal identity number 
-is included in the authentication request from the Service Provider, the BankID Identity Provider 
-SHOULD include this number in the BankID operation (auth or sign) along with the BankID
-requirement parameter autoStartTokenRequired=true when initializing the BankID operation 
-(see chapter 4 in [BankID_Spec]). A generated QR code MUST still be displayed 
-by the BankID Identity Provider, but by providing the personal identity number in the initializing BankID call the session will be bound not only to the BankID app that is used to scan the QR code but also to a specific user. If a user with a different personal identity number scans the QR code the operation will fail.
      
-
      
-
      If the secure-authenticator-binding entity category is not declared by the requesting Service
-Provider, the Identity Provider needs to prompt the user for his or hers personal identity number (personnummer) in order to initiate a BankID operation. 
      
-
      Before prompting the user the Identity Provider SHOULD check if the current authentication request contains a <psc:PrincipalSelection> extension holding a personal identity number attribute value. 
      
-
      If the personal identity number is present in the <psc:PrincipalSelection> extension and the current operation is an "authentication for signature" operation (see section 4.2 below), the Identity Provider MUST NOT prompt the user for the personal identity number, but use the value received in the request to initiate the signature operation.
      
-
      If the current operation is an "ordinary" authentication and the personal identity number is received in the request, the Identity Provider MAY use this value to pre-fill the personal identity number in the prompt dialogue to make the user experience smooth, but it SHOULD NOT use it to initiate the BankID operation without user interaction. 
      
-
      
-
      Note: Until the <psc:PrincipalSelection> extension is widely used the Identity Provider MAY save the personal identity number in the user's web browser session storage (in a session cookie or more preferably using the HTML5 sessionStorage object). That way the Identity Provider can avoid prompting the user for the personal identity number for signature operations even if the requesting Signature Service does not support the <psc:PrincipalSelection> extension.
      
-
      
-
      See also section 4.2.2, "Mobile BankID and the personNumber attribute".
      
-
      
-
      3.3.1. User Experience Recommendations
      
-
      In a scenario where the user first logs in to a service, and later performs a signature, care should be taken to the user experience versus security. The user will probably think is disturbing to have to scan a QR code for every signature he or she performs within the logged in session. If the service can protect against the remote fraudster threat by using QR code for login, and if the <psc:PrincipalSelection> extension preventing personal identity number prompting is used for subsequent signatures, we probably have found the safest and most user friendly process. 
      
-
      This could be accomplished by declaring the secure-authenticator-binding entity category for the Service Provider responsible of user login, but not declaring it for the service's Signature Service. Instead the Signature Service makes sure to always include the <psc:PrincipalSelection> extension in authentication requests sent.
      
-
      Note: An Identity Provider processing a request from a signature service can derive the QR versus prompting for personal identity number setting for the corresponding "login service" if the RequesterID element is present in the authentication request. This element holds the entityID for the login service that initiated the signature operation.
      
+
      3.2. Automatic Start of the BankID Client
      
+
      When an operation is initiated where the BankID client (app or desktop program) is on the same device as the user agent (web browser) the Identity Provider SHOULD attempt to "auto start" the BankID client as described in the BankID guide.  
      
+
      Auto starting the BankID app from a mobile device requires the built-in web browser to be used to guarantee support. If the Identity Provider detects that the user is not using the platform's default browser it MAY ask the user to manually start the BankID app (and switch back to the browser after the BankID operation).
      
 
      
-
      3.4. Cancelling an Operation
      
+
      3.3. Cancelling an Operation
      
 
      A BankID Identity Provider MUST include a Cancel-button in the user interface enabling the possibility for the user to cancel the BankID operation. 
      
-
      If the use clicks the Cancel-button after a BankID-operation has been started1 the Identity Provider MUST invoke the BankID-operation /rp/v5/cancel. Failure to do so may lead to a dangling BankID session that needs to time out before the user can use BankID again.
      
+
      If the use clicks the Cancel-button after a BankID-operation has been started1 the Identity Provider MUST invoke the BankID-operation /cancel. Failure to do so may lead to a dangling BankID session that needs to time out before the user can use BankID again.
      
 
      
-
      [1]: Meaning that /rp/v5/auth or /rp/v5/sign has been called for the transaction.
      
+
      [1]: Meaning that /auth or /sign has been called for the transaction.
      
 
      
 
      
-
      4. Authentication Requests
      
+
      4. Authentication Requests
      
 
      
-
      4.1. Binding and Security Requirements
      
+
      4.1. Binding and Security Requirements
      
 
      An Identity Provider conformant with this profile MUST require <saml2p:AuthnRequest> messages to be signed (by indicating this in its metadata, see section 6, "Metadata"). Thus, the Identity Provider MUST not accept messages that are not signed, or where the verification of the signature fails. In these cases the Identity Provider MUST respond with an error.
      
+
      
+
      4.2. Handling of Principal Selection
      
+
      An Identity Provider that has declared support for the <psc:PrincipalSelection> extension (see section 6) MUST assign the requirement.personalNumber field of /auth or /sign if a Swedish personal identity number is received in the <psc:PrincipalSelection> extension.
      
+
      See [SC.SAML.Principal] for further requirements concerning the principal selection extension.
      
 
      
-
      4.2. Authentication for Signature
      
-
      An Identity Provider conforming to the Swedish eID Framework is obliged to handle requests received from Signature Services as described in section 7, “Authentication for Signature”, of [EidProfile]. This section further specifies how a BankID Identity Provider should support “authentication for signature”.
      
+
      4.3. Authentication for Signature
      
+
      An Identity Provider conforming to the Sweden Connect Framework is obliged to handle requests received from Signature Services as described in section 7, “Authentication for Signature”, of [SC.SAML.Profile]. This section further specifies how a BankID Identity Provider should support “authentication for signature”.
      
 
      A BankID Identity Provider that receives an <saml2p:AuthnRequest> message from a Signature Service MUST initiate a BankID signature operation. It MUST NOT initiate a BankID authentication operation for several reasons: 
      
 
        
 
      • the user interface in the BankID client (app or Desktop program) during authentication indicates that the user is logging on (and not signing which is the case when a request from a Signature Service is being processed), 
        • 
@@ -357,41 +285,30 @@ 
        4.2. Authentication for Signature
        and most importantly, BankID is PKI-based and has support for signing using a non-repudiation key, so there is no reason not to use this function.
 
      
 
      The BankID client (app or desktop program) comprises a text box in which the signature message is displayed for the user. A BankID Identity Provider MUST NOT display the signature message in any other way than in this text box. How the signature message is assigned is specified below.
      
-
      If the BankID Identity Provider prompts the user for his or hers personal identity number in order to initialize
-the BankID signature operation, the Identity Provider MUST honour the requirement that ensures that a sign message is only displayed to the intended principal, see section 7.2.1 in [EidProfile].
      
 
      
-
      4.2.1. Input to BankID Signing
      
+
      4.3.1. Input to BankID Signing
      
 
      An Identity Provider that processes an <saml2p:AuthnRequest> from a Signature Service is not given the actual data that is being signed by the user via the Signature Service. However, in order to invoke the BankID signature function, the Identity Provider must supply the BankID-server with data to be signed. This section specifies the input to the BankID signature operation.
      
-
      The "To-be-signed" data that is passed as input the the BankID Sign-method (/rp/v5/sign) is a combination of the data from the userVisibleData and userNonVisibleData parameters (section 14.1.2 of [BankID_Spec]).
      
+
      The "To-be-signed" data that is passed as input the BankID Sign-method (/sign) is a combination of the data from the userVisibleData and userNonVisibleData parameters (https://developers.bankid.com/api-references/auth--sign/sign).
      
 
      
-
      4.2.1.1. userVisibleData - Signature Message
      
-
      The Sign-method parameter userVisibleData holds data that will be signed by the user but it is also displayed in the BankID application text box.
      
+
      4.3.1.1. userVisibleData - Signature Message
      
+
      The Sign-method parameter userVisibleData holds data that will be signed by the user, but it is also displayed in the BankID application text box.
      
 
      If the <saml2p:AuthnRequest> message contains a SignMessage extension, the contents of this message MUST be assigned to the userVisibleData parameter (after necessary encoding).
      
-
      A BankID Identity Provider MUST support SignMessage elements having their MimeType attribute set to text, and SHOULD support
-Markdown (text/markdown) according to BankID - Guidelines for Formatted Text, [BankID_MD], and section 14.1.2 of [BankID_Spec]. For other values (text/html), the Identity Provider MUST respond with an error.
      
+
      A BankID Identity Provider MUST support SignMessage elements having their MimeType attribute set to text, and SHOULD support Markdown (text/markdown) according to BankID - Guidelines for Formatted Text, [BankID.MD]. For other values (text/html), the Identity Provider MUST respond with an error.
      
 
      If the <saml2p:AuthnRequest> message does not contain a SignMessage extension, the Identity Provider MUST assign a sensible default signature message to the userVisibleData parameter. How this message is constructed is the responsibility of the Identity Provider, but it must be obvious for the user who is the requesting party, i.e., the Service Provider that has ordered the signature operation2.
      
 
      
 
      [1]: If the MimeType attribute is not set, text is the default value.
      
-
      [2]: For this purpose, the <mdui:DisplayName> element of the Signature Service’s metadata entry, is a good and generic choice.  
      
+
      [2]: For this purpose, the <mdui:DisplayName> element of the Signature Service’s metadata entry, is a good and generic choice.
      
 
      
 
      
-
      4.2.1.2. userNonVisibleData
      
+
      4.3.1.2. userNonVisibleData
      
 
      In order to produce a BankID signature that contains a binding to the <saml2p:AuthnRequest> message that initiated this signature, a BankID Identity Provider compliant to this profile MUST assign the  userNonVisibleData parameter with data that uniquely binds the signature to the <saml2p:AuthnRequest> message.
      
 
      It is RECOMMENDED that the following function is used to produce this unique binding:
      
-
      Base64Encode("entityID=" + URLEncode(<entityID of SP>) + ";" + "authnRequestID=" + URLEncode(<ID of AuthnRequest>))
      
-
      4.2.2. Mobile BankID and the personNumber attribute
      
-
      When Mobile BankID is being used to sign data and the user has initiated the signature operation against the Signature Service from another device (desktop och tablet), and the BankID QR code functionality is not being used, the personNumber parameter must be assigned in the BankID Sign-call.
      
-
      Preferably this information was received in the <psc:PrincipalSelection> of the <saml2p:AuthnRequest> as described in section 3.3, "Mobile BankID on another Device". 
      
-
      Identity Providers wanting to support Signature Services that do not include the <psc:PrincipalSelection> extension MAY store the personal identity number in the user's web browser session storage during authentication, and use it during signature1, see section 3.3 above.
      
-
      
-
      [1]: Almost all use cases where a user signs data is preceded by a login (authentication).
      
-
      
-
      
-
      5. Authentication Responses
      
+
      Base64Encode("entityID=" + URLEncode(<entityID of SP>) + ";" + "authnRequestID=" + URLEncode(<ID of AuthnRequest>))
      
+
      5. Authentication Responses
      
 
      
-
      5.1. Attribute Release Rules
      
-
      Section 2.1, "Attribute Transformation", specifies how BankID attributes should be transformed into SAML attributes defined in [EidAttributes]. However, it does not specify the attribute release rules stating which attributes that are to be released based on a particular request.
      
-
      A BankID Identity Provider compliant to the Swedish eID Framework MUST honor the attribute release rules specified in section 6.2.1, "Attribute Release Rules", of [EidProfile]. This section further extends these rules with the following:
      
+
      5.1. Attribute Release Rules
      
+
      Section 2.1, "Attribute Transformation", specifies how BankID attributes should be transformed into SAML attributes defined in [SC.SAML.Attrs]. However, it does not specify the attribute release rules stating which attributes that are to be released based on a particular request.
      
+
      A BankID Identity Provider compliant to the Swedish eID Framework MUST honor the attribute release rules specified in section 6.2.1, "Attribute Release Rules", of [SC.SAML.Profile]. This section further extends these rules with the following:
      
 
        
 
      • A BankID Identity Provider SHOULD include the transactionIdentifier-attribute (a mapping of the BankID orderRef-attribute) in the <saml2:AttributeStatement> element independently of which attribute set that is requested. This attribute links the BankID operation to the assertion.
        • 
 
      • It is RECOMMENDED that a BankID Identity Provider includes the userSignature-attribute (containing the BankID signature) in the <saml2:AttributeStatement> element when a BankID signature operation has been performed.
        • 
@@ -399,10 +316,12 @@ 
        5.1. Attribute Release Rules
        
 
      
 
      
 
      [1]: A Service Provider explicitly requests attributes by declaring them as requested attributes in the <md:AttributeConsumingService> element of the Service Provider's metadata entry. See section 6.1.
      
+
      
+
      
 
      [2]: Based on the service entity categories that a Service Provider has declared in its metadata, an Identity Provider derives which attribute sets to apply during attribute release.
      
 
      
 
      
-
      5.2. Error Responses
      
+
      5.2. Error Responses
      
 
      A BankID Identity Provider MUST map errors received from the underlying BankID-server into SAML error response messages where the top level status code is either:
      
 
        
 
      • urn:oasis:names:tc:SAML:2.0:status:Requester - for errors that are due to authentication or signature failures or faults due to an error on the part of the Service Provider,
        • 
@@ -413,65 +332,55 @@ 
        5.2. Error Responses
        
 
        If the user cancels a BankID operation, either by clicking the Cancel-button in the Identity Provider user interface or the Cancel-button in the BankID app/Security Application, the Identity Provider SHOULD respond with a <saml2p:Response> message where the second level status code is http://id.elegnamnden.se/status/1.0/cancel.
        
 
        In cases where the Identity Provider receives the BankID error code ALREADY_IN_PROGRESS in response to an Auth- or Sign-call the Identity Provider MAY display a warning to the user that someone may have initiated a BankID operation using their personal identity number1. If this warning is displayed, it is RECOMMENDED that the second level status code http://id.elegnamnden.se/status/1.0/possibleFraud is included in the error response message posted back to the Service Provider.
        
 
        
-
        [1]: There have been reports where fraudsters remotely try to convince people of using their Mobile BankID to log in to a service. In these cases, the fraudster initiates a BankID authentication prior to the person he tries to trick into logging in to the service, and is waiting for the user to enter his or hers personal code, thus authenticating the fraudsters session. 
        
+
        [1]: There have been reports where fraudsters remotely try to convince people of using their Mobile BankID to log in to a service. In these cases, the fraudster initiates a BankID authentication prior to the person he tries to trick into logging in to the service, and is waiting for the user to enter his or hers personal code, thus authenticating the fraudster's session. 
        
 
        
 
        
-
        6. Metadata
        
-
        This section extends section 2 of [EidProfile] with requirements specific for BankID.
        
+
        6. Metadata
        
+
        This section extends section 2 of [SC.SAML.Profile] with requirements specific for BankID.
        
 
        
-
        6.1. Service Providers
        
+
        6.1. Service Providers
        
 
        As stated in section 5.1, "Attribute Release Rules", a Service Provider may request additional attributes, other than those implicitly requested via the use of service entity categories, by declaring requested attributes under the <md:AttributeConsumingService> element.
        
-
        <md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
-  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="sv">E-myndigheten</md:ServiceName>
-  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">The e-Authority</md:ServiceName>
+
        <md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="sv">E-myndigheten</md:ServiceName>
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">The e-Authority</md:ServiceName>
   ...
-  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.2" isRequired="false"/>
-  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.13" isRequired="false"/>      
-</md:AttributeConsumingService>
        Example of how a Service Provider declares that it wishes to receive the transactionIdentifier and authServerSignature attributes in assertions.
        
+  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.2" isRequired="false"/>
+  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.13" isRequired="false"/>      
+</md:AttributeConsumingService>
        Example of how a Service Provider declares that it wishes to receive the transactionIdentifier and authServerSignature attributes in assertions.
        
 
        A Service Provider requesting an attribute that is not supported by all Identity Providers that it may communicate with MUST NOT set the isRequired attribute of the <md:RequestedAttribute> element to true.
        
 
        It is RECOMMENDED that Service Providers communicating with BankID Identity Providers include the transactionIdentifier attribute as a requested attribute.
        
-
        As described in section 1.4, "Relying Party Configuration, a Service Provider may declare an entity category telling the BankID Identity Provider that it wishes QR codes to be used instead of prompting for the user personal identity number.
        
-
        <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
-  <saml:Attribute Name="http://macedir.org/entity-category" 
-                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-    <saml:AttributeValue xsi:type="xs:string">
-      http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding
-    </saml:AttributeValue>
-    ...
-  </saml:Attribute>
-</mdattr:EntityAttributes>
        Example of how a Service Provider declares the secure authenticator binding entity category. This means, for a BankID Identity Provider, that QR codes should be used to initiate BankID operations.
        
 
        
-
        6.2. Identity Providers
        
+
        6.2. Identity Providers
        
 
        A BankID Identity Provider MUST require authentication request messages to be signed. This is indicated by assigning the WantAuthnRequestsSigned attribute of the <md:IDPSSPDescriptor> element to a value of true. 
        
-
        A BankID Identity Provider SHOULD declare the <psc:RequestedPrincipalSelection> element containing the attribute name for personalIdentityNumber (urn:oid:1.2.752.29.4.13) and include it in its metadata entry as described in section 2.1.3 of [EidProfile]. 
        
+
        A BankID Identity Provider SHOULD declare the <psc:RequestedPrincipalSelection> element containing the attribute name for personalIdentityNumber (urn:oid:1.2.752.29.4.13) and include it in its metadata entry as described in section 2.1.3 of [SC.SAML.Profile]. 
        
 
        Using this extension the Identity Provider announces that the requestor should send the personal identity number in the authentication request if this is known to the requestor. In this way, the Identity Provider does not have to prompt the user for the personal identity number for the use cases where this is required.
        
 
        ...
-<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
-     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
+     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions>
-    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
       ...
     </mdui:UIInfo>
     <psc:RequestedPrincipalSelection 
-         xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
-      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13" />
+         xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13" />
     </psc:RequestedPrincipalSelection>
   </md:Extensions>
-  <md:KeyDescriptor use="signing">
+  <md:KeyDescriptor use="signing">
     ...
        Example of how the Identity Provider declares the RequestedPrincipalSelection extension in its metadata.
        
-
        A BankID Identity Provider supporting the BankID QR code feature MUST declare this in its metadata using
-the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category.
        
+
        Also, since a BankID Identity Provider MUST support the display of BankID QR codes, it MUST declare this in its metadata using the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category. See [SC.SAML.EntCat].
        
+
        It is RECOMMENDED that the BankID Identity Provider supports the <umsg:UserMessage> authentication request extension as defined in [SC.SAML.UMsg]. Support for this extension is declared by declaring the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category. See [SC.SAML.EntCat].
        
 
        
-
        6.3. Signature Services
        
+
        6.3. Signature Services
        
 
        It is RECOMMENDED that a Signature Service explicitly requires release of the userSignature attribute (urn:oid:1.2.752.201.3.11) in assertions. The reason for this is that the BankID-signature may then be part of the assertion that is included in the resulting signature created by the Signature Service giving a non-repudiation proof of the BankID signature process.
        
-
        <md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
-  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="sv">E-myndighetens underskriftstjänst</md:ServiceName>
-  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">The e-Authority's Signing Service</md:ServiceName>
+
        <md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="sv">E-myndighetens underskriftstjänst</md:ServiceName>
+  <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">The e-Authority's Signing Service</md:ServiceName>
   ...
-  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.11" isRequired="false"/>
+  <md:RequestedAttribute Name="urn:oid:1.2.752.201.3.11" isRequired="false"/>
 </md:AttributeConsumingService>
        Example of how the userSignature attribute is explicitly required.
        
 
        
-
        7. References
        
+
        7. References
        
 
        
 [RFC2119]
        
 
        
@@ -499,39 +408,53 @@ 
        7. References
        
 Entity Attributes Version 1.0, August
 2009.
        
 
        
-
        
-[BankID_Spec]
        
-
        
-
        BankID Relying Party Guidelines, version 3.6.
        
-
        Check https://www.bankid.com/utvecklare/guider for the latest version.
        
-
        
 
        
-[BankID_MD]
        
+[BankID.MD]
        
 
        
 
        BankID - Guidelines for Formatting Text.
        
 
        
-
        
-[EidProfile]
        
+
        
+[SC.SAML.Profile]
        
 
        
 
        Deployment Profile for the Swedish eID Framework.
        
 
        
-
        
-[EidAttributes]
        
+
        
+[SC.SAML.Attrs]
        
 
        
 
        Attribute Specification for the Swedish eID Framework.
        
 
        
-
        
-[EidEntCat]
        
+
        
+[SC.SAML.EntCat]
        
 
        
 
        Entity Categories for the Swedish eID Framework.
        
 
        
-
        
-[PrincipalSel]
        
+
        
+[SC.SAML.Principal]
        
 
        
 
        Principal Selection in SAML Authentication Requests.
        
-
        
-
        8. Changes between versions
        
 
        
+
        
+[SC.SAML.UMsg]
        
+
        
+
        User Message Extension in SAML Authentication Requests.
        
+
        
+
        
+
        8. Changes between versions
        
+
        Changes between version 1.3 and 1.4
        
+
          
+
        • New references to BankID resources are used, since BankID has abandoned its "Relying Party Guidelines"-document.
          
+
          • 
+
        • The discussions concerning QR-codes vs. prompting for personal ID number has been removed, since QR-code now is mandatory for the use case where the user agent and mobile phone are on different devices.
          
+
          • 
+
        • Section 2.1, "Attribute Transformation", was updated to reflect changes in the BankID API.
          
+
          • 
+
        • A recommendation to support the "User Message Extension" was added to section 3, "Identity Provider User Interface".
          
+
          • 
+
        • Section 3.3, "Mobile BankID on another Device", was removed since personal identity number prompting is no longer allowed.
          
+
          • 
+
        • Section 4.2, "Handling of Principal Selection", was introduced.
          
+
          • 
+
        
 
        Changes between version 1.2 and 1.3:
        
 
          
 
        • Section 4.2.1.1, "userVisibleData - Signature Message", was updated with information about the usage of Markdown in visible sign data.
          • 
diff --git a/docs/november-2021/14_-_Principal_Selection_in_SAML_Authentication_Requests.html b/docs/november-2021/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
index 03b014b..887e865 100644
--- a/docs/november-2021/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
+++ b/docs/november-2021/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
@@ -19,7 +19,7 @@
 
          
 
 
          Principal Selection in SAML Authentication Requests
          
-
          Version 1.0 - 2020-01-17
          
+
          Version 1.0 - 2020-01-17
          
 
          Registration number: 2019-318
          
 
          
 
          
@@ -50,55 +50,55 @@ 
          Table of Contents
          
 
 
    
 
    
-
    1. Introduction
    
+
    1. Introduction
    
 
    When a Service Provider requests authentication of a user (principal), the Service Provider may have prior knowledge about the user to be authenticated, for example, when re-authenticating an already authenticated user, or when a user authenticates to a signature service where the user signs a document in a context where he or she already has been authenticated.
    
 
    This specification defines the <psc:PrincipalSelection> element that may be included in the <saml2p:Extensions> element of a SAML <saml2p:AuthnRequest> where the requesting Service Provider can specify matching criteria that may be used by the Identity Provider to select the particular user that should be authenticated.
    
 
    The specification also defines the <psc:RequestedPrincipalSelection> element that should be used by Identity Providers that may need information about a known user in order to avoid prompting for the user ID1. The element should be included as an extension in the Identity Provider metadata under the <md:IDPSSODescriptor> element.
    
 
    Even though the main purpose of the <psc:PrincipalSelection> extension is to aid the Identity Provider
-in selecting a particular subject for the authentication, an Identity Provider MAY also compare the match
-values present in the extension with the resulting attributes from the user authentication, and in case of a
+in selecting a particular subject for the authentication, an Identity Provider MAY also compare the match 
+values present in the extension with the resulting attributes from the user authentication, and in case of a 
 mismatch, respond with an error. In these cases the second-level SAML status code MUST be set to
 urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal [SAML2Core].
    
 
    
 
    [1]: The typical use case is when a user once has authenticated for a service and provided his or hers user ID to the Identity Provider, and is about to perform a signature. If the Identity Provider prompts the user for the user ID once again the user experience is poor and the Service Provider will receive customer complaints.
    
 
    
 
    
-
    1.1. Requirements Notation
    
+
    1.1. Requirements Notation
    
 
    The key words MUST, MUST NOT, REQUIRED, SHALL,
 SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED,
 MAY, and OPTIONAL are to be interpreted as described in
 [RFC2119].
    
 
    These keywords are capitalized when used to unambiguously specify requirements over protocol features and behaviour that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
    
 
    
-
    1.2. XML Namespace References
    
+
    1.2. XML Namespace References
    
 
    The prefix psc: stands for the Principal Selection Criteria XML schema namespace http://id.swedenconnect.se/authn/1.0/principal-selection/ns. 
    
 
    The prefix saml2: stands for the OASIS SAML 2 Assertion schema namespace urn:oasis:names:tc:SAML:2.0:assertion.
    
 
    The prefix saml2p: stands for the OASIS SAML 2 Protocol schema namespace urn:oasis:names:tc:SAML:2.0:protocol.
    
 
    The prefix md: stands for the OASIS SAML 2 Metadata schema namespace urn:oasis:names:tc:SAML:2.0:metadata.
    
 
    
-
    1.3. Structure
    
+
    1.3. Structure
    
 
    This specification uses the following typographical conventions in text:
 <LocalElement>, <ns:ForeignElement>, Attribute, Datatype,
 OtherCode.
    
 
    
-
    2. Data elements
    
+
    2. Data elements
    
 
    This specification defines the element <PrincipalSelection> to be included in the <Extensions> element of an AuthnRequest. 
    
 
    This element MAY be used by an Identity Provider to select the subject to authenticate. 
    
 
    
-
    2.1. PrincipalSelection
    
+
    2.1. PrincipalSelection
    
 
    The Principal Selection Criteria is provided in a <PrincipalSelection> element. The element has the following elements and attributes:
    
 
    <MatchValue> [One or more]
    
 
    
 
    This element holds values that MAY be used by the Identity Provider to match against a principal to be authenticated.
    
 
    
 
    The following schema fragment defines the <PrincipalSelection> element:
    
-
    <xs:element name="PrincipalSelection" type="psc:PrincipalSelectionType"/>
-<xs:complexType name="PrincipalSelectionType">
+
    <xs:element name="PrincipalSelection" type="psc:PrincipalSelectionType"/>
+<xs:complexType name="PrincipalSelectionType">
   <xs:sequence>
-    <xs:element maxOccurs="unbounded" name="MatchValue" type="psc:MatchValueType" minOccurs="1"/>
+    <xs:element maxOccurs="unbounded" name="MatchValue" type="psc:MatchValueType" minOccurs="1"/>
   </xs:sequence>
 </xs:complexType>
    
-
    2.1.1 MatchValue
    
+
    2.1.1 MatchValue
    
 
    The <MatchValue> element contains a string value to be matched against the selected principal. This element has the following attributes which determines the meaning of the match value:
    
 
    Name [Required]
    
 
    
@@ -113,101 +113,101 @@ 
    2.1.1 MatchValue
    
 
    Extension point for any attribute in accordance with local conventions and future specifications.
    
 
    
 
    The following schema fragment defines the <MatchValueType> complex type:
    
-
    <xs:complexType name="MatchValueType">
+
    <xs:complexType name="MatchValueType">
   <xs:simpleContent>
-    <xs:extension base="xs:string">
-      <xs:attribute name="NameFormat" type="xs:anyURI"
-          default="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
-      <xs:attribute name="Name" type="xs:string" use="required"/>
-      <xs:anyAttribute namespace="##any"/>
+    <xs:extension base="xs:string">
+      <xs:attribute name="NameFormat" type="xs:anyURI"
+          default="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+      <xs:attribute name="Name" type="xs:string" use="required"/>
+      <xs:anyAttribute namespace="##any"/>
     </xs:extension>
   </xs:simpleContent>
 </xs:complexType>
    
-
    2.2. RequestedPrincipalSelection
    
+
    2.2. RequestedPrincipalSelection
    
 
    An Identity Provider uses the <RequestedPrincipalSelection> element to declare that it wishes to receive the <PrincipalSelection> extension element in authentication requests. The contained MatchValue elements should contain no values, only the attribute name of a MatchValue element is relevant to declare which attributes of a known user that is interest for the Identity Provider.
    
 
    The following schema fragment defines the <RequestedPrincipalSelection> element:
    
-
    <xs:element name="RequestedPrincipalSelection" type="psc:RequestedPrincipalSelectionType" />
-<xs:complexType name="RequestedPrincipalSelectionType">
+
    <xs:element name="RequestedPrincipalSelection" type="psc:RequestedPrincipalSelectionType" />
+<xs:complexType name="RequestedPrincipalSelectionType">
   <xs:complexContent>
-    <xs:extension base="psc:PrincipalSelectionType" />
+    <xs:extension base="psc:PrincipalSelectionType" />
   </xs:complexContent>
 </xs:complexType>
    
-
    3. Examples
    
+
    3. Examples
    
 
    Attributes in the examples below are specified in [EidAttributes].
    
 
    
-
    3.1. Authentication Requests
    
+
    3.1. Authentication Requests
    
 
    ...
 <saml2p:Extensions>
-  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
-    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">197309069289</psc:MatchValue>
+  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">197309069289</psc:MatchValue>
   </psc:PrincipalSelection>
 </saml2p:Extensions>
 ...
    Example of a PrincipalSelection specifying a Swedish personal identity number (personnummer) as match attribute.
    
 
    ...
 <saml2p:Extensions>
-  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
-    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">198906059483</psc:MatchValue>
-    <psc:MatchValue Name="urn:oid:1.2.752.201.3.4">NO:05068907693</psc:MatchValue>
+  <psc:PrincipalSelection xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+    <psc:MatchValue Name="urn:oid:1.2.752.29.4.13">198906059483</psc:MatchValue>
+    <psc:MatchValue Name="urn:oid:1.2.752.201.3.4">NO:05068907693</psc:MatchValue>
   </psc:PrincipalSelection>
 <saml2p:Extensions>
 ...
    Example of a PrincipalSelection specifying two alternative matching policies. The first policy specifies a Swedish personal identity number (personnummer) and the second specifies a ProvisionalID attribute.
    
 
    
-
    3.2. Metadata Extension
    
+
    3.2. Metadata Extension
    
 
    ...
-<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
-     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
+     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions>
-    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
       ...
     </mdui:UIInfo>
-    <psc:RequestedPrincipalSelection
-         xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
-      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13" />
+    <psc:RequestedPrincipalSelection 
+         xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+      <psc:MatchValue Name="urn:oid:1.2.752.29.4.13" />
     </psc:RequestedPrincipalSelection>
   </md:Extensions>
-  <md:KeyDescriptor use="signing">
+  <md:KeyDescriptor use="signing">
     ...
    Example of how an Identity Provider advertises, it its metadata, that it wishes to receive the Swedish personal identity number (personnummer) of the user in a <PrincipalSelection> extension element of the authentication request if this information is known to the requestor.
    
 
    
-
    4. Schemas
    
+
    4. Schemas
    
 
    The following XML schema defines the http://id.swedenconnect.se/authn/1.0/principal-selection/ns namespace:
    
-
    <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
-  targetNamespace="http://id.swedenconnect.se/authn/1.0/principal-selection/ns"
-  xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
+
    <?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
+  targetNamespace="http://id.swedenconnect.se/authn/1.0/principal-selection/ns"
+  xmlns:psc="http://id.swedenconnect.se/authn/1.0/principal-selection/ns">
 
   <xs:annotation>
     <xs:documentation>
       Schema location URL: https://docs.swedenconnect.se/schemas/authn/1.0/PrincipalSelection-1.0.xsd
     </xs:documentation>
   </xs:annotation>
-
-  <xs:element name="PrincipalSelection" type="psc:PrincipalSelectionType" />
-  <xs:complexType name="PrincipalSelectionType">
+  
+  <xs:element name="PrincipalSelection" type="psc:PrincipalSelectionType" />
+  <xs:complexType name="PrincipalSelectionType">
     <xs:sequence>
-      <xs:element name="MatchValue" type="psc:MatchValueType" minOccurs="1" maxOccurs="unbounded" />
+      <xs:element name="MatchValue" type="psc:MatchValueType" minOccurs="1" maxOccurs="unbounded" />
     </xs:sequence>
   </xs:complexType>
-
-  <xs:element name="RequestedPrincipalSelection" type="psc:RequestedPrincipalSelectionType" />
-  <xs:complexType name="RequestedPrincipalSelectionType">
+  
+  <xs:element name="RequestedPrincipalSelection" type="psc:RequestedPrincipalSelectionType" />
+  <xs:complexType name="RequestedPrincipalSelectionType">
     <xs:complexContent>
-      <xs:extension base="psc:PrincipalSelectionType" />
+      <xs:extension base="psc:PrincipalSelectionType" />
     </xs:complexContent>
   </xs:complexType>
-
-  <xs:complexType name="MatchValueType">
+  
+  <xs:complexType name="MatchValueType">
     <xs:simpleContent>
-      <xs:extension base="xs:string">
-        <xs:attribute name="NameFormat" type="xs:anyURI"
-            default="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
-        <xs:attribute name="Name" type="xs:string" use="required" />
-        <xs:anyAttribute namespace="##any" />
+      <xs:extension base="xs:string">
+        <xs:attribute name="NameFormat" type="xs:anyURI" 
+            default="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
+        <xs:attribute name="Name" type="xs:string" use="required" />
+        <xs:anyAttribute namespace="##any" />
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>
-
+  
 </xs:schema>
    
-
    5. Normative References
    
+
    5. Normative References
    
 
    
 [RFC2119]
    
 
    
@@ -227,7 +227,7 @@ 
    5. Normative References
    
 
    Attribute Specification for the Swedish eID Framework.
    
 
    
 
    
-
    6. Changes between versions
    
+
    6. Changes between versions
    
 
    This is the first version of this specification.
    
     
   
diff --git a/docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html b/docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html
deleted file mode 100644
index 1777146..0000000
--- a/docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html
+++ /dev/null
@@ -1,530 +0,0 @@
-
-
-  
-    
-    
-    Introduction to the Swedish eID Framework
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Introduction to the Swedish eID Framework
    
-
    2022-10-05
    
-
    Registration number: 2019-267
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2022. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Overview
      
-
       1.2. The Assurance Framework and Levels of Assurance
      
-
       1.3. Service for Collection, Administration and Publishing of Metadata
      
-
       1.4. Discovery Service
      
-
       1.5. Relying Party Integration
      
-
       1.6. Signatures
      
-
       1.7. The Technical Framework and eIDAS
      
-
       1.7.1. Foreign eID Authentication
      
-
       1.7.2. Signing using a Foreign eID
      
-
       1.7.3. Handling of Identities
      
-
       1.7.4. Swedish eID:s in Foreign Services
      
-
      2. 
-
    2. Technical Specifications
      
-
       2.1. SAML Profiles
      
-
       2.1.1. Deployment Profile for the Swedish eID Framework
      
-
       2.1.2. Swedish eID Framework - Registry for identifiers
      
-
       2.1.3. Attribute Specification for the Swedish eID Framework
      
-
       2.1.4. Entity Categories for the Swedish eID Framework
      
-
       2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework
      
-
       2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework
      
-
       2.1.7. Principal Selection in SAML Authentication Requests
      
-
       2.2. Signature Specifications
      
-
       2.2.1. Implementation Profile for using OASIS DSS in Central Signing Services
      
-
       2.2.2. DSS Extension for Federated Central Signing Services
      
-
       2.2.3. Certificate Profile for Certificates Issued by Central Signing Services
      
-
       2.2.4. Signature Activation Protocol for Federated Signing
      
-
      3. 
-
    3. References
      
-
       3.1. DIGG
      
-
       3.2. Other References
      
-
      4. 
-
    
-
    
-
    1. Introduction
    
-
    
-
    1.1. Overview
    
-
    The Swedish eID Framework (Sweden Connect Technical Framework) is adapted for identity federations based on SAML 2.0.
    
-
    Relying parties receive identity assertions in a standardized format
-from an identity provider.
    
-
    Service providers that require electronic signatures do not need to be adapted to different
-signature techniques based on different types of eID:s. Instead, a service provider makes 
-use of a signature service where users with the support of authenticating at an identity 
-provider are given the possibility to sign digital documents.
    
-
    Within the federation, e-services and relying parties are taking the roles of 
-Service Providers (SP), and authenticating services issuing identity assertions assume 
-the roles of Identity Providers (IdP).
    
-
    In cases where the service provider needs more information about the user, for example its
-legal authority, an attribute service (Attribute Authority) within the federation can be queried, if such a service exists. Through an attribute 
-request a service provider can obtain the necessary supplementary information in order to
-authorize the user and provide access to its service.
    
-
    As both personal identity information and other attributes linked to
-users are provided through identity assertions, all types of eID:s that have 
-an identity provider within the federation can be used by a service provider
-that requires specific identity attributes, even if a particular eID does not
-hold this information.
    
-
    
-
    Figure 1: Illustration of the communication between the different services within an identity federation.
    
-
    
-
    1.2. The Assurance Framework and Levels of Assurance
    
-
    The basis for the level of security applied when a user authenticates is the 
-level of assurance for the eID required by the service provider. In order for
-these levels to be comparable within the federation, four assurance levels are defined (1 to
- 4) in the Swedish eID Assurance Framework [EidTillit] and three
-assurance levels (low, substantial, high) are defined by the EU regulation eIDAS. 
-Any service issuing identity assertions must prove that the process of issuing
-identity assertions meets the requirements of a given level. This includes:
    
-
      
-
    • Requirements for the creation of an identity assertion.
      
-
      • 
-
    • Requirements for electronic authentication.
      
-
      • 
-
    • Requirements for the issuing process.
      
-
      • 
-
    • Requirements for the actual eID and its use.
      
-
      • 
-
    • Requirements on the issuer of the eID.
      
-
      • 
-
    • Requirements for establishing the identity of the eID applicant.
      
-
      • 
-
    
-
    
-
    1.3. Service for Collection, Administration and Publishing of Metadata
    
-
    A SAML federation provides information about the federation
-participants through SAML metadata. Participants of a federation comprises of
-services providing identity and attributes assertions and relying parties, i.e., 
-service providers that consume these services.
    
-
    Through the federation's metadata, participants obtain information about others
-participants' services, including the information required for a safe
-exchange of information between services. Metadata needs to be updated
-by each party and conform to agreed conditions.
    
-
    The main purpose of metadata is to provide the keys/certificates
-required for secure communication and information exchange between services.
-In addition to keys, metadata also contain other important information
-for collaboration between services, for example, addresses of required functions,
-information on assurance levels, service categories, user interface information, etc.
    
-
    An identity federation is defined by a register in XML format that is
-signed with the federation operator certificate. The file contains
-information on identity federation members including their
-certificates. Because the metadata file is signed, it is sufficient to
-compare a certificate with its equivalent in metadata. An
-infrastructure based on a central federation register requires
-that the register is constantly updated and that the members of the federation
-always use the latest version of the file.
    
-
    
-
    1.4. Discovery Service
    
-
    Within an identity federation, it is possible to offer and consume a common
-Discovery Service, that lists which identity providers (or eID:s) that are 
-available for a user to choose from to authenticate. The purpose of such a
-service is to relieve the individual service providers that are part of the 
-identity federation from implementing support for how users choose how to
-authenticate.
    
-
    By making the discovery service available within the identity federation,
-service providers may direct its users there for the choice of how to authenticate.
-The discovery service interacts with the user who makes the choice and is
-directed back to the service provider, along with the selected authentication choice. 
-The service provider now knows to which identity provider the user should be directed
-to for authentication.
    
-
    
-
    Currently, there is no common discovery service available within the Sweden Connect federation.
    
-
    
-
    
-
    1.5. Relying Party Integration
    
-
    Relying parties, e.g., service providers, integrate towards identity providers using
-standardized messages and consume identity assertions that also have a standardized
-format.
    
-
    The Swedish eID Framework is influenced by the interoperability profile
-”SAML V2.0 Deployment Profile for Federation Interoperability”
-[SAML2Int]. This profile is supported by several commercial
-products and vendors as well as open source libraries. This facilitates
-the integration at the relying party side.
    
-
    Most relying parties use stand-alone authentication servers which means that
-the integration adaptation for supporting the Swedish eID Framework usually
-is limited to the authentication solution used.
    
-
    
-
    1.6. Signatures
    
-
    The Swedish eID Framework enables digital signatures using any type of eID, even
-those not based on certificates, as long as there is an identity provider for 
-the particular eID. The reason for this is that the identity assertion that is
-used during authentication for signature is standardized.
    
-
    A Signature Service has as its purpose to offer digital signature services
-within identity federations that follows the Swedish eID Framework.
    
-
    By procuring1 and introducing a signature service, a relying party within the 
-federation can offer users to sign electronic documents with the support
-of the signature service. The user signature, and associated signature certificate,
-is created by the signature service after the user has accepted to sign the
-document by authenticating for the signature service2.
    
-
    
-
    [1]: It is also possible for a relying party to implement a signature service based on the specifications.
    
-
    [2]: It is important to point out that it is of the utmost importance that the user 
-experiences that he or she is signing a document. Therefore, a signature flow should be 
-used for the eID types that support this during "authentication for signature".
    
-
    
-
    
-
    1.7. The Technical Framework and eIDAS
    
-
    The EU regulation (910/2014)
-on electronic identification and trust services, eIDAS, places demands on Swedish 
-public bodies to recognize the eID:s that other eIDAS countries have notified. 
-This means that a public Swedish e-service based on certain rules must be able
-to accept a login that is performed with an eID issued in another country.
    
-
    
-
    1.7.1. Foreign eID Authentication
    
-
    The eIDAS technical specifications is built, as for the Swedish eID
-Framework, upon SAML standards and profiles, and even though the
-similarities are many, there are also differences between the specifications.
-However, a Swedish service provider does not have top directly relate to
-the eIDAS specifications. The figure below illustrates how the Swedish
-eIDAS node (eIDAS connector) acts as a proxy between other countries
-and the Swedish federation when a person is authenticated using a foreign
-eID at a Swedish service provider.
    
-
    
-
    The flow is as follows:
    
-
      
-
    1. A user with a foreign eID requests access to a Swedish service provider (i.e., wants to log in).
      
-
      2. 
-
    2. The service provider lets the user select the login method using a
-discovery service. In this case the user chooses the "Foreign eID" option.
      
-
      3. 
-
    3. The service provider creates an authentication request according to
-the Swedish eID Framework and directs the user to the Swedish eIDAS
-node (connector). The eIDAS node acts as an identity provider within
-the federation, which implies that the interaction with this service is
-performed in the same way as for other identity providers that comply
-with the Swedish eID Framework.
      
-
      4. 
-
    4. The received request is processes and the eIDAS node displays a page
-where the user chooses his or hers country1. The Swedish
-eIDAS node now transforms the received authentication request into an
-authentication request according to the eIDAS format, and directs the
-user to the selected country's eIDAS Proxy Service.
      
-
      5. 
-
    5. When the authentication request is processed by the eIDAS proxy service
-of the selected country, this country's technique for authentication will
-be used. Not all countries within eIDAS use SAML for authentication, but
-if that was the case in our example, the user would be directed to a
-national identity provider, and before that, maybe also a discovery service
-where the eID to use would be selected.
      
-
      6. 
-
    6. When the user has authenticated an identity assertion, according to the
-eIDAS specifications, is created. This assertion contains eIDAS specific
-attribute that identify the user. This assertion is now posted back to the 
-Swedish eIDAS node.
      
-
      7. 
-
    7. The node receives the assertion and validates its validity. The assertion is
-transformed from eIDAS format to an assertion according to the Swedish eID Framework
-and is posted back to the service provider.
      
-
      8. 
-
    8. The service provider may now complement the data with additional information
-in order to decide whether the user should be granted access to the service.
      
-
      9. 
-
    
-
    Thus, Swedish services only have to implement support according to the Swedish eID
-Framework also when authenticating foreign users. However, in order for the service
-to fully accept the authenticated user it must also be able to handle the identity 
-presented, and this is most likely not a  Swedish personal identity number. See further
-section 1.7.3 below.
    
-
    
-
    [1]: The correct way to describe this would be to ask the user to which eIDAS Proxy
-Service to send the request to. This is dependent on the nationality of the user's
-eID issuer.
    
-
    
-
    
-
    1.7.2. Signing using a Foreign eID
    
-
    As already described, a model for digital signatures named "federated signatures"
-is used within the context of the Swedish eID Framework. A server based signature
-service is associated with the e-service that is the requestor of signatures.
-When a user signs a document the e-service directs the user along with a signature 
-request to the signature service. The signature service now requests that the
-user authenticate (at an identity provider). In conjunction with the authentication
-the user approves the signature. The signature service then sends the user back to
-the e-service along with the signature data, and the e-service stores the signature
-as a signed document.
    
-
    This procedure makes it possible for Swedish e-services to offer signing för users
-having foreign eID:s, since a signature service can choose to authenticate the user
-having a foreign eID in accordance with the process described in section 1.7.1 above.
    
-
    In this case, the Swedish eIDAS node is responsible of informing the user that
-the purpose of the authentication is to approve the signature of a document,
-and displays information about the requestor of the signature and information
-about what is being signed. When the user has authenticated an identity assertion
-is issued and sent back to the signature service who now generates the signature.
    
-
    
-
    1.7.3. Handling of Identities
    
-
    Identity assertions from other countries follow common technical
-specifications within the framework of the eIDAS regulations. These
-specifications define a Minimum Dataset (MDS) which is the a set of
-attributes that every country must supply for authenticated users and 
-legal entities. Each country must provide an unique identifier per eID
-that represents a natural person. For some countries, these identifiers
-will be unique and persistent per person in the same way as a Swedish
-personal identity number is, but identifiers may have different compositions
-and properties. A property that may vary is the persistence of an
-person identifier, i.e., whether such an identifier is unchanged during
-a person's lifetime, or whether it is changed because the user moves to
-another region, changes name, or simply obtains a new eID. For some
-countries (for example, Great Britain) the identifier will be different
-depending on which of the country's eID:s that user is currently using.
    
-
    In order to simplify the handling of users and identities in Swedish services
-the Swedish eIDAS node generates a standardized identity attribute for
-users that have been authenticated using a foreign eID, a so called 
-Provisional ID (PRID). The eIDAS node will also create an attribute
-that declares which persistence, or lifetime, the PRID attribute has.
-The PRID attribute is generated based on attributes values received from
-the foreign authentication according to specific methods for each country.
-Every combination of country and method a graded based on expected persistence,
-i.e., how likely it is that an identity for a person is changed over time.
-This makes it possible for Swedish services to customize the communication
-with the user and to proactively provide features for a user whose identity
-has changed, and make it possible for this user to access his or hers account.
    
-
    In some cases, a person that has been authenticated using a foreign eID may
-hold a Swedish personal identity number. It can, for example, be a Swedish
-citizen that has moved abroad and obtained a foreign eID, or a foreign
-citizen that is, or has been, registered (folkbokförd) in Sweden and has been
-assigned a Swedish personal identity number.
    
-
    The fact that a person holding a foreign eID possesses a Swedish personal identity
-number is normally not known to the foreign identity provider, and this information
-will not be part of the identity assertion from the foreign country. However, the
-Swedish eIDAS node has the possibility to query an attribute authority in Sweden1
-whether there exists a registered Swedish personal identity number for the person
-being authenticated, and may, if this is the case, add this information to the identity
-assertion that is sent back to the Swedish service provider.
    
-
    
-
    [1]: At the time of writing there is no attribute authority available
-providing Swedish personal identity numbers based on eIDAS attributes.
    
-
    
-
    
-
    1.7.4. Swedish eID:s in Foreign Services
    
-
    Sweden has notified Swedish eID:s according to the assurance levels substantial and high. 
    
-
    A request for authentication from a foreign service provider is sent to the Swedish 
-eIDAS node (eIDAS proxy service) via an eIDAS connector in the service provider country. 
-At the Swedish eIDAS node, the user chooses which Swedish eID he or she wants to use 
-to authenticate, and an authentication request is sent to the identity provider that
-offers authentication for the selected eID. This request is according to the Swedish
-eID Framework which means that a Swedish identity provider does not have to conform to
-the eIDAS technical specifications.
    
-
    The user is authenticated by the Swedish identity provider and an identity assertion
-is issued (according to the Swedish eID Framework). This assertion is received by the
-Swedish eIDAS node (proxy service), and transformed to an assertion according to the
-eIDAS specifications before being sent to the foreign eIDAS connector, and then to the
-initiating foreign service provider.
    
-
    
-
    2. Technical Specifications
    
-
    This chapter contains specifications and profiles for identity federations and 
-related services that conforms to the Swedish eID Framework (Sweden Connect 
-Technical Framework). These documents are normative for the delivery of services 
-within identity federations that implement the Swedish eID Framework, unless 
-otherwise stated.
    
-
    
-
    2.1. SAML Profiles
    
-
    Identity federations conforming to the Swedish eID Framework are built around
-”Deployment Profile for the Swedish eID Framework”, [EidProfile].
-This profile is influenced by, but not normatively dependent on, ”SAML V2.0 Deployment Profile for Federation Interoperability” [SAML2Int]. [EidProfile] also contains rules and guidelines specific for the Swedish eID Framework.
    
-
    
-
    2.1.1. Deployment Profile for the Swedish eID Framework
    
-
    The ”Deployment Profile for the Swedish eID Framework” specification, [EidProfile], 
-is the main specification of the eID Framework and comprises of:
    
-
      
-
    • How SAML metadata is constructed and interpreted.
      
-
      • 
-
    • How the format of an authentication request should be compiled.
      
-
      • 
-
    • How an authentication request should be processed, and how an identity assertion should be constructed, verified and processed.
      
-
      • 
-
    • Security requirements.
      
-
      • 
-
    • Specific SAML requirements for signature services and "authentication for signature".
      
-
      • 
-
    
-
    
-
    2.1.2. Swedish eID Framework - Registry for identifiers
    
-
    The implementation of an infrastructure for Swedish eID:s demand different forms
-of identifiers to represent objects in data structures. The document
-”Swedish eID Framework - Registry for identifiers”, [EidRegistry],
-defines the structure for identifiers that are assigned within the scope of
-the Swedish eID Framework, and contains a registry of defined identifiers.
    
-
    
-
    2.1.3. Attribute Specification for the Swedish eID Framework
    
-
    The specification ”Attribute Specification for the Swedish eID Framework”,
-[EidAttributes], declares the SAML attribute profiles
-that are used within identity federations that follow the Swedish eID
-Framework, including services that connect to eIDAS using the Swedish eID
-node.
    
-
    
-
    2.1.4. Entity Categories for the Swedish eID Framework
    
-
    Entity Categories are used within the federation for different purposes:
    
-
      
-
    • Service Entity Categories – Are used in metadata to represent service
-provider requirements regarding assurance levels and attributes,
-and identity provider declarations for supported assurance levels
-and attribute release capabilities.
      
-
      • 
-
    • Service Property Categories – Are used to represent certain properties
-of services within the federation.
      
-
      • 
-
    • Service Type Entity Categories – Represents different service types
-within the federation.
      
-
      • 
-
    • Service Contract Entity Categories - Are used by services to declare
-legal and business agreements.
      
-
      • 
-
    • General Entity Categories - Entity categories that do not fall within
-the scope of any of the other types.
      
-
      • 
-
    
-
    The specification ”Entity Categories for the Swedish eID Framework”
-[EidEntCat] specifies the entity categories that are defined in
-the Swedish eID Framework and describes their meaning.
    
-
    
-
    2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework
    
-
    The specification ”eIDAS Constructed Attributes Specification for the Swedish
-eID Framework”, [EidConstrAttributes], defines processes and
-rules for how an identity attribute are constructed based on the attributes that are
-received during an eIDAS authentication.
    
-
    
-
    2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework
    
-
    The specification "Implementation Profile for BankID Identity Providers within the Swedish eID Framework", [EidBankID], defines rules for identity providers that implement
-support for the Swedish BankID eID.
    
-
    
-
    Note: This specification is not normative for conformance to the Swedish eID Framework.
-It is only relevant for identity providers implementing support for BankID and for service
-providers using those identity providers. However, an identity provider that implements BankID and wants to join the Sweden Connect federation must follow this specification.
    
-
    
-
    
-
    2.1.7. Principal Selection in SAML Authentication Requests
    
-
    The specification "Principal Selection in SAML Authentication Requests", [EidPrincipalSel], defines an extension to SAML making it possible for a relying party
-to inform an identity provider about the identity of the user that it wishes to be authenticated.
    
-
    
-
    2.2. Signature Specifications
    
-
    This section contains references to the documents that define signature services
-within federations conformant to the Swedish eID Framework.
    
-
    
-
    2.2.1. Implementation Profile for using OASIS DSS in Central Signing Services
    
-
    The implementation profile ”Implementation Profile for Using OASIS DSS in
-Central Signing Services”, [EidDSSProfile], specifies a profile
-for signature requests and responses according to the OASIS standard
-”Digital Signature Service Core Protocols, Elements, and Bindings”,
-[DSS].
    
-
    
-
    2.2.2. DSS Extension for Federated Central Signing Services
    
-
    ”DSS Extension for Federated Central Signing Services”, [EidDSSExt], is an
-extension to the OASIS standard ”Digital Signature Service Core Protocols, Elements, and Bindings”, [DSS], where definitions required for signatures according to the Swedish 
-eID Framework are specified.
    
-
    
-
    2.2.3. Certificate Profile for Certificates Issued by Central Signing Services
    
-
    The certificate profile ”Certificate profile for certificates issued by Central Signing services”, [EidCertProf], specifies the contents of a signature certificate. This profile
-defines a certificate extension for use by signature services.
    
-
    This profile refers to "Authentication Context Certificate Extension", [AuthContext], 
-that describes how an ”Authentication Context” is represented in X.509 certificates.
    
-
    
-
    2.2.4. Signature Activation Protocol for Federated Signing
    
-
    The specification "Signature Activation Protocol for Federated Signing", [EidSigAct], 
-defines a "Signature Activation Protocol" (SAP) for implementation of "Sole Control Assurance Level 2" (SCAL2) according to the standard "prEN 419241 - Trustworthy Systems Supporting Server Signing".
    
-
    
-
    3. References
    
-
    
-
    3.1. DIGG
    
-
    
-[EidTillit]
    
-
    
-
    Tillitsramverket för Svensk e-legitimation.
    
-
    
-
    
-[EidProfile]
    
-
    
-
    Deployment Profile for the Swedish eID Framework.
    
-
    
-
    
-[EidRegistry]
    
-
    
-
    Swedish eID Framework - Registry for identifiers.
    
-
    
-
    
-[EidAttributes]
    
-
    
-
    Attribute Specification for the Swedish eID Framework.
    
-
    
-
    
-[EidEntCat]
    
-
    
-
    Entity Categories for the Swedish eID Framework.
    
-
    
-
    
-[EidConstrAttributes]
    
-
    
-
    eIDAS Constructed Attributes Specification for the Swedish eID
-Framework.
    
-
    
-
    
-[EidBankID]
    
-
    
-
    Implementation Profile for BankID Identity Providers within the Swedish eID Framework.
    
-
    
-
    
-[EidPrincipalSel]
    
-
    
-
    Principal Selection in SAML Authentication Requests.
    
-
    
-
    
-[EidDSSProfile]
    
-
    
-
    Implementation Profile for Using OASIS DSS in Central Signing
-Services.
    
-
    
-
    
-[EidDSSExt]
    
-
    
-
    DSS Extension for Federated Central Signing Services.
    
-
    
-
    
-[EidCertProf]
    
-
    
-
    Certificate profile for certificates issued by Central Signing
-services.
    
-
    
-
    
-[EidSigAct]
    
-
    
-
    Signature Activation Protocol for Federated Signing.
    
-
    
-
    
-
    3.2. Other references
    
-
    
-[SAML2Int]
    
-
    
-
    SAML V2.0 Deployment Profile for Federation Interoperability.
    
-
    
-
    
-[DSS]
    
-
    
-
    OASIS Standard – Digital Signature Service Core Protocols, Elements,
-and Bindings Version 1.0, April 11,
-2007.
    
-
    
-
    
-[AuthContext]
    
-
    
-
    RFC-7773: Authentication Context Certificate Extension.
    
-
    
-    
    
-  
-
diff --git a/docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html b/docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html
new file mode 120000
index 0000000..add31a8
--- /dev/null
+++ b/docs/updates/00_-_Swedish_eID_Framework_-_Introduction.html
@@ -0,0 +1 @@
+../december-2024/00_-_Swedish_eID_Framework_-_Introduction.html
\ No newline at end of file
diff --git a/docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html b/docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html
deleted file mode 100644
index 3c53237..0000000
--- a/docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html
+++ /dev/null
@@ -1,548 +0,0 @@
-
-
-  
-    
-    
-    En introduktion till Sweden Connect Tekniskt ramverk
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    En introduktion till Sweden Connect Tekniskt ramverk
    
-
    2022-10-05
    
-
    Diarienummer: 2019-267
    
-
    
-
    
-Copyright © Myndigheten för digital förvaltning (DIGG), 2015-2022.
-
    
-
-
    Innehållsförteckning
    
-
      
-
    1. Introduktion
      
-
       1.1. Översikt
      
-
       1.2. Tillitsramverk och säkerhetsnivåer
      
-
       1.3. Tjänst för insamling, administration och publicering av metadata
      
-
       1.4. Anvisningstjänst
      
-
       1.5. Integration hos förlitande part
      
-
       1.6. Underskrift
      
-
       1.7. Tekniskt ramverk och eIDAS
      
-
       1.7.1. Autentiseringar med utländska e-legitimationer
      
-
       1.7.2. Underskrifter med utländska e-legitimationer
      
-
       1.7.3. Hantering av identiteter
      
-
       1.7.4. Svenska e-legitimationer i utländska e-tjänster
      
-
      2. 
-
    2. Tekniska specifikationer
      
-
       2.1. SAML-profiler
      
-
       2.1.1. Deployment Profile for the Swedish eID Framework
      
-
       2.1.2. Swedish eID Framework - Registry for identifiers
      
-
       2.1.3. Attribute Specification for the Swedish eID Framework
      
-
       2.1.4. Entity Categories for the Swedish eID Framework
      
-
       2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework
      
-
       2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework
      
-
       2.1.7. Principal Selection in SAML Authentication Requests
      
-
       2.2. Specifikationer för Underskrift
      
-
       2.2.1. Implementation Profile for using OASIS DSS in Central Signing Services
      
-
       2.2.2. DSS Extension for Federated Central Signing Services
      
-
       2.2.3. Certificate Profile for Certificates Issued by Central Signing Services
-
      
-
       2.2.4. Signature Activation Protocol for Federated Signing
      
-
      3. 
-
    3. Referenslista
      
-
       3.1. DIGG
      
-
       3.2. Övriga referenser
      
-
      4. 
-
    
-
    
-
    1. Introduktion
    
-
    
-
    1.1. Översikt
    
-
    Sweden Connect Tekniskt Ramverk är anpassat för
-identitetsfederationer som baseras på SAML 2.0.
    
-
    Förlitande parter erhåller identitetsintyg i ett standardiserat format
-från en legitimeringstjänst1.
    
-
    E-tjänster som kräver underskrift behöver inte anpassas efter olika 
-användares e-legitimationer för att skapa elektroniska underskrifter. 
-Istället överlåter e-tjänsten detta till en underskriftstjänst där användare 
-med stöd av legitimering via en legitimeringstjänst ges möjlighet att underteckna
-elektroniska handlingar.
    
-
    Inom federationen intar e-tjänster och motsvarande förlitande parter
-rollen som Service Provider (SP) medan legitimeringstjänster som
-utfärdar identitetsintyg intar rollen som Identity Provider (IdP) och
-därmed den som autentiserar användaren, oavsett mot vilken e-tjänst som
-användaren legitimerar sig.
    
-
    För de fall där e-tjänsten behöver mer information om användaren t ex.
-uppgift om juridisk behörighet, kan en fråga ställas till en
-attributtjänst, Attribute Authority (AA), inom federationen, om sådan
-relevant attributtjänst finns. Genom en attributsförfrågan kan
-e-tjänsten erhålla nödvändig kompletterande information för att kunna
-auktorisera användaren och ge tillgång till e-tjänsten eller
-motsvarande.
    
-
    Då såväl personidentitetsuppgifter som andra attribut kopplat till
-användare tillhandahålls genom identitetsintyg och attributsintyg, kan
-alla typer av e-legitimationer som förlitande part har avtal om och som
-ingår i federationen användas för legitimering mot en e-tjänst som
-kräver såväl personnummer som ytterligare information, även om 
-e-legitimationen inte innehåller några specifika personuppgifter 
-(t.ex. koddosor för generering av engångslösenord).
    
-
    
-
    Figur 1: Illustration av kommunikationen mellan de olika tjänsterna inom
-en identitetsfederation.
    
-
    
-
    [1]: Legitimeringstjänst benämns i annan dokumentation från DIGG också som identitetstjänst och intygstjänst. I detta dokument används dock uteslutande benämningen legitimeringstjänst.
    
-
    
-
    
-
    1.2. Tillitsramverk och säkerhetsnivåer
    
-
    Grunden för vilken säkerhetsnivå som tillämpas när en användare
-legitimerar sig är den tillitsnivå avseende e-legitimationen som
-e-tjänsten kräver. För att dessa säkerhetsnivåer ska kunna vara
-jämförbara inom ramen för federationen definieras fyra tillitsnivåer (1
-– 4) i Tillitsramverket för Svensk e-legitimation [EidTillit] och tre
-tillitsnivåer (låg, väsentlig, hög) i EU-förordningen eIDAS. Alla som
-utfärdar identitetsintyg måste visa att hela den process som ligger till
-grund för utfärdandet av identitetsintyg uppfyller kraven i den
-efterfrågade tillitsnivån, detta innefattar bl.a.
    
-
      
-
    • Krav på skapandet av identitetsintyget.
      
-
      • 
-
    • Krav på den elektroniska legitimeringen (autentiseringen).
      
-
      • 
-
    • Krav på utfärdandeprocessen.
      
-
      • 
-
    • Krav på själva e-legitimationen och dess användning.
      
-
      • 
-
    • Krav på utfärdaren av e-legitimationen.
      
-
      • 
-
    • Krav på fastställande av den e-legitimationssökandens identitet.
      
-
      • 
-
    
-
    
-
    1.3. Tjänst för insamling, administration och publicering av metadata
    
-
    En SAML-federation tillhandahåller information om federationens
-deltagare genom SAML metadata. Som deltagare i en federation räknas
-såväl aktörer som levererar legitimerings- och attributtjänster i
-federationen som förlitande parter, d.v.s. aktörer som konsumerar dessa
-tjänster, t ex. e-tjänster.
    
-
    Genom federationens metadata kan deltagare inhämta information om andra
-deltagares tjänster, inklusive de uppgifter som krävs för ett säkert
-informationsutbyte mellan deltagarna. Metadata måste hållas uppdaterat
-av respektive part och överensstämma med avtalade förhållanden.
    
-
    Det viktigaste syftet med metadata är att tillhandahålla de nycklar/certifikat 
-som krävs för säker kommunikation och informationsutväxling mellan tjänster.
-Utöver nycklar innehåller metadata även annan information som är viktig
-för samverkan mellan tjänster t ex. adresser till funktioner som krävs,
-information om tillitsnivåer, tjänstekategorier,
-användargränssnittsinformation mm.
    
-
    En identitetsfederation definieras av ett register i XML-format som är
-signerat med federationsoperatörens certifikat. Filen innehåller
-information om identitetsfederationens medlemmar inklusive deras
-certifikat. Eftersom filen med metadata är signerad räcker det med att
-jämföra ett certifikat med dess motsvarighet i metadata. En
-infrastruktur baserad på ett centralt federationsregister förutsätter
-att registret uppdateras kontinuerligt samt att federationsmedlemmarna
-alltid använder den senaste versionen av filen.
    
-
    
-
    1.4. Anvisningstjänst
    
-
    I en identitetsfederation är det möjligt att erbjuda och konsumera en
-gemensam anvisningstjänst (Discovery Service), som listar vilka
-legitimeringstjänster som är möjliga för användaren att välja mellan.
-Syftet med en sådan anvisningstjänst är att avlasta de enskilda
-e-tjänsterna som ingår i identitetsfederationen från att själva
-implementera stöd för hur användare väljer legitimeringstjänst (eller
-inloggningsmetod).
    
-
    Genom att anvisningstjänsten finns tillgänglig inom
-identitetsfederationen kan e-tjänster styra sina användare dit för val
-av legitimeringstjänst. Anvisningstjänsten interagerar med användaren
-som gör sitt val och användaren, tillsammans med dennes val, styrs
-tillbaka till e-tjänsten som nu vet till vilken legitimeringstjänst
-användaren ska skickas för legitimering.
    
-
    
-
    För närvarande finns ingen gemensam anvisningstjänst för Sweden Connect-federationen.
    
-
    
-
    
-
    1.5. Integration hos förlitande part
    
-
    Förlitandeparter, t.ex. e-tjänster, integrerar mot legitimeringstjänster
-genom standardiserade meddelanden och konsumerar identitetsintyg vilka
-också har standardiserade format.
    
-
    Sweden Connect tekniskt ramverk är influerad av interoperabilitetsprofilen 
-”SAML V2.0 Deployment Profile for Federation Interoperability”
-[SAML2Int]. Profilen stöds av ett flertal kommersiella 
-produkter och Open Source-lösningar, vilket underlättar integrationsarbetet
-hos e-tjänster.
    
-
    Många e-tjänster använder fristående autentiseringslösningar vilket
-innebär att en anpassning av integrationen för att följa
-tekniskt ramverk får en begränsad påverkan på e-tjänsten som sådan.
    
-
    
-
    1.6. Underskrift
    
-
    Vid underskrift blir det med Sweden Connect tekniskt ramverk
-möjligt att använda olika typer av e-legitimationer, även sådana som
-inte är certifikatbaserade, utan att speciella anpassningar i e-tjänsten
-behövs. Anledningen är att det är det elektroniskt utställda
-identitetsintyget (som används för identifiering av användare vid
-underskrift) har samma format oavsett vilken typ av e-legitimation som
-användaren använder.
    
-
    En underskriftstjänst har som syfte att möjliggöra underskrift inom
-identitetsfederationer som följer tekniskt ramverk med stöd av alla 
-typer av e-legitimationer som erbjuder tillräcklig grad av säkerhet.
    
-
    Genom att upphandla1 och införa en underskriftstjänst kan en förlitande
-part som ingår i federationen låta en användare skriva under en
-elektronisk handling med stöd av underskriftstjänsten.
-Användarens elektroniska signatur och tillhörande signeringscertifikat
-skapas av underskriftstjänsten efter det att användaren accepterat att
-skriva under genom att legitimera sig mot underskriftstjänsten2.
    
-
    
-
    [1]: Det är också möjligt att själv implementera en underskriftstjänst baserat på specifikationerna i tekniskt ramverk, eller på annat sätt införskaffa en underskriftstjänst.
    
-
    [2]: Viktigt att påpeka är att det är av största vikt att användaren upplever det som att denne skriver under en handling. Därför ska ett underskriftsflöde användas för de e-legitimationer som stödjer detta i samband med "legitimering för underskrift".
    
-
    
-
    
-
    1.7. Tekniskt ramverk och eIDAS
    
-
    EU-förordningen (910/2014) om elektronisk identifiering och betrodda
-tjänster, eIDAS, ställer krav på svenska offentliga organ att erkänna de
-e-legitimationer som andra eIDAS-länder har anmält. Detta innebär att en
-offentlig svensk e-tjänst baserat på vissa regler skall kunna acceptera
-en inloggning som utförs med en e-legitimation utställd i ett annat
-land.
    
-
    
-
    1.7.1. Autentiseringar med utländska e-legitimationer
    
-
    De tekniska specifikationerna för eIDAS bygger, såsom
-tekniskt ramverk, på SAML-standarder, och även
-om likheterna är många finns även skillnader i dessa specifikationer. En
-svensk e-tjänst ska dock inte förhålla sig direkt till eIDAS tekniska
-specifikationer. Nedanstående bild illustrerar hur
-den svenska eIDAS-noden (eIDAS-connector) agerar som en brygga
-mellan andra länder och den svenska federationen då en person autentiseras
-med en utländsk e-legitimation mot en svensk e-tjänst.
-Den svenska eIDAS-noden följer tekniskt ramverk.
    
-
    
-
    Flödet är enligt följande:
    
-
      
-
    1. En användare med en utländsk e-legitimation begär åtkomst till en
-svensk e-tjänst (d.v.s., loggar in).
      
-
      2. 
-
    2. E-tjänsten låter användaren välja inloggningssätt med hjälp av en
-anvisningstjänst. Ett val ”Foreign eID” visas upp, vilket användaren
-i eIDAS-fallet väljer.
      
-
      3. 
-
    3. E-tjänsten skapar en legitimeringsbegäran enligt detta tekniska
-ramverk och styr användaren till den svenska eIDAS-noden (connector)
-som DIGG ansvarar för. eIDAS-noden uppträder som
-en legitimeringstjänst (Identity Provider) i federationen in
-mot svenska förlitande parter vilket innebär att kommunikation med
-denna tjänst utförs på samma sätt som mot övriga
-legitimeringstjänster inom federationer som följer tekniskt ramverk.
      
-
      4. 
-
    4. Den mottagna begäran behandlas och eIDAS-noden visar upp en valsida
-där användaren väljer ”sitt land”1. Den svenska eIDAS-noden
-omvandlar nu den mottagna legitimeringsbegäran till en
-legitimeringsbegäran enligt eIDAS och användaren styrs till det
-valda landets ”eIDAS Proxy-tjänst”.
      
-
      5. 
-
    5. Då legitimeringsbegäran mottas av den eIDAS-Proxy-tjänst för valt
-land tar detta lands teknik för autentisering över. Inte alla länder
-inom eIDAS använder SAML för autentisering, men om så var fallet i
-vårt exempel skulle användaren styras vidare till en
-legitimeringstjänst (Identity Provider), och innan dess kanske även
-en anvisningstjänst för val av legitimeringstjänst.
      
-
      6. 
-
    6. Då en autentisering utförts skapas ett intyg (Assertion) enligt
-eIDAS specifikationer. Detta intyg innehåller bl.a. eIDAS-specifika
-attribut som identifierar användaren. Detta intyg styrs nu vidare till
-den svenska eIDAS-noden.
      
-
      7. 
-
    7. Noden tar emot intyget och validerar dess korrekthet. Detta intyg
-transformeras från eIDAS-format till ett intyg utformat
-enligt tekniskt ramverk och postas till e-tjänsten.
      
-
      8. 
-
    8. Förlitande part kompletterar eventuellt med ytterligare information
-och avgör om användaren ska ges till åtkomst till tjänsten.
      
-
      9. 
-
    
-
    Svenska e-tjänster behöver således endast stödja 
-tekniskt ramverk för att kunna hantera en autentisering utförd med en
-europeisk e-legitimation. Dock måste e-tjänsten kunna hantera den
-identitet som presenteras, vilket inte nödvändigtvis är ett personnummer. 
-Det kan alltså hända att en e-tjänst autentiserar en användare via 
-eIDAS-ramverket, men att användarens
-presenterade identitet inte går att använda hos e-tjänsten. Mer om detta
-i kapitlet 1.7.3 nedan.
    
-
    
-
    [1]: Egentligen väljer användaren till vilken ”eIDAS Proxy-tjänst” som begäran ska skickas vidare till. Detta är beroende landstillhörigheten för användarens e-legitimationsutfärdare.
    
-
    
-
    
-
    1.7.2. Underskrifter med utländska e-legitimationer
    
-
    Som redan beskrivits tillämpas en modell för
-elektronisk underskrift inom ramen för detta tekniska ramverk
-som kallas federerad underskrift. En
-serverbaserad underskriftstjänst knyts till e-tjänsten som i sin tur
-begär underskrift. När en användare skriver under ett dokument skickar
-e-tjänsten en underskriftsbegäran till underskriftstjänsten.
-Underskriftstjänsten begär därefter att användaren legitimerar sig. I
-samband med legitimeringen godkänner användaren underskriften.
-Underskriftstjänsten skickar tillbaka uppgifter till e-tjänsten och
-därefter lagras underskriftsuppgifterna kopplade till den handling som
-har skrivits under.
    
-
    Detta förfarande möjliggör att skriva under även med utländsk
-e-legitimation då underskriftstjänsten kan välja att legitimera
-användaren med utländsk e-legitimation i enlighet med förfarandet som
-beskrivs ovan i avsnitt 1.7.1.
    
-
    Vid en underskrift ansvarar i det fallet den svenska eIDAS-noden för att
-användaren upplyses om att syftet med legitimeringen är att skriva under
-ett dokument, vem som begärt underskrift samt med eventuell information
-om vad som undertecknas. Först när användaren genom att legitimera sig
-(för underskrift) utfärdas ett identitetsintyg, som skickas till
-underskriftstjänsten och som i sin tur genererar underskriften.
    
-
    
-
    1.7.3. Hantering av identiteter
    
-
    Identitetsintyg från andra länder följer EU-gemensamma tekniska
-specifikationer framtagna inom ramen för eIDAS-regelverket. Här
-specificeras de attribut som varje land alltid måste skicka med för
-fysiska personer såväl som för organisationer (”Minimum Dataset”, MDS).
-Varje land måste skicka med en unik identifierare per e-legitimation som
-representerar endast en fysisk person. Från vissa länder kommer dessa
-identifierare vara unika och beständiga per person på motsvarande sätt
-som t.ex. svenska personnummer, men dessa identifierare kan ha vitt
-skilda sammansättningar och ha väldigt olika egenskaper. En egenskap som
-kan variera är hur persistent en sådan identifierare är, d.v.s., om en
-sådan identifierare är oförändrad under en persons livstid eller om den
-ändras om personen exempelvis flyttar till en annan region, byter namn
-eller bara byter e-legitimation. Från några länder (t.ex.
-Storbritannien) kommer identifieraren att vara olika beroende på vilken
-av landets e-legitimationer en användare för tillfället väljer att
-använda.
    
-
    För att förenkla hanteringen av användare i svenska e-tjänster
-genererar den svenska eIDAS-noden ett standardiserat ID-attribut för
-användare som legitimerats med utländsk e-legitimation, ett s.k.
-provisional ID (förkortat PRID). Dessutom skapas ett tillhörande
-attribut som deklarerar vilken förväntad persistens, eller livslängd,
-detta ID-attribut har. PRID-attributet genereras utifrån de
-attributvärden som erhålls från den utländska legitimeringen enligt
-specificerade metoder för respektive land. Varje kombination av land och
-metod klassas med avseende på förväntad persistens, d.v.s., hur
-sannolikt det är att en identitet ändras över tiden för samma person.
-Detta gör det möjligt för svenska e-tjänster att anpassa kommunikationen
-med användaren och proaktivt tillhandahålla funktioner som underlättar
-för en användare vars identitet har ändrats, att återfå kontrollen över
-sin information i e-tjänsten.
    
-
    I vissa fall kan en person som legitimeras med en utländsk
-e-legitimation även inneha ett svenskt personnummer. Det kan till exempel 
-röra sig om en svensk medborgare som flyttat utomlands och skaffat utländsk e-legitimation
-eller en utländsk medborgare som är folkbokförd i Sverige och har tilldelats ett
-personnummer.
    
-
    Det faktum att en person med utländsk e-legitimation innehar ett svenskt
-personnummer är normalt sett inte känt för den
-utländska legitimeringstjänsten och denna information ingår därför inte
-i identitetsintyg från landet där personen legitimeras. Den svenska
-noden har däremot möjlighet att fråga en attributtjänst i Sverige1 om
-det finns ett registrerat personnummer för den
-legitimerade personen och kan, om så är fallet, påföra sådan information
-i det identitetsintyg som skickas till e-tjänsten.
    
-
    
-
    [1]: I skrivande stund finns ingen attributtjänst som utför koppling mellan eIDAS-identiteter och svenska personnummer.
    
-
    
-
    
-
    1.7.4. Svenska e-legitimationer i utländska e-tjänster
    
-
    Sverige har anmält svenska e-legitimationer på tillitsnivå väsentlig (substantial) och hög (high) enligt eIDAS. 
    
-
    En begäran om legitimering från en utländsk e-tjänst ställs till den svenska eIDAS-noden (proxy-tjänst) via en s.k. eIDAS-connector i e-tjänstens land. 
-I den svenska eIDAS-noden väljer användaren med vilken svensk e-legitimation denne önskar autentisera sig, varpå en legitimeringsbegäran till den legitimeringstjänst (Identity Provider) som hanterar vald e-legitimation skickas. Denna begäran är utformad enligt tekniskt ramverk vilket innebär att en svensk legitimeringstjänst inte behöver förhålla sig till eIDAS tekniska specifikationer.
    
-
    Användaren autentiseras hos den svenska legitimeringstjänsten och ett identitetsintyg ställs ut (enligt tekniskt ramverk). Detta intyg mottas av den svenska eIDAS Proxy-tjänsten och omvandlas till ett intyg enligt eIDAS specifikationer innan det skickas vidare till den utländska eIDAS-connectorn och därpå till den anropande e-tjänsten (Service Provider).
    
-
    
-
    2. Tekniska specifikationer
    
-
    Detta kapitel innehåller specifikationer och profiler för
-identitetsfederationer som följer Sweden Connect tekniskt
-ramverk, och vissa kringliggande tjänster. Där inget annat nämns är
-dessa dokument normativa för leverans av tjänster inom
-identitetsfederationer som implementerar 
-tekniskt ramverk.
    
-
    
-
    2.1. SAML-profiler
    
-
    Identitetsfederationer som följer Sweden Connect tekniska ramverk är uppbyggda
-kring ”Deployment Profile for the Swedish eID Framework”, [EidProfile]. Denna profil är influerad av, men inte normativt beroende på, ”SAML V2.0 Deployment Profile for Federation Interoperability” [SAML2Int]. [EidProfile] innehåller också regler och riktlinjer specifika för Sweden Connect tekniskt ramverk. 
    
-
    
-
    2.1.1. Deployment Profile for the Swedish eID Framework
    
-
    ”Deployment Profile for the Swedish eID Framework”, [EidProfile], är huvuddokumentet för tekniskt ramverk och specificerar bland annat:
    
-
      
-
    • Hur SAML metadata ska byggas upp och tolkas.
      
-
      • 
-
    • Hur formatet av en legitimeringsbegäran ska se ut.
      
-
      • 
-
    • Hur en legitimeringsbegäran ska behandlas, och hur ett identitetsintyg ska konstrueras, verifieras och behandlas.
      
-
      • 
-
    • Krav på säkerhet.
      
-
      • 
-
    • Specifika SAML-krav för underskriftstjänster och "legitimering för underskrift".
      
-
      • 
-
    
-
    
-
    2.1.2. Swedish eID Framework - Registry for identifiers
    
-
    Implementering av en infrastruktur för Svensk e-legitimation kräver
-olika former av identifierare för att representera objekt i
-datastrukturer. Dokumentet ”Swedish eID Framework - Registry for identifiers”, [EidRegistry], definierar strukturen
-för identifierare som tilldelats inom ramen för tekniskt ramverk, samt ett
-register över definierade identifierare.
    
-
    
-
    2.1.3. Attribute Specification for the Swedish eID Framework
    
-
    Specifikationen ”Attribute Specification for the Swedish eID Framework”,
-[EidAttributes], deklarerar de SAML attributprofiler som används inom
-identitetsfederationer som följer tekniskt ramverk inklusive de som
-ansluter till eIDAS via den svenska eIDAS-noden.
    
-
    
-
    2.1.4. Entity Categories for the Swedish eID Framework
    
-
    Entitetskategorier (Entity Categories) används inom federationen för ett antal olika
-syften:
    
-
      
-
    • Service Entity Categories – Används i metadata för att
-representera e-tjänsters krav på tillitsnivåer och begärda attribut,
-samt legitimeringstjänsters uppfyllande av tillitsnivåer och
-leverans av attribut.
      
-
      • 
-
    • Service Property Categories – Används för att representera en viss
-egenskap hos en tjänst.
      
-
      • 
-
    • Service Type Entity Categories – Används för att representera olika
-tjänstetyper inom federationen.
      
-
      • 
-
    • Service Contract Entity Categories - Används av tjänster för att annonsera 
-avtalsformer och liknande.
      
-
      • 
-
    • General Entity Categories - Entitetskategorier som inte faller inom ramen
-för någon av de ovanstående typerna.
      
-
      • 
-
    
-
    Specifikationen ”Entity Categories for the Swedish eID Framework”
-[EidEntCat] specificerar de entitetskategorier som definieras av tekniskt ramverk och beskriver dess betydelse.
    
-
    
-
    2.1.5. eIDAS Constructed Attributes Specification for the Swedish eID Framework
    
-
    Specifikationen ”eIDAS Constructed Attributes Specification for the Swedish
-eID Framework”, [EidConstrAttributes], specificerar processer och regler
-för hur ID-attribut konstrueras baserat på attribut som tas emot vid
-legitimering mot eIDAS.
    
-
    
-
    2.1.6. Implementation Profile for BankID Identity Providers within the Swedish eID Framework
    
-
    Specifikationen "Implementation Profile for BankID Identity Providers within the Swedish eID Framework", [EidBankID], definierar regler för hur en legitimeringstjänst som implementerar stöd för BankID skall utformas.
    
-
    
-
    Notera: Denna specifikation är inte normativ för uppfyllande av tekniskt ramverk. Den är endast relevant för legitimeringstjänster som implementerar stöd för BankID samt e-tjänster som använder dessa. Dock så skall legitimeringstjänster som implementerar stöd för BankID och vill ansluta till Sweden Connect-federationen uppfylla denna specifikation.
    
-
    
-
    
-
    2.1.7. Principal Selection in SAML Authentication Requests
    
-
    Specifikationen "Principal Selection in SAML Authentication Requests", [EidPrincipalSel], definierar en utökning till SAML som möjliggör för en förlitande part att informera en legitimeringstjänst vilken identitet den önskar ska legitimeras.
    
-
    
-
    2.2. Specifikationer för Underskrift
    
-
    Detta stycke innehåller referenser till de dokument vilka definierar
-underskriftstjänster inom federationer som följer Sweden Connect tekniskt
-ramverk.
    
-
    
-
    2.2.1. Implementation Profile for using OASIS DSS in Central Signing Services
    
-
    Implementationsprofilen ”Implementation Profile for Using OASIS DSS in
-Central Signing Services”, [EidDSSProfile], specificerar en profil för
-underskriftsbegäran och respons enligt OASIS standarden "Digital
-Signature Service Core Protocols, Elements, and Bindings",
-[DSS].
    
-
    
-
    2.2.2. DSS Extension for Federated Central Signing Services
    
-
    ”DSS Extension for Federated Central Signing Services”, [EidDSSExt], är en påbyggnad av 
-OASIS standarden ”Digital Signature Service Core Protocols, Elements, and Bindings”, [DSS], där definitioner som behövs för underskrift enligt tekniskt ramverk specificeras.
    
-
    
-
    2.2.3. Certificate Profile for Certificates Issued by Central Signing Services
    
-
    Certifikatprofilen ”Certificate profile for certificates issued by Central Signing services”, [EidCertProf], specificerar innehåll i signeringscertifikat. Denna profil tillämpar en
-ny certifikatextension till stöd för underskriftstjänster.
    
-
    Denna profil refererar till "Authentication Context Certificate Extension", [AuthContext], vilken beskriver hur ”Authentication Context” representeras i X.509 certifikat.
    
-
    
-
    2.2.4. Signature Activation Protocol for Federated Signing
    
-
    Specifikationen "Signature Activation Protocol for Federated Signing", [EidSigAct], definierar ett "Signature Activation Protocol" (SAP) för implementation av "Sole Control Assurance Level 2" (SCAL2) enligt standarden "prEN 419241 - Trustworthy Systems Supporting Server Signing".
    
-
    
-
    3. Referenslista
    
-
    
-
    3.1. DIGG
    
-
    
-[EidTillit]
    
-
    
-
    Tillitsramverket för Svensk e-legitimation.
    
-
    
-
    
-[EidProfile]
    
-
    
-
    Deployment Profile for the Swedish eID Framework.
    
-
    
-
    
-[EidRegistry]
    
-
    
-
    Swedish eID Framework - Registry for identifiers.
    
-
    
-
    
-[EidAttributes]
    
-
    
-
    Attribute Specification for the Swedish eID Framework.
    
-
    
-
    
-[EidEntCat]
    
-
    
-
    Entity Categories for the Swedish eID Framework.
    
-
    
-
    
-[EidConstrAttributes]
    
-
    
-
    eIDAS Constructed Attributes Specification for the Swedish eID
-Framework.
    
-
    
-
    
-[EidBankID]
    
-
    
-
    Implementation Profile for BankID Identity Providers within the Swedish eID Framework.
    
-
    
-
    
-[EidPrincipalSel]
    
-
    
-
    Principal Selection in SAML Authentication Requests.
    
-
    
-
    
-[EidDSSProfile]
    
-
    
-
    Implementation Profile for Using OASIS DSS in Central Signing Services.
    
-
    
-
    
-[EidDSSExt]
    
-
    
-
    DSS Extension for Federated Central Signing Services.
    
-
    
-
    
-[EidCertProf]
    
-
    
-
    Certificate profile for certificates issued by Central Signing
-services.
    
-
    
-
    
-[EidSigAct]
    
-
    
-
    Signature Activation Protocol for Federated Signing.
    
-
    
-
    
-
    3.2. Övriga referenser
    
-
    
-[SAML2Int]
    
-
    
-
    SAML V2.0 Deployment Profile for Federation Interoperability.
    
-
    
-
    
-[DSS]
    
-
    
-
    OASIS Standard – Digital Signature Service Core Protocols, Elements,
-and Bindings Version 1.0, April 11,
-2007.
    
-
    
-
    
-[AuthContext]
    
-
    
-
    RFC-7773: Authentication Context Certificate Extension.
    
-
    
-    
    
-  
-
diff --git a/docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html b/docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html
new file mode 120000
index 0000000..3b2d32b
--- /dev/null
+++ b/docs/updates/00_-_Tekniskt_ramverk_-_Introduktion.html
@@ -0,0 +1 @@
+../december-2024/00_-_Tekniskt_ramverk_-_Introduktion.html
\ No newline at end of file
diff --git a/docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html b/docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html
deleted file mode 100644
index 5097c33..0000000
--- a/docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html
+++ /dev/null
@@ -1,1585 +0,0 @@
-
-
-  
-    
-    
-    Deployment Profile for the Swedish eID Framework
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Deployment Profile for the Swedish eID Framework
    
-
    Version 1.8 - 2022-10-19 - Draft version
    
-
    Registration number: 2019-308
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2022. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirements Notation
      
-
       1.2. References to SAML 2.0 Standards and Profiles
      
-
      2. 
-
    2. Metadata and Trust Management
      
-
       2.1. Requirements for Metadata Content
      
-
       2.1.1. Generic
      
-
       2.1.2. Service Providers
      
-
       2.1.3. Identity Providers
      
-
       2.1.4. Signature Service
      
-
      3. 
-
    3. Name Identifiers
      
-
      4. 
-
    4. Attributes
      
-
      5. 
-
    5. Authentication Requests
      
-
       5.1. Discovery
      
-
       5.2. Binding and Security Requirements
      
-
       5.3. Message Content
      
-
       5.3.1. Requested Authentication Context
      
-
       5.3.2. Scoping
      
-
       5.3.3. Principal Selection
      
-
       5.4. Processing Requirements
      
-
       5.4.1. Validation of Destination
      
-
       5.4.2. Validation of Assertion Consumer Addresses
      
-
       5.4.3. Identity Provider User Interface
      
-
       5.4.4. Authentication Context and Level of Assurance Handling
      
-
       5.4.5. Single Sign On Processing
      
-
      6. 
-
    6. Authentication Responses
      
-
       6.1. Security Requirements
      
-
       6.2. Message Content
      
-
       6.2.1. Attribute Release and Consuming Rules
      
-
       6.2.2. Message Content Requirements for Holder-of-key
      
-
       6.3. Processing Requirements
      
-
       6.3.1. Signature Validation
      
-
       6.3.2. Subject Confirmation
      
-
       6.3.3. Conditions
      
-
       6.3.4. The Authentication Statement
      
-
       6.3.5. General Security Validation
      
-
       6.4. Error Responses
      
-
      7. 
-
    7. Authentication for Signature
      
-
       7.1. Authentication Requests
      
-
       7.1.1. Requesting Display of Signature Message
      
-
       7.1.2. Requesting SCAL2 Signature Activation Data
      
-
       7.2. Authentication Responses
      
-
      8. 
-
    8. Cryptographic Algorithms
      
-
       8.1. Digest Algorithms
      
-
       8.2. Signature Algorithms
      
-
       8.3. Block Encryption Algorithms
      
-
       8.4. Key Transport Algorithms
      
-
      9. 
-
    9. Normative References
      
-
      10. 
-
    10. Changes between versions
      
-
      11. 
-
    
-
    
-
    
-
    1. Introduction
    
-
    This profile specifies behaviour and options that deployments of the SAML
-V2.0 Web Browser SSO Profile, [SAML2Prof], and the SAML V2.0 Holder-of-key
-Web Browser SSO Profile, [SAML2HokProf],
-are required or permitted to rely on. The requirements specified in this profile
-are in addition to the underlying normative requirements of [SAML2Prof]
-and [SAML2HokProf] (including updates to these specifications provided by [SAML v2.0 Errata 05]).
    
-
    
-
    Note: The profile is influenced by, but not normatively dependent on, SAML2Int.
    
-
    
-
    Readers should be familiar with all relevant reference documents, and
-any requirements stated are not repeated unless where deemed necessary
-to clarify or highlight a certain issue.
    
-
    Any SAML features specified in referenced SAML documents that are
-optional are out of scope of this profile, unless explicitly specified
-by this profile.
    
-
    
-
    1.1. Requirements Notation
    
-
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-document are to be interpreted as described in
-[RFC2119].
    
-
    The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus
-on deployment practices intended to foster both interoperability and
-guarantees of security and confidentiality needed to satisfy the
-requirements of many organizations that engage in the use of federated
-identity. Deviating may limit a deployment's ability to technically
-interoperate without additional negotiation, and should be undertaken
-with caution.
    
-
    
-
    1.2. References to SAML 2.0 Standards and Profiles
    
-
    When referring to elements from the SAML 2.0 core specification
-[SAML2Core], the following syntax is used:
    
-
      
-
    • <saml2p:Protocolelement> – for elements from the SAML 2.0
-Protocol namespace.
      
-
      • 
-
    • <saml2:Assertionelement> – for elements from the SAML 2.0
-Assertion namespace.
      
-
      • 
-
    
-
    When referring to elements from the SAML 2.0 metadata specifications,
-the following syntax is used:
    
-
      
-
    • <md:Metadataelement> – for elements defined in [SAML2Meta].
      
-
      • 
-
    • <mdui:Element> – for elements defined in [SAML2MetaUI].
      
-
      • 
-
    • <mdattr:Element> – for elements defined in [SAML2MetaAttr].
      
-
      • 
-
    • <alg:Element> – for elements defined in [SAML2MetaAlgSupport].
      
-
      • 
-
    
-
    When referring to elements from the SAML V2.0 Holder-of-key Web Browser SSO Profile, [SAML2HokProf], the following syntax is used:
    
-
      
-
    • <hoksso:ProtocolBinding> - for elements from the SAML V2.0 Web Browser Holder-of-key namespace.
      • 
-
    
-
    When referring to elements from the "Identity Provider Discovery Service Protocol and Profile" specification [IdpDisco], the following syntax is used:
    
-
      
-
    • <idpdisc:DiscoveryResponse>
      • 
-
    
-
    When referring to the Scope element defined in the "Subject Identifier Attributes Profile" specification, [SAML2SubjIdAttr], the following syntax is used:
    
-
      
-
    • <shibmd:Scope>
      • 
-
    
-
    When referring to elements from the W3C XML Signature namespace
-(http://www.w3.org/2000/09/xmldsig\#) the following syntax is used:
    
-
      
-
    • <ds:Signature>
      • 
-
    
-
    Note: For all references to core SAML specifications, direct or indirect, the [SAML v2.0 Errata 05] MUST always be considered.
    
-
    
-
    2. Metadata and Trust Management
    
-
    Identity Providers and Service Providers conformant with this profile MUST provide a SAML 2.0 Metadata document representing its entity. The provided metadata MUST conform to "Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0", [SAML2Meta], and SHOULD follow "SAML v2.0 Metadata Profile for Algorithm Support Version 1.0", [SAML2MetaAlgSupport].
    
-
    Services conforming to this profile MUST be able to consume SAML metadata on an automated and periodic basis using the processing rules defined by "SAML V2.0 Metadata Interoperability Profile Version 1.0" [SAML2MetaIOP]. Automatic consumption of metadata MUST be followed by a successful signature verification of the downloaded metadata before it is trusted and used. 
    
-
    
-
    2.1. Requirements for Metadata Content
    
-
    
-
    2.1.1. Generic
    
-
    
-
    2.1.1.1. Display Information
    
-
    All services that are represented in the Metadata SHALL include a
-<md:Organization> element with mandatory child elements, which
-includes at least one of each of the elements
-<md:OrganizationName>, <md:OrganizationDisplayName> and
-<md:OrganizationURL>.
    
-
    The <md:OrganizationName> element SHALL hold a registered name of
-the organization, which matches the agreement with the federation
-operator.
    
-
    The <md:OrganizationDisplayName> element SHALL contain a display
-name of the organization and SHALL NOT contain a service name that is
-unrelated to the name of the organization.
    
-
    Metadata for an entity SHALL contain an <mdui:UIInfo>
-extension, extending the <md:SPSSODescriptor> or <md:IDPSSODescriptor> element 
-(depending on the type of the entity). This <mdui:UIInfo> element SHALL at least contain a
-<mdui:DisplayName> element with the language attribute sv
-(Swedish), representing the entity name that has been approved
-by the federation operator. The <mdui:UIInfo> element SHALL also
-contain a reference to one, or more, logotype images (<mdui:Logo>) as described in section 2.1.5
-of [SAML2MetaUI] and SHOULD
-contain a <mdui:Description> element with the language attribute
-sv (Swedish).
    
-
    It is RECOMMENDED that the above elements represented in Swedish also be
-represented with the language attribute en (English).
    
-
    A federation operator may impose further requirements regarding the <mdui:UIInfo> extension.
    
-
    
-
    2.1.1.2. Certificates in Metadata
    
-
    Public keys used for signature validation and encryption MUST be expressed via X.509
-certificates included in metadata as <ds:X509Certificate> child elements to
-<md:KeyDescriptor> elements. These certificates merely acts as containers for the public keys 
-needed for signature validation and encryption and the consumer of a metadata entry cannot
-expect to be able to execute a successful certificate path validation of such certificates.
-A metadata consumer MUST NOT reject a metadata entry due to that certificate trust is missing,
-the certificate is expired, or certificate revocation information is missing.
    
-
    However, for interoperability reasons it is RECOMMENDED that:
    
-
      
-
    • self-signed certificates are used,
      • 
-
    • non-expired certificates (with a long validity time) are used,
      • 
-
    • certificates are not signed with MD5- och SHA1-based signature algorithms. 
      • 
-
    
-
    All services represented in metadata SHOULD include at least one <md:KeyDescriptor> 
-element holding a certificate to be used for signature validation (with the use-attribute
-set to signing), and one <md:KeyDescriptor> element containing a certificate 
-to be used for message encryption (with the use-attribute set to encryption).
-It is allowed to use the same key and certificate for both usages, but in order to enable
-a future key rollover it is RECOMMENDED to avoid using only one <md:KeyDescriptor> element
-for both usages (i.e., with an absent use-attribute).
    
-
    In order to facilitate key rollover of a signing key, a service MUST support multiple signing 
-certificates found in peer metadata and MUST support signature validation using a key from 
-any of the available peer signature certificates.
    
-
    For key rollover of encryption keys, the service that is performing the key rollover MUST only
-publish the latest key (in a certificate) to its metadata entry. Until all peers have consumed
-the service's metadata entry containing the new certificate, the service MUST support decrypting 
-messages using both the old and new key.
    
-
    
-
    2.1.1.3. Declaring Algorithm Support
    
-
    Services MAY declare encryption and signature capabilities as defined in [SAML2MetaAlgSupport]. The declared algorithms MUST meet the algorithm requirements defined by the Swedish eID Framework or by the federation operator . Thus, it is not allowed to declare an algorithm, or key size, that is prohibited from use. 
    
-
    All services conformant with this specification MUST support the mandatory algorithms defined by the Swedish eID Framework, meaning that a service has no possibility to opt-out from a certain mandatory algorithm by excluding it from the declared capabilities. The main purpose of declaring an algorithm using any of the elements <md:EncryptionMethod>, <alg:SigningMethod> or <alg:DigestMethod> is to declare which algorithm the service prefers.
    
-
    
-
    2.1.2. Service Providers
    
-
    The <mdattr:EntityAttributes> element of a Service Provider’s
-entity descriptor SHOULD contain one entity category attribute
-[EntCat] that holds at least
-one attribute value representing a service entity category as defined in
-[EidEntCat], identifying the Service Provider requirements in relation to
-identity services concerning attribute release and level of assurance.
    
-
    The example below illustrates how an entity declares the service entity
-category identifier http://id.elegnamnden.se/ec/1.0/loa3-pnr in its
-metadata.
    
-
    <md:Extensions>
-  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
-    <saml2:Attribute Name="http://macedir.org/entity-category"
-                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
-      <saml2:AttributeValue xsi:type="xs:string">
-        http://id.elegnamnden.se/ec/1.0/loa3-pnr
-      </saml2:AttributeValue>
-    </saml2:Attribute>
-  </mdattr:EntityAttributes>
-</md:Extensions>
    If a Service Provider does not have any attribute requirements other than those
-implicitly requested by inclusion of one or more service entity categories, the
-metadata entry of the Service Provider SHOULD NOT include a
-<md:AttributeConsumingService> element (with <md:RequestedAttribute> 
-elements). 
    
-
    Any needs for particular attributes from Identify Providers, when
-present, MUST be expressed through present service entity categories in
-combination with <md:RequestedAttribute> elements under the
-<md:AttributeConsumingService> element in the Service
-Provider metadata. The <md:RequestedAttribute> elements in the
-Service Provider metadata, when present, hold a list of requested and/or
-required attributes. This list of attributes MUST be interpreted in the
-context of present service entity categories defined in [EidEntCat].
    
-
    
-
    Note: Only the requirements for attributes that are not implicitly requested through a declared
-service entity category need to be expressed as <md:RequestedAttribute> elements.
    
-
    
-
    A Service Provider MAY sign authentication request messages sent to
-Identity Providers. A Service Provider that signs authentication
-requests messages MAY also ensure that a receiving Identity Provider
-will only accept valid signed requests from this Service Provider by
-assigning the AuthnRequestsSigned attribute of the
-<md:SPSSODescriptor> to a value of true.
    
-
    Section E7, “Metadata for Agreeing to Sign Authentication Requests”, of
-[SAML v2.0 Errata 05]
-specifies the following concerning the AuthnRequestsSigned attribute:
    
-
    
-
    Optional attribute that indicates whether the
-<saml2p:AuthnRequest> messages sent by this Service Provider
-will be signed. If omitted, the value is assumed to be false. A value
-of false (or omission of this attribute) does not imply that the
-Service Provider will never sign its requests or that a signed request
-should be considered an error. However, an Identity Provider that
-receives an unsigned <saml2p:AuthnRequest> message from a
-Service Provider whose metadata contains this attribute with a value
-of true MUST return a SAML error response and MUST NOT fulfill the
-request.
    
-
    
-
    Furthermore, a Service Provider MAY require assertions that are issued
-to it, to be signed. This is done by assigning the WantAssertionsSigned
-attribute of the <md:SPSSODescriptor> to a value of true.
    
-
    Note that the response message that carries the assertion will always be
-signed, so the Service Provider should only require signed assertions in
-case that it wants to preserve the proof of authenticity of an assertion
-separate from the response.
    
-
    A Service Provider wishing to make use of a central discovery service as specified in the "Identity Provider Discovery Service Protocol Profile" [IdPDisco] MUST include at least one <idpdisc:DiscoveryResponse> element as an extension under the <md:SPSSODescriptor> element. 
    
-
    
-
    2.1.2.1. Holder of Key Support
    
-
    A Service Provider that sends authentication requests using the Holder-of-key Web Browser SSO Profile MUST include a <md:AssertionConsumerService> element in its metadata according to section 2.8 of [SAML2HokProf].
    
-
    If the Service Provider also makes use of the ordinary Web Browser SSO Profile at least one <md:AssertionConsumerService> element according to section 2.4.4 of [SAML2Meta] MUST also be included in the Service Provider metadata. 
    
-
    In those cases, where a Service Provider supports both profiles, it is RECOMMENDED that the a <md:AssertionConsumerService> element for ordinary Web Browser SSO Profile is marked as default.
    
-
    <md:AssertionConsumerService index="0" isDefault="true"
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-  Location="https://sp.example.org/path1" />
-
-<md:AssertionConsumerService index="1" isDefault="false"   
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"   
-  xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" 
-  hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
-  Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" 
-  Location="https://sp.example.org/path2" />
    Example of a Service Provider's declared AssertionConsumerService elements; one for receiving assertions according the Web Browser SSO Profile and one for receiving assertions according to the Holder-of-key Web Browser SSO Profile.
    
-
    
-
    2.1.3. Identity Providers
    
-
    The <mdattr:EntityAttributes> element of an Identity Provider’s
-entity descriptor SHOULD contain one entity category attribute
-[EntCat] that holds at least
-one attribute value representing a service entity category as defined in
-[EidEntCat], defining the Identity Provider ability to deliver
-assertions (defining the level of assurance and attribute release).
    
-
    If an Identity Provider has the ability to release attributes, other than those
-implicitly given by the declared service entity categories, it is RECOMMENDED that 
-those attributes are declared as <saml:Attribute> elements under the 
-<md:IDPSSODescriptor> element. 
    
-
    The <mdattr:EntityAttributes> element of an Identity Provider’s
-metadata SHALL contain an attribute according to
-[SAML2IAP] with its Name attribute set to 
-urn:oasis:names:tc:SAML:attribute:assurance-certification
-and holding at least one attribute value identifying a Level of Assurance
-(LoA) for which the Identity Provider has been approved. 
-The Swedish eID Framework defines such identifier values in section 3.1.1 of
-[EidRegistry] and their meanings are defined in [EidTillit].
    
-
    <md:Extensions>
-  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
-    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
-                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-      <saml:AttributeValue xsi:type="xsd:string">http://id.elegnamnden.se/loa/1.0/loa3</saml:AttributeValue>
-    </saml:Attribute>
-    ...
-  </mdattr:EntityAttributes>
-</md:Extensions>
    Example of how an Identity Provider advertises that the service delivers authentication according to
-the http://id.elegnamnden.se/loa/1.0/loa3 level of assurance.
    
-
    An Identity Provider MAY require authentication request messages to be
-signed. This is indicated by assigning the
-WantAuthnRequestsSigned attribute of the <md:IDPSSPDescriptor>
-element to a value of true. See further section E7, “Metadata for
-Agreeing to Sign Authentication Requests”, of [SAML v2.0 Errata
-05].
    
-
    Identity Providers SHALL advertise support for the SAP protocol according to [SigSAP], by including the service property entity category URI
-http://id.elegnamnden.se/sprop/1.0/scal2 in its metadata. An Identity Provider that does not advertise support for SAP MAY ignore requests for SAD.
    
-
    <md:Extensions>
-  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
-    <saml:Attribute Name="http://macedir.org/entity-category" 
-                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-      <saml:AttributeValue xsi:type="xs:string">http://id.elegnamnden.se/sprop/1.0/scal2</saml:AttributeValue>
-    </saml:Attribute>
-    ...
-  </mdattr:EntityAttributes>
-</md:Extensions>
    Example of how an Identity Provider advertises its support for SCAL2 authentication.
    
-
    An Identity Provider that wishes to receive the <psc:PrincipalSelection> extension in authentication requests SHOULD include the <psc:RequestedPrincipalSelection> extension extending the <md:IDPSSODescriptor> element. In this extension the Identity Provider declares which attribute value(s) it wants to receive in authentication requests from requestors using the <psc:PrincipalSelection> authentication request extension. See section 5.3.3 and [PrincipalSel].
    
-
    
-
    2.1.3.1. Declaring Authorized Scopes
    
-
    An Identity Provider that releases "scoped attributes", see section 3.1.3 of [EidAttributes],
-MUST be authorized to do so by the federation operator. Each authorized scope MUST be declared in the Identity Provider metadata entry using a <shibmd:Scope> element, see section 3.5.2, "Scope Filtering", in [SAML2SubjIdAttr]. The <shibmd:Scope> elements MUST appear within the <md:Extensions> element of the <md:IDPSSODescriptor>.
    
-
    <md:IDPSSODescriptor ...>
-  <md:Extensions>
-    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0>2021006883</shibmd:Scope>
-    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0>2021006255</shibmd:Scope>
-    <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0>example.com</shibmd:Scope>
-    ...
    Example of how an Identity Provider declares that it is authorized to deliver scoped attributes for three different scopes; two organizational numbers and one domain.
    
-
    
-
    2.1.3.2. Holder of Key Support
    
-
    An Identity Provider that supports the Holder-of-key Web Browser SSO Profile MUST declare <md:SingleSignOnService> elements* in its metadata according to section 2.8 of [SAML2HokProf].
    
-
    If the Identity Provider also supports authentication according the ordinary Web Browser SSO Profile <md:SingleSignOnService> elements* according to section 2.4.3 of [SAML2Meta] MUST also be included in the Identity Provider metadata.
    
-
    <md:SingleSignOnService
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-  Location="https://idp.example.org/path1" />
-
-<md:SingleSignOnService
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-  Location="https://idp.example.org/path2" />
-
-<md:SingleSignOnService
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-  xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-  hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
-  Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-  Location="https://idp.example.org/path2" />
-
-<md:SingleSignOnService
-  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-  xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-  hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
-  Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-  Location="https://idp.example.org/path2" />
    Example of an Identity Provider's declared SingleSignOnService elements; two for receiving requests according to the Web Browser SSO Profile and two for receiving requests according to the Holder-of-key Web Browser SSO Profile.
    
-
    
-
    [*]: This profile requires an Identity Provider to support both the POST and Redirect bindings, see section 5.2 below.
    
-
    
-
    
-
    2.1.4. Signature Service
    
-
    A Signature Service within the Swedish eID Framework is a Service
-Provider with specific requirements concerning its representation in
-metadata. 
    
-
    The <mdattr:EntityAttributes> element of a Signature Service SP
-entity descriptor SHALL include the service type entity category
-identifier http://id.elegnamnden.se/st/1.0/sigservice ([EidEntCat])
-as a value to the entity category attribute [EntCat].
    
-
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">`
-  <saml2:Attribute Name="http://macedir.org/entity-category"
-                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
-    <saml2:AttributeValue xsi:type="xs:string">http://id.elegnamnden.se/ec/1.0/loa3-pnr</saml2:AttributeValue>
-    <saml2:AttributeValue xsi:type="xs:string">http://id.elegnamnden.se/st/1.0/sigservice</saml2:AttributeValue>
-  </saml2:Attribute>
-</mdattr:EntityAttributes>
    Entity attributes for a Signature Service SP.
    
-
    A Signature Service MUST assign the AuthnRequestsSigned attribute of the
-<md:SPSSODescriptor> element to true. This requirement ensures
-that the Signature Service always signs its authentication requests in
-order for the request to be accepted by the Identity Provider. The
-federation operator will enforce that all Service Providers that operate
-as Signature Services have this attribute set.
    
-
    
-
    3. Name Identifiers
    
-
    Identity Providers and Service Providers MUST support both the
-urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and the
-urn:oasis:names:tc:SAML:2.0:nameid-format:transient name identifier
-formats as specified in [SAML2Core].
    
-
    Identity Providers SHALL default to use the
-urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier
-format in cases where a Service Provider has not specified the name
-identifier to use (via the <md:NameIDFormat> element of the
-Service Provider metadata entry, or via the Format attribute of the
-<saml2p:NameIDPolicy> element of the authentication request
-message).
    
-
    
-
    4. Attributes
    
-
    Attribute specifications for the Swedish eID Framework are defined in
-[EidAttributes].
    
-
    The content of <saml2:AttributeValue> elements exchanged via any
-SAML 2.0 messages or assertions SHOULD be limited to a single child text
-node.
    
-
    For requirements regarding attribute inclusion in SAML assertions, see
-section 6.2.1, “Attribute Release and Consuming Rules”, below.
    
-
    
-
    5. Authentication Requests
    
-
    This profile supports two different SSO profiles; the Web Browser SSO Profile, [SAML2Prof], and the Holder-of-key Web Browser Profile, [SAML2HokProf]. 
    
-
    The profile in use is determined by how an authentication process is initiated, meaning to which Identity Provider endpoint an <saml2p:AuthnRequest> message is sent, see 2.1.3.2.
    
-
    
-
    5.1. Discovery
    
-
    This profile does not impose any requirements of
-how the process of discovery is implemented by Service Providers wishing
-to display user interfaces for selection of Identity Providers for end
-users. However, Service Providers making use of a centralized
-discovery service as defined in [IdpDisco] MUST follow the requirements
-stated for discovery responses in 
-section 2.1.2, "Service Providers".
    
-
    
-
    5.2. Binding and Security Requirements
    
-
    The endpoints, at which an Identity Provider receives a
-<saml2p:AuthnRequest> message, and all subsequent exchanges with
-the user agent, MUST be protected by TLS. 
    
-
    If the Identity Provider supports the Holder-of-key Web Browser SSO Profile, the
-dedicated endpoints for this profile (see section 2.1.3.2)
-MUST be configured to require a 
-client X.509 certificate being presented as part of the TLS handshake (mTLS, mutual TLS), 
-see section 2.4 of [SAML2HokProf]. If the Identity Provider receives
-a request on a Holder-of-key endpoint and is unable to retrieve the client X.509
-certificate it MUST respond with an error, see section 2.6.4 of [SAML2HokProf].
    
-
    A Service Provider sending an <saml2p:AuthnRequest> message to an Identity Provider
-may do so using either the HTTP-Redirect or HTTP-POST binding [SAML2Bind]*,
-meaning that Identity Providers conformant with this profile MUST support the
-HTTP-Redirect and the HTTP-POST binding.
    
-
    An Identity Provider that requires <saml2p:AuthnRequest> messages
-to be signed MUST not accept messages that are not signed, or where the
-verification of the signature fails. In these cases the Identity
-Provider MUST respond with an error.
    
-
    An Identity Provider that itself does not require authentication
-messages to be signed MUST still accept and verify signed request
-messages from Service Providers that indicate, in their metadata, that
-they sign request messages (see 2.1.2 above). If this signature
-verification fails, the Identity Provider MUST return a SAML error
-response and MUST NOT fulfil the request.
    
-
    An Identity Provider that receives a request message that is not signed
-from a Service Provider that has indicated, in its metadata, that it
-will only send signed request messages (see 2.1.2 above) MUST respond
-with an error.
    
-
    The signature for authentication request messages is applied differently
-depending on the binding. The HTTP-Redirect binding requires the
-signature to be applied to the URL-encoded value rather than being
-placed within the XML-message (see section 3.4.4.1 of
-[SAML2Bind]).
-For the HTTP-POST binding the <saml2p:AuthnRequest> element MUST
-be signed using a <ds:Signature> element within the
-<saml2:AuthnRequest>.
    
-
    Before signing the authentication request, the Service Provider SHOULD consult the Identity Provider's metadata (<alg:SigningMethod> and <alg:DigestMethod> elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory signing and digest algorithms defined in the Swedish eID Framework during the signature operation.
    
-
    
-
    [*]: A Service Provider should be aware of web browser, or web server, size limitations
-of URL:s, and it is RECOMMENDED that a Service Provider use the HTTP-POST binding in cases where 
-the <saml2p:AuthnRequest> message becomes very large. This may be the case when a SignMessage
-extension containing much data is used, or when a complete certificate chain is attached to the signature 
-of the message.
    
-
    
-
    
-
    5.3. Message Content
    
-
    An <saml2p:AuthnRequest> message MUST NOT contain a Document Type Definition (DTD).
    
-
    The <saml2p:AuthnRequest> message SHOULD contain an
-AssertionConsumerServiceURL* attribute identifying the desired response
-location. The Service Provider MUST NOT use any other values for this
-attribute than those listed in its metadata record as
-<md:AssertionConsumerService> elements for the HTTP-POST binding
-(see section 4.1.6 of [SAML2Prof]), and URL
-canonicalization or normalization MUST NOT be required.
    
-
    The Destination attribute of the <saml2p:AuthnRequest> message
-MUST contain the URL to which the Service Provider has instructed the
-user agent to deliver the request. This is useful to prevent malicious
-forwarding of signed requests from being accepted by unintended Identity
-Providers.
    
-
    Identity Providers conformant with this profile MUST support the
-ForceAuthn and IsPassive attributes received in
-<saml2p:AuthnRequest> messages.
    
-
    Service Providers SHOULD include the ForceAuthn attribute in all
-<saml2p:AuthnRequest> messages and explicitly set its value to
-true or false, and not rely on its default value. The reason for this is
-to avoid accidental SSO.
    
-
    If the Service Provider has included more than one <md:AttributeConsumingService> element in its metadata it is RECOMMENDED that the <saml2p:AuthnRequest> message contains the AttributeConsumingServiceIndex attribute holding the index of the <md:AttributeConsumingService> element that the Identity Provider should consider during attribute release.
    
-
    
-
    [*]: The AssertionConsumerServiceURL attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute, meaning that a <saml2p:AuthnRequest> message MUST NOT contain both attributes. 
    
-
    
-
    
-
    5.3.1. Requested Authentication Context
    
-
    A Service Provider SHOULD explicitly specify a requested
-authentication context element (<saml2p:RequestedAuthnContext>),
-containing <saml2:AuthnContextClassRef> elements each holding
-a Level of Assurance authentication context URI (see section 3.1.1 of [EidRegistry]) 
-that the Service Provider considers acceptable for the authentication process.
    
-
    A present <saml2p:RequestedAuthnContext> element MUST specify
-exact matching by means of either an absent Comparison attribute or a
-Comparison attribute with the value set to exact. This means that the
-Identity Provider is forced to return an assertion with exactly one of
-the requested <saml2:AuthnContextClassRef> in the request as the
-declared <saml2:AuthnContext>, or return an error response. If the
-Service Provider requires the Identity Provider to return specifically
-one out of a selection of acceptable authentication context URIs, then
-all of these URIs MUST be included in the request.
    
-
    The requested authentication context SHOULD be consistent with at least
-one of the service entity categories [EidEntCat] declared in the
-Service Provider’s metadata entry. See further section 5.4.4 below.
    
-
    <saml2p:RequestedAuthnContext Comparison="exact">
-  <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
-</saml2p:RequestedAuthnContext>
    Example of how an Authentication Context URI identifier representing a
-requested Level of Assurance is included in an authentication request
-message.
    
-
    <saml2p:RequestedAuthnContext Comparison="exact">
-  <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
-  <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/eidas-nf-sub</saml2:AuthnContextClassRef>
-</saml2p:RequestedAuthnContext>
    Example of how several Authentication Context URIs are included in an
-authentication request message. In this case, the Service Provider
-states that it requests the authentication to be performed according to
-either the LoA3 URI defined within the Swedish eID Framework or the
-substantial level for notified eIDs defined within the eIDAS Framework.
    
-
    
-
    5.3.2. Scoping
    
-
    An Identity Provider that acts as a proxy for other Identity Providers SHOULD support the <saml2p:Scoping> element holding one, or more, entries signalling to the Proxy Identity Provider which Identity Provider(s) that may be used to authenticate the user. A Service Provider that sends authentication requests to a Proxy
-IdP MAY include the <saml2p:Scoping> element. See section 3.4.1.5 of [SAML2Core].
    
-
    <saml2p:Scoping>
-  <saml2p:IDPList>
-    <saml2p:IDPEntry ProviderID="http://idp.example.com" />
-  </saml2p:IDPList>
-</saml2p:Scoping>
    Example of how an AuthnRequest contains a Scoping-element where the requester (Service Provider) signals to the Proxy IdP which Identity Provider that should perform the authentication of the user.
    
-
    The Swedish eIDAS Connector is a Proxy IdP that proxies requests to foreign eIDAS Proxy Services. Normally, the eIDAS connector presents a country selection dialogue to the user, prompting for the country where the user should be directed to for authentication. However, a Service Provider MAY include an eIDAS Proxy Service alias URI for a specific country's Proxy Service under the <saml2p:Scoping> element of the <saml2p:AuthnRequest> in order to bypass the country selection dialogue. See section 3.1.9.1 of [EidRegistry].
    
-
    <saml2p:Scoping>
-  <saml2p:IDPList>
-    <saml2p:IDPEntry ProviderID="http://id.swedenconnect.se/eidas/1.0/proxy-service/no" />
-  </saml2p:IDPList>
-</saml2p:Scoping>
    Example of how an AuthnRequest sent to the eIDAS Connector requests that the eIDAS Connector should
-proxy the request to the Norwegian eIDAS Proxy Service for authentication.
    
-
    
-
    Note: A Service Provider may list more than one country in the <saml2p:IDPList> of a <saml2p:Scoping> element. The eIDAS Connector will then present a country selection dialogue containing only the listed countries.
    
-
    
-
    Note: Another method of bypassing the country selection dialogue is to include the c (urn:oid:2.5.4.6) 
-attribute with the country code for the requested country as its value in a <psc:PrincipalSelection>
-extension of the AuthnRequest message, see section 5.3.3 below.
    
-
    
-
    5.3.3. Principal Selection
    
-
    The specification "Principal Selection in SAML Authentication Requests", [PrincipalSel], defines the <psc:PrincipalSelection> extension that enables a requestor to inform the Identity Provider about known attributes for the principal that is about to be authenticated. 
    
-
    This may be relevant for Identity Provider services who prompt users for an identifier in order initiate an authentication process with the user's eID. In such cases, this extension can be used to avoid unnecessary prompting when the user's identity is known in advance to the service requesting authentication, such as when a previously authenticated user is requested to sign a document.
    
-
    An Identity Provider that wishes to receive the <psc:PrincipalSelection> extension SHOULD advertise this in its metadata according to section 2.1.3.
    
-
    A Service Provider that sends an authentication request  to an Identity Provider that has declared that it wishes to receive certain attribute values MAY include the <psc:PrincipalSelection> extension in the <saml2p:AuthnRequest> message, provided that the Service Provider has knowledge about this information.
    
-
    A Service Provider that is a Signature Service SHOULD include the extension for the case described above.
    
-
    
-
    5.4. Processing Requirements
    
-
    
-
    5.4.1. Validation of Destination
    
-
    An Identity Provider receiving a <saml2p:AuthnRequest> message
-MUST verify that the Destination attribute is present, and that it is
-consistent with URLs configured in the Identity Provider’s metadata.
    
-
    
-
    5.4.2. Validation of Assertion Consumer Addresses
    
-
    If the AssertionConsumerServiceURL attribute is present in the
-<saml2p:AuthnRequest> message, its value MUST be verified to be
-consistent with one of the <md:AssertionConsumerService> elements
-having the HTTP-POST binding* found in the Service Provider’s metadata
-entry and matching the SSO profile** in use 
-(see section 2.1.2.1). If this is not the case, 
-the request must be rejected.
    
-
    If the AssertionConsumerServiceIndex attribute is present in the
-<saml2p:AuthnRequest> message, a <md:AssertionConsumerService> matching this
-index MUST be present in the Service Provider’s metadata. This
-<md:AssertionConsumerService> element MUST also match the binding and SSO
-profile in use as defined above. If this is not the case, 
-the request must be rejected.
    
-
    
-
    This means that an Identity Provider that services an authentication request
-received on an SingleSignOnService endpoint dedicated for the Holder-of-key
-Web Browser Profile MUST NOT allow an <md:AssertionConsumerService> element
-that is not intended for the Holder-of-key profile, see section 2.8 of 
-[SAML2HokProf].
    
-
    
-
    If the attribute is not present in the <saml2p:AuthnRequest>
-message, the Identity Provider MUST obtain the desired response location
-from the Service Provider’s metadata entry.  This location is determined by first 
-finding all the <md:AssertionConsumerService> 
-elements that matches the SSO profile** in use (see 
-section 2.1.2.1) and the binding* (HTTP-POST), 
-and then selecting the element that is marked as default (has the isDefault attribute set), 
-or if no matching element is marked as default, the one with the lowest index value (see 
-section 2.4.4.1 of [SAML2Meta] and section 2.8 of 
-[SAML2HokProf]). If no matching <md:AssertionConsumerService>
-element is found the request must be rejected.
    
-
    
-
    [*]: For Holder-of-key <md:AssertionConsumerService> elements the actual binding
-is given by the hoksso:ProtocolBinding attribute, see section 2.8 of [SAML2HokProf].
    
-
    [**]: The Web Browser SSO Profile or the Holder-of-key Web Browser SSO Profile are possible profiles.
    
-
    
-
    
-
    5.4.3. Identity Provider User Interface
    
-
    An Identity Provider presenting information related to a Service Provider
-in its user interface during processing of an <saml2p:AuthnRequest> message
-MUST obtain this information from the
-<mdui:UIInfo> element of the Service Provider’s metadata entry.
-Implementers of this profile MUST be capable of handling display
-information stored in the <mdui:DisplayName>, <mdui:Logo>
-and the <mdui:Description> elements.
    
-
    An Identity Provider displaying logotypes found in a Service Provider's
-metadata MUST be able to handle embedded in-line images, as well as
-vector-based images where the height and width given in metadata should
-be interpreted as image dimensions and not the actual size.
    
-
    
-
    5.4.4. Authentication Context and Level of Assurance Handling
    
-
    This framework defines a number of authentication context identifiers
-(URI), where each such identifier specifies a defined Level of Assertion
-and may define specific requirements on the authentication process.
-There can be multiple authentication context URIs representing the same
-Level of Assertion, but one authentication context URI always identifies
-one defined Level of Assurance. 
    
-
    Identity Providers SHALL exclusively use one of the requested
-authentication contexts in <saml2p:AuthnRequest> in the
-<saml2:AuthnContextClassRef> element under the
-<saml2p:RequestedAuthnContext> element, when present, to determine
-the requested authentication process and Level of Assurance. The
-Identity Provider SHALL respond with an error <saml2p:StatusCode>
-with the value urn:oasis:names:tc:SAML:2.0:status:Requester
-[SAML2Core]
-if no requested authentication context is supported. If no requested
-authentication context is present in the <saml2p:AuthnRequest>,
-the Identity Provider MAY return the result of a default authentication
-process that is consistent with the Identity Providers metadata.
    
-
    Note: The Identity Provider does not have to consider the service
-entity categories ([EidEntCat]) declared in the Service Provider’s
-metadata entry when determining the requested authentication context
-under which the authentication should be performed. The purpose of the
-service entity categories is primarily to support service matching in
-discovery services and attribute release policies in Identity Providers.
-Significant Identity Provider products and software are not equipped to
-use service entity category information to determine the requested
-authentication context.
    
-
    
-
    5.4.5. Single Sign On Processing
    
-
    An Identity Provider conformant to this profile MAY issue an assertion
-relying on a previously established security context (active session)
-instead of authenticating the user. However, the Identity Provider MUST
-NOT re-use an already existing security context in the following cases:
    
-
      
-
    • When the security context has expired, i.e., the time elapsed since
-the security context was established is too long given the
-SSO-policy stipulated by the federation or Identity Provider itself.
      
-
      • 
-
    • When the <saml2p:AuthnRequest> contains a ForceAuthn attribute
-with the value of true.
      
-
      • 
-
    • If the original authentication process, which led to the
-establishment of the security context, was performed using another
-Level of Assurance that what is requested in the current
-<saml2p:AuthnRequest> message.
      
-
      • 
-
    • If the original authentication was performed according to the Holder-of-key
-Web Browser SSO Profile, [SAML2HokProf], and
-no certificate, or a certificate not matching the certificate included
-in the <saml2:SubjectConfirmation> element of the original assertion, 
-is presented in along with the current <saml2p:AuthnRequest> message. 
      
-
      • 
-
    • If the original authentication was performed according to the Web Browser SSO
-Profile, [SAML2Prof] and the current request is made 
-according to the Holder-of-key Web Browser SSO Profile, 
-[SAML2HokProf].
      
-
      • 
-
    
-
    If the Identity Provider user interface contains some sort of user
-consent, or information, concerning which attributes, or any other
-information, that is included in an assertion being issued, the Identity
-Provider SHOULD preserve this functionality if a
-<saml2p:AuthnRequest> message requesting a different set of
-attributes (or any other information) compared to what was delivered in
-the assertion at the time of establishing the security context. The
-Identity Provider may require re-authentication or display a user
-interface for consent/information in these cases.
    
-
    
-
    6. Authentication Responses
    
-
    
-
    6.1. Security Requirements
    
-
    The endpoint(s) at which a Service Provider receives a
-<saml2p:Response> message MUST be protected by TLS.
    
-
    If a Service Provider wants to make use of the Holder-of-key Web Browser SSO Profile
-it needs to provide a dedicated endpoint for this purpose, see section 2.1.2.1. This endpoint MUST be configured to require a client X.509 certificate
-being presented as part of the TLS handshake (mTLS, mutual TLS), see section 2.4 of 
-[SAML2HokProf]. If the Service Provider receives a <saml2p:Response>
-on a Holder-of-key endpoint and is unable to retrieve the client X.509 certificate it MUST 
-reject the message and not create a security context for the principal, see section 2.6.6 of [SAML2HokProf].
    
-
    The <saml2p:Response> message issued by the Identity Provider MUST
-be signed using a <ds:Signature> element within the
-<saml2p:Response> element.
    
-
    The <saml2:Assertion> element issued by the Identity Provider MAY
-be signed using a <ds:Signature> element within the
-<saml2:Assertion>. If a Service Provider requires signed
-assertions, by assigning the WantAssertionsSigned attribute of its
-metadata record (see chapter 2.1.2), the Identity Provider MUST sign
-assertions issued to this Service Provider (as well as the response
-message as stated above).
    
-
    Identity Providers SHALL utilize XML Encryption and return a
-<saml2:EncryptedAssertion> element in the <saml2p:Response>
-message. The elements <saml2:EncryptedID> and
-<saml2:EncryptedAttribute> MUST NOT be used; instead the entire
-assertion MUST be encrypted.
    
-
    Before performing encryption and signing, the Identity Provider SHOULD consult the Service Provider's metadata (<md:EncryptionMethod>, <alg:SigningMethod> and <alg:DigestMethod> elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Service Provider prefers. If the intersection is empty, or if the Service Provider has not declared any algorithms, the Identity Provider MUST use algorithms listed as mandatory by the Swedish eID Framework. For encryption, the chosen algorithm MUST also be compatible with the Service Provider's encryption key 
-declared in metadata.
    
-
    Service Providers SHOULD NOT accept unsolicited <saml2p:Response>
-messages (i.e., responses that are not the result of an earlier
-<saml2p:AuthnRequest> message). Service Providers that do accept
-unsolicited response messages MUST ensure, by other means, that the
-security and processing requirements of this profile (section 6.3) can be fully satisfied.
    
-
    
-
    6.2. Message Content
    
-
    The <saml2:Response> message MUST NOT contain a Document Type Definition (DTD).
    
-
    Successful response messages MUST contain exactly one <saml2:AuthnStatement> element
-and exactly one <saml2:AttributeStatement> element.
    
-
    The <saml2:Response> message MUST contain an <saml2:Issuer>
-element containing the unique identifier (entityID) of the issuing
-Identity Provider.
    
-
    The AuthnInstant attribute of the <saml2:AuthnStatement> element
-MUST be assigned the time when the actual authentication took place.
-This time may differ from the IssueInstant attribute of the assertion
-itself, which holds the time when the assertion was issued. This is
-especially important in cases of re-use of already established security
-contexts at the Identity Provider side (Single Sign On).
    
-
    Each identity assertion MUST have a <saml:Subject> element that
-specifies the principal that is the subject of all of the statements in
-the assertion.
    
-
    The value of the <saml:NameID> element under the
-<saml:Subject> element MUST hold a pseudonym identifier of the
-subject, which SHALL be:
    
-
      
-
    • Unique for the IdP – SP combination being the issuer and recipient
-for the assertion.
      
-
      • 
-
    • Constructed in a manner that does not reveal the registered identity
-of the subject.
      
-
      • 
-
    
-
    The <saml2:Subject> element MUST contain one
-<saml2:SubjectConfirmation> element containing a Method attribute having the value
-of urn:oasis:names:tc:SAML:2.0:cm:bearer if the Web Browser SSO Profile was used,
-and urn:oasis:names:tc:SAML:2.0:cm:holder-of-key if the Holder-of-key Web Browser 
-SSO Profile was used. This element MUST contain a <saml2:SubjectConfirmationData> 
-element that contains at least the following:
    
-
      
-
    • An InResponseTo attribute matching the request’s ID.
      
-
      • 
-
    • A Recipient attribute containing the Service Provider’s assertion
-consumer service URL (see sections 5.3 and 
-5.4.1).
      
-
      • 
-
    • A NotOnOrAfter attribute containing a time instant at which the
-subject no longer can be confirmed.
      
-
      • 
-
    • An Address attribute containing the network address from which an attesting entity
-(user) can present the assertion.
      
-
      • 
-
    • If the Holder-of-key Web Browser SSO Profile was used to authenticate the
-principal a <ds:KeyInfo> element identifying the X.509 certificate presented
-to the Identity Provider. See section 6.2.2 below.
      
-
      • 
-
    
-
    The assertion MUST contain a <saml2:Conditions> element containing
-the following attributes and elements:
    
-
      
-
    • A <saml2:AudienceRestriction> element including the requesting
-Service Provider’s unique identifier (entityID) as an
-<saml2:Audience> value.
      
-
      • 
-
    • A NotBefore attribute specifying the earliest time instant at which
-the assertion is valid.
      
-
      • 
-
    • A NotOnOrAfter attribute specifying the time instant when the
-assertion expires.
      
-
      • 
-
    
-
    An Identity Provider conformant to this profile MUST, in its issued
-assertions, include an authentication context URI indicating under which
-Level of Assurance the assertion was issued. This identifier MUST be
-placed under the <saml2:AuthnStatement> element as the value of an
-<saml2:AuthnContextClassRef> element that is part of the
-<saml2:AuthnContext> element.
    
-
    <saml2:AuthnStatement AuthnInstant="2013-03-15T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
-  <saml2:AuthnContext>
-    <saml2:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
-    ...
-  </saml2:AuthnContext>
-</saml2:AuthnStatement>
    Example of how an Authentication Context URI identifier representing a
-Level of Assurance is included in an authentication statement.
    
-
    An Identity Provider that acts as a proxy for other Identity Providers SHOULD include the <saml2:AuthenticatingAuthority> element under the <saml2:AuthnContext> element. This element will contain the entityID of the Identity Provider that authenticated the principal.
    
-
    <saml2:AuthnStatement AuthnInstant="2013-03-15T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
-  <saml2:AuthnContext>
-    ...
-    <saml2:AuthenticatingAuthority>http://idp.example.com/auth</saml2:AuthenticatingAuthority>
-  </saml2:AuthnContext>
-</saml2:AuthnStatement>
    Example of how the entityID of an Identity Provider that provided the authentication for the principal is included in an authentication statement.
    
-
    
-
    6.2.1. Attribute Release and Consuming Rules
    
-
    An Identity Provider determines which attributes to include in the
-<saml2:AttributeStatement> element of an assertion based on the
-Service Provider requirements and its agreements with the user being
-authenticated. Service Provider attribute preferences and requirements
-are specified by the service entity categories [EidEntCat] and
-requested attributes in the <md:AttributeConsumingService> element
-declared in the Service Provider metadata. A service entity category
-specifies the attribute set (as defined in [EidAttributes]) that is
-requested for the attribute release process.
    
-
    An Identity Provider declares service entity categories in order to
-publish its ability to deliver attributes according to certain attribute
-sets. For all declared service entity categories, the Identity Provider
-MUST possess the ability to deliver the mandatory attributes of the
-underlying attribute set. See [EidEntCat] and [EidAttributes] for details.
    
-
    An Identity Provider releasing scoped attributes, see section 3.1.3 of [EidAttributes], MUST be authorized to release attributes with given scopes by the federation operator. An Identity Provider's authorized scopes are published in its metadata according to section 2.1.3.1, "Declaring Authorized Scopes". 
    
-
    Consequently, a Service Provider consuming a scoped attribute SHOULD verify that the issuing Identity Provider has been authorized to release attributes for the given scope by asserting its presence in the Identity Provider's metadata, see section 2.1.3.1 and section 3.5.2 of [SAML2SubjIdAttr]. A scoped attribute that fails this check MUST NOT be accepted by the Service Provider.
    
-
    The Service Provider is responsible for checking that an Identity
-Provider is capable of providing necessary attributes before sending a
-request and to verify that it received all attributes necessary for
-providing a requested service. Checks whether an Identity Provider is
-capable of fulfilling the needs of a Service Provider can be done either
-by relying on a discovery process to filter out non-conformant Identity
-Providers, and/or by examining the metadata of Identity providers. 
    
-
    An Identity Provider receiving a request for more attributes than it can
-provide SHOULD return an assertion with the attributes it can provide
-according to its defined attribute release policy if the user has been successfully 
-authenticated, leaving it up to the Service Provider to decide how to proceed, 
-e.g., by denying service to the authenticated user, provide limited services or to use other
-resources to collect necessary attributes. However, if a Service Provider
-has expressed a specific attribute requirement using the <md:RequestedAttribute>
-element of a matching <md:AttributeConsumingService> element in its metadata
-and assigned the isRequired-attribute to true, and the Identity Provider knows that it will not be able to provide this attribute, then the Identity Provider SHOULD reject any request for authentication from that Service Provider and respond with an error.
    
-
    For privacy reasons, an Identity Provider SHOULD NOT release identity attributes* that are not requested by the Service Provider via its metadata declarations
- (service entity categories or <md:RequestedAttribute> elements).
    
-
    
-
    [*]: This requirement does not apply to attributes that are not "identity" attributes, for example transaction identifiers or any other attribute that does not directly belong to a user's identity.
    
-
    
-
    
-
    6.2.2. Message Content Requirements for Holder-of-key
    
-
    When the Holder-of-key Web Browser SSO Profile has been used during the authentication
-of the user, information about the X.509 certificate presented by the user MUST be 
-included in a <ds:KeyInfo> element placed in the <saml2:SubjectConfirmationData> element. Section 2.4 of [SAML2HokAP] defines the requirements for this.
    
-
    This profile adds the following requirements to what is specified in [SAML2HokAP]:
    
-
    The user X.509 certificate SHOULD be represented using a <ds:X509Certificate> element
-in all cases, except for the cases when this certificate contains identity information 
-about the subject that is not represented as SAML attributes in the 
-<saml2:AttributeStatement> element.
-The reason for this is to ensure the privacy of the user and not release identity information that is not requested by the Service Provider (see section 6.2.1 above).
    
-
    In these cases the <ds:X509Certificate> MUST NOT be used, and the Identity Provider 
-SHOULD include a <ds:KeyValue> representing the public key of the user certificate.
    
-
    
-
    6.3. Processing Requirements
    
-
    This profile mandates a correct processing of a <saml2p:Response>
-message in order to ensure proper protection from the security threats
-described in [SAML2Sec].
-Processing requirements are listed in [SAML2Core],
-[SAML2Prof] and [SAML2Sec].
-This document will list the necessary requirements that apply to this
-profile.
    
-
    After the Service Provider has encrypted the assertion from the received
-response message the following requirements apply. Any verification that
-fails MUST lead to that the Service Provider rejects the response
-message and does not use the assertion.
    
-
    Some of the processing requirements below are defined in order to
-protect from MITM- or MITB-attacks* were unsigned authentication
-requests may be changed before being sent to the Identity Provider.
-However, a Service Provider MUST implement all of the specified
-processing requirements even if it sends signed authentication request
-messages.
    
-
    
-
    [*]: MITM stands for ”man in the middle” and MITB stands for ”man in the browser”.
    
-
    
-
    
-
    6.3.1. Signature Validation
    
-
    The signature present on the <saml2p:Response> message, and
-optionally on the <saml2:Assertion>, MUST be successfully
-verified.
    
-
    The public key being used to verify the signature MUST appear in the
-issuing Identity Provider’s metadata record (as a
-<ds:X509Certificate> under the <ds:KeyInfo> element).
    
-
    
-
    6.3.2. Subject Confirmation
    
-
    Based on the InResponseTo attribute of the
-<saml2:SubjectConfirmationData> the Service Provider MUST be able
-to obtain the corresponding <saml2p:AuthnRequest> message, or a
-secure context containing corresponding information from the request
-(for future processing of the assertion).
    
-
    The Recipient attribute from the <saml2:SubjectConfirmationData> element 
-MUST match the location to which the <saml2p:Response> message was delivered 
-and match the value the AssertionConsumerServiceURL attribute included in the
-request message, or if this attribute was not provided in the request
-message, the default response location specified in the Service
-Provider’s metadata entry, as described in section 5.4.2.
    
-
    The time from the NotOnOrAfter attribute from the
-<saml2:SubjectConfirmationData> MUST NOT have passed compared with
-the time instant at which the subject is confirmed (i.e., when the
-assertion is validated). A reasonable allowable clock skew between the
-providers should be taken in account.
    
-
    If the Address attribute is assigned to the
-<saml2:SubjectConfirmationData> element, the Service Provider MAY
-choose to check the user agent’s client address against it. Practical
-issues regarding the Service Provider’s network setup and the risk of
-introducing false negatives makes this an optional step in the
-validation phase.
    
-
    If the <saml2:SubjectConfirmation> element has a Method set to
-urn:oasis:names:tc:SAML:2.0:cm:holder-of-key its containing 
-<saml2:SubjectConfirmationData> element MUST be processed according to
-section 2.5 of [SAML2HokAP]. The Service Provider MUST also
-be able to verify the holder-of-key assertion if the <saml2:SubjectConfirmationData>
-element contains a <ds:KeyValue> element, see 6.2.2.
    
-
    
-
    6.3.3. Conditions
    
-
    The Service Provider MUST assert that the value of the
-<saml2:Audience> element under the
-<saml2:AudienceRestriction> element matches the unique entityID of
-the Service Provider.
    
-
    The Service Provider MUST verify that the time instant at which the
-assertion is validated is within the range given by the NotBefore and
-NotOnOrAfter attributes of the <saml2:Conditions> element
-(allowing for a reasonable clock skew). See also the processing of the
-NotOnOrAfter attribute in section 6.3.2.
    
-
    
-
    6.3.4. The Authentication Statement
    
-
    The Service Provider MUST assert that the <saml2:AuthnStatement>
-contains a <saml2:AuthnContext> element that holds a
-<saml2:AuthnContextClassRef> element having as its value the
-authentication context URI indicating under which Level of Assurance the
-authentication was performed. If the Service Provider declared one, or more, 
-<saml2:AuthnContextClassRef> elements under the <saml2p:RequestedAuthnContext>
-element of the authentication request (see section 5.4), 
-the received authentication context URI MUST match one of the declared 
-authentication context URI:s from the request. If not, the Service Provider 
-MUST reject the assertion*.
    
-
    
-
    [*]: If the Service Provider does not declare an authentication context URI
-in the authentication request it should be prepared to receive any of the
-authentication context URI:s declared by the Identity Provider in its metadata
-record (see section 2.1.3).
    
-
    
-
    
-
    6.3.5. General Security Validation
    
-
    In order to protect itself from replay attacks, the Service Provider
-MUST ensure that the same assertion is not processed more than once
-within the time it is valid (with respect to the NotOnOrAfter attribute
-of the <saml2:Conditions> element).
    
-
    In order to prevent stolen assertions and user impersonation, the
-Service Provider SHOULD implement a validation that rejects an assertion
-if the time given it its IssueInstant attribute compared to the time
-when the response message is received is too great. This time is
-typically on the order of seconds, and limits the time window when a
-stolen assertion could be used.
    
-
    If the Service Provider included the attribute ForceAuthn with a value
-of true in the authentication request, the Service Provider SHOULD
-ensure that the AuthnInstant attribute of the
-<saml2:AuthnStatement> element is greater than the time when the
-request was sent (allowing for a reasonable clock skew).
    
-
    A reasonable clock skew according to this profile is between 3 and 5 minutes in either direction.
    
-
    
-
    6.4. Error Responses
    
-
    If the Identity Provider returns an error, it MUST NOT include any
-assertions in the <saml2p:Response> message.
    
-
    An Identity Provider conformant with this profile SHOULD NOT make use of
-any other <saml2p:StatusCode> values than those specified in
-section 3.2.2.2 of
-[SAML2Core] or in section 3.1.4 of [EidRegistry]. 
-The top-level <saml2p:StatusCode> value may only be one of the following error
-identifiers:
    
-
      
-
    • urn:oasis:names:tc:SAML:2.0:status:Requester – The request could not
-be performed due to an error on the part of the Service Provider.
      
-
      • 
-
    • urn:oasis:names:tc:SAML:2.0:status:Responder – The request could not
-be performed due to an error on the part of the Identity Provider.
      
-
      • 
-
    • urn:oasis:names:tc:SAML:2.0:status:VersionMismatch – The Identity
-Provider could not process the request because the version of the
-request message was incorrect.
      
-
      • 
-
    
-
    If the user cancels an authentication process the Identity Provider
-SHOULD indicate this by assigning the second-level status code to
-http://id.elegnamnden.se/status/1.0/cancel.
    
-
    If an Identity Provider displays information describing an error in its
-user interface it MUST also offer ways for the end user to confirm this
-information (for example, by including an OK-button). When the end user
-acknowledges taking part of the information (i.e., clicks on the OK-button),
-the <saml2p:Response> message is posted back to the Service
-Provider according to the HTTP POST binding [SAML2Bind].
    
-
    If an Identity Provider detects suspicious fraudulent behaviour or if any of its security checks alerts a (possible) fraud, the Identity Provider MUST NOT issue an assertion but instead display an error message. After the end user confirms this error message, the error message posted back to the Service Provider SHOULD contain a second-level status code set to http://id.elegnamnden.se/status/1.0/fraud or http://id.elegnamnden.se/status/1.0/possibleFraud (depending on whether the Identity Provider aborted the authentication due to a determined or suspected fraud).
    
-
    
-
    7. Authentication for Signature
    
-
    “DSS Extension for Federated Central Signing Services”, [EidDSS],
-defines an extension to the OASIS DSS protocol for providing centralized
-Signature Services within the Swedish eID Framework. This specification
-defines the communication between a Signature Requestor* and a
-Signature Service, but does not cover SAML specific requirements
-regarding the user authentication phase that is part of the signature
-process.
    
-
    This section defines requirements on the SAML authentication process
-when authentication is requested by a Signature Service, acting as a
-SAML Service Provider. All requirements regarding user authentication
-specified earlier in this profile are still valid. This section extends
-these requirements for the “authentication for signature” process.
    
-
    
-
    [*]: A Signature Requestor is a Service Provider within the federation to which the user previously has logged in to and from where the user initiates a signature operation.
    
-
    
-
    
-
    7.1. Authentication Requests
    
-
    Authentication requests from a Signature Service SHALL meet the
-following requirements:
    
-
      
-
    • The ForceAuthn attribute of the <saml2p:AuthnRequest> element
-MUST be set to true.
      
-
      • 
-
    • The <saml2p:AuthnRequest> element MUST be signed. This MUST
-also be indicated in the Signature Service metadata record using the
-AuthnRequestsSigned attribute (see section 2.1.4).
      
-
      • 
-
    
-
    If the receiving Identity Provider has declared that it wishes to receive principal selection information about the signer (see section 5.3.3), and the Signature Service has received any of the requested attribute values in the Signer element of the SignRequest ([EidDSS]), the Signature Service SHOULD include those attribute values in a <psc:PrincipalSelection> extension of the authentication request. 
    
-
    It is RECOMMENDED that the <saml2p:Scoping> element containing a <saml2p:RequesterID> element holding the entityID of the Service Requestor is included in <saml2p:AuthnRequest> messages generated by a Signature Service.
    
-
    <saml2p:Scoping>
-  <saml2p:RequesterID>http://www.origsp.com/sp</saml2:RequesterID>
-</saml2p:Scoping>
    Example when the <saml2p:RequesterID> element is used to inform the Identity Provider about which Service Provider that requested the signature associated with this request for authentication.
    
-
    
-
    The reason for this recommendation is that an Identity Provider may adapt user interfaces or authentication procedures to different Service Providers based on either static configuration or on information found in the Service Provider's metadata. It can therefore be useful for an Identity Provider to know which Service Provider that requested the signature (Signature Requestor) that caused a Signature Service to request authentication. The Identity Provider may use this information to maintain the same user experience and procedures regardless of whether authentication is requested directly by the Service Provider, or by a Signature Service as a result of a signature request from the same Service Provider.
    
-
    
-
    An Identity Provider that accepts an <saml2p:AuthnRequest> message
-from a Service Provider that has indicated that it is a Signature
-Service* MUST provide a user interface that is indicating that the
-end user is performing a signature.
    
-
    
-
    [*]: An Identity Provider identifies a Service Provider as a Signature Service if it declares the http://id.elegnamnden.se/st/1.0/sigservice URI as a service type entity category in its metadata (see 2.1.4).
    
-
    
-
    
-
    7.1.1. Requesting Display of Signature Message
    
-
    [EidDSS_Profile] specifies that a Signature Requestor may include a
-SignMessage element (as defined by [EidDSS]) in a signature request.
-This element holds a message that the Identity Provider, which is
-responsible for “authentication for signature”, should present to the
-user that is performing the signature.
    
-
    A Signature Service MAY request the Identity Provider to show a sign
-message to the user by including the SignMessage element from the
-signature request as a child element to an <saml2p:Extensions>
-element in the <saml2p:AuthnRequest> message (see section 3.2.1 of
-[SAML2Core]).
    
-
    All Identity Providers compliant with this profile MUST be able to parse and understand
-the SignMessage extension.
    
-
    If the Message-element of the SignMessage is to be encrypted, the Service Provider SHOULD consult the Identity Provider's metadata (<md:EncryptionMethod> elements) to determine the intersection of algorithms, key sizes and other parameters as defined by particular algorithms that it supports and that the Identity Provider prefers. If the intersection is empty, or if the Identity Provider has not declared any algorithms, the Service Provider MUST use one of the mandatory algorithms defined in the Swedish eID Framework during the encryption operation, which is compatible with the Identity Provider's encryption key declared in metadata.
    
-
    If an Identity Provider that has ways of determining the principal's identity before displaying
-a sign message receives a <psc:PrincipalSelection> extension in  the authentication request 
-it SHOULD ensure that the contents of the <psc:PrincipalSelection> extension matches the 
-principal identity. If there is a mismatch, the Identity Provider MUST NOT display the
-sign message, and if the request states that the sign message must be displayed, fail with
-an error response where the second-level status code is set to
-urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal ([SAML2Core]).
    
-
    
-
    Typical scenarios where the above requirement apply is for the Swedish eIDAS connector that first authenticates a principal and then displays the sign message, and for Identity Providers that prompt the user for its user identity as part of its authentication scheme. In those scenarios the Identity Providers must compare the principal identity with the contents of <psc:PrincipalSelection>, if received in the authentication request. 
    
-
    
-
    Identity Providers processing a request containing a SignMessage extension SHALL meet
-the following requirements (in addition to other general requirements associated with requests 
-from signature services):
    
-
      
-
    • If the MustShow attribute of the SignMessage extension is set, the Identity Provider
-MUST fail with an error response if the message, for some reason, can not be displayed 
-to the user.
      
-
      • 
-
    • The Identity Provider MUST display the sign message to the user in a manner that is consistent 
-with the data format of the sign message. If necessary, the Identity Provider MUST process 
-defined filtering rules on the message. If the present message format is not supported or the 
-sign message for any reason cannot be displayed in a proper manner, the Identity Provider must
-return an error response.
      
-
      • 
-
    • If authentication and sign message confirmation by the user was successful, the Identity Provider 
-MUST include the signMessageDigest attribute (see section 3.2.4 of [EidAttributes]) 
-in the assertion that is issued.
      
-
      • 
-
    • The Identity Provider MUST NOT return an assertion without performing an authentication process 
-consistent with the requested authentication context which includes display of a sign message,
-even if the request has no present ForceAuthn attribute or includes a ForceAuthn attribute set 
-to the value false.  
      
-
      • 
-
    
-
    
-
    7.1.2. Requesting SCAL2 Signature Activation Data
    
-
    The type of signature requested in a signature request is, according to [EidDSS_Profile], specified by the CertType attribute of the <CertRequestProperties> element. When the value of this attribute is set to QC/SSCD, the requested signature is a Qualified Signature created in a Qualified Signature Creation Device (QSCD). To achieve this level of signature the Authentication Request MUST include a request for Signature Activation Data (SAD) for Sole Control Assurance Level 2 (SCAL2) in accordance with the "Signature Activation Protocol for Federated Signing" [SigSAP], and MUST include the SignMessage extension (as described above).
    
-
    As pointed out in section 2.1.3 an Identity Provider that supports processing of SAD requests and issuance of SAD-attributes SHALL advertise this by declaring the service property entity category http://id.elegnamnden.se/sprop/1.0/scal2 in its metadata. An Identity Provider that has declared this entity category MUST return a SAD attribute in an issued assertion if the corresponding <saml2p:AuthnRequest> message contains the <sap:SADRequest> extension.
    
-
    A SAD returned from the Identity Provider MUST have a signature which can be verified using a certificate from the Identity Provider's metadata entry. The signature algorithm used to sign the SAD MUST be equivalent to the algorithm used to sign the responses and assertions from the Identity Provider.
    
-
    Verification of a received SAD-attribute MUST follow the verification rules specified in section 3.2.3 of [SigSAP].
    
-
    
-
    7.2. Authentication Responses
    
-
    By including the signMessageDigest attribute (see section 3.2.4 of [EidAttributes]) 
-in the SAML assertion, the Identity Provider asserts that it has successfully displayed the sign message
-received in the request for the user and that the user has accepted to sign under the context of this sign message. This attribute MUST be included in the issued assertion if a sign message was displayed for, and accepted by, the user.
    
-
    
-
    8. Cryptographic Algorithms
    
-
    This section lists the requirements for crypto algorithm support for being compliant with this profile.
    
-
    For signature and encryption keys the following requirements apply:
    
-
      
-
    • RSA public keys MUST be at least 2048 bits in length. 3072 bits or more is RECOMMENDED.
      • 
-
    • EC public keys MUST be at least 256 bits in length (signature only).
        
-
      • The curves NIST Curve P-256, NIST Curve P-384 and NIST Curve P-521 MUST be supported ([RFC5480]).
        • 
-
      
-
      • 
-
    
-
    Services conforming to this profile MUST support the mandatory algorithms below, and SHOULD support the algorithms listed as optional.
    
-
    The sender of a secure message MUST NOT use an algorithm that is not listed as mandatory in the sections below, unless it is explicitly declared by the peer in its metadata (see [SAML2MetaAlgSupport]). 
    
-
    A service processing a message in which an algorithm not listed below has been used MUST refuse to accept the message and respond with an error, unless this algorithm has been declared as preferred or supported by the service in its metadata entry.
    
-
    
-
    This profile does not specify a complete list of blacklisted algorithms. However, there is a need to explicitly point out that the commonly used algorithms SHA-1 for digests and RSA PKCS#1 v1.5 for key transport are considered broken and SHOULD not be used or accepted.
    
-
    
-
    The algorithms below are defined in [XMLEnc], [XMLDSig] and [RFC4051].
    
-
    
-
    8.1. Digest Algorithms
    
-
    Mandatory:
    
-
      
-
    • SHA-256, http://www.w3.org/2001/04/xmlenc#sha256
      • 
-
    
-
    Optional:
    
-
      
-
    • SHA-384, http://www.w3.org/2001/04/xmldsig-more#sha384
      • 
-
    • SHA-512, http://www.w3.org/2001/04/xmlenc#sha512
      • 
-
    
-
    
-
    8.2. Signature Algorithms
    
-
    Mandatory:
    
-
      
-
    • RSA-SHA256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      • 
-
    • ECDSA-SHA256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
      • 
-
    
-
    Optional:
    
-
      
-
    • RSA-SHA384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
      • 
-
    • RSA-SHA512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
      • 
-
    • ECDSA-SHA384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
      • 
-
    • ECDSA-SHA512, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
      • 
-
    
-
    
-
    8.3. Block Encryption Algorithms
    
-
    Mandatory:
    
-
      
-
    • AES128-CBC, http://www.w3.org/2001/04/xmlenc#aes128-cbc
      • 
-
    • AES192-CBC, http://www.w3.org/2001/04/xmlenc#aes192-cbc
      • 
-
    • AES256-CBC, http://www.w3.org/2001/04/xmlenc#aes256-cbc
      • 
-
    
-
    Optional:
    
-
      
-
    • AES128-GCM, http://www.w3.org/2009/xmlenc11#aes128-gcm
      • 
-
    • AES192-GCM, http://www.w3.org/2009/xmlenc11#aes192-gcm
      • 
-
    • AES256-GCM, http://www.w3.org/2009/xmlenc11#aes256-gcm
      • 
-
    
-
    Note: The AES-CBC algorithm has been reported to have vulnerabilities, but these weaknesses can not be exploited when using signed SAML messages. Also, the support for AES-GCM in SAML software is not sufficiently spread at the time of writing. Therefore, the current version of this profile specifies AES-CBC as the default block encryption algorithm.
    
-
    Services supporting the AES-GCM algorithm SHOULD indicate this in its metadata.
    
-
    ...
-<md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="encryption">
-  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-    <ds:X509Data>
-      <ds:X509Certificate>MIIE+DC...SpWg==</ds:X509Certificate>
-    </ds:X509Data>
-  </ds:KeyInfo>
-  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
-  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
-  ...
-</md:KeyDescriptor>
    Example of how a service announces that it has support for AES-GCM and wishes peers to use these algorithms when encrypting for the service.
    
-
    
-
    8.4. Key Transport Algorithms
    
-
    Mandatory:
    
-
      
-
    • RSA-OAEP-MGF1P, http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
        
-
      • Key transport digest: SHA-1 (http://www.w3.org/2000/09/xmldsig#sha1)
        • 
-
      
-
      • 
-
    
-
    For interoperability reasons the current version of this profile specifies the RSA-OAEP-MGF1P algorithm as the default key transport algorithms. This algorithm's padding method defaults to the use of SHA-1 as a digest algorithm and also uses the "MGF1 with SHA-1" mask generation function*.
    
-
    Optional:
    
-
      
-
    • RSA-OAEP-MGF1P, http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
        
-
      • Key transport digest: Any of the digest methods listed as mandatory or optional in section 8.1.
        • 
-
      
-
      • 
-
    
-
    A service wishing to receive encrypted messages where SHA-1 is not used as the key transport digest SHOULD indicate this in its metadata using the <md:EncryptionMethod> element as the example below.
    
-
    ...
-<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
-  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-</md:EncryptionMethod>
-...
    Example of how a service announces that it wishes that the peer uses SHA-256 as the key transport digest when encrypting using RSA-OAEP-MGF1P.
    
-
    
-
    [*]: Note that the use if SHA-1 in this context (both as digest algoritm and as mask generation function) is limited to providing randomness of padding data and as a hash over optional OAEP parameter data which typically is an empty string. It is not used as a hash function to assert the integrity of the encrypted data. No weaknesses of SHA-1 is is known to be relevant to its use in this context.
    
-
    
-
    
-
    9. Normative References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[XMLEnc]
    
-
    
-
    D. Eastlake et al. XML Encryption Syntax and Processing. W3C Recommendation, April 2013.
    
-
    
-
    
-[XMLDSig]
    
-
    
-
    D. Eastlake et al. XML-Signature Syntax and Processing, Version 1.1. W3C Recommendation, April 2013.
    
-
    
-
    
-[SAML2Core]
    
-
    
-
    OASIS Standard, Assertions and Protocols for the OASIS Security
-Assertion Markup Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML v2.0 Errata 05]
    
-
    
-
    SAML Version 2.0 Errata 05. 01 May 2012. OASIS Approved
-Errata.
    
-
    
-
    
-[SAML2Bind]
    
-
    
-
    OASIS Standard, Bindings for the OASIS Security Assertion Markup
-Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2Prof]
    
-
    
-
    OASIS Standard, Profiles for the OASIS Security Assertion Markup
-Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2Meta]
    
-
    
-
    OASIS Standard, Metadata for the OASIS Security Assertion Markup
-Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2Sec]
    
-
    
-
    Security and Privacy Considerations for the OASIS Security Assertion
-Markup Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2IAP]
    
-
    
-
    SAML V2.0 Identity Assurance Profiles Version 1.0, 05 November
-2010.
    
-
    
-
    
-[SAML2MetaIOP]
    
-
    
-
    OASIS Standard, SAML V2.0 Metadata Interoperability Profile Version 1.0, October 2019.
    
-
    
-
    
-[SAML2MetaUI]
    
-
    
-
    OASIS Draft, SAML V2.0 Metadata Extensions for Login and Discovery
-User Interface Version 1.0, April 2012
    
-
    
-
    
-[SAML2MetaAttr]
    
-
    
-
    OASIS Committee Specification, SAML V2.0 Metadata Extension for
-Entity Attributes Version 1.0, August
-2009.
    
-
    
-
    
-[SAML2MetaAlgSupport]
    
-
    
-
    SAML v2.0 Metadata Profile for Algorithm Support Version 1.0, 21 February 2011.
    
-
    
-
    
-[EntCat]
    
-
    
-
    RFC8409 - The Entity Category Security Assertion Markup Language (SAML) Attribute Types.
    
-
    
-
    
-[IdpDisco]
    
-
    
-
    OASIS Committee Specification, Identity Provider Discovery Service
-Protocol and Profile, March
-2008.
    
-
    
-
    
-[SAML2SubjIdAttr]
    
-
    
-
    OASIS Committee Specification, SAML V2.0 Subject Identifier Attributes Profile Version 1.0, January 2019.
    
-
    
-
    
-[SAML2HokProf]
    
-
    
-
    OASIS Committee Specification, SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0, August 2010.
    
-
    
-
    
-[SAML2HokAP]
    
-
    
-
    OASIS Committee Specification, SAML V2.0 Holder-of-Key Assertion Profile Version 1.0, January 2010.
    
-
    
-
    
-[EidTillit]
    
-
    
-
    Tillitsramverket för Svensk e-legitimation.
    
-
    
-
    
-[EidRegistry]
    
-
    
-
    Swedish eID Framework - Registry for identifiers.
    
-
    
-
    
-[EidAttributes]
    
-
    
-
    Attribute Specification for the Swedish eID Framework.
    
-
    
-
    
-[EidEntCat]
    
-
    
-
    Entity Categories for the Swedish eID Framework.
    
-
    
-
    
-[EidDSS]
    
-
    
-
    DSS Extension for Federated Central Signing Services.
    
-
    
-
    
-[EidDSS_Profile]
    
-
    
-
    Implementation Profile for Using OASIS DSS in Central Signing Services.
    
-
    
-
    
-[SigSAP]
    
-
    
-
    Signature Activation Protocol for Federated Signing.
    
-
    
-
    
-[PrincipalSel]
    
-
    
-
    Principal Selection in SAML Authentication Requests.
    
-
    
-
    
-[RFC4051]
    
-
    
-
    IETF RFC 4051, Additional XML Security Uniform Resource Identifiers, April 2005.
    
-
    
-
    
-[RFC5480]
    
-
    
-
    IETF RFC 5480, Elliptic Curve Cryptography Subject Public Key Information, March 2009.
    
-
    
-
    
-
    10. Changes between versions
    
-
    Changes between version 1.7 and 1.8:
    
-
      
-
    • Section 7.1.2 was updated to state that the requirement to include both a SAD and a SignMessage extension only applies when the requested CertType is "QC/SSCD". Voluntary use of SAD for other types of signatures (e.g. non qualified signatures) does not automatically trigger a requirement to include SignMessage.
      • 
-
    
-
    Changes between version 1.6 and 1.7:
    
-
      
-
    • Sections 2.1.2 and 2.1.3 were updated with clarifications for how a Service Provider declares requested attributes and how an Identity Provider declares its ability to deliver attributes.
      
-
      • 
-
    • Section 6.2.1, "Attribute Release and Consuming Rules", was updated with a privacy requirement that tells that an Identity Provider must not release identity attributes not requested by the Service Provider.
      
-
      • 
-
    • Section 2.1.3.1, "Declaring Authorized Scopes", was introduced in order to define how an Identity Provider declares authorized scopes. Section 6.2.1, "Attribute Release and Consuming Rules", was updated with release and consumption rules for scoped attributes.
      
-
      • 
-
    • Support for the Holder-of-key Web Browser SSO Profile has been added.
      
-
      • 
-
    • Removed text in section 7, "Authentication for Signature", regarding the use of the deprecated sigmessage URI:s.
      
-
      • 
-
    
-
    Changes between version 1.5 and 1.6:
    
-
      
-
    • In order to facilitate algorithm interoperability between peers additions concerning "Metadata Profile for Algorithm Support" [SAML2MetaAlgSupport] was added. Section 2.1.1 was updated with a section defining how preferred algorithms are declared in metadata, and sections 5.2, 6.1 and 7.2.1 was updated with requirements for algorithm selection during signing and encryption.
      • 
-
    • Section 5.3, "Message Content", was re-structured with sub-chapters for requested authentication contexts, scoping and principal selection.
      • 
-
    • The PrincipalSelection and RequestedPrincipalSelection extensions were introduced to sections 2.1.3, 5.3.3 and 7.2.
      • 
-
    • The link for the "Tillitsramverk för Svensk e-legitimation" specification was updated.
      • 
-
    • This profile is no longer normatively dependent upon SAML2Int. Therefore, the profile has been updated with requirements that previously was implicit (due to the normative dependency to SAML2Int).
      • 
-
    • Section 8, "Cryptographic Algorithms", was introduced in order to clearly define the algorithm requirements for services that are conformant to this profile.
      • 
-
    • Section 2.1.1 was updated with elaborations concerning certificates in metadata.
      • 
-
    • Section 7.2.1 was updated with a requirement that ensures that a sign message is only displayed to the intended user.
      
-
      • 
-
    • Section 7, "Authentication for Signature", was updated where "Sign Message Authentication Context URI" were deprecated
-and the use of the signMessageDigest attribute was introduced.
      
-
      • 
-
    
-
    Changes between version 1.4 and 1.5:
    
-
      
-
    • Section 2.1.3 "Identity Providers", was extended to include requirements on metadata to signal support for the SAP (Signature Activation Protocol).
      • 
-
    • Section 7.2, "Authentication Requests", was extended to recommend the usage of the <saml2p:RequesterID> element within <saml2p:Scoping>. The reason for this recommendation is that Identity Providers may need information about the "Signature Requestor", i.e., the Service Provider that requested the signature that caused a Signature Service to request authentication.
      • 
-
    • Section 6.3.4, "The Authentication Statement", contained a requirement about how to process a received authentication context URI that was incorrect. This has been corrected.
      • 
-
    • A new section, 7.2.2, "Requesting SCAL2 Signature Activation Data", was added. This amendment describes how and when to request Signature Activation Data from an Identity Provider in order to enable a signature service to operate as a Qualified Signature Creation Device (QSCD).
      • 
-
    • Attribute release rules have been clarified in sections 2.1.2, "Service Providers" and 6.2.1, "Attribute Release Rules".
      • 
-
    • Section 2.1.2, "Service Providers", was updated to include a requirement for Service Providers communicating with a centralized discovery service.
      • 
-
    • Section 5.3, "Message Content", was updated to describe the use of <saml2p:IDPEntry> elements under the <samp2p:Scoping> elements for requests sent to Identity Providers acting as proxies for other Identity Providers.
      • 
-
    • The reference to [SAML2MetaUI] was updated to the latest official version: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.html.
      • 
-
    • The reference to [EntCat] was updated to the latest version. 
      • 
-
    
-
    Changes between version 1.3 and version 1.4:
    
-
      
-
    • Version 1.3 of this profile stated that a
-<saml2p:AuthnRequest> message MUST contain an
-AssertionConsumerServiceURL attribute identifying the desired
-response location. It has shown that this requirement aggravates
-interoperability since some of the major providers of Service
-Provider software do not fully support this attribute. Furthermore,
-the requirement does increase security since an Identity Provider
-may only post response messages to locations registered in the
-<md:AssertionConsumerService> elements of the Service Provider
-metadata entry. Therefore, chapter 5.3, “Message Content”, has been
-changed to state that the <saml2p:AuthnRequest> message SHOULD
-contain an AssertionConsumerServiceURL attribute. Changes have also
-been made to sections 5.4.2 and 6.3.2 where processing requirements
-were updated.
      
-
      • 
-
    • In section 5.3, a clarification regarding specifying more than one
-authentication context URI was made.
      
-
      • 
-
    • In section 7.1, a set of authentication context URIs for the eIDAS
-Framework was added.
      
-
      • 
-
    • In section 6.4, the requirement to use the sub-level status code
-http://id.elegnamnden.se/status/1.0/cancel was added. This status
-should be used to indicate a cancelled operation.
      
-
      • 
-
    • In section 6.4, the status codes http://id.elegnamnden.se/status/1.0/fraud and http://id.elegnamnden.se/status/1.0/possibleFraud were introduced. Their purpose is to alert (suspected) fraudulent behaviour.
      
-
      • 
-
    • The specification for “Discovery within the Swedish eID Framework”
-has been deprecated and requirements referring to this document have
-been updated.
      
-
      • 
-
    • A clarification to section 5.2 was made stating that conformant
-Identity Providers MUST support the HTTP-POST binding.
      
-
      • 
-
    • Section 6.2 was updated with requirements for proxy-IdP:s that are expected to include the <saml2:AuthenticatingAuthority> element holding the entityID of the Identity Provider that provided the authentication of the principal.
      
-
      • 
-
    
-
    Changes between version 1.2 and version 1.3:
    
-
      
-
    • This profile now extends a newer version of the SAML2Int Deployment
-Profile (see http://saml2int.org/profile/current/).
      
-
      • 
-
    • Clarifications on how entity categories are represented in metadata
-were made to chapters: 2.1.2, 2.1.3, and 2.1.4.
      
-
      • 
-
    • Changes were made to chapter 6.1, “Security Requirements”, where the
-profile now requires the entire <saml2p:Response> message to
-be signed, as compared to the previous version where the signature
-requirement was put on <saml2:Assertion> elements.
      
-
      • 
-
    • In chapter 6.2, it is now specified that an Address attribute MUST
-be part of the <saml2:SubjectConfirmationData> element. The
-previous version stated SHOULD.
      
-
      • 
-
    • Chapter 6.2.1, “Attribute Release Rules”, was introduced to clarify
-how the attribute release process should be handled by an issuing
-entity.
      
-
      • 
-
    • A Service Provider is now obliged to explicitly specify the required
-Level of Assurance under which a specific authentication should be
-performed. This is specified in chapter 5.3, “Message Content”, and
-5.4.4, “Authentication Context and Level of Assurance Handling”.
      
-
      • 
-
    • The specification “Authentication Context Classes for Levels of
-Assurance for the Swedish eID Framework” has been removed from the
-Swedish eID Framework. The reason for this is that it was proven
-difficult to make use of the <saml2:AuthnContextDecl> element
-to store authentication context parameters, and that no commercial,
-or open source, Identity Provider software had support for this
-feature. [EidAttributes] now describe how the authContextParams
-attribute may be used for the same purpose, and the examples where
-this information was stored under the <saml2:AuthnContextDecl>
-element was removed from chapter 6.2, “Message Content”.
      
-
      • 
-
    • Chapter 7, “Authentication for Signature”, was introduced to specify
-requirements regarding the process of “authentication for signature”
-where a Signature Service requests that a user performing a
-signature authenticates.
      
-
      • 
-
    
-
    Changes between version 1.1 and version 1.2:
    
-
      
-
    • This profile now explicitly defines requirements for the use of
-signed authentication request messages, see sections 2.1and 5.2.
      
-
      • 
-
    • This profile now allows the HTTP-POST binding to be used for sending
-authentication request messages (see chapter 5.2, “Binding and
-Security Requirements”). The main reason for this is to facilitate
-the use of signed authentication request messages.
      
-
      • 
-
    • In chapter 5.4, additional processing requirements for received
-authentication requests were added or changed. These include:
      
-
      • 
-
    • Validation of assertion consumer addresses (5.4.1).
      
-
      • 
-
    • Clarifications to chapter 5.4.4.
      
-
      • 
-
    • Single Sign On processing (5.4.5).
      
-
      • 
-
    • This profile now states that “Unsolicited response” messages are not
-accepted by Service Providers due to security reasons, see chapter
-6.1, “Security Requirements”.
      
-
      • 
-
    • Changes and additions in chapter 6.2, “Message Content”, for
-responses including:
      
-
      • 
-
    • Clarifications about the usage of the AuthnInstant attribute of the
-<saml2:AuthnStatement> element.
      
-
      • 
-
    • Specifications of the use of <saml2:SubjectConfirmation> in
-assertions.
      
-
      • 
-
    • Clarifications on the use of audience restrictions and assertion
-validity.
      
-
      • 
-
    • Chapter 6.3, “Processing Requirements”, was added. This chapter
-contains specifications and requirements of how a response message
-should be processed in order to maintain security.
      
-
      • 
-
    
-
    Changes between version 1.0 and version 1.1:
    
-
      
-
    • In chapter 5.1, “Discovery”, a reference to the specification
-“Discovery within the Swedish eID Framework” [Eid2Disco] was
-added.
      
-
      • 
-
    • In chapter 5.4.4, a note was added that informs about the need to
-ensure IdP-capabilities regarding level of assurance before issuing
-a request.
      
-
      • 
-
    • In chapter 6.2, “Message Content”, an example of how an Identity
-Provider may include an authentication context class declaration was
-provided.
      
-
      • 
-
    • Some faulty references were corrected.
      
-
      • 
-
    
-    
    
-  
-
diff --git a/docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html b/docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html
new file mode 120000
index 0000000..c34f5eb
--- /dev/null
+++ b/docs/updates/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html
@@ -0,0 +1 @@
+../december-2024/02_-_Deployment_Profile_for_the_Swedish_eID_Framework.html
\ No newline at end of file
diff --git a/docs/updates/03_-_Registry_for_Identifiers.html b/docs/updates/03_-_Registry_for_Identifiers.html
deleted file mode 100644
index ab370c4..0000000
--- a/docs/updates/03_-_Registry_for_Identifiers.html
+++ /dev/null
@@ -1,1214 +0,0 @@
-
-
-  
-    
-    
-    Swedish eID Framework - Registry for identifiers
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Swedish eID Framework - Registry for identifiers
    
-
    Version 1.8 - 2024-11-26 - Draft version
    
-
    Registration number: 2019-309
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Background
      
-
      2. 
-
    2. Structure
      
-
       2.1. URI Identifiers
      
-
       2.2. OID Identifiers
      
-
      3. 
-
    3. Assigned Identifiers
      
-
       3.1. URL Identifiers
      
-
       3.1.1. Authentication Context URIs
      
-
       3.1.1.1. Authentication Context URIs for Swedish Non-residents
      
-
       3.1.1.2. Authentication Context URIs for Uncertified Providers
      
-
       3.1.2. Attribute Sets
      
-
       3.1.3. Entity Category Identifiers
      
-
       3.1.3.1. Service Entity Categories
      
-
       3.1.3.2. Entity Categories for Service Properties
      
-
       3.1.3.3. Entity Categories for Service Type
      
-
       3.1.3.4. Entity Categories for Service Contract
      
-
       3.1.3.5. General Entity Categories
      
-
       3.1.4. SAML Protocol Status Codes
      
-
       3.1.5. Central Signing
      
-
       3.1.6. Authentication Context
      
-
       3.1.7. Sign Response Status Codes
      
-
       3.1.8. Name Registration Authorities
      
-
       3.1.9. eIDAS Identifiers
      
-
       3.1.9.1. eIDAS Proxy Service Aliases
      
-
       3.1.9.2. eIDAS Connector Aliases
      
-
       3.1.9.3. Identity Binding Processes
      
-
       3.2. OID Identifiers
      
-
       3.2.1. ASN.1 Declarations
      
-
      4. 
-
    4. References
      
-
      5. 
-
    5. Changes between versions
      
-
      6. 
-
    
-
    
-
    1. Background
    
-
    The implementation of a Swedish infrastructure for electronic
-identification and electronic signature requires various types of
-identifiers to represent objects in protocols and data structures.
    
-
    This document defines the structure for identifiers assigned by the Swedish eID Framework
-and provides a registry for assigned identifiers.
    
-
    The following types of identifiers are assigned in this document:
    
-
      
-
    •   URI (Uniform Resource Identifier)
      
-
      • 
-
    •   OID (Object Identifier)
      
-
      • 
-
    
-
    This registry is limited to registering assigned identifiers.
-Identifiers in this registry are typically defined within the context of
-a separate specification, which defines the semantic meaning of the
-identifier within the context of a particular protocol and/or data
-structure. Where applicable, this registry provides references to the
-documents where the exact meaning of each identifier is defined.
    
-
    
-
    2. Structure
    
-
    The basic structure of identifiers assigned by the Swedish eID Framework is based on the following components:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    ParameterDescription
    PrefixThe leading portion of the identifier that associates the identifier with this registry and identifies the Swedish e-identification board or Sweden Connect as the assigner of the identifier.
    CategoryA code for the category of an identifier. Each category is a defined context for a collection of identifiers within the scope of a protocol, service or object type.
    Version (optional)An indicator of the version of the object represented by this identifier. The exact semantic of the version indicator, if present, is defined within each category.
    IdentifierA sequence of characters or numbers (according to the syntax of the identifier type), which distinguish this identifier among all other identifiers within a particular prefix, category and version.
    
-
    
-
    2.1. URI Identifiers
    
-
    All URI identifiers in this registry are of URL type (Uniform Resource
-Locator), assigned under the prefixes http://id.elegnamnden.se and http://id.swedenconnect.se.
    
-
    These URL identifiers are defined using the following structure:
    
-
      
-
    • http://id.elegnamnden.se/{category}[/{version}]/{identifier}, or,
      • 
-
    • http://id.swedenconnect.se/{category}[/{version}]/{identifier}.
      • 
-
    
-
    
-
    2.2. OID Identifiers
    
-
    An object identifier consists of a node in a hierarchically-assigned
-namespace, formally defined using the ITU-T's ASN.1 standard, X.690.
-Successive numbers of the nodes, starting at the root of the tree,
-identify each node in the tree. Designers set up new nodes by
-registering them under the node's registration authority. The root of
-the tree contains the following three arcs:
    
-
      
-
    •   0: ITU-T
      • 
-
    •   1: ISO
      • 
-
    •   2: joint-iso-itu-t
      • 
-
    
-
    Object identifiers are in this document represented as a string
-containing a sequence of integers separated by a dot (“.”), e.g.
-2.3.4.25, where each integer represents a node in the hierarchy.
    
-
    The node assigned to the Swedish E-identification Board/Sweden Connect is: 1.2.752.201.
    
-
    This represents a hierarchical structure of nodes in the following
-sequence:
    
-
      
-
    •   1 = ISO
      • 
-
    •   2 = ISO member body
      • 
-
    •   752 = The Swedish Standardization Institute (SIS-ITS)
      • 
-
    •   201 = Swedish E-identification Board (see note below)
      • 
-
    
-
    This node is used as the Prefix (root node) for all OID identifiers in
-this registry, using the following structure:
    
-
    1.2.752.201.{category}.{identifier}
    
-
    OID identifiers according to this structure assign a node for each
-category and an identifier node under this category node. No node in
-this structure is assigned as version node. Version is handled, when
-necessary, within the identifier portion of the OID, typically by
-assigning a new identifier.
    
-
    Note: The OID 1.2.752.201 was assigned to the Swedish E-identification Board, but
-this organisation has been overtaken by the Swedish Agency for Digital Government (DIGG) who 
-now uses this OID arc for the Sweden Connect Technical Framework.
    
-
    
-
    3. Assigned Identifiers
    
-
    
-
    3.1. URL Identifiers
    
-
    The following category codes are defined:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    CodeCategory
    loaLevel of Assurance. Identifiers representing level of assurance for federated identity (Tillitsnivå).
    acAttribute profile.
    ecEntity Category. Generic service type declarations for service matching.
    spropService Property. Specific entity category identifiers for specific service property.
    stService Type. Specific entity category identifiers for defined types of services in the federation.
    contractService contract. Specific entity category identifiers for declaring contract, or business agreement, affiliation within a federation.
    csigCentral Signing Service – Identifiers used by the central signing service infrastructure.
    auth-contAuthentication context information schema.
    statusSAML Protocol status codes.
    sig-statusSign response status codes.
    eidasIdentifiers used for integration with the eIDAS Framework.
    nsXML Schema namespaces.
    
-
    
-
    3.1.1. Authentication Context URIs
    
-
    Authentication Context URIs representing assurance levels (Tillitsnivåer) relevant to
-[TillitRamv] and [EidDeploy].
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/loa/1.0/loa1Assurance level 1.[TillitRamv]
    http://id.elegnamnden.se/loa/1.0/loa2Assurance level 2.[TillitRamv]
    http://id.elegnamnden.se/loa/1.0/loa3Assurance level 3.[TillitRamv]
    http://id.elegnamnden.se/loa/1.0/loa4Assurance level 4.[TillitRamv]
    http://id.elegnamnden.se/loa/1.0/eidas-low*Authentication accordance to eIDAS assurance level low for non-notified and notified eID schemes.[eIDAS]
    http://id.elegnamnden.se/loa/1.0/eidas-sub*Authentication accordance to eIDAS assurance level substantial for non-notified and notified eID schemes.[eIDAS]
    http://id.elegnamnden.se/loa/1.0/eidas-high*Authentication accordance to eIDAS assurance level high for non-notified and notified eID schemes.[eIDAS]
    http://id.elegnamnden.se/loa/1.0/eidas-nf-low*Authentication accordance to eIDAS assurance level low using an eID scheme that MUST be notified.[eIDAS]
    http://id.elegnamnden.se/loa/1.0/eidas-nf-sub*Authentication accordance to eIDAS assurance level substantial using an eID scheme that MUST be notified.[eIDAS]
    http://id.elegnamnden.se/loa/1.0/eidas-nf-high*Authentication accordance to eIDAS assurance level high using an eID scheme that MUST be notified.[eIDAS]
    
-
    NOTE: eIDAS assurance levels low, substantial and high have the
-following AuthnContextClassRef URI:s defined by the EU commission:
    
-
      
-
    •   http://eidas.europa.eu/LoA/low
      
-
      • 
-
    •   http://eidas.europa.eu/NotNotified/LoA/low (for non-notified eID schemes)
      
-
      • 
-
    •   http://eidas.europa.eu/LoA/substantial
      
-
      • 
-
    •   http://eidas.europa.eu/NotNotified/LoA/substantial (for non-notified eID schemes)
      
-
      • 
-
    •   http://eidas.europa.eu/LoA/high
      
-
      • 
-
    •   http://eidas.europa.eu/NotNotified/LoA/high (for non-notified eID schemes)
      
-
      • 
-
    
-
    
-
    [*]: The authentication context URI:s are intended to be used to represent authentication
-over the eIDAS authentication framework using an official eIDAS-connector. Authorization to 
-issue assertions using these authentication context URI:s is determined by declaration of the
-"assurance certification" for the connector (see section 2.1.3 of [EidDeploy]).
    
-
    
-
    
-
    3.1.1.1. Authentication Context URIs for Swedish Non-residents
    
-
    The Swedish assurance framework, [TillitRamv], states that a Swedish eID
-according to any of the defined assurance levels must only be issued to an individual holding
-a Swedish personal identity number (personnummer) or a Swedish coordination number 
-(samordningsnummer).
    
-
    In some cases, a certified eID-issuer may also issue eIDs to persons that do not hold
-a Swedish identity number (non-residents). If this is the case, and the original 
-identification of the person has a strength that corresponds to the requirements 
-put in [TillitRamv], a certified Identity Provider MAY use the URIs
-defined below:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.swedenconnect.se/loa/1.0/
    loa2-nonresident    		A URI that is indented to be used by a level 2-certified providers that authenticate a non-resident eID holder according to assurance level 2 - http://id.elegnamnden.se/loa/1.0/loa2.This document
    http://id.swedenconnect.se/loa/1.0/
    loa3-nonresident    		A URI that is indented to be used by a level 3-certified providers that authenticate a non-resident eID holder according to assurance level 3 - http://id.elegnamnden.se/loa/1.0/loa3.This document
    http://id.swedenconnect.se/loa/1.0/
    loa4-nonresident    		A URI that is indented to be used by a level 4-certified providers that authenticate a non-resident eID holder according to assurance level 4 - http://id.elegnamnden.se/loa/1.0/loa4.This document
    
-
    Note: An Identity Provider that includes any of the above URIs in an issued assertion
-MUST NOT provide the personalIdentityNumber attribute in the assertion. This is per
-definition since these URIs are intended to be used for non-residents (i.e., they do not hold
-a Swedish identity number).
    
-
    
-
    3.1.1.2. Authentication Context URIs for Uncertified Providers
    
-
    The assurance levels defined in section 3.1.1 may only be 
-used by Identity Providers that have been reviewed and approved by the Swedish Agency for 
-Digital Government (DIGG) according to [TillitRamv]. For Identity Providers 
-that have not undergone a review process but make a self declaration to be compliant 
-with [TillitRamv] this specification defines the following authentication
-context URIs:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.swedenconnect.se/loa/1.0/
    uncertified-loa2    		URI that is indented to be used by uncertified providers that make a self declaration of providing an assurance level comparable to Assurance level 2 - http://id.elegnamnden.se/loa/1.0/loa2.This document
    http://id.swedenconnect.se/loa/1.0/
    uncertified-loa3    		URI that is indented to be used by uncertified providers that make a self declaration of providing an assurance level comparable to Assurance level 3 - http://id.elegnamnden.se/loa/1.0/loa3.This document
    
-
    Proxy Identity Providers that have eIDAS authentication as an option MUST NOT use the eIDAS
-authentication context URIs defined in section 3.1.1. 
-Instead they should use:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.swedenconnect.se/loa/1.0/
    uncertified-eidas-low    		Should be used if a proxy IdP receives http://id.elegnamnden.se/loa/1.0/eidas-low or http://id.elegnamnden.se/loa/1.0/eidas-nf-low in an assertion from the official Swedish eIDAS-connector.This document
    http://id.swedenconnect.se/loa/1.0/
    uncertified-eidas-sub    		Should be used if a proxy IdP receives http://id.elegnamnden.se/loa/1.0/eidas-sub or http://id.elegnamnden.se/loa/1.0/eidas-nf-sub in an assertion from the official Swedish eIDAS-connector.This document
    http://id.swedenconnect.se/loa/1.0/
    uncertified-eidas-high    		Should be used if a proxy IdP receives http://id.elegnamnden.se/loa/1.0/eidas-high or http://id.elegnamnden.se/loa/1.0/eidas-nf-high in an assertion from the official Swedish eIDAS-connector.This document
    
-
    
-
    3.1.2. Attribute Sets
    
-
    Identifiers for attribute sets defined in the Attribute Profile
-Specification for the Swedish eID Framework.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    IdentifierURLObjectReference
    ELN-AP-Pseudonym-01http://id.elegnamnden.se/ap/1.0/pseudonym-01Pseudonym identity attribute set.[EidAttributes]
    ELN-AP-NaturalPerson-01http://id.elegnamnden.se/ap/1.0/natural-person-01Personal identity without civic registration number attribute set.[EidAttributes]
    ELN-AP-Pnr-01http://id.elegnamnden.se/ap/1.0/pnr-01Personal identity with civic registration number attribute set.[EidAttributes]
    ELN-AP-OrgPerson-01http://id.elegnamnden.se/ap/1.0/org-person-01Organizational identity attribute set.[EidAttributes]
    ELN-AP-eIDAS-NatPer-01http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01Natural person identity for the eIDAS Framework.[EidAttributes]
    DIGG-AP-HSAid-01http://id.swedenconnect.se/ap/1.0/hsaid-01Natural Person Identity with HSA-ID[EidAttributes]
    
-
    
-
    3.1.3. Entity Category Identifiers
    
-
    Identifiers for categories of service entities, specified as an “Entity Attribute” in the federation metadata.
    
-
    
-
    3.1.3.1. Service Entity Categories
    
-
    Identifiers for entity categories representing alternative sets of requirements.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/
    ec/1.0/loa2-pnr    		Service consuming/providing assertions based on assurance level 2, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.[EidEntityCat]
    http://id.elegnamnden.se/
    ec/1.0/loa3-pnr    		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.[EidEntityCat]
    http://id.swedenconnect.se/
    ec/sc/uncertified-loa3-pnr    		Service consuming/providing assertions based on uncertified-loa3, as defined above, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.
    http://id.elegnamnden.se/
    ec/1.0/loa4-pnr    		Service consuming/providing assertions based on assurance level 4, implementing the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.[EidEntityCat]
    http://id.elegnamnden.se/
    ec/1.0/eidas-naturalperson    		Service consuming/providing assertions based on any eIDAS assurance level, implementing the attribute set http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01.[EidEntityCat]
    http://id.elegnamnden.se/
    ec/1.0/eidas-pnr-delivery    		Service providing assertions to eIDAS services via Swedish eIDAS-node[EidEntityCat]
    http://id.swedenconnect.se/
    ec/1.0/loa3-hsaid    		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.swedenconnect.se/ap/1.0/hsaid-01.
    http://id.swedenconnect.se/
    ec/sc/uncertified-loa3-hsaid    		Service consuming/providing assertions based on uncertified-loa3, as defined above, implementing the attribute set http://id.swedenconnect.se/ap/1.0/hsaid-01.
    http://id.swedenconnect.se/
    ec/1.0/loa2-orgid    		Service consuming/providing assertions based on assurance level 2, implementing the attribute set http://id.elegnamnden.se/ap/1.0/org-person-01.[EidEntityCat]
    http://id.swedenconnect.se/
    ec/1.0/loa3-orgid    		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.elegnamnden.se/ap/1.0/org-person-01.[EidEntityCat]
    http://id.swedenconnect.se/
    ec/1.0/loa4-orgid    		Service consuming/providing assertions based on assurance level 4, implementing the attribute set http://id.elegnamnden.se/ap/1.0/org-person-01.[EidEntityCat]
    http://id.swedenconnect.se/
    ec/1.0/loa2-name    		Service consuming/providing assertions based on assurance level 2, implementing the attribute set http://id.elegnamnden.se/ap/1.0/natural-person-01.[EidEntityCat]
    http://id.swedenconnect.se/
    ec/1.0/loa3-name    		Service consuming/providing assertions based on assurance level 3, implementing the attribute set http://id.elegnamnden.se/ap/1.0/natural-person-01.[EidEntityCat]
    http://id.swedenconnect.se/
    ec/1.0/loa4-name    		Service consuming/providing assertions based on assurance level 4, implementing the attribute set http://id.elegnamnden.se/ap/1.0/natural-person-01.[EidEntityCat]
    
-
    
-
    3.1.3.2. Entity Categories for Service Properties
    
-
    Identifiers for defined service properties.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/sprop/1.0/mobile-authService adapted to require/provide user authentication based on mobile devices.[EidEntityCat]
    http://id.elegnamnden.se/sprop/1.0/scal2Service adapted to support authentication requests from signature services supporting Sole Control Assurance Level 2 (SCAL2).[EidEntityCat]
    
-
    
-
    3.1.3.3. Entity Categories for Service Type
    
-
    Identifiers for defined service types.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/st/1.0/sigserviceElectronic signature service[EidEntityCat]
    http://id.elegnamnden.se/st/1.0/public-sector-spPublic sector Service Provider[EidEntityCat]
    http://id.elegnamnden.se/st/1.0/private-sector-spPrivate sector Service Provider[EidEntityCat]
    
-
    
-
    3.1.3.4. Entity Categories for Service Contract
    
-
    Service Contract Entity Category identifiers are indented for performing service matching based on contracts, or business agreements, between providing and consuming services.
    
-
    All Service Contract identifiers are prefixed with http://id.swedenconnect.se/contract/<org>, where org is the identifier for the defining organization.
    
-
    The Swedish eID Framework specifications do not define any Service Contract identifiers. Instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements.
    
-
    
-
    3.1.3.5. General Entity Categories
    
-
    An entity category of the General Entity Category type is a category that does not fit into any of the other category types regarding definitions and matching rules.
    
-
    General category identifiers are prefixed with http://id.swedenconnect.se/general-ec.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.swedenconnect.se/general-ec/
    1.0/secure-authenticator-binding    		Indicator that a secure authenticator binding is required, or supported.[EidEntityCat]
    http://id.swedenconnect.se/general-ec/
    1.0/accepts-coordination-number    		Category for opt-in for the acceptance of Swedish coordination numbers in the personalIdentityNumber attribute.[EidEntityCat]
    http://id.swedenconnect.se/general-ec/
    1.0/supports-user-message    		Indicator that an Identity Provider supports the UserMessage authentication request extension, see [UserMessageExt].[EidEntityCat]
    
-
    
-
    3.1.4. SAML Protocol Status Codes
    
-
    Status code identifiers for use in SAML Response messages. The list
-below extends the list of second-level status codes defined in section
-3.2.2.2 of [SAML2Core].
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/status/1.0/cancelStatus code representing a cancelled operation.[EidDeploy]
    http://id.elegnamnden.se/status/1.0/fraudStatus code indicating a fraudulent request.[EidDeploy]
    http://id.elegnamnden.se/status/1.0/possibleFraudStatus code indicating a possible fraudulent request.[EidDeploy]
    
-
    
-
    3.1.5. Central Signing
    
-
    Identifiers used in the protocol for requesting services form a central signing service.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/csig/1.0/dss-ext/nsDeprecated. XML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.0).
    http://id.elegnamnden.se/csig/1.0/eid2-dss/profileDeprecated. Implementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.0).
    http://id.elegnamnden.se/csig/1.1/dss-ext/nsXML schema name space for the protocol extensions to the OASIS DSS protocol (version 1.1).[EidDSSExt]
    http://id.elegnamnden.se/csig/1.1/dss-ext/profileImplementation profile identifier for the protocol extensions to the OASIS DSS protocol (version 1.1).[EidCSignProf]
    http://id.elegnamnden.se/csig/1.1/sap/nsXML schema name space for the Signature Activation Protocol, extending version 1.1 of the DSS protocol extension[EidSigSAP]
    
-
    
-
    3.1.6. Authentication Context
    
-
    Identifiers associated with the Authentication Context X.509 extension
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/auth-cont/1.0/saciXML schema namespace for SAML Authentication Context Information in the Authentication Context X.509 certificate extension[RFC7773]
    http://id.swedenconnect.se/auth-cont/1.0/ext-auth-infoXML schema namespace for Extended Authentication Information in the Authentication Context X.509 certificate extension[CertProf]
    
-
    
-
    3.1.7. Sign Response Status Codes
    
-
    Status code identifiers for the DSS Extension for SAML based Central Signing service. The following identifiers provide defined status codes
-for inclusion in a <ResultMinor> element of the <Result> element of a sign response message according to the OASIS standard “Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0” [OASIS-DSS].
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/sig-status/1.0/req-expiredThe time window for the signature request has expired.[EidCSignProf]
    http://id.elegnamnden.se/sig-status/1.0/user-mismatchThe authenticated user does not match the signer identity attributes in the request.[EidCSignProf]
    http://id.elegnamnden.se/sig-status/1.0/unsupported-loaThe requested level of assurance for user authentication is not supported.[EidCSignProf]
    http://id.elegnamnden.se/sig-status/1.0/sigmessage-errorA requirement to display sign message was included in the sign request, but the sign service could not establish that the sign message was displayed to the user.[EidCSignProf]
    http://id.elegnamnden.se/sig-status/1.0/user-cancelThe end user cancelled the signature operation.[EidCSignProf]
    http://id.swedenconnect.se/sig-status/1.1/authn-failedThe authentication during the signature operation failed.[EidCSignProf]
    http://id.swedenconnect.se/sig-status/1.1/security-violationThe Signature Service, or Identity Provider authenticating the end user, has detected a security violation (such as a possible fraud).[EidCSignProf]
    
-
    
-
    3.1.8. Name Registration Authorities
    
-
    Some protocols require a URI identifier to uniquely identify the entity responsible for a particular namespace.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URLObjectReference
    http://id.elegnamnden.se/eln/name-registration-authorityIdentifying the Swedish e-Identification Board* as name registration authority, responsible for a particular namespace.[CertProf]
    
-
    
-
    [*]: This also covers the Swedish Agency for Digital Government (DIGG) which has overtaken the Swedish E-identification Board's assignments.
    
-
    
-
    
-
    3.1.9. eIDAS Identifiers
    
-
    This section defines identifiers used within the Swedish eID Framework to integrate with the eIDAS Framework.
    
-
    
-
    3.1.9.1. eIDAS Proxy Service Aliases
    
-
    Each country within the eIDAS federation provides an eIDAS Proxy Service that is a Proxy Identity Provider for the authentication services within that specific country. The entityID identifier for an eIDAS Proxy Service in another country is not known to a Swedish Service Provider, but there are cases in which the Swedish Service Provider needs to refer to a specific eIDAS Proxy Service. Therefore, this specification defines an URI identifier format for eIDAS Proxy Service aliases. The format is as follows:
    
-
    http://id.swedenconnect.se/eidas/1.0/proxy-service/{country-code}
    
-
    where {country-code} is the country identifier in ISO 3166-1 alpha-2 format [ISO 3166].
    
-
    
-
    A consumer of an eIDAS Proxy Service alias URI MUST accept the country code part of the URI in both lower and upper case letters.
    
-
    
-
    
-
    3.1.9.2. eIDAS Connector Aliases
    
-
    A Swedish Identity Provider that delivers authentication services to eIDAS, via the Swedish eIDAS Proxy Service, will receive the entityID of the Service Provider from another country that has requested user authentication in a <saml2p:RequesterID> element of the authentication request. Along with this information, the Swedish Proxy Service will also include another RequesterID element that holds the "eIDAS Connector alias" URI, telling from which country the requesting Service Provider resides.
    
-
    The format of this alias is as follows:
    
-
    http://id.swedenconnect.se/eidas/1.0/connector/{country-code}
    
-
    where {country-code} is the country identifier in ISO 3166-1 alpha-2 format [ISO 3166].
    
-
    
-
    A consumer of an eIDAS Connector alias URI MUST accept the country code part of the URI in both lower and upper case letters.
    
-
    
-
    
-
    3.1.9.3. Identity Binding Processes
    
-
    Section 3.3.2 of [EidAttributes] describes how the personalIdentityNumberBinding attribute is assigned with one or more "Identity Binding Process URI:s" after an identity binding. The possible values are: 
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    URIObjectReference
    http://id.swedenconnect.se/
    id-binding/process/populationregister    		Unique match of name and birth date between eIDAS identity and the Swedish Population register.[ID-Binding]
    http://id.swedenconnect.se/
    id-binding/process/swedish-eid    		Digitally signed attestation using a Swedish eID.[ID-Binding]
    
-
    The Binding eIDAS Identities to Records in the Swedish Population Register ([ID-Binding]) document defines the above processes in detail. 
    
-
    
-
    3.2. OID Identifiers
    
-
    Defined categories:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    CodeCategory
    0ASN.1 modules
    1Test identifiers
    2Policy identifiers
    3Attribute identifiers
    4”Qualified Certificate” Statement identifiers (RFC 3739)
    5X.509 certificate extension identifiers
    
-
    The following OIDs are defined in the ASN.1 declarations in 3.2.1:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    OIDObjectReference
    1.2.752.201.5.1Authentication Context Extension[RFC7773]
    1.2.752.201.5.2Signature Validation Token Extension[SVT-PDF]
    1.2.752.201.2.1Object identifier for the Signature Validation Token RFC 3161 timestamp policy
    1.2.752.201.3.1Organization Affiliation Attribute[EidAttributes]
    1.2.752.201.3.2Transaction Identifier[EidAttributes]
    1.2.752.201.3.3Authentication Context Parameters[EidAttributes]
    1.2.752.201.3.4Provisional ID[EidAttributes]
    1.2.752.201.3.5Provisional ID Persistence Indicator[EidAttributes]
    1.2.752.201.3.6Personal Identity Number Binding URI[EidAttributes]
    1.2.752.201.3.7eIDAS Person Identifier[EidAttributes]
    1.2.752.201.3.8Birth name[EidAttributes]
    1.2.752.201.3.9eIDAS Natural Person Address[EidAttributes]
    1.2.752.201.3.10User Certificate[EidAttributes]
    1.2.752.201.3.11User Signature[EidAttributes]
    1.2.752.201.3.12Signature Activation Data[EidAttributes]
    1.2.752.201.3.13Authentication Server Signature[EidAttributes]
    1.2.752.201.3.14Sign Message Digest[EidAttributes]
    1.2.752.201.3.15Previous Personal Identity Number[EidAttributes]
    1.2.752.201.3.16Mapped Personal Identity Number[EidAttributes]
    
-
    
-
    3.2.1. ASN.1 Declarations
    
-
    Object Identifier Registry for Sweden Connect*
    
-
    id-eleg OBJECT IDENTIFIER ::= {iso(1) member-body(2) se(752) e-legitimationsnamnden(201)}
-
--- Sweden Connect arcs
-id-mod    OBJECT IDENTIFIER ::= { id-eleg 0 }    -- ASN.1 modules
-id-test   OBJECT IDENTIFIER ::= { id-eleg 1 }    -- OIDs for test
-id-pol    OBJECT IDENTIFIER ::= { id-eleg 2 }    -- Policy
-id-attr   OBJECT IDENTIFIER ::= { id-eleg 3 }    -- Attributes
-id-qcs    OBJECT IDENTIFIER ::= { id-eleg 4 }    -- QC Statement
-id-ce     OBJECT IDENTIFIER ::= { id-eleg 5 }    -- Cert Extensions
-
--- Sweden Connect Modules
-id-mod-auth-context-88 OBJECT IDENTIFIER ::= { id-mod 1 }    -- Used in RFC 7773
-id-mod-auth-context-08 OBJECT IDENTIFIER ::= { id-mod 2 }    -- Used in RFC 7773
-
--- Sweden Connect OIDs for test
-
--- Sweden Connect Policies
-id-pol-svt-ts-policy         OBJECT IDENTIFIER ::= { id-pol 1 }     -- SVT RFC 3161 timestamp policy
-
--- Sweden Connect Attributes
-id-attr-org-affiliation      OBJECT IDENTIFIER ::= { id-attr 1 }    -- Organizational affiliation
-id-attr-transaction-id       OBJECT IDENTIFIER ::= { id-attr 2 }    -- Transaction identifier
-id-attr-auth-context-params  OBJECT IDENTIFIER ::= { id-attr 3 }    -- Authentication context parameters
-id-attr-prid                 OBJECT IDENTIFIER ::= { id-attr 4 }    -- Provisional ID
-id-attr-prid-persistence     OBJECT IDENTIFIER ::= { id-attr 5 }    -- Provisional ID persistence indicator
-id-attr-pnr-binding          OBJECT IDENTIFIER ::= { id-attr 6 }    -- Personal Identity Number binding URI
-id-attr-eidas-pid            OBJECT IDENTIFIER ::= { id-attr 7 }    -- eIDAS Person Identifier
-id-attr-birth-name           OBJECT IDENTIFIER ::= { id-attr 8 }    -- Birth name
-id-attr-eidas-np-address     OBJECT IDENTIFIER ::= { id-attr 9 }    -- eIDAS Natural Person Address
-id-attr-user-certificate     OBJECT IDENTIFIER ::= { id-attr 10 }   -- User certificate
-id-attr-user-signature       OBJECT IDENTIFIER ::= { id-attr 11 }   -- User signature
-id-attr-sad                  OBJECT IDENTIFIER ::= { id-attr 12 }   -- Signature activation data
-id-attr-auth-srv-signature   OBJECT IDENTIFIER ::= { id-attr 13 }   -- Authentication server signature
-id-attr-sign-message-digest  OBJECT IDENTIFIER ::= { id-attr 14 }   -- Sign message digest
-id-attr-previous-pid-number  OBJECT IDENTIFIER ::= { id-attr 15 }   -- Previous personal identity number
-id-attr-mapped-pid-number    OBJECT IDENTIFIER ::= { id-attr 16 }   -- Mapped personal identity number
-
--- Sweden Connect QC Statement extension
-id-qcs-sid         OBJECT IDENTIFIER ::= { id-qcs 1 }   -- Semantics Identifiers
-id-qcs-statement   OBJECT IDENTIFIER ::= { id-qcs 2 }   -- QC statements
-
--- Sweden Connect Certificate Extensions
-id-ce-authContext  OBJECT IDENTIFIER ::= { id-ce 1 }    -- Auth context extension used in RFC 7773
-id-ce-svt          OBJECT IDENTIFIER ::= { id-ce 2 }    -- Signature Validation Token extension
    
-
    [*]: The OID 1.2.752.201 was assigned to the Swedish E-identification Board, but this organisation has been overtaken by the Swedish Agency for Digital Government (DIGG) who now uses this OID arc for the Sweden Connect Technical Framework.
    
-
    
-
    
-
    4. References
    
-
    
-[SAML2Core]
    
-
    
-
    OASIS Standard, Assertions and Protocols for the OASIS Security
-Assertion Markup Language (SAML) V2.0, March 2005
    
-
    
-
    
-[OASIS-DSS]
    
-
    
-
    Digital Signature Service Core Protocols, Elements, and Bindings
-Version 1.0.
    
-
    
-
    
-[TillitRamv]
    
-
    
-
    Tillitsramverket för Svensk e-legitimation.
    
-
    
-
    
-[RFC7773]
    
-
    
-
    RFC7773: Authentication Context Certificate Extension.
    
-
    
-
    
-[EidDeploy]
    
-
    
-
    Deployment Profile for the Swedish eID Framework.
    
-
    
-
    
-[EidEntityCat]
    
-
    
-
    Entity Categories for the Swedish eID Framework.
    
-
    
-
    
-[EidDSSExt]
    
-
    
-
    DSS Extension for Federated Central Signing Services.
    
-
    
-
    
-[EidSigSAP]
    
-
    
-
    Signature Activation Protocol for Federated Signing.
    
-
    
-
    
-[EidCSignProf]
    
-
    
-
    Implementation Profile for Using OASIS DSS in Central Signing Services.
    
-
    
-
    
-[CertProf]
    
-
    
-
    Certificate profile for certificates issued by Central Signing services
    
-
    
-
    
-[EidAttributes]
    
-
    
-
    Attribute Specification for the Swedish eID Framework.
    
-
    
-
    
-[UserMessageExt]
    
-
    
-
    User Message Extension in SAML Authentication Requests.
    
-
    
-
    
-[ID-Binding]
    
-
    
-
    Binding eIDAS Identities to Records in the Swedish Population Register
    
-
    
-
    
-[SVT-PDF]
    
-
    
-
    PDF Signature Validation Token.
    
-
    
-
    
-[eIDAS]
    
-
    
-
    REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE
-COUNCIL of 23 July 2014 on electronic identification and trust
-services for electronic transactions in the internal market and
-repealing Directive 1999/93/EC. Including implementation acts of the
-regulation and associated technical specifications.
    
-
    
-
    
-[ISO 3166]
    
-
    
-
    Country Codes - ISO 3166, https://www.iso.org/iso-3166-country-codes.html.
    
-
    
-
    
-
    5. Changes between versions
    
-
    Changes between version 1.7 and version 1.b:
    
-
      
-
    • Section 3.1.7, "Sign Response Status Codes", were extended with error codes for authn-failed and security-violation.
      
-
      • 
-
    • Section 3.1.9.3, "Identity Binding Processes", was introduced where binding process URI:s for matching eIDAS identities to Swedish identity numbers are listed.
      
-
      • 
-
    • The http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category was added to section, 3.1.3.5, "General Entity Categories".
      
-
      • 
-
    
-
    Changes between version 1.6 and version 1.7:
    
-
      
-
    • Section, 3.1.3.5, "General Entity Categories", was introduced and http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding and http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number was added.
      
-
      • 
-
    • In section 3.2, an object identifier (OID) for Signature Validation Token extension was added and one OID for a SVT timestamp policy.
      
-
      • 
-
    • Added service entity categories http://id.swedenconnect.se/ec/1.0/loa3-orgid and http://id.swedenconnect.se/ec/1.0/loa3-name to section 3.1.3.1.
      
-
      • 
-
    • In section 3.2, the attributes for "previous personal identity number" (1.2.752.201.3.15) and  "mapped personal identity number" (1.2.752.201.3.16) were added.
      
-
      • 
-
    • Section 3.1.3.1, "Service Entity Categories", was updated with categories for loaX-name and loaX-orgid.
      
-
      • 
-
    • Authentication context URIs for non-residents and uncertified providers were added to sections 3.1.1.1 and 3.1.1.2.
      
-
      • 
-
    
-
    Changes between version 1.5 and version 1.6:
    
-
      
-
    • The specification was renamed from "Registry for identifiers assigned by the Swedish e-identification board" to "Swedish eID Framework - Registry for identifiers".
      
-
      • 
-
    • The authentication context URIs http://id.swedenconnect.se/loa/1.0/uncertified-loa3 and http://id.swedenconnect.se/loa/1.0/uncertified-loa3-sigmessage were introduced in sections 3.1.1 and 3.1.1.1, and the service entity category http://id.swedenconnect.se/ec/sc/uncertified-loa3-pnr was added to section 3.1.3.1.
      
-
      • 
-
    • A description of Service Contract Entity Categories was added to section 3.1.3.4.
      
-
      • 
-
    • In section 3.1.1, the EU commission AuthnContextClassRef URI:s for non-notified schemes were changed.
      
-
      • 
-
    • Section 3.1.9.2, "eIDAS Connector Aliases", defining the URI format for representing country affiliation of eIDAS connector services, was added.
      
-
      • 
-
    • The link for the "Tillitsramverk för Svensk e-legitimation" specification was updated.
      
-
      • 
-
    • Added the attribute SignMessageDigest (1.2.752.201.3.14) to section 3.2.
      
-
      • 
-
    • The Sign Message Authentication Context URIs defined in section 3.1.1.1 are deprecated.
      
-
      • 
-
    • The XML Schema namespace identifier http://id.swedenconnect.se/auth-cont/1.0/ext-auth-info was added. This XML Schema defines an XML extension for the Authentication Context Extension to provide extended authentication information.
      
-
      • 
-
    • Associating the OID registry with Sweden Connect.
      
-
      • 
-
    • Aligned registered module OID:s with RFC 7773.
      
-
      • 
-
    • Adding a new extension OID for Signature Validation Tokens in timestamp extensions.
      
-
      • 
-
    • Added attribute set and service entity categories for HSA-ID.
      
-
      • 
-
    
-
    Changes between version 1.4 and version 1.5:
    
-
      
-
    • Added identifier for the service property entity category http://id.elegnamnden.se/sprop/1.0/scal2
      
-
      • 
-
    • Added XML Schema name space identifier http://id.elegnamnden.se/csig/1.1/sap/ns. This XML Schema defines XML elements related to the Signature Activation Protocol.
      
-
      • 
-
    • Added Semantics Identifiers section 3.1.8 to define a name registration authority URI necessary to express a provisional ID attribute in an X.509 certificate according to ETSI EN 319 412-1.
      
-
      • 
-
    • Added Authentication Context URI:s http://id.elegnamnden.se/loa/1.0/eidas-nf-low and http://id.elegnamnden.se/loa/1.0/eidas-nf-low-sigm to section 3.1.1.
      
-
      • 
-
    • Added section 3.1.9, "eIDAS Identifiers", that describes the format for eIDAS Proxy Service Alias URI identifiers.
      
-
      • 
-
    
-
    Changes between version 1.3 and version 1.4:
    
-
      
-
    •   Attributes and URI:s for the eIDAS Framework was added.
      
-
      • 
-
    • The SAML status code identifier
-  http://id.elegnamnden.se/status/1.0/cancel was added to be used in SAML
-  Response messages to indicate a cancelled operation.
      
-
      • 
-
    • Added the SAML status code identifiers http://id.elegnamnden.se/status/1.0/fraud and http://id.elegnamnden.se/status/1.0/possibleFraud were added to be used in SAML Response messages to alert fraudulent requests.
      
-
      • 
-
    • Added attribute definitions for “Birth name”, “User certificate”,
-  “User signature”, "Authentication Server Signature" and “Signature activation data”. See chapter 3.2.
      
-
      • 
-
    •  Added the Service Type Entity Categories http://id.elegnamnden.se/st/1.0/public-sector-sp and http://id.elegnamnden.se/st/1.0/private-sector-sp to section 3.1.3.3.
      
-
      • 
-
    
-
    Changes between version 1.2 and version 1.3:
    
-
      
-
    • Object identifiers for the attributes “Transaction identifier”,
-  “Authentication Context Parameters”, “Provisional ID” and
-  “Provisional ID quality indicator” were defined and added to section
-  3.2.
      
-
      • 
-
    • Chapter 3.1.7, “XML Schema namespaces”, was removed since the “Level
-  of Assurance context class declarations” are deprecated and thus,
-  the namespace http://id.elegnamnden.se/ns/1.0/loa-context-params
-  is no longer part of the Swedish eID Framework.
      
-
      • 
-
    • Authentication Context URIs for use by signature services during
-  authentication was added to section 3.1.1.
      
-
      • 
-
    • Service entity categories for future use within the eIDAS Framework
-  were added to section 3.1.3.1.
      
-
      • 
-
    • The status code identifier
-  http://id.elegnamnden.se/sig-status/1.0/sigmessage-error was added
-  to section 3.1.6 and the signature response status code http://id.elegnamnden.se/sig-status/1.0/user-cancel was added to section 3.1.7.
      
-
      • 
-
    
-
    Changes between version 1.1 and version 1.2:
    
-
      
-
    • URI identifiers for Attribute Profiles as specified in [AttrProf]
-  were introduced.
      • 
-
    
-
    Changes between version 1.0 and version 1.1:
    
-
      
-
    • In chapter 3.1.3.1, “Service Entity Categories”, service entity
-  categories for Level of Assurance 2 and 4 were introduced.
      
-
      • 
-
    •   Chapter 3.1.7, “XML Schema namespaces”, was added.
      
-
      • 
-
    •   Typos were fixed.
      
-
      • 
-
    
-    
    
-  
-
diff --git a/docs/updates/03_-_Registry_for_Identifiers.html b/docs/updates/03_-_Registry_for_Identifiers.html
new file mode 120000
index 0000000..6487b0e
--- /dev/null
+++ b/docs/updates/03_-_Registry_for_Identifiers.html
@@ -0,0 +1 @@
+../december-2024/03_-_Registry_for_Identifiers.html
\ No newline at end of file
diff --git a/docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html b/docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html
deleted file mode 100644
index eeeab56..0000000
--- a/docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html
+++ /dev/null
@@ -1,1227 +0,0 @@
-
-
-  
-    
-    
-    Attribute Specification for the Swedish eID Framework
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Attribute Specification for the Swedish eID Framework
    
-
    Version 1.8 - 2024-11-25 - Draft version
    
-
    Registration number: 2019-310
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Terminology
      
-
       1.2. Requirement key words
      
-
       1.3. Name space references
      
-
       1.4. Structure
      
-
      2. 
-
    2. Attribute Sets
      
-
       2.1. Pseudonym Identity
      
-
       2.2. Natural Personal Identity without Civic Registration Number
      
-
       2.3. Natural Personal Identity with Civic Registration Number
      
-
       2.4. Organizational Identity for Natural Persons
      
-
       2.5. eIDAS Natural Person Attribute Set
      
-
       2.6. Natural Person Identity with HSA-ID
      
-
      3. 
-
    3. Attribute Definitions
      
-
       3.1. Attributes
      
-
       3.1.1. Attribute String Values
      
-
       3.1.2. Multi-valued Attributes
      
-
       3.1.3. Scoped Attributes
      
-
       3.2. SAML Attribute Format
      
-
       3.2.1. The authContextParams Attribute
      
-
       3.2.2. The userCertificate, userSignature and authServerSignature Attributes
      
-
       3.2.3. The sad Attribute
      
-
       3.2.4. The signMessageDigest Attribute
      
-
       3.2.5. The orgAffiliation Attribute
      
-
       3.2.6. The previousPersonalIdentityNumber Attribute
      
-
       3.3. Attributes for the eIDAS Framework
      
-
       3.3.1. The prid and pridPersistence Attributes
      
-
       3.3.2. The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes
      
-
       3.3.3. Conversion of eIDAS Attributes
      
-
       3.3.3.1. Conversion of eIDAS CurrentAddress
      
-
      4. 
-
    4. References
      
-
      5. 
-
    5. Changes between versions
      
-
      6. 
-
    
-
    
-
    
-
    1. Introduction
    
-
    This document specifies an attribute profile for the Swedish eID
-Framework. The attribute profile defines attributes for use within the
-Swedish eID Framework, and a number of defined attribute sets that may
-be referenced by other documents as means to specify specific attribute
-release requirements.
    
-
    
-
    1.1. Terminology
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    TermDefined meaning
    AttributeA property, quality or characteristic of a person, thing or object. This term is used in general in this specification to denote an attribute of a person/entity that is represented by a set of attributes in a SAML attribute statement (see SAML Attribute). This term is also used in this specification when describing XML syntax to denote an attribute (property) of an XML element.
    SAML attributeAn attribute of an entity represented by a set of attributes in a SAML attribute statement (<saml:AttributeStatement> element).
    IDPIdentity Provider
    SPService Provider
    Natural personNatural person is legal term for a real human being, as opposed to a legal person, which may be a private (i.e., business entity) or public (i.e., government) organization.
    Civic registration numberA unique identifier assigned to each natural person in a national population register. Within the context of this specification this is a Swedish ”personnummer” or ”samordningsnummer” according to [SKV704] and [SKV707].
    
-
    
-
    1.2. Requirement key words
    
-
    The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
-“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be
-interpreted as described in [RFC2119].
    
-
    These keywords are capitalized when used to unambiguously specify
-requirements over protocol features and behavior that affect the
-interoperability and security of implementations. When these words are
-not capitalized, they are meant in their natural-language sense.
    
-
    
-
    1.3. Name space references
    
-
    Conventional XML namespace prefixes are used throughout the listings in
-this specification to stand for their respective namespaces as follows,
-whether or not a namespace declaration is present in the example:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    PrefixXML NamespaceComments
    samlurn:oasis:names:tc:SAML:2.0:assertionThe SAML V2.0 assertion namespace, defined in the schema [SAML-XSD].
    xshttp://www.w3.org/2001/XMLSchemaThe XML Schema namespace, representing definitions of data types in [XML-Schema].
    
-
    
-
    1.4. Structure
    
-
    This specification uses the following typographical conventions in text: <ns:Element>, Attribute, Datatype, OtherCode.
    
-
    
-
    2. Attribute Sets
    
-
    This section defines attribute sets based on attribute definitions in
-section 3. Common to all attribute sets is that each attribute MUST NOT
-be present more than once. An attribute that has more than one value
-MUST be provided as one attribute with multiple <AttributeValue>
-sub-elements in accordance with section 3.1.
    
-
    An identifier, named “Attribute Set Identifier”, and an URI, are defined
-for each attribute set as means for other documents to reference
-specific attribute sets.
    
-
    Each attribute set defines a number of mandatory attributes that MUST be
-released by an Attribute Provider* that provides attributes according
-to the given attribute set, and optionally recommended attributes that
-SHOULD be released as part of the attribute set if they are available to
-the provider.
    
-
    Note: An Attribute Provider may also release other attributes, not
-specified by the defined attribute sets it supports. See further section
-6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish
-eID Framework” ([EidDeployProf]).
    
-
    In order to comply with a defined attribute set, the following attribute
-requirements apply:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute requirementDefinition
    REQUIREDAttributes that MUST be present.
    RECOMMENDEDAttributes that SHOULD be present, if available.
    
-
    A defined attribute set does not define any rules for attributes other
-than those listed as required or recommended.
    
-
    
-
    [*]: An Attribute Provider is an entity that releases attributes to a requesting entity. In all practical cases within the Swedish eID Framework this entity is an Identity Provider or an Attribute Authority. Within the eIDAS Framework, the Swedish eIDAS node acts as the Attribute Provider for the Service Providers.
    
-
    
-
    
-
    2.1. Pseudonym Identity
    
-
    Attribute set identifier: ELN-AP-Pseudonym-01
    
-
    URI: http://id.elegnamnden.se/ap/1.0/pseudonym-01
    
-
    This attribute set specifies the condition where there are no mandatory or recommended attributes.
    
-
    Typical use: In a pseudonym attribute release policy that just provides a persistent NameID identifier in the assertion but no attributes.
    
-
    
-
    2.2. Natural Personal Identity without Civic Registration Number
    
-
    Attribute set identifier: ELN-AP-NaturalPerson-01
    
-
    URI: http://id.elegnamnden.se/ap/1.0/natural-person-01
    
-
    The “Personal Identity without Civic Registration Number” attribute set provides basic natural person information without revealing the civic registration number of the subject.
    
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute requirementAttributes
    REQUIREDsn (Surname) 
     givenName (Given name) 
     displayName (Display name)
    
-
    Typical use: In an attribute release policy that provides basic user name information together with a persistent NameID identifier in the assertion.
    
-
    
-
    2.3. Natural Personal Identity with Civic Registration Number
    
-
    Attribute set identifier: ELN-AP-Pnr-01
    
-
    URI: http://id.elegnamnden.se/ap/1.0/pnr-01
    
-
    The “Personal Identity with Civic Registration Number” attribute set provides basic personal identity information including a Swedish civic registration number of the subject.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute requirementAttributes
    REQUIREDsn (Surname) 
     givenName (Given name) 
     displayName (Display name) 
     personalIdentityNumber (National civic registration number)
    RECOMMENDEDdateOfBirth (Date of birth)
    
-
    Typical use: In an attribute release policy that provides basic user name information together with the person’s Swedish civic registration number.
    
-
    
-
    2.4. Organizational Identity for Natural Persons
    
-
    Attribute set identifier: ELN-AP-OrgPerson-01
    
-
    URI: http://id.elegnamnden.se/ap/1.0/org-person-01
    
-
    The “Organizational Identity for Natural Persons” attribute set provides basic organizational identity information about a person. The organizational identity does not necessarily imply that the subject has any particular relationship with or standing within the organization, but rather that this identity has been issued/provided by that organization for any particular reason (employee, customer, consultant, etc.).
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute requirementAttributes
    REQUIREDdisplayName (Display name)* 
     orgAffiliation (Personal identifier and organizational identifier code)** 
     o (Organization name)
    RECOMMENDEDorganizationIdentifier (Organizational identifier code)***
    
-
    Typical use: In an attribute release policy that provides basic organizational identity information about a natural person.
    
-
    The "Organizational Identity for Natural Persons" attribute set defines a minimum set of attributes needed to provide organizational identity information about a person. Should an attribute consumer require additional attributes, such as surname and given name, the personal identity number or an organizational unit name, this can be achieved by either requesting other attribute sets or by explicitly requesting individual attributes. See further section 6.2.1, “Attribute Release and Consuming Rules”, of “Deployment Profile for the Swedish eID Framework” ([EidDeployProf]).
    
-
    
-
    [*]: The displayName attribute MAY contain personal information such as the given name or surname, but it MAY also be used as an anonymized display name, for example, "Administrator 123". This is decided by the issuing organization.
    
-
    
-
    
-
    [**]: See section 3.2.5.
    
-
    
-
    
-
    [***]: The organizational identifier can always be derived from the mandatory orgAffiliation attribute, but an attribute provider supporting the "Organizational Identity for Natural Persons" attribute set SHOULD also release the organizationIdentifier attribute individually. 
    
-
    
-
    
-
    2.5. eIDAS Natural Person Attribute Set
    
-
    Attribute set identifier: ELN-AP-eIDAS-NatPer-01
    
-
    URI: http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01
    
-
    The “eIDAS Natural Person Attribute Set” provides personal identity
-information for a subject that has been authenticated via the eIDAS
-Framework.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute requirementAttributes
    REQUIRED*prid (Provisional ID) 
     pridPersistence (Provisional ID persistence indicator) 
     eidasPersonIdentifier (Mapping of the eIDAS PersonIdentifier attribute) 
     dateOfBirth (Date of birth) 
     sn (Surname) 
     givenName (Given name) 
     c (Country code for the eIDAS country that authenticated the subject) 
    transactionIdentifier (ID of assertion issued by the member state node)**
    REQUIRED
    (if available)***    		birthName (Birth name) 
     placeOfBirth (Place of birth) 
     eidasNaturalPersonAddress (Address for natural person) 
     gender (Gender)
    RECOMMENDEDmappedPersonalIdentityNumber (Mapped national civic registration number) 
     personalIdentityNumberBinding (National civic registration number Binding(s))
    
-
    Typical use: In an attribute release policy implemented by an eIDAS
-connector that provides a complete set of attributes to a requesting
-Service Provider.
    
-
    Note: The mappedPersonalIdentityNumber and personalIdentityNumberBinding
-attributes will be part of the attribute release if the attribute
-provider has access to enough information to provide a binding
-between eIDAS attributes and a Swedish identity number (see section
-3.3.2).
    
-
    The eIDAS attribute set comprises of “added” and “converted” attributes.
    
-
    Added attributes: Attributes that are not provided by the member
-state node, but added by the
-Swedish eIDAS node in order to provide additional information about
-the authenticated subject obtained from relevant domestic attribute
-sources. The prid, pridPersistence and personalIdentityNumber
-attributes are “added attributes”.
    
-
    Converted attributes: Attributes that are the result of a
-conversion process where an eIDAS attribute is converted into a
-single-value string type attribute defined within the Swedish eID
-Framework (see section 3.3.3, “Conversion of eIDAS Attributes”). The
-reason for the conversion is to facilitate processing for attribute
-consumers. The eIDAS attributes are not simple string types, and this
-affects interoperability in a negative way since standard SAML
-software need to be modified to support these attributes. Therefore,
-the Swedish eID node will convert eIDAS attributes to their
-corresponding string value-typed attributes. The
-eidasPersonIdentifier, sn, givenName and dateOfBirth attributes are
-examples of “converted attributes”.
    
-
    
-
    [*]: Attributes “added” by the Swedish eID node and converted attributes for the mandatory attributes of the eIDAS minimum data set for natural persons.
    
-
    
-
    
-
    [**]: The transaction identifier attribute will contain the unique ID of the assertion that was issued by the member state node. This information together with the entityID of the member state node (found in the <saml2:AuthenticatingAuthority> element of an assertion) give a reference to the original assertion and authentication process.
    
-
    
-
    
-
    [***]: Converted attributes for the optional attributes of the eIDAS minimum data set for natural persons.
    
-
    
-
    
-
    2.6. Natural Person Identity with HSA-ID
    
-
    Attribute set identifier: DIGG-AP-HSAid-01
    
-
    URI: http://id.swedenconnect.se/ap/1.0/hsaid-01
    
-
    The “Natural Person Identity with HSA-ID” attribute set provides basic personal identity information including a HSA-ID of the subject (see [SambiAttr]).
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute requirementAttributes
    REQUIREDsn (Surname) 
     givenName (Given name) 
     displayName (Display name) 
     employeeHsaId (HSA-ID)
    RECOMMENDEDdateOfBirth (Date of birth)
    
-
    Typical use: In an attribute release policy that provides basic user name information together with the person’s HSA-ID.
    
-
    
-
    3. Attribute Definitions
    
-
    
-
    3.1. Attributes
    
-
    The following attributes are defined for use within the attribute profile for the Swedish eID Framework:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Attribute abbreviationSAML attribute nameDescriptionUse within this specificationMulti-valuedScopedExample
    snurn:oid:2.5.4.4SurnameRegistered surname.NoNoLindeman
    givenNameurn:oid:2.5.4.42Given NameRegistered given name.NoNoValfrid
    displayNameurn:oid:2.16.840.1.
    113730.3.1.241    		Display NameA name in any preferred presentation format.NoNoValfrid Lindeman
    genderurn:oid:1.3.6.1.5.5.7.9.3GenderA one letter representation (“M”/”F”/”U” or “m”/“f”/”u”) representing the subject’s gender, where “M” represents male, “F” represents female and “U” is used for unspecified, or unknown, gender.NoNoM
    personalIdentity-
    Number    		urn:oid:1.2.752.29.4.13National civic registration number/codeSwedish ”personnummer” or ”samordningsnummer” according to SKV 704 and SKV 707. 12 digits without hyphen.NoNo195006262546
    previousPersonal-
    IdentityNumber    		urn:oid:1.2.752.201.3.15A user's previous national civic registration number, see section 3.2.6 below.See personalIdentityNumber above.NoNo197010632391
    dateOfBirthurn:oid:1.3.6.1.5.5.7.9.1Date of birthDate of birth expressed using the format YYYY-MM-DD.NoNo1950-06-26
    birthNameurn:oid:1.2.752.201.3.8Name at the time of birthFull name of a person at birth.NoNoValfrid Danielsson
    streeturn:oid:2.5.4.9Street addressStreet address.NoNoMosebacke torg 3
    postOfficeBoxurn:oid:2.5.4.18Post boxPost box.NoNoBox 1122
    postalCodeurn:oid:2.5.4.17Postal codePostal code.NoNo11826
    lurn:oid:2.5.4.7LocalityLocality.NoNoStockholm
    curn:oid:2.5.4.6CountryISO 3166-1 alpha-2 [ISO3166] two letter country code.NoNoSE
    placeOfBirthurn:oid:1.3.6.1.5.5.7.9.2Place of birthA string representing the place of birth.NoNoStockholm
    countryOfCitizenshipurn:oid:1.3.6.1.5.5.7.9.4Country of citizenshipISO 3166-1 alpha-2 [ISO3166] two letter country code representing a country of citizenship.YesNoSE
    countryOfResidenceurn:oid:1.3.6.1.5.5.7.9.5Country of ResidenceISO 3166-1 alpha-2 [ISO3166] two letter country code representing the country of residence.NoNoSE
    telephoneNumberurn:oid:2.5.4.20Telephone numberTelephone number.YesNo+46890510
    mobileurn:oid:0.9.2342.
    19200300.100.1.41    		Mobile numberMobile number.YesNo+46703419886
    mailurn:oid:0.9.2342.
    19200300.100.1.3    		E-mail addressE-mail address.YesYes/No*vfl@mosebackemonarki.se
    ourn:oid:2.5.4.10Organization nameRegistered organization name.NoNoSkatteverket
    ouurn:oid:2.5.4.11Organizational unit nameOrganizational unit name.YesNoIT-Avdelningen
    organizationIdentifierurn:oid:2.5.4.97Organizational identifier codeSwedish “organisationsnummer” according to SKV 709. 10 digits without hyphen.NoNo5562265719
    orgAffiliationurn:oid:1.2.752.201.3.1<uid>@<orgnr>Personal ID @ Swedish ”organisationsnummer” according to SKV 709. 10 digits without hyphen.YesYesvlindman@5562265719
    See section 3.2.5 below.
    transactionIdentifierurn:oid:1.2.752.201.3.2Transaction identifierTransaction identifier for an event, e.g. an authentication process.NoNo9878HJ6687 (arbitrary string)
    authContextParamsurn:oid:1.2.752.201.3.3Authentication Context Parameters.Key-value pairs from an authentication process. Defined by issuing entity.NoNoSee section 3.2.1 below.
    userCertificateurn:oid:1.2.752.201.3.10User certificateBase64-encoding of a user certificate.NoNoSee section 3.2.2 below.
    userSignatureurn:oid:1.2.752.201.3.11User signatureBase64-encoding of a signature object applied by the user.NoNoSee section 3.2.2 below.
    authServerSignatureurn:oid:1.2.752.201.3.13Authentication server signatureBase64-encoding of a authentication server signature.NoNoSee section 3.2.2 below.
    sadurn:oid:1.2.752.201.3.12Signature activation dataSignature activation data required by signature services.NoNoSee section 3.2.3 below.
    signMessageDigesturn:oid:1.2.752.201.3.14Sign message digestIncluded in assertions as a proof that a user sign message was displayed.NoNoSee section 3.2.4 below.
    pridurn:oid:1.2.752.201.3.4Provisional identifierUnique identifier for an authentication performed against the eIDAS Framework. See section 3.3.1 below.NoNoNO:5068907693
    pridPersistenceurn:oid:1.2.752.201.3.5Provisional identifier persistence indicatorIndicator for the expected persistence of the prid attribute. See section 3.3.1 below.NoNoA
    personalIdentity-
    NumberBinding    		urn:oid:1.2.752.201.3.6National civic registration number/code binding URIURI(s) identifying the binding process(es) performed of the mappedPersonalIdentityNumber attribute added by eIDAS connector. See section 3.3.2 below.NoNohttp://id.swedenconnect.se/
    id-binding/process/populationregister
    mappedPersonal-
    IdentityNumber    		urn:oid:1.2.752.201.3.16Mapped national civic registration numberA "mapped" personalIdentityNumber, see section 3.3.2.NoNo195006262546
    eidasPersonIdentifierurn:oid:1.2.752.201.3.7eIDAS uniqueness identifier for natural personsMaps the eIDAS PersonIdentifier attribute to a string attribute within the scope of the Swedish eID Framework attribute set.NoNoES/AT/02635542Y (Spanish eID number for an Austrian SP)
    eidasNatural-
    PersonAddress    		urn:oid:1.2.752.201.3.9eIDAS Natural Person AddressAttribute for converting the eIDAS CurrentAddress attribute into an attribute having a string type value.NoNoSee section 3.3.3.1 below.
    employeeHsaIdurn:oid:1.2.752.29.6.2.1HSA-IDPerson identifier used by Swedish health care organizations.NoNoSee [SambiAttr].
    
-
    
-
    [*]: The mail attribute should be regarded as a scoped attribute (see 3.1.3 below) if the attribute release policy in use has stated it as scoped. Such a policy can for example be that the attribute is part of an attribute set (see section 2) that documents the attribute as scoped. In all other cases the attribute is regarded as non-scoped.
    
-
    
-
    
-
    3.1.1. Attribute String Values
    
-
    All attributes, unless stated otherwise in this table, holds string values using the UTF-8 character set using the xs:string data type. Certain attributes such as mail, personalIdentityNumber, organizationIdentifier, telephoneNumber and mobile use a restricted character set according to its defined usage within this specification.
    
-
    All attributes use the “caseIgnoreMatch” matching rule as defined by X.520 [X.520]. That is, case-insensitive comparison where insignificant spaces are ignored.
    
-
    
-
    3.1.2. Multi-valued Attributes
    
-
    Attributes with a “No” value in the column "Multi-valued" MUST NOT have more than one <AttributeValue> sub-element. Attributes with a “Yes” value in the column "Multi-valued" MAY have one or more <AttributeValue> sub-elements.
    
-
    
-
    3.1.3. Scoped Attributes
    
-
    Attributes with a "Yes" value in the column "Scoped" are scoped attributes. A scoped attribute expresses values in a string-valued attribute of the form value@scope, where scope takes the form of a domain name or something similar such as an organizational identifier.
    
-
    An Identity Provider wishing to release scoped attributes must register the scopes with the federation operator. After the federation operator has authorized the Identity Provider for the given scopes, they are declared in the Identity Provider's metadata entry. See section 2.1.3.1 of [EidDeployProf] for details.    
    
-
    A Service Provider consuming a scoped attribute SHOULD assert that the issuing Identity Provider is authorized to issue attributes with the given scope by checking the Identity Provider's metadata entry as described in section 6.2.1 of [EidDeployProf].
    
-
    Note: The value part of a scoped attribute MAY contain a @-character, for example when the value part is an email address, or a User Principal Name (UPN). Therefore, consumers of scoped attributes MUST use the last @-character as a delimiting character when splitting a scoped attribute into its value and scope parts.
    
-
    
-
    3.2. SAML Attribute Format
    
-
    The <saml:Attribute> element representing an attribute in 3.1 SHALL comply with the following requirements:
    
-
      
-
    • The NameFormat attribute SHALL have the value urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
      
-
      • 
-
    • The Name attribute SHALL hold a URI according to the table in section 3.1.
      
-
      • 
-
    • The FriendlyName attribute is OPTIONAL.
      
-
      • 
-
    • All <AttributeValue> sub-elements SHALL, unless stated otherwise in the table in section 3.1, have an xsi:type attribute specifying the type "xs:string".
      
-
      • 
-
    
-
    The following is an example of the surname attribute. Its name is “urn:oid:2.5.4.4”, its friendly name is “sn” and the value is represented using a string type.
    
-
    <saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                           FriendlyName="sn"
-                           Name="urn:oid:2.5.4.4"
-                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-  <saml2:AttributeValue xsi:type="xs:string">Eriksson</saml2:AttributeValue>
-</saml2:Attribute>
    
-
    3.2.1. The authContextParams Attribute
    
-
    The attribute authContextParams holds key-value pairs. Its purpose is to store key-value pairs representing data from an authentication process. The data stored in this attribute is generally not defined by the Swedish eID Framework, but instead by the issuing party (i.e., the Identity Provider).
    
-
    The authContextParams attribute is a non-empty single-value attribute where the attribute value contains the key-value pairs separated by semicolons. The key and value of each pair is separated by a ‘=’ character and both the key and value MUST be URL-encoded.
    
-
    Below follows an example of how the authContextParams attribute is populated with two key-value pairs, "foo" that stores the value "ÅÄÖ", and "bar" that stores the value "123".
    
-
    ...
-<saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    
-                           FriendlyName="authContextParams"
-                           Name="urn:oid:1.2.752.201.3.3"
-                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-  <saml2:AttributeValue xsi:type="xs:string">foo=%C3%85%C3%84%C3%96;bar=123</saml2:AttributeValue>
-</saml2:Attribute>
-...
    
-
    3.2.2. The userCertificate, userSignature and authServerSignature Attributes
    
-
    Identity Providers that implement a PKI-based authentication method may
-make use of the userCertificate and userSignature attributes.
    
-
    The userCertificate attribute holds, as its value, a base64-encoding of
-the X.509 certificate presented by the subject during authentication.
    
-
    The userSignature attribute contains a base64-encoding of a signature
-object that was created by the subject during the authentication*
-process.
    
-
    The authServerSignature may be included in assertions in cases where there are requirements to include a digitally signed proof from the authentication server at which the end user authenticated. This is mainly useful in cases where the SAML Identity Provider delegates end user authentication to a subordinate authentication server.
    
-
    
-
    [*]: Note that an authentication process, may be “authentication for signature” as specified in section 7 of [EidDeployProf].
    
-
    
-
    
-
    3.2.3. The sad Attribute
    
-
    The sad attribute holds Signature Activation Data that is required by a
-signature service in order to service a signature request in accordance
-with CEN EN 419 241-2. The sad attribute holds a single string
-attribute value. The format of the string value is defined in the "Signature Activation Protocol 
-for Federated Signing" specification [SigSAP].
    
-
    
-
    3.2.4. The signMessageDigest Attribute
    
-
    The signMessageDigest attribute is included in an assertion as a proof that an Identity Provider displayed
-a sign message for the user and that the user actively confirmed acceptance of this sign message. This sign 
-message is the SignMessage extension that may be included in an authentication request by Signature Service 
-Service Providers. See section 7 of [EidDeployProf] for details.
    
-
    The attribute value format for the signMessageDigest attribute is digest-algorithm-identifier;sign-message-digest, where
-digest-algorithm-identifier is the XML Security algorithm URI identifier of the selected digest algorithm and
-sign-message-digest is base64(digest(msg)). The msg is the UTF-8 encoded bytes of the sign message that was displayed. It equals the csig:Message element value of the csig:SignMessage ([DSSExt]). Thus, if the csig:Message element is encrypted into a csig:EncryptedMessage, the element value after decryption should be used.
    
-
    Entities compliant with this specification MUST use http://www.w3.org/2001/04/xmlenc#sha256 as the digest algorithm, 
-unless the recipient of the signMessageDigest attribute has declared another digest algorithm as preferred in its
-metadata entry (see section 2.1.1.3 of [EidDeployProf]). In those cases this algorithm MAY be used.
    
-
    Example:
    
-
    Suppose that the unencrypted message is "I hereby confirm that I want to join example.com as a customer". This is
-represented as:
    
-
    <csig:Message>
-  SSBoZXJlYnkgY29uZmlybSB0aGF0IEkgd2FudCB0byBqb2luIGV4YW1wbGUuY29tIGFzIGEgY3VzdG9tZXI=
-</csig:Message>
    The input to the digesting operation is the value bytes of the csig:Message element which is UTF-8 encoded bytes
-of the actual sign message*.
    
-
    The signMessageDigest attribute for the above example will then be:
    
-
    <saml2:Attribute FriendlyName="signMessageDigest" Name="urn:oid:1.2.752.201.3.14"
-  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-  <saml2:AttributeValue xsi:type="xsd:string">
-    http://www.w3.org/2001/04/xmlenc#sha256;0yKaSVsYeh+PX2Q6diqO2w89+a3Dm303tp3AVjgxwj0=
-  </saml2:AttributeValue>
-</saml2:Attribute>
    
-
    3.2.5. The orgAffiliation Attribute
    
-
    The orgAffiliation attribute is intended to be used as a primary identity attribute for personal organizational identities. It consists of a personal identifier and an organizational identifier code (organizationIdentifier). 
    
-
    This specification does not impose any specific requirements concerning the personal identifier part of the attribute other than that it MUST be unique for the given organization.
    
-
    Note: In the general case, an attribute consumer MUST NOT assume a particular format or meaning of the personal identifier part since different organizations may use different formats. An attribute consumer should also be aware that a personal identifier separated from its organizational identifier code can not be regarded as unique. 
    
-
    Note: The orgAffiliation is a scoped attribute meaning that producing and consuming such an attribute MUST follow the rules given in sections 2.1.3.1 and 6.2.1 of [EidDeployProf].
    
-
    
-
    3.2.6. The previousPersonalIdentityNumber Attribute
    
-
    The personalIdentityNumber attribute can contain a Swedish personal identity number (personnummer), [SKV704], or a Swedish coordination number (samordningsnummer), [SKV707]. All individuals born in Sweden or moving to Sweden with the intention 
-of staying one year or longer is assigned a personal identity number and registered in the
-population register. A coordination number may be assigned to a person that is not registered, 
-but has the need to communicate with various government authorities, healthcare institutions,
-higher education and banks.
    
-
    In some cases a person may hold a coordination number during a period before he or she is
-assigned a personal identity number. A typical use case is a person that seeks asylum and
-later is given a residence permit. In this case the person first may hold a coordination number
-and if a residence permit is given a personal identity number will be assigned.
    
-
    For a service provider this may lead to problems since the primary identifier for a person
-has changed. A login with the newly assigned identifier will not match the user account
-previously used by this individual.
    
-
    This profile defines the previousPersonalIdentityNumber attribute to enable matching a
-previously held identity number to a newly assigned identity number. The previousPersonalIdentityNumber attribute is typically released together with the "new" 
-personalIdentityNumber attribute in order to facilitate account matching at a service provider.
    
-
    This attribute is not part of any attribute sets defined in the profile. Attribute consumers
-wishing to receive the attribute should declare the these requirement in their metadata entries
-(using a <md:RequestedAttribute> element).
    
-
    
-
    3.3. Attributes for the eIDAS Framework
    
-
    
-
    3.3.1. The prid and pridPersistence Attributes
    
-
    Assertions (with attribute statements) issued from a member state eIDAS
-node contain a set of attributes identifying the authenticated subject.
-Attributes obtained from other conformant eIDAS nodes will provide an
-eIDAS unique identifier but it can not be ruled out that the Swedish
-eIDAS node may be adopted to accept authentication from non eIDAS
-compliant nodes, such as when accepting authentication from countries
-outside of EU such as the USA.
    
-
    Therefore, the Swedish eIDAS connector enriches attribute statements
-with the provisional ID (prid) and provisional ID persistence
-(pridPersistence) attributes.
    
-
    The prid attribute is designed to provide one common unique attribute of
-the user in a common format regardless of the composition of the
-original attributes received from the authenticating source. The prid
-attribute value is not stored in any registry, but derived from the
-received attributes at each authentication instant according to defined
-algorithms specified in [ConstructedAttr]. The algorithm ensures that
-each prid is unique for each authenticated entity, but does not ensure
-persistence. If the attributes received for an entity changes over time,
-the prid attribute may also change dependent on the defined prid
-generation algorithm for that attribute source.
    
-
    The pridPersistence attribute provides an indication of the expected
-persistence over time for a present prid attribute value. The value of
-this attribute is determined from the selected prid generation algorithm
-in combination with the attribute source. For example, a prid derived
-from a Norwegian eIDAS unique identifier has longer persistence
-expectancy than a prid derived from the same attribute from the UK or
-Germany. This attribute helps Service Providers to apply different UI
-and service functions for users with different persistence expectancy.
-This may assist users with low persistence expectancy to regain control
-of their user account, should their prid change in the future.
    
-
    The specification “eIDAS Constructed Attributes Specification for the
-Swedish eID Framework”, [ConstructedAttr], declares the details for
-how the prid and pridPersistence attributes are generated and how they
-should be processed.
    
-
    
-
    3.3.2. The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes
    
-
    When an authentication for a natural person is performed against the
-eIDAS Framework, the Swedish eIDAS connector will query the Identity Binding Service
-for a binding between the attributes found in the assertion received from the foreign
-eIDAS-node and a Swedish personal identity number.  If such a mapping exists, and the user consents to it being used, the assertion will be extended with a mappedPersonalIdentityNumber attribute holding the "mapped" Swedish civic registration number ("personnummer" or "samordningsnummer").
    
-
    This mapping, or binding, can be performed using a number of different processes,
-each identified by a URI. Therefore, if the eIDAS connector extends an assertion with a 
-mappedPersonalIdentityNumber attribute, it MUST also include the personalIdentityNumberBinding attribute. This attribute contains a semicolon separated list of URI:s that identify the binding process applied to obtain the binding. See [ID-Binding] for the possible values.
    
-
    If these bindings are acceptable for a Service Provider processing an assertion (containing the mappedPersonalIdentityNumber attribute), the Service Provider MAY treat the contents of the mappedPersonalIdentityNumber attribute as it would have received the personalIdentityNumber attribute, otherwise the Service Provider SHOULD NOT use the identity found in the mappedPersonalIdentityNumber attribute to login the user.
    
-
    
-
    Note: The reason that an ordinary personalIdentityNumber attribute is not
-used to represent a mapped civic registration number is that it is essential that
-the consuming entity always verifies that the binding process under which the 
-mapping was performed is acceptable, before proceeding with the authentication 
-process.
    
-
    
-
    
-
    3.3.3. Conversion of eIDAS Attributes
    
-
    The attributes specified within eIDAS ([eIDAS_Attr]) does not use
-simple string type values. Instead each attribute is represented using
-its own dedicated XML data type. This affects interoperability in a
-negative way since most standard SAML software need to be modified to
-support these attributes. Therefore, the Swedish eID Framework defines
-mappings for all eIDAS attributes to attributes having definitions that
-are more suitable for processing using standard SAML software.
    
-
    Below follows a listing of how the attributes for the eIDAS minimum data
-set for Natural Persons are converted into attributes supported by the
-Swedish eID Framework.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    eIDAS attributeSwedish eID attribute
    PersonIdentifier 
     http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier    		eidasPersonIdentifier 
     urn:oid:1.2.752.201.3.7
    FamilyName 
     http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName    		sn 
     urn:oid:2.5.4.4
    FirstName 
     http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName    		givenName 
     urn:oid:2.5.4.42
    DateOfBirth 
     http://eidas.europa.eu/attributes/naturalperson/DateOfBirth    		dateOfBirth 
     urn:oid:1.3.6.1.5.5.7.9.1
    BirthName 
     http://eidas.europa.eu/attributes/naturalperson/BirthName    		birthName 
     urn:oid:1.2.752.201.3.8
    PlaceOfBirth 
     http://eidas.europa.eu/attributes/naturalperson/PlaceOfBirth    		placeOfBirth 
     urn:oid:1.3.6.1.5.5.7.9.2
    CurrentAddress 
     http://eidas.europa.eu/attributes/naturalperson/CurrentAddress    		eidasNaturalPersonAddress 
     urn:oid:1.2.752.201.3.9 
     See section 3.3.3.1 below.
    Gender 
     http://eidas.europa.eu/attributes/naturalperson/Gender    		gender 
     urn:oid:1.3.6.1.5.5.7.9.3
    Nationality
    http://eidas.europa.eu/attributes/naturalperson/Nationality    		countryOfCitizenship
    urn:oid:1.3.6.1.5.5.7.9.4
    CountryOfBirth
    http://eidas.europa.eu/attributes/naturalperson/CountryOfBirth    		Will be added as the last element of placeOfBirth (see above)
    TownOfBirth
    http://eidas.europa.eu/attributes/naturalperson/TownOfBirth    		Ignored if the eIDAS attribute PlaceOfBirth is assigned. Otherwise placed as first element of placeOfBirth.
    CountryOfResidence
    http://eidas.europa.eu/attributes/naturalperson/CountryOfResidence    		countryOfResidence
    urn:oid:1.3.6.1.5.5.7.9.5
    PhoneNumber
    http://eidas.europa.eu/attributes/naturalperson/PhoneNumber    		telephoneNumber
    urn:oid:2.5.4.20
    EmailAddress
    http://eidas.europa.eu/attributes/naturalperson/EmailAddress    		mail
    urn:oid:0.9.2342.19200300.100.1.3
    
-
    Note: When converting an eIDAS attribute that makes use of
-“transliteration” (as described in section 2.4 of [eIDAS_Attr])
-attribute values having the LatinScript attribute set to false will not
-be part of the resulting attribute.
    
-
    
-
    3.3.3.1. Conversion of eIDAS CurrentAddress
    
-
    The eIDAS attribute CurrentAddress is defined in section 2.2.9 of
-[eIDAS_Attr]. Its value is a Base64-encoding of an XML-structure of
-the type CurrentAddressStructuredType.
    
-
    <xsd:complexType name="CurrentAddressStructuredType">
-  <xsd:annotation>
-    <xsd:documentation>
-      Current address of the natural person.
-    </xsd:documentation>
-  </xsd:annotation>
-  <xsd:sequence>
-    <xsd:element name="PoBox" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="LocatorDesignator" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="LocatorName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="CvaddressArea" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="Thoroughfare" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="PostName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="AdminunitFirstline" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="AdminunitSecondline" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-    <xsd:element name="PostCode" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-  </xsd:sequence>
-</xsd:complexType>
    An example of an instance of a CurrentAddress attribute would look as
-follows:
    
-
    <saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                           FriendlyName="CurrentAddress"
-                           Name="http://eidas.europa.eu/attributes/naturalperson/CurrentAddress"
-                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-  <saml2:AttributeValue xsi:type="eidas:CurrentAddressType">
-    PGVpZGFzOkxvY2F0b3JEZXNpZ25hdG9yPjIyPC9laWRhczpMb2NhdG9yRGVzaWduYX
-    Rvcj48ZWlkYXM6VGhvcm91Z2hmYXJlPkFyY2FjaWEgQXZlbnVlPC9laWRhczpUaG9y
-    b3VnaGZhcmU+DQo8ZWlkYXM6UG9zdE5hbWU+TG9uZG9uPC9laWRhczpQb3N0TmFtZT
-    4NCjxlaWRhczpQb3N0Q29kZT5TVzFBIDFBQTwvZWlkYXM6UG9zdENvZGU+
-  </saml2:AttributeValue>
-</saml2:Attribute>
    The value is the Base64-encoding of the following XML-snippet:
    
-
    <eidas:LocatorDesignator>22</eidas:LocatorDesignator>
-<eidas:Thoroughfare>Arcacia Avenue</eidas:Thoroughfare>
-<eidas:PostName>London</eidas:PostName>
-<eidas:PostCode>SW1A 1AA</eidas:Postcode>
    This is not easily processed by standard SAML-software, and requires
-several steps including XML-decoding of an incomplete XML-snippet.
-Therefore, the Swedish eID Framework defines the
-eidasNaturalPersonAddress attribute to be used when the Swedish eIDAS
-node converts the eIDAS CurrentAddress attribute.
    
-
    The eidasNaturalPersonAddress attribute is defined to be a non-empty
-single-value attribute containing key-value pairs separated by
-semicolons. The keys are element names from the
-CurrentAddressStructuredType type and the value-parts are their
-corresponding values. The key and value of each pair is separated by a
-‘=’ character and both the key and value MUST be URL-encoded.
    
-
    The eIDAS-attribute CurrentAddress above will thus be converted to the
-following attribute:
    
-
    <saml2:Attribute xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                           FriendlyName="eidasNaturalPersonAddress"
-                           Name="urn:oid:1.2.752.201.3.9"
-                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-  <saml2:AttributeValue xsi:type="xs:string">
-    LocatorDesignator=22;Thoroughfare=Arcacia%20Avenue;PostName=London;PostCode=SW1A%201AA
-  </saml2:AttributeValue>
-</saml2:Attribute>
    
-
    4. References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[SAML2Core]
    
-
    
-
    OASIS Standard, Assertions and Protocols for the OASIS Security
-Assertion Markup Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2SubjAttr]
    
-
    
-
    OASIS Standard, SAML V2.0 Subject Identifier Attributes Profile Version 1.0, January 2019.
    
-
    
-
    
-[SKV704]
    
-
    
-
    Skatteverket, SKV 704 Utgåva 8,
-Personnummer.
    
-
    
-
    
-[SKV707]
    
-
    
-
    Skatteverket, SKV 707, Utgåva 2,
-Samordningsnummer.
    
-
    
-
    
-[SKV709]
    
-
    
-
    Skatteverket, SKV 709, Utgåva 8, Organisationsnummer.
    
-
    
-
    
-[ID-Binding]
    
-
    
-
    Binding of eIDAS Attributes to Swedish Personal Identity Numbers
    
-
    
-
    
-[X.520]
    
-
    
-
    ITU-T X.520 - Open Systems Interconnection – The Directory: Selected attribute types.
    
-
    
-
    
-[SAML-XSD]
    
-
    
-
    S. Cantor et al., SAML assertions schema. OASIS SSTC, March 2005.
-Document ID saml-schema-assertion-2.0. See
-http://www.oasisopen.org/committees/security/.
    
-
    
-
    
-[XML-Schema]
    
-
    
-
    XML Schema Part 2: Datatypes Second Edition, W3C Recommendation, 28
-October 2004. See http://www.w3.org/TR/xmlschema-2/.
    
-
    
-
    
-[ISO3166]
    
-
    
-
    Codes for the representation of names of countries and their
-subdivisions Part 1: Country codes, ISO standard, ISO 3166-1.
    
-
    
-
    
-[SambiAttr]
    
-
    
-
    Sambi Attributspecifikation.
    
-
    
-
    
-[TillitRamv]
    
-
    
-
    Tillitsramverket för Svensk e-legitimation.
    
-
    
-
    
-[EidDeployProf]
    
-
    
-
    Deployment Profile for the Swedish eID Framework.
    
-
    
-
    
-[ConstructedAttr]
    
-
    
-
    eIDAS Constructed Attributes Specification for the Swedish eID Framework.
    
-
    
-
    
-[eIDAS_Attr]
    
-
    
-
    eIDAS SAML Attribute Profile, version 1.2, 21 May 2019.
    
-
    
-
    
-[SigSAP]
    
-
    
-
    Signature Activation Protocol for Federated Signing.
    
-
    
-
    
-[DSSExt]
    
-
    
-
    DSS Extension for Federated Central Signing Services.
    
-
    
-
    
-
    5. Changes between versions
    
-
    Changes between version 1.7 and version 1.8:
    
-
      
-
    • In section 3.1.3, "Scoped Attributes", a note about @-characters in scoped values was added.
      
-
      • 
-
    • Updated link to Sambi attribute specification.
      
-
      • 
-
    • Section 3.3.2, "The mappedPersonalIdentityNumber and personalIdentityNumberBinding Attributes", was updated.
      
-
      • 
-
    • Section 3.3.3, "Conversion of eIDAS Attributes", was extended to contain mappings for the optional eIDAS attributes: Nationality, CountryOfBirth, TownOfBirth, CountryOfResidence, PhoneNumber and EmailAddress.
      
-
      • 
-
    
-
    Changes between version 1.6 and version 1.7:
    
-
      
-
    • Section 2.4, "Organizational Identity for Natural Persons", was updated to define a minimum set of attributes for providing personal orgazational identity information.
      
-
      • 
-
    • Section 3.2.5, "The orgAffiliation Attribute", was introduced.
      
-
      • 
-
    • The concept of "scoped attributes" was introduced, see section 3.1.3.
      
-
      • 
-
    • The previousPersonalIdentityNumber attribute was added, see section 3.2.6.
      
-
      • 
-
    • The mappedPersonalIdentityNumber attribute was added (see section 3.3.2), and the
-attribute set "eIDAS Natural Person Attribute Set" (section 2.5) was changed so that
-a mappedPersonalIdentityNumber attribute is delivered instead of a 
-personalIdentityNumber attribute if the eIDAS identity can be mapped to a Swedish 
-identity number.
      
-
      • 
-
    
-
    Changes between version 1.5 and version 1.6:
    
-
      
-
    • References were updated to point at the latest versions of the "Tillitsramverk för Svensk e-legitimation" and "eIDAS SAML Attribute Profile" specifications.
      
-
      • 
-
    • Section 2.5, "eIDAS Natural Person Attribute Set", was updated so that the c (country) attribute is a required attribute for this attribute set.
      
-
      • 
-
    • The attribute signMessageDigest was introduced (see section 3.2.4).
      
-
      • 
-
    • The HSA-ID attribute was specified.
      
-
      • 
-
    
-
    Changes between version 1.4 and version 1.5:
    
-
      
-
    • Section 3.2.3 was updated with a reference to the SAP specification as source for defining the content of the sad attribute.
      • 
-
    • Fix of invalid links for SKV704 and SKV707.
      • 
-
    • Section 2.3, "Natural Personal Identity with Civic Registration Number (Personnummer)", was updated so that the dateOfBirth-attribute is listed as a recommended attribute for the attribute set http://id.elegnamnden.se/ap/1.0/pnr-01.
      • 
-
    
-
    Changes between version 1.3 and version 1.4:
    
-
      
-
    • Attributes for mapping eIDAS-attributes have been defined (section
-  3.1 and 3.3).
      
-
      • 
-
    • The eIDAS Natural Person Attribute Set has been defined (section
-  2.5).
      
-
      • 
-
    • The definition of the gender-attribute was extended to also include
-  “U” (for unspecified or unknown).
      
-
      • 
-
    • For interoperability and implementations reasons, the definition of
-  the dateOfBirth-attribute has been changed so that it is represented
-  as an xs:string type on the format YYYY-MM-DD, instead of the
-  xs:date type.
      
-
      • 
-
    •   Attributes userCertificate, userSignature, authServerSignature and sad were added.
      
-
      • 
-
    
-
    Changes between version 1.2 and version 1.3:
    
-
      
-
    • This specification no longer uses the term “attribute profile” for
-  named collections of attributes for different scenarios. Instead the
-  term “attribute set” is used.
      
-
      • 
-
    • Definitions of attribute sets (profiles) have been changed to be
-  more flexible and to focus only on which attributes that should be
-  included in an attribute release. Attribute set requirements now
-  include “required” and “recommended” attributes instead of
-  “required”, “allowed”, “if requested” and “prohibited”. See
-  section 2.
      
-
      • 
-
    • The contents of the previous chapter 2, “NameID”, were moved to the
-  “Deployment Profile for the Swedish eID Framework” document.
      
-
      • 
-
    • The attribute displayName is now specified as “required” for the
-  “Natural Personal Identity with Civic Registration Number
-  (Personnummer)” (ELN-AP-NaturalPerson-01) attribute set (profile).
-  See section 2.3.
      
-
      • 
-
    • The attributes o (Organization) and displayName are now specified as
-  “required” for the “Organizational Identity for Natural Persons”
-  (ELN-AP-OrgPerson-01) attribute set (profile). See section 2.4.
      
-
      • 
-
    • The attributes givenName and sn (surname) are now specified as
-  “required” for the “Natural Personal Identity without Civic
-  Registration Number” (ELN-AP-NaturalPerson-01) attribute set
-  (profile). See section 2.2.
      
-
      • 
-
    • The attributes transactionIdentifier and authContextParams were
-  introduced (see sections 3.1 and 3.2.1).
      
-
      • 
-
    
-
    Changes between version 1.1 and version 1.2:
    
-
      
-
    • Attribute Profiles are now also represented with valid URIs as well
-  as their textual identifiers.
      • 
-
    
-
    Changes between version 1.0 and version 1.1:
    
-
      
-
    • In chapter 3.4, “Organizational Identity for Natural Persons”, some
-  attributes were listed as both prohibited and allowed. This has been
-  fixed.
      • 
-
    
-    
    
-  
-
diff --git a/docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html b/docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html
new file mode 120000
index 0000000..2841068
--- /dev/null
+++ b/docs/updates/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html
@@ -0,0 +1 @@
+../december-2024/04_-_Attribute_Specification_for_the_Swedish_eID_Framework.html
\ No newline at end of file
diff --git a/docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html b/docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html
deleted file mode 100644
index 48ba5df..0000000
--- a/docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html
+++ /dev/null
@@ -1,689 +0,0 @@
-
-
-  
-    
-    
-    Entity Categories for the Swedish eID Framework
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Entity Categories for the Swedish eID Framework
    
-
    Version 1.9 - 2024-11-25 - Draft version
    
-
    Registration number: 2019-311
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (Digg), 2015-2024. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirements Notation
      
-
       1.2. References to SAML 2.0 Standards and Profiles
      
-
       1.3. Consuming and Providing Services
      
-
       1.4. Use in Discovery
      
-
       1.5. Representation of Entity Categories in Metadata
      
-
      2. 
-
    2. Definitions for Service Entity Categories
      
-
       2.1. Natural Personal Identity with Civic Registration Number
      
-
       2.1.1. loa2-pnr
      
-
       2.1.2. loa3-pnr
      
-
       2.1.3. loa4-pnr
      
-
       2.1.4. eidas-pnr-delivery
      
-
       2.2. eIDAS Natural Person Attribute Set
      
-
       2.2.1. eidas-naturalperson
      
-
       2.3. Organizational Identity for Natural Persons
      
-
       2.3.1. loa2-orgid
      
-
       2.3.2. loa3-orgid
      
-
       2.3.3. loa4-orgid
      
-
       2.4. Natural Personal Identity without Civic Registration Number
      
-
       2.4.1. loa2-name
      
-
       2.4.2. loa3-name
      
-
       2.4.3. loa4-name
      
-
      3. 
-
    3. Definitions for Service Property Categories
      
-
       3.1. mobile-auth
      
-
       3.2. scal2
      
-
      4. 
-
    4. Definitions for Service Type Entity Categories
      
-
       4.1. sigservice
      
-
       4.2. public-sector-sp
      
-
       4.3. private-sector-sp
      
-
      5. 
-
    5. Service Contract Categories
      
-
      6. 
-
    6. General Entity Categories
      
-
       6.1. secure-authenticator-binding
      
-
       6.2. accepts-coordination-number
      
-
       6.3. supports-user-message
      
-
      7. 
-
    7. References
      
-
      8. 
-
    8. Changes between versions
      
-
      9. 
-
    
-
    
-
    
-
    1. Introduction
    
-
    This specification contains the Entity Category definitions that are
-defined for the Swedish eID Framework and that should be supported by
-Service Providers and Identity Providers that are part of the
-federation.
    
-
    The use of Entity Categories for the Swedish eID Framework is restricted
-to SAML metadata where Entity Categories are placed as SAML attributes
-under the <mdattr:EntityAttributes> element
-([SAML2MetaAttr]) for an <md:Extensions> element
-([SAML2Meta]).
    
-
    <md:EntityDescriptor entityID="https://eid.example.com/entityid">
-  <md:Extensions>
-    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
-    ... 
-      <saml:Attribute Name="http://macedir.org/entity-category"
-                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">
-          http://id.elegnamnden.se/ec/1.0/loa3-pnr
-        </saml:AttributeValue>    
-      </saml:Attribute>    
-    </mdattr:EntityAttributes>    
-  </md:Extensions>    
-  ...
    The Entity Category identifier
-http://id.elegnamnden.se/ec/1.0/loa3-pnr specified as an entity
-attribute for a Service Provider or Identity Provider.
    
-
    Five types of Entity Categories are used within the federation:
    
-
      
-
    • Service entity category – Identifiers for entity categories
-  representing sets of requirements.
      
-
      • 
-
    • Service property categories – Identifiers for defined service
-  properties.
      
-
      • 
-
    •   Service type categories – Identifiers for defined service types.
      
-
      • 
-
    •   Service contract categories - Identifiers for labelling entities based on contracts or business agreements.
      
-
      • 
-
    •    General categories - Identifiers defined within the Swedish eID Framework for miscellaneous purposes.
      
-
      • 
-
    
-
    
-
    1.1. Requirements Notation
    
-
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-document are to be interpreted as described in [RFC2119].
    
-
    The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus
-on deployment practices intended to foster both interoperability and
-guarantees of security and confidentiality needed to satisfy the
-requirements of many organizations that engage in the use of federated
-identity. Deviating may limit a deployment's ability to technically
-interoperate without additional negotiation, and should be undertaken
-with caution.
    
-
    
-
    1.2. References to SAML 2.0 Standards and Profiles
    
-
    When referring to elements from the SAML 2.0 core specification
-[SAML2Core], the following syntax is used:
    
-
      
-
    • <saml2p:Element> – for elements from the SAML 2.0 Protocol
-  namespace.
      
-
      • 
-
    • <saml2:Element> – for elements from the SAML 2.0 Assertion
-  namespace.
      
-
      • 
-
    
-
    When referring to elements from the SAML 2.0 metadata specifications,
-the following syntax is used:
    
-
      
-
    •   <md:Element> – for elements defined in [SAML2Meta].
      
-
      • 
-
    •   <mdattr:Element> – for elements defined in [SAML2MetaAttr].
      
-
      • 
-
    
-
    
-
    1.3. Consuming and Providing Services
    
-
    Entity categories are mainly used for service matching. This allows
-matching of a consuming service with an appropriate providing service. A
-consuming service in this context is an assertion or attribute consuming
-service of a service provider (Service described through an
-<md:SPSSODescriptor> element in the federation metadata). A
-providing service in this context is a service, represented in the
-federation metadata, providing assertions to a service provider.
    
-
    The entity categories defined in this document have different meaning
-depending on whether they are declared by a consuming or a providing
-service. Further, different types of entity category identifiers defined
-in this document have different matching rules to determine whether
-particular providing service matches the requirements of a consuming
-service.
    
-
    These differences are outlined in the following table:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    EC typeConsuming serviceProviding serviceService matching rule
    Service Entity CategoryEach declared category represents a set of requirements for the service.Represents the ability to deliver assertions in accordance with each declared category.At least one of the service entity categories declared by the consuming service MUST be declared by the providing service.
    Service PropertyRepresents a property of this service.Represents the ability to deliver assertions to a consuming service that has the declared property.All properties declared by the consuming service MUST be declared by the providing service.
    Service TypeDeclares the type of service provided by this consuming service.Not applicable.No matching rule.
    Service ContractEach declared category represents a contract, or business agreement, that the service is affiliated to.Represents the contracts, or business agreements, under which the providing service may deliver services.At least one of the service contract identifiers declared by a providing service must be declared by the consuming service. A providing service that does not declare any service contract identifiers match all consuming services regarding service contract matching.
    GeneralAn entity category type for miscellaneous purposes.An entity category type for miscellaneous purposes.No general matching rule.
    However, the meaning of a general entity category may be such that it affects matching.
    
-
    
-
    1.4. Use in Discovery
    
-
    Entity Categories in metadata are declarations of requirements and
-capabilities of Service Providers and Identity Providers. A discovery
-process may make use of these declared Entity Categories when performing
-filtering, i.e., when deciding which Identity Providers to present for
-the end-user. The filtering algorithm is very simple:
    
-
    For a Service Provider requesting discovery its metadata entry is
-scanned for Entity Category identifiers of the type Service Entity
-Category, Service Contract and Service Property. The algorithm then iterates over all
-Identity Providers found in the metadata repository for the
-federation. The discovery process SHOULD display Identity Providers as
-a plausible choice, if and only if, the following conditions apply;
    
-
      
-
    • the Identity Provider declares at least of the Service Entity Category 
-  identifiers declared by the Service Provider,
      
-
      • 
-
    • if the Identity Provider declares at least one Service Contract identifier,
-  the Service Provider must declare at least one of declared identifiers, and,
      
-
      • 
-
    • all of the Service Property identifiers declared by the Service
-  Provider must be declared by the Identity Provider.
      
-
      • 
-
    
-
    
-
    1.5. Representation of Entity Categories in Metadata
    
-
    Entity categories defined in this document are placed in an entity’s
-metadata record as an attribute value within an entity category
-attribute (SAML attribute with name http://macedir.org/entity-category).
-If more than one entity category identifier is included in the metadata
-of a service, it MUST be placed as multiple attribute values within a
-single entity category attribute.
    
-
    <md:EntityDescriptor entityID="https://eid2.example.com/entityid">    
-  <md:Extensions>    
-    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">    
-    ...    
-      <saml:Attribute Name="http://macedir.org/entity-category"
-                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">    
-        <saml:AttributeValue xsi:type="xs:string">
-          http://id.elegnamnden.se/ec/1.0/loa3-pnr
-        </saml:AttributeValue>
-        <saml:AttributeValue xsi:type="xs:string">
-          http://id.swedenconnect.se/contract/sc/1.0/eidas
-        </saml:AttributeValue>    
-        <saml:AttributeValue xsi:type="xs:string">
-          http://id.elegnamnden.se/sprop/1.0/mobile-auth
-        </saml:AttributeValue>    
-      </saml:Attribute>    
-    </mdattr:EntityAttributes>    
-  </md:Extensions>    
-  ...
    Example of how entity categories are represented in metadata.
    
-
    
-
    2. Definitions for Service Entity Categories
    
-
    This section contains a listing of Service Entity Categories that are defined within 
-the Swedish eID Framework. This listing may not be complete, and the federation operator
-may define additional categories.
    
-
    All service entity category identifiers are prefixed with
-http://id.elegnamnden.se/ec or http://id.swedenconnect.se/ec (defined after Aug. 2018).
    
-
    A service entity category identifies an arbitrary set of requirements and conditions that is required by the consuming service and provided by the providing service. Each service entity category specifies its own set of requirements and conditions. Typically such requirements and conditions include requirements on level of assurance (LoA) and requirements on mandatory attributes. For contract- or business agreement requirements Service Contract Categories should be used.
    
-
    A providing service declaring a service entity category that consists of both a level of assurance requirement and an attribute set MUST guarantee that the release of the given attributes are consistent with the level of assurance requirement.
    
-
    This specification does not impose any other limitations on what requirements or conditions that can be identified by a service entity category and there are no defined technical mechanisms to ensure that any service correctly implement any of these requirements. The main purpose of the service entity category is service matching in accordance with section 1.3 and any requirements and conditions that serves this purpose are considered valid.
    
-
    Note: A providing service that does not comply with any of the defined service entity categories may define its own service entity category identifier in order to utilize the entity category matching rules. Any service entity category identifier defined outside of this specification should use the prefix http://id.swedenconnect.se/ec/<org>, where org is the defining organization's identifier.
    
-
    
-
    2.1. Natural Personal Identity with Civic Registration Number
    
-
    This section define Service Entity Categories that has attribute requirements 
-according to the "Natural Personal Identity with Civic Registration Number" 
-(http://id.elegnamnden.se/ap/1.0/pnr-01) attribute set as defined in section 2.3 
-of [EidAttributes].
    
-
    Note: The http://id.elegnamnden.se/ap/1.0/pnr-01 attribute set includes the personalIdentityNumber attribute. See section 6.2, "accepts-coordination-number", for specific requirements concerning delivering a coordination number in this attribute. 
    
-
    
-
    2.1.1. loa2-pnr
    
-
    URL: http://id.elegnamnden.se/ec/1.0/loa2-pnr
    
-
    Description: User authentication according to assurance level 2 [EidTillit] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa2
    
-
    
-
    Or a corresponding LoA 2 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01
    
-
    
-
    2.1.2. loa3-pnr
    
-
    URL: http://id.elegnamnden.se/ec/1.0/loa3-pnr
    
-
    Description: User authentication according to assurance level 3 [EidTillit] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa3
    
-
    
-
    Or a corresponding LoA 3 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01
    
-
    
-
    2.1.3. loa4-pnr
    
-
    URL: http://id.elegnamnden.se/ec/1.0/loa4-pnr
    
-
    Description: User authentication according to assurance level 4 [EidTillit] and attribute release according to the attribute set “Natural Personal Identity with Civic Registration Number”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa4
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01
    
-
    
-
    2.1.4. eidas-pnr-delivery
    
-
    URL: http://id.elegnamnden.se/ec/1.0/eidas-pnr-delivery
    
-
    Description: For asserting a Swedish identity to a foreign service provider via the Swedish eIDAS Proxy Service. This entity category MUST NOT be set by any entities other than Identity Providers providing identity assertions to the Swedish eIDAS Proxy Service and by the Swedish eIDAS Proxy Service itself.
    
-
    Attribute release is based on the "Natural Personal Identity with Civic Registration Number" attribute set with the addition of a mandatory dateOfBirth-attribute (urn:oid:1.3.6.1.5.5.7.9.1). The reason for the mandatory dateOfBirth-attribute is that this information is required by the eIDAS minimum dataset and therefore must be obtained by the receiving eIDAS Proxy Service. Date of birth can not always reliably be derived from the personalIdentityNumber attribute.
    
-
    It is the responsibility of the Swedish eIDAS Proxy Service to transform these attributes into eIDAS attributes.
    
-
    LoA-identifier: Not applicable
    
-
    
-
    An Identity Provider delivering assertions to the eIDAS framework is obliged to announce which levels that it supports by including the corresponding eIDAS authentication context URIs defined in section 3.1.1 of [EidRegistry] as assurance certification attributes in its metadata as described in section 2.1.3 of [EidDeploy].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/pnr-01 where the dateOfBirth attribute (urn:oid:1.3.6.1.5.5.7.9.1) is mandatory.
    
-
    
-
    2.2. eIDAS Natural Person Attribute Set
    
-
    
-
    2.2.1. eidas-naturalperson
    
-
    URL: http://id.elegnamnden.se/ec/1.0/eidas-naturalperson
    
-
    Description: User authentication according to any of the eIDAS assurance levels and attribute release according to “eIDAS Natural Person Attribute Set” (see section 2.5 of [EidAttributes]).
    
-
    LoA-identifier:   Not applicable
    
-
    
-
    It does not make sense to specify the level of assurance for a Service
-Entity Categories intended for eIDAS since this information is not known
-to the Swedish eIDAS-node.
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01
    
-
    Note: Attribute release according to the http://id.elegnamnden.se/ap/1.0/eidas-natural-person-01 attribute set may include the mappedPersonalIdentityNumber attribute. See section 6.2, "accepts-coordination-number", for specific requirements concerning delivering a coordination number in this attribute.
    
-
    
-
    2.3. Organizational Identity for Natural Persons
    
-
    This section define Service Entity Categories that has attribute requirements 
-according to the "Organizational Identity for Natural Persons" 
-(http://id.elegnamnden.se/ap/1.0/org-person-01) attribute set as defined in section 2.4 
-of [EidAttributes].
    
-
    
-
    2.3.1. loa2-orgid
    
-
    URL: http://id.swedenconnect.se/ec/1.0/loa2-orgid
    
-
    Description: User authentication according to assurance level 2 [EidTillit] and attribute release according to the attribute set “Organizational Identity for Natural Persons”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa2
    
-
    
-
    Or a corresponding LoA 2 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/org-person-01
    
-
    
-
    2.3.2. loa3-orgid
    
-
    URL: http://id.swedenconnect.se/ec/1.0/loa3-orgid
    
-
    Description: User authentication according to assurance level 3 [EidTillit] and attribute release according to the attribute set “Organizational Identity for Natural Persons”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa3
    
-
    
-
    Or a corresponding LoA 3 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/org-person-01
    
-
    
-
    2.3.3. loa4-orgid
    
-
    URL: http://id.swedenconnect.se/ec/1.0/loa4-orgid
    
-
    Description: User authentication according to assurance level 4 [EidTillit] and attribute release according to the attribute set “Organizational Identity for Natural Persons”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa4
    
-
    
-
    Or a corresponding LoA 4 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/org-person-01
    
-
    
-
    2.4. Natural Personal Identity without Civic Registration Number
    
-
    This section define Service Entity Categories that has attribute requirements 
-according to the "Natural Personal Identity without Civic Registration Number" 
-(http://id.elegnamnden.se/ap/1.0/natural-person-01) attribute set as defined in section 2.2 
-of [EidAttributes].
    
-
    
-
    2.4.1. loa2-name
    
-
    URL: http://id.swedenconnect.se/ec/1.0/loa2-name
    
-
    Description: User authentication according to assurance level 2 [EidTillit] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa2
    
-
    
-
    Or a corresponding LoA 2 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/natural-person-01
    
-
    
-
    2.4.2. loa3-name
    
-
    URL: http://id.swedenconnect.se/ec/1.0/loa3-name
    
-
    Description: User authentication according to assurance level 3 [EidTillit] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa3
    
-
    
-
    Or a corresponding LoA 3 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/natural-person-01
    
-
    
-
    2.4.3. loa4-name
    
-
    URL: http://id.swedenconnect.se/ec/1.0/loa4-name
    
-
    Description: User authentication according to assurance level 4 [EidTillit] and attribute release according to the attribute set “Natural Personal Identity without Civic Registration Number”.
    
-
    LoA-identifier: http://id.elegnamnden.se/loa/1.0/loa4
    
-
    
-
    Or a corresponding LoA 4 URI (see section 3.1.1 of [EidRegistry].
    
-
    
-
    Attribute requirements: http://id.elegnamnden.se/ap/1.0/natural-person-01
    
-
    
-
    3. Definitions for Service Property Categories
    
-
    A Service Property Entity Category identifier is specified as an
-attribute value in the entity category attribute in the federation
-metadata and has the purpose of representing a particular service
-property.
    
-
    All Service Type identifiers are prefixed with
-http://id.elegnamnden.se/sprop.
    
-
    
-
    3.1. mobile-auth
    
-
    URL: http://id.elegnamnden.se/sprop/1.0/mobile-auth
    
-
    Description: A service property declaring that the service is adapted to mobile clients and MUST allow users to authenticate using a mobile device that is used to access such service.
    
-
    For a providing service, i.e. an Identity Provider, inclusion of the
-mobile-auth category states that the Identity Provider supports
-authentication using mobile devices, and that the end-user interface
-of the Identity Provider is adapted for mobile clients.
    
-
    Note that an Identity Provider may of course support authentication for
-both desktop and mobile users. In these cases the service must be able
-to display end user interfaces for both types of clients.
    
-
    A discovery process will use this Service Property when performing
-filtering of possible Identity Providers, as described in 1.4, “Use in
-Discovery”. This means that a consuming service may include the
-mobile-auth category in its metadata in order to have the discovery
-process especially displaying Identity Providers that offer
-authentication using mobile devices.
    
-
    
-
    3.2. scal2
    
-
    URL: http://id.elegnamnden.se/sprop/1.0/scal2
    
-
    Description: A service property declaring that the service is adapted to support Sole Control Assurance Level 2 (SCAL2) in accordance with [SigSAP]. 
    
-
    For a providing service, i.e. an Identity Provider, inclusion of the
-scal2 service property states that the Identity Provider will return a "SAD" in response to a SADRequest in an authentication requests from a signing service.
    
-
    For consuming services, Signature Services MAY include this service property if all authentication requests from the 
-particular Signature Service include a SADRequest extension. A Service Provider that is not declared as a Signature Service MUST NOT include this service property in its metadata.
    
-
    
-
    4. Definitions for Service Type Entity Categories
    
-
    A Service Type Entity Category identifier is specified as an entity
-attribute in the federation metadata and has the purpose of representing
-a particular service type.
    
-
    All Service Type identifiers are prefixed with
-http://id.elegnamnden.se/st.
    
-
    
-
    4.1. sigservice
    
-
    URL: http://id.elegnamnden.se/st/1.0/sigservice
    
-
    Description:  A service type for a Service Provider that provides electronic signature services within the Swedish eID framework.
    
-
    
-
    4.2. public-sector-sp
    
-
    URL: http://id.elegnamnden.se/st/1.0/public-sector-sp
    
-
    Description: A service type that indicates that a Service Provider is a "public sector" SP. This category MUST be used by public sector Service Providers wishing to use eIDAS authentication so that the Swedish eIDAS connector may include this information in the eIDAS authentication request. For other types of Service Providers its use is determined by the federation policy.
    
-
    
-
    4.3. private-sector-sp
    
-
    URL: http://id.elegnamnden.se/st/1.0/private-sector-sp
    
-
    Description: A service type that indicates that a Service Provider is a "private sector" SP. This category MUST be used by private sector Service Providers wishing to use eIDAS authentication so that the Swedish eIDAS connector may include this information in the eIDAS authentication request. For other types of Service Providers its use is determined by the federation policy.
    
-
    
-
    5. Service Contract Categories
    
-
    Service Contract Entity Category identifiers are indented for performing service matching based on contracts, or business agreements, between providing and consuming services.
    
-
    All Service Contract identifiers are prefixed with http://id.swedenconnect.se/contract/<org>, where org is identifier for the defining organization.
    
-
    The meaning of different contracts and business agreements are out of scope for this specification. Instead the federation operator, or other parties, may define identifiers suitable for representing how consuming and providing services should be matched based on their respective agreements.
    
-
    
-
    6. General Entity Categories
    
-
    An entity category of the General Entity Category type is a category that does not fit into any of the other category types regarding definitions and matching rules.
    
-
    General category identifiers are prefixed with http://id.swedenconnect.se/general-ec.
    
-
    
-
    6.1. secure-authenticator-binding
    
-
    URL: http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding
    
-
    Description: Some authentication schemes use an authentication device (authenticator) that 
-is external, i.e., not bound to the user agent. These types of authentication schemes may be
-vulnerable to certain types of phishing attacks where a fraudster who controls the user agent can
-trick, or persuade, the user to initiate an operation on the authentication device. 
    
-
    A typical example of the threat described above is where an Identity Provider implements an
-authentication scheme that uses a mobile app as the authenticator. In those cases the user
-normally enters some input (often the user identity) in the web browser (user agent) that is
-then used by the Identity Provider to initiate an authentication session against the app running
-on the user's mobile device. The problem here is that there is no way we can now that the
-person initiating the operation in the web browser by entering a user identity is the same 
-person who opens, and performs the authentication in the app. 
    
-
    In order to prevent attacks of this type many authentication schemes offer alternative ways
-of initiating authentication (or signature) sessions, where some sort of binding between the
-user agent and the authentication device is performed. An good example of this is when 
-Identity Providers prompt the user to scan a QR-code displayed in the web browser using the 
-authentication app instead of prompting for the user identity. This effectively binds the
-user agent to the same physical location as the authentication device, and in practice
-makes the attacks described above impossible.
    
-
    This profile defines the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding 
-entity category to be declared by Service Providers that require that a secure authenticator
-binding is performed by the Identity Providers supporting this.
    
-
    An Identity Provider that supports different methods of initiating authentication, or signature,
-operations, and where at least one of these methods is a "secure authenticator binding" SHOULD
-declare the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity
-category in its metadata.
    
-
    An Identity Provider that has declared the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding category in its metadata MUST perform a secure authenticator binding for requests sent
-from Service Providers that have declared this entity category in their metadata entries.
    
-
    
-
    6.2. accepts-coordination-number
    
-
    URL: http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number
    
-
    Description: A special purpose entity category that is declared by Service Providers
-to announce that they accept a Swedish coordination number (samordningsnummer), [SKV707], being delivered in the personalIdentityNumber (urn:oid:1.2.752.29.4.13) attribute.
    
-
    The personalIdentityNumber is defined in section 3.1 of [EidAttributes] to contain either a Swedish personal identity number, [SKV704], or a Swedish coordination number, [SKV707]. However, how to utilize coordination numbers in
-electronic services is, or has been, unclear. Not all Service Providers want, or are able to, use these types of identifiers. Therefore, this specification defines the "accepts coordination
-number" category as an opt-in feature for those Service Providers that can accept a personalIdentityNumber attribute to contain a coordination number as well as a personal identity number.
    
-
    An Identity Provider conformant with this specification MUST NOT deliver a coordination number
-in the personalIdentityNumber attribute unless the receiving Service Provider has declared 
-the http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number entity category
-in its metadata.
    
-
    Note: This entity category does not apply to the eIDAS specific attribute
-mappedPersonalIdentityNumber, see section 3.3.2 of [EidAttributes].
-Thus, a coordination number may be included in this attribute even if the Service Provider
-has not declared the entity category. 
    
-
    
-
    6.3. supports-user-message
    
-
    URL: http://id.swedenconnect.se/general-ec/1.0/supports-user-message
    
-
    Description: Service Providers may include the <umsg:UserMessage> extension in authentication requests for the purpose of displaying a custom "user message" for the authentication users, see [UserMessageExt]. An Identity Provider announces support for this extension by declaring the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category.
    
-
    
-
    7. References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[SAML2Core]
    
-
    
-
    OASIS Standard, Assertions and Protocols for the OASIS Security
-Assertion Markup Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2Meta]
    
-
    
-
    OASIS Standard, Metadata for the OASIS Security Assertion Markup
-Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[SAML2MetaAttr]
    
-
    
-
    OASIS Committee Specification, SAML V2.0 Metadata Extension for
-Entity Attributes Version 1.0, August
-2009.
    
-
    
-
    
-[EntCat]
    
-
    
-
    RFC8409 - The Entity Category Security Assertion Markup Language (SAML) Attribute Types.
    
-
    
-
    
-[SKV704]
    
-
    
-
    Skatteverket, SKV 704 Utgåva 8,
-Personnummer.
    
-
    
-
    
-[SKV707]
    
-
    
-
    Skatteverket, SKV 707, Utgåva 2,
-Samordningsnummer.
    
-
    
-
    
-[EidTillit]
    
-
    
-
    Tillitsramverket för Svensk e-legitimation.
    
-
    
-
    
-[EidDeploy]
    
-
    
-
    Deployment Profile for the Swedish eID Framework.
    
-
    
-
    
-[EidRegistry]
    
-
    
-
    Swedish eID Framework - Registry for identifiers.
    
-
    
-
    
-[EidAttributes]
    
-
    
-
    Attribute Specification for the Swedish eID Framework.
    
-
    
-
    
-[SigSAP]
    
-
    
-
    Signature Activation Protocol for Federated Signing.
    
-
    
-
    
-[UserMessageExt]
    
-
    
-
    User Message Extension in SAML Authentication Requests.
    
-
    
-
    
-
    8. Changes between versions
    
-
    Changes between version 1.8 and version 1.9:
    
-
      
-
    • Fixed some broken links.
      
-
      • 
-
    • Section 6.2, "accepts-coordination-number", was updated with changed logic for
-the mappedPersonalIdentityNumber attribute.
      
-
      • 
-
    • Added section 6.3, "supports-user-message", with a definition for the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category.
      
-
      • 
-
    
-
    Changes between version 1.7 and version 1.8:
    
-
      
-
    • Section 2 was re-structured where new entity categories for loaX-orgid and loaX-name.
      
-
      • 
-
    • The Service Entity Category loa3-hsaid was removed. Its use is out of scope for 
-the Swedish eID Framework. However, it may be defined by the federation operator.
      
-
      • 
-
    • Section 6.2, accepts-coordination-number, defining the general entity category 
-http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number was added.
-This category introduces an opt-in feature for accepting Swedish coordination numbers
-delivered in the personalIdentityNumber attribute.
      
-
      • 
-
    • For many services entity categories we have added the following text under the "LoA-identifier" requirement: "Or a corresponding LoA X URI". This means that the service entity category
-also applies to variants to the official LoA URI (defined in [EidRegistry]).
      
-
      • 
-
    
-
    Changes between version 1.6 and version 1.7:
    
-
      
-
    • A new entity category type, Service Contract, was added to section 5.
      
-
      • 
-
    • The reference [EntCat] now refers to RFC-8409 instead of 
-https://tools.ietf.org/html/draft-young-entity-category.
      
-
      • 
-
    • Chapter 6, "General Entity Categories", introduced a general entity category type for miscellaneous purposes.
      
-
      • 
-
    • Section 6.1, "secure-authenticator-binding", was added defining the http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding entity category.
      
-
      • 
-
    • Section 2.6, "loa3-hsaid", was added. This section defines a service entity category for LoA3 where HSA-ID is the primary identity attribute.
      
-
      • 
-
    
-
    Changes between version 1.5 and version 1.6:
    
-
      
-
    • The Service Property Category "scal2" was added to section 3.2.
      
-
      • 
-
    • Section 2.5, "eidas-pnr-delivery", was updated to also require attribute release of the dateOfBirth-attribute.
      
-
      • 
-
    • Section 2.1, "loa3-pnr", was updated with a restriction stating that the personalIdentityNumber only may contain a Swedish personal identity number ("personnummer") and not a coordination number ("samordningsnummer"), if attribute release is made in loa3-pnr scope.
      
-
      • 
-
    • The loa3-hsaid Service Entity Category was defined in section 2.6.
      
-
      • 
-
    
-
    Changes between version 1.4 and version 1.5:
    
-
      
-
    • Introduced the Service Entity Category “eidas-naturalperson”
-  (section 2.4) for support of authentication against the eIDAS
-  Framework.
      
-
      • 
-
    • Introduced the Service Entity Category "eidas-pnr-delivery" (section 2.5) for use by Swedish Identity Providers delivering assertions to Service Providers within the eIDAS federation.
      
-
      • 
-
    •   Added the Service Type Entity Categories "public-sector-sp" and "private-sector-sp" to section 4.
      
-
      • 
-
    •   Minor changes regarding discovery.
      
-
      • 
-
    •   Updates to explanatory text in chapter 2 about usage of service entity categories.
      
-
      • 
-
    
-
    Changes between version 1.3 and version 1.4:
    
-
      
-
    • Version 1.3 of [Eid2Attributes] changed the terms “attribute
-  profiles” to “attribute sets”. This specification has therefore been
-  updated to reflect these changes.
      
-
      • 
-
    • Chapter 1.5, “Representation of Entity Categories in Metadata”, was
-  added to illustrate how entity categories are represented in
-  metadata.
      
-
      • 
-
    • Clarifications regarding the definition of Service Entity Categories
-  were made to chapter 2.
      
-
      • 
-
    
-
    Changes between version 1.2 and version 1.3:
    
-
      
-
    • In chapter 1.4, “Use in Discovery Services”, the text that referred
-  to the Discovery Service usage of Service Property Entity Categories
-  when rendering user interfaces was removed.
      
-
      • 
-
    • In chapter 3.1, “mobile-auth”, changes were made to reflect that the
-  use of mobile-auth no longer governs which type of end user
-  interface the Discovery Service should render.
      
-
      • 
-
    • In chapter 2, “Definitions for Service Entity Categories”, URIs for
-  attribute profiles were added in definitions of the service entity
-  categories.
      
-
      • 
-
    
-
    Changes between version 1.1 and version 1.2:
    
-
      
-
    • In chapter 2, “Definitions for Service Entity Categories”, two new
-  service entity categories have been defined, loa2-pnr and loa4-pnr.
      • 
-
    
-
    Changes between version 1.0 and version 1.1:
    
-
      
-
    •   The service property category mobile-auth was added.
      
-
      • 
-
    • Changes was made to chapter 1.4, “Use in Discovery Services”, where
-  mobile-auth was referred.
      
-
      • 
-
    
-    
    
-  
-
diff --git a/docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html b/docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html
new file mode 120000
index 0000000..4cd40cf
--- /dev/null
+++ b/docs/updates/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html
@@ -0,0 +1 @@
+../december-2024/06_-_Entity_Categories_for_the_Swedish_eID_Framework.html
\ No newline at end of file
diff --git a/docs/updates/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html b/docs/updates/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html
index f88a8a9..9dca9cc 120000
--- a/docs/updates/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html
+++ b/docs/updates/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html
@@ -1 +1 @@
-../november-2021/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html
\ No newline at end of file
+../december-2024/07_-_Implementation_Profile_for_using_DSS_in_Central_Signing_Services.html
\ No newline at end of file
diff --git a/docs/updates/08_-_Certificate_Profile_for_Central_Signing_Services.html b/docs/updates/08_-_Certificate_Profile_for_Central_Signing_Services.html
index cf8774d..d4381da 120000
--- a/docs/updates/08_-_Certificate_Profile_for_Central_Signing_Services.html
+++ b/docs/updates/08_-_Certificate_Profile_for_Central_Signing_Services.html
@@ -1 +1 @@
-../november-2021/08_-_Certificate_Profile_for_Central_Signing_Services.html
\ No newline at end of file
+../december-2024/08_-_Certificate_Profile_for_Central_Signing_Services.html
\ No newline at end of file
diff --git a/docs/updates/09_-_DSS_Extension_for_Federated_Signing_Services.html b/docs/updates/09_-_DSS_Extension_for_Federated_Signing_Services.html
index 8682a61..86f50f6 120000
--- a/docs/updates/09_-_DSS_Extension_for_Federated_Signing_Services.html
+++ b/docs/updates/09_-_DSS_Extension_for_Federated_Signing_Services.html
@@ -1 +1 @@
-../november-2021/09_-_DSS_Extension_for_Federated_Signing_Services.html
\ No newline at end of file
+../december-2024/09_-_DSS_Extension_for_Federated_Signing_Services.html
\ No newline at end of file
diff --git a/docs/updates/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html b/docs/updates/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html
index d10a54f..8ef2f45 120000
--- a/docs/updates/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html
+++ b/docs/updates/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html
@@ -1 +1 @@
-../november-2021/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html
\ No newline at end of file
+../december-2024/11_-_eIDAS_Constructed_Attributes_Specification_for_the_Swedish_eID_Framework.html
\ No newline at end of file
diff --git a/docs/updates/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html b/docs/updates/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
index 79304ff..a02897a 120000
--- a/docs/updates/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
+++ b/docs/updates/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
@@ -1 +1 @@
-../november-2021/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
\ No newline at end of file
+../december-2024/12_-_BankID_Profile_for_the_Swedish_eID_Framework.html
\ No newline at end of file
diff --git a/docs/updates/13_-_Signature_Activation_Protocol.html b/docs/updates/13_-_Signature_Activation_Protocol.html
deleted file mode 100644
index 17fd02f..0000000
--- a/docs/updates/13_-_Signature_Activation_Protocol.html
+++ /dev/null
@@ -1,496 +0,0 @@
-
-
-  
-    
-    
-    Signature Activation Protocol for Federated Signing
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Signature Activation Protocol for Federated Signing
    
-
    Version 1.2 - 2022-12-20 - Draft version
    
-
    Registration number: 2019-317
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2022. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirement key words
      
-
       1.2. XML namespace references
      
-
       1.3. Structure
      
-
      2. 
-
    2. Signature Activation Protocol
      
-
       2.1. Scope
      
-
       2.2. Data Exchange
      
-
      3. 
-
    3. Data elements
      
-
       3.1. SADRequest
      
-
       3.1.1. Syntax
      
-
       3.1.2. Example
      
-
       3.2. Signature Activation Data
      
-
       3.2.1. SAD JSON Web Token
      
-
       3.2.1.1. Registered JWT Claims
      
-
       3.2.1.2. SAD Extension Claim
      
-
       3.2.2. Example
      
-
       3.2.3 Verification of a SAD
      
-
      4. 
-
    4. Schemas
      
-
      5. 
-
    5. Normative References
      
-
      6. 
-
    6. Changes between versions
      
-
      7. 
-
    
-
    
-
    1. Introduction
    
-
    This document specifies a Signature Activation Protocol (SAP) and its data elements for implementation of Sole Control Assurance Level 2 (SCAL2) according the European standards prEN 419241 - Trustworthy Systems Supporting Server Signing - Part 1 and 2 (prEN 419 241-1 [RSIG-PP-1] and prEN 419 241-2 [RSIG-PP-2]).
    
-
    The Signature Activation Protocol (SAP) defined in this document is used to exchange data between a signature service and a delegated authenticating authority such as a SAML Identity Provider. The function of the SAP is to authenticate the intent of a signer to sign a particular document, or collection of documents, through exchange of the following data elements.
    
-
      
-
    • Signature Activation Data (SAD) - Signed data, asserting the signer's agreement to sign specific data.
      • 
-
    • SADRequest - Request for a SAD.
      • 
-
    
-
    The SAP specified in this document is specifically designed to be used with a signing service operating in accordance with the federated signing specification [DSS-Ext].
    
-
    
-
    1.1. Requirement key words
    
-
    The key words MUST, MUST NOT, REQUIRED, SHALL,
-SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED,
-MAY, and OPTIONAL are to be interpreted as described in
-[RFC2119].
    
-
    These keywords are capitalized when used to unambiguously specify
-requirements over protocol features and behavior that affect the
-interoperability and security of implementations. When these words are
-not capitalized, they are meant in their natural-language sense.
    
-
    
-
    1.2. XML namespace references
    
-
    The prefix sap: stands for the Signature Activation Protocol XML Schema namespace http://id.elegnamnden.se/csig/1.1/sap/ns (https://docs.swedenconnect.se/schemas/csig/1.1/EidCsigSAP-1.1.xsd).
    
-
    The prefix saml2: stands for the OASIS SAML 2 Assertion Schema namespace urn:oasis:names:tc:SAML:2.0:assertion.
    
-
    The prefix saml2p: stands for the OASIS SAML 2 Protocol Schema namespace urn:oasis:names:tc:SAML:2.0:protocol.
    
-
    
-
    1.3. Structure
    
-
    This specification uses the following typographical conventions in text:
-<Eid2Element>, <ns:ForeignElement>, Attribute, Datatype,
-OtherCode.
    
-
    
-
    2. Signature Activation Protocol
    
-
    
-
    2.1. Scope
    
-
    The scope of the Signature Activation Protocol (SAP) is to support request for and delivery of the Signature Activation Data (SAD) to the Signature Activation Module (SAM). The SAM is a tamper resistant module inside the Remote Signing Service which validates the SAD in order to ensure that:
    
-
      
-
    • the signer is properly authenticated,
      • 
-
    • the signer agrees to sign the data to be signed, and,
      • 
-
    • the correct signing key for this signer and this instance of signing is properly identified.
      • 
-
    
-
    The federated signing model does not use pre-assigned signing keys. Instead, a new signing key is generated for each sign request and then permanently deleted. This particular use-case is recognised by prEN 419 241-1 [RSIG-PP-1] and prEN 419 241-2 [RSIG-PP-2], which under these conditions allows the signature key reference to be implicit and derived from the signer's identity. For the present implementation of the SAP the following data is included in the SAD:
    
-
      
-
    • the signer's identity,
      • 
-
    • information about how the signer was authenticated and by whom, and,
      • 
-
    • reference to the signature request, binding this instance of authentication to the specific instance of signing, the data being signed and the agreement to sign.
      • 
-
    
-
    This implements the scenario where the Identity Provider is the sole entity which can verify the signer's private credentials via the SIC (Signer’s Interaction Component). This instance of authentication is used by the Identity Provider to generate the SAD in accordance with section 5.10 of [RSIG-PP-1].
    
-
    
-
    2.2. Data exchange
    
-
    This document specifies exchange of two data elements:
    
-
      
-
    • SADRequest
      • 
-
    • SAD
      • 
-
    
-
    The SADRequest SHALL have the format defined in section 3.1. When a Remote Signing Service request a SAD from the Identity Provider, it MUST include the SADRequest element as an request extension by including it as a child element to a <saml2p:Extensions> element in the <saml2p:AuthnRequest>.
    
-
    When an Identity Provider returns a SAD, as defined in section 3.2, in a SAML Assertion, it MUST be included as a single string value of a sad attribute identified by the attribute name urn:oid:1.2.752.201.3.12 as defined in the attribute specification [EidAttributes].
    
-
    
-
    3. Data elements
    
-
    The SAD requested in the SAP binds the documents to be signed to the intent by the signer to sign. This is accomplished by the interaction of a number of independent information attributes and elements as follows:
    
-
      
-
    • Sign request ID. Identifies the sign request for signing specific documents. This sign request is sent to the signing service from the service provider requesting the signature. The sign request bound by this identifier contains all detailed data about what is being signed.
      • 
-
    • LoA. The level of assurance declaration asserting the level of security used to authenticate the user.
      • 
-
    • Number of documents to sign. Ensures that the user is aware whether more than one document is being signed. This allows adaptations of the signing UI displayed by the Identity Provider.
      • 
-
    • Identity of the signer. Allows verification that the signature is bound to the appropriate signer.
      • 
-
    • SAD Request ID. Unique identifier for the SADRequest element. This identifier is later included in the SAD in order to accomplish a binding between the request and the issued SAD.
      • 
-
    
-
    The SAD request and the SAD specified in this section specifies the data that needs to be exchanged in addition to other protocol elements specified by SAML as well as the federated signing specification [DSS-Ext].
    
-
    
-
    3.1. SADRequest
    
-
    
-
    3.1.1. Syntax
    
-
    The SAD Request is provided in a <sap:SADRequest> element. The element has the following elements and attributes:
    
-
    <RequesterID> [Required]
    
-
    
-
    Specifies the SAML entityID of the requesting entity. The value for this element should be the same identifier as given in the <saml2:Issuer> element of the <saml2p:AuthnRequest> that encapsulates the <sap:SADRequest> extension.
    
-
    
-
    <SignRequestID> [Required]
    
-
    
-
    Specifies the value of the RequestID attribute of the associated SignRequest.
    
-
    
-
    <DocCount> [Required]
    
-
    
-
    The number of requested signatures in the associated sign request.
    
-
    
-
    <RequestedVersion> [Optional Default="1.0"]
    
-
    
-
    The requested version of the SAD.
    
-
    
-
    <RequestParams> [Optional]
    
-
    
-
    Optional parameters provided as name-value pairs. This specification does not define any parameters. The use of parameters may be defined in profiles of this specification or may be negotiated by other means between a remote signing service and an Identity Provider.
    
-
    
-
    ID [Required]
    
-
    
-
    Attribute holding an unique identifier for the SADRequest.
    
-
    
-
    The following schema fragment defines the <sap:SADRequest> element:
    
-
    <xs:element name="SADRequest" type="sap:SADRequestType" />
-
-<xs:complexType name="SADRequestType">
-  <xs:sequence>
-    <xs:element name="RequesterID" type="xs:string" />
-    <xs:element name="SignRequestID" type="xs:string" />
-    <xs:element name="DocCount" type="xs:int" />
-    <xs:element name="RequestedVersion" type="xs:string" minOccurs="0" default="1.0" />
-    <xs:element name="RequestParams" minOccurs="0">
-      <xs:complexType>
-        <xs:sequence>
-          <xs:element name="Parameter" type="sap:ParameterType" minOccurs="0" maxOccurs="unbounded" />
-        </xs:sequence>
-      </xs:complexType>
-    </xs:element>
-  </xs:sequence>
-  <xs:attribute name="ID" type="xs:ID" use="required" />
-</xs:complexType>
-
-<xs:complexType name="ParameterType">
-  <xs:simpleContent>
-    <xs:extension base="xs:string">
-      <xs:attribute name="name" type="xs:string" use="required" />
-    </xs:extension>
-  </xs:simpleContent>
-</xs:complexType>
    
-
    3.1.2. Example
    
-
    <sap:SADRequest ID="_a74a068d0548a919e503e5f9ef901851" xmlns:sap="http://id.elegnamnden.se/csig/1.1/sap/ns">
-  <sap:RequesterID>http://www.example.com/sigservice</sap:RequesterID>
-  <sap:SignRequestID>f6e7d061a23293b0053dc7b038a04dad</sap:SignRequestID>
-  <sap:DocCount>1</sap:DocCount>
-  <sap:RequestedVersion>1.0</sap:RequestedVersion>
-  <sap:RequestParams>
-    <sap:Parameter name="ParamName">paramValue</sap:Parameter>
-  </sap:RequestParams>
-</sap:SADRequest>
    Example of a SADRequest.
    
-
    
-
    3.2. Signature Activation Data
    
-
    
-
    3.2.1. SAD JSON Web Token
    
-
    This section specifies a JSON Web Token (JWT) in accordance with [RFC7519] as the SAD container, binding the data as defined in section 2.1.
    
-
    The SAD JWT MUST have the form of a signed JWS (JSON Web Signature).
    
-
    
-
    3.2.1.1. Registered JWT Claims
    
-
    The data signed by the SAD JWT is carried in the JWS payload in the form of JWT claims using registered claim names (as specified in [RFC7519]) in addition to one private claim name (seElnSadext) specified in section 3.2.1.2. The following table defines the use of registered claims.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    nameContent
    subSubject - holds the attribute value of the signer's unique identifier.
    audAudience - holds the entityID of the Signature Service which is the legitimate recipient of this SAD. This value corresponds to the <sap:RequesterID> element of the SAD request.
    issIssuer - holds the entityID of the IdP that generated this SAD.
    expExpiry - specifies the time when this SAD is no longer valid (epoch time/seconds since 1970-01-01).
    iatIssued At - specifies the time when this SAD was issued (epoch time/seconds since 1970-01-01).
    jtiUnique identifier of this SAD.
    
-
    
-
    3.2.1.2. SAD Extension Claim
    
-
    A private claim name is defined in this specification which extends the registered claims with additional SAD data:
    
-
    
-
    seElnSadext
    
-
    
-
    The claim identified by this name has the value of a JSON object holding name-value pairs in accordance with the following table:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameTypeContent
    verStringThe version of this claim, default 1.0 (Optional).
    irtStringIn Response To - holds the identifier of the SAD request (ID attribute) that was used to request this SAD.
    attrStringAttribute - holds the URI identifier of the attribute specifying the users unique identifier value.
    loaStringLevelOfAssurance - holds the URI identifier of the level of assurance (LoA) used to authenticate the signer.
    reqidStringRequestID - holds the ID of the sign request associated with this SAD. Inclusion of this ID assert that the authenticated subject agrees to sign the docuements identified by this sign reqeust.
    docsIntegerSpecifies the number of documents to be signed in the associated sign request.
    
-
    
-
    3.2.2. Example
    
-
    The following example illustrates a claim binding the following claim values:
    
-
    Registered Claims
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameValue
    sub197802031877
    audhttps://sandbox.swedenconnect.se/eid2cssp
    isshttp://dev.test.swedenconnect.se/idp
    exp1666128029 (Oct 18, 2022, 23:20:29 CET)
    iat1666127729 (Oct 18, 2022, 23:15:29 CET)
    jtiNbnmpGA1gwtL3AgtKPfe77Ia
    
-
    seElnSadext Claim
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameValue
    ver1.0
    irt752c30b3-30c1-49f0-ab04-a28909dc3b67
    attrurn:oid:1.2.752.29.4.13
    loahttp://id.elegnamnden.se/loa/1.0/loa3
    reqid70fabf30-d474-4d21-8463-2c6811005ce0
    docs4
    
-
    JWS Header
    
-
    The Header of the JWS specifies that it is a JWT by the "typ" parameter and the signature algoritm through the "alg" parameter. In this example the header is {"typ":"JWT","alg":"RS256"}. The Base64 URL-encoded header is:
    
-
    
-
    eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9
    
-
    
-
    JWS Payload
    
-
    The JWS payload holding the JWT claims is represented by the following JSON object:
    
-
    {
-    "sub": "197802031877",
-    "aud": "https://sandbox.swedenconnect.se/eid2cssp",
-    "iss": "http://dev.test.swedenconnect.se/idp",
-    "exp": 1666128029,
-    "iat": 1666127729,
-    "jti": "NbnmpGA1gwtL3AgtKPfe77Ia",
-    "seElnSadext": {
-        "ver": "1.0",
-        "irt": "752c30b3-30c1-49f0-ab04-a28909dc3b67",
-        "attr": "urn:oid:1.2.752.29.4.13",
-        "loa": "http://id.elegnamnden.se/loa/1.0/loa3",
-        "reqid": "70fabf30-d474-4d21-8463-2c6811005ce0",
-        "docs": 4
-    }
-}
    This payload is represented by the following Base64 URL-encoded string:
    
-
    
-
    eyJzdWIiOiIxOTc4MDIwMzE4NzciLCJhdWQiOiJodHRwczovL3NhbmRib3guc3dlZGVuY29ubmVjdC5zZS9laWQyY3NzcCIsImlzcyI6Imh0dHA6Ly9kZXYudGVzdC5zd2VkZW5jb25uZWN0LnNlL2lkcCIsImV4cCI6MTY2NjEyODAyOSwiaWF0IjoxNjY2MTI3NzI5LCJqdGkiOiJOYm5tcEdBMWd3dEwzQWd0S1BmZTc3SWEiLCJzZUVsblNhZGV4dCI6eyJ2ZXIiOiIxLjAiLCJpcnQiOiI3NTJjMzBiMy0zMGMxLTQ5ZjAtYWIwNC1hMjg5MDlkYzNiNjciLCJhdHRyIjoidXJuOm9pZDoxLjIuNzUyLjI5LjQuMTMiLCJsb2EiOiJodHRwOi8vaWQuZWxlZ25hbW5kZW4uc2UvbG9hLzEuMC9sb2EzIiwicmVxaWQiOiI3MGZhYmYzMC1kNDc0LTRkMjEtODQ2My0yYzY4MTEwMDVjZTAiLCJkb2NzIjo0fX0
    
-
    
-
    JWT
    
-
    The complete SAD JWT including signature:
    
-
    
-
    eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxOTc4MDIwMzE4NzciLCJhdWQiOiJodHRwczovL3NhbmRib3guc3dlZGVuY29ubmVjdC5zZS9laWQyY3NzcCIsImlzcyI6Imh0dHA6Ly9kZXYudGVzdC5zd2VkZW5jb25uZWN0LnNlL2lkcCIsImV4cCI6MTY2NjEyODAyOSwiaWF0IjoxNjY2MTI3NzI5LCJqdGkiOiJOYm5tcEdBMWd3dEwzQWd0S1BmZTc3SWEiLCJzZUVsblNhZGV4dCI6eyJ2ZXIiOiIxLjAiLCJpcnQiOiI3NTJjMzBiMy0zMGMxLTQ5ZjAtYWIwNC1hMjg5MDlkYzNiNjciLCJhdHRyIjoidXJuOm9pZDoxLjIuNzUyLjI5LjQuMTMiLCJsb2EiOiJodHRwOi8vaWQuZWxlZ25hbW5kZW4uc2UvbG9hLzEuMC9sb2EzIiwicmVxaWQiOiI3MGZhYmYzMC1kNDc0LTRkMjEtODQ2My0yYzY4MTEwMDVjZTAiLCJkb2NzIjo0fX0.Qn-K-5V5-979GMITVSXgqWOrSVQfYFUMLv0P8PLUMSZzF6s6Zk05SOztH3XGN-4AjmjQeBHcqylpzoqG26eIXW7kuJZB9zodhAyTcvOogQj62XUFsoun5wfWpou8v8-Cpw1G4cwFZdMKt-oRbN43ViZ8u7EIZHBjzYMxfJNgMv2YGmzMQDPQLmtIW-f_O0nE_NPcFsaweYGJXcEWxi7fE3wzNnOR2rPBgQ3L0oehF2mP9dhenlptKrugH6Ru6eLZH66yFaAtR5RRA2m1wh2fXnwXJWO0-8jrvIZiZ9GLDt9W0r1Hs5Le--KPeuPcStli0nIi5YVLoAiGUaHc-Eb_DILwdqYpHS6mxJL3lb8j8u5JsIdEj9FEpqD8MlCbVM4HaWDL_wIiU16QVUOrxPUjoo3wyxLYhW6x3WnQ2an8fhIgahck7m9gS6_rVHKG1OAL_jn4h5jZzP-gX9yZeNcfTmhSiEdwrObydZ4dKx7JGEbmKn4EK1-8Pc65SOj9Zg5jTsRsl6uo9dMoJ-35Tb-x5IKsGs9Y1_94NCuqJH_a7HgC8nORfHBDOTPjzG008FLEFHSRmql6hYSYEd9F3kvR5816KixZpLT_BEED1m4RNdufa8nYEgEroi6X_AvmjpZKiwXCgnJyW6_80IIV89EMViiQ-BjTSSt8AK5KxxpTLkA
    
-
    
-
    
-
    3.2.3. Verification of a SAD
    
-
    The recipient of a requested SAD MUST verify it as part of the SAML response processing by asserting the following:
    
-
      
-
    • That the signature of the SAD JWT verifies correctly using the signature certificate of the issuing Identity Provider (found in the Identity Provider metadata).
      • 
-
    • That the version of the SAD (seElnSadext.ver) matches the <sap:RequestedVersion> element of the <sap:SADRequest>.
      • 
-
    • That the audience (aud) matches the entityID of the recipient, i.e., matches the <sap:RequesterID> element from the <sap:SADRequest>.
      • 
-
    • That the issuer (iss) value matches the issuer entityID of the assertion containing the SAD (*).
      • 
-
    • That the SAD is valid by checking the expiry (exp) and issued-at (iat) values (allowing for a reasonable clock skew).
      • 
-
    • That the in-response-to (seElnSadExt.irt) value matches that ID of the corresponding <sap:SADRequest>.
      • 
-
    • That the subject (sub) value is also represented in the SAML assertion as an attribute having the name given by the seElnSadExt.attr field.
      • 
-
    • That the level of assurance (seElnSadEx.loa) value matches the value given in the <saml2:AuthnContextClassRef> element of the assertion.
      • 
-
    • That the request ID (seElnSadEx.reqid) value matches the ID for the sign request (which is passed in the <sap:SignRequestID> element of the <sap:SADRequest>).
      • 
-
    • That the number of documents specified in the SAD (seElnSadEx.docs) matches the <sap:DocCount> element of the <sap:SADRequest>.
      • 
-
    
-
    If any of the above verification steps fail, the Signature Service MUST reject the assertion.
    
-
    
-
    [*]: In the case where a Signature Service communicates with a Proxy Identity Provider that forwards requests to an authenticating Identity Provider that issues a SAD, the iss-value of the SAD will differ from the issuer of the assertion that is received by the Signature Service. In these cases the Signature Service should compare the iss-value with the value found in the <saml2:AuthenticatingAuthority> element of the assertion, or with relevant local policy and out-of-band configuration data.
    
-
    
-
    
-
    4. Schemas
    
-
    The following XML schema defines the http://id.elegnamnden.se/csig/1.1/sap/ns name space:
    
-
    <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
-    targetNamespace="http://id.elegnamnden.se/csig/1.1/sap/ns"
-    xmlns:sap="http://id.elegnamnden.se/csig/1.1/sap/ns">
-
-  <xs:annotation>
-    <xs:documentation>
-      Schema location URL: https://docs.swedenconnect.se/schemas/csig/1.1/EidCsigSAP-1.1.xsd
-    </xs:documentation>
-  </xs:annotation>
-
-  <xs:element name="SADRequest" type="sap:SADRequestType" />
-
-  <xs:complexType name="SADRequestType">
-    <xs:sequence>
-      <xs:element name="RequesterID" type="xs:string" />
-      <xs:element name="SignRequestID" type="xs:string" />
-      <xs:element name="DocCount" type="xs:int" />
-      <xs:element name="RequestedVersion" type="xs:string" minOccurs="0" default="1.0" />
-      <xs:element minOccurs="0" name="RequestParams">
-        <xs:complexType>
-          <xs:sequence>
-            <xs:element name="Parameter" type="sap:ParameterType" minOccurs="0" maxOccurs="unbounded" />
-          </xs:sequence>
-        </xs:complexType>
-      </xs:element>
-    </xs:sequence>
-    <xs:attribute name="ID" type="xs:ID" use="required" />
-  </xs:complexType>
-
-  <xs:complexType name="ParameterType">
-    <xs:simpleContent>
-      <xs:extension base="xs:string">
-        <xs:attribute name="name" type="xs:string" use="required" />
-      </xs:extension>
-    </xs:simpleContent>
-  </xs:complexType>
-</xs:schema>
    
-
    5. Normative References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[RFC7519]
    
-
    
-
    Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.
    
-
    
-
    
-[EidAttributes]
    
-
    
-
    Attribute Specification for the Swedish eID Framework.
    
-
    
-
    
-[DSS-Ext]
    
-
    
-
    DSS Extension for Federated Central Signing Services.
    
-
    
-
    
-[RSIG-PP-1]
    
-
    
-
    European Standard prEN 419241-1 - Trustworthy Systems Supporting Server Signing - Part 1:
-General System Security Requirements
    
-
    
-
    
-*[RSIG-PP-2]s
    
-
    
-
    European Standard prEN 419241-2 - Trustworthy Systems Supporting Server Signing - Part 2:
-Protection profile for QSCD for Server Signing
    
-
    
-
    
-
    6. Changes between versions
    
-
    Changes between version 1.1 and 1.2:
    
-
      
-
    • The protocol logic was clarified by removing references to sign message (which was never present in the actual protocol) and replacing this with a clarification of the semantics of including the the Sign Request ID in SAD to assert the acceptance to sign the documents referenced in that Sign Request.
      
-
      • 
-
    • Updated examples where the use of "signmessage" LoA URI:s was removed.
      
-
      • 
-
    • Updated broken links.
      
-
      • 
-
    
-
    Changes between version 1.0 and 1.1:
    
-
      
-
    • The RequestedVersion element of the SADRequestType is now marked as optional in the schema definition.
      • 
-
    
-    
    
-  
-
diff --git a/docs/updates/13_-_Signature_Activation_Protocol.html b/docs/updates/13_-_Signature_Activation_Protocol.html
new file mode 120000
index 0000000..0f17b6d
--- /dev/null
+++ b/docs/updates/13_-_Signature_Activation_Protocol.html
@@ -0,0 +1 @@
+../december-2024/13_-_Signature_Activation_Protocol.html
\ No newline at end of file
diff --git a/docs/updates/14_-_Principal_Selection_in_SAML_Authentication_Requests.html b/docs/updates/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
index f80c2ae..c843de4 120000
--- a/docs/updates/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
+++ b/docs/updates/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
@@ -1 +1 @@
-../november-2021/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
\ No newline at end of file
+../december-2024/14_-_Principal_Selection_in_SAML_Authentication_Requests.html
\ No newline at end of file
diff --git a/docs/updates/15_-_Signature_Validation_Token.html b/docs/updates/15_-_Signature_Validation_Token.html
deleted file mode 100644
index be74dc9..0000000
--- a/docs/updates/15_-_Signature_Validation_Token.html
+++ /dev/null
@@ -1,726 +0,0 @@
-
-
-  
-    
-    
-    Signature Validation Token
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    Signature Validation Token
    
-
    Version 1.0 - 2020-12-16 - Draft version
    
-
    Registration number: 2020-60
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2020. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirements Notation
      
-
       1.2. Definitions
      
-
      2. 
-
    2. Signature validation token
      
-
       2.1. Function
      
-
       2.2. Signature Validation Token Syntax
      
-
       2.2.1. Data Types
      
-
       2.2.2. Signature Validation Token JWT Claims
      
-
       2.2.3. Claim Object Classes
      
-
       2.2.3.1. The SigValidation Object
      
-
       2.2.3.2. The Signature Claims Object
      
-
       2.2.3.3. The SigReference Claims Object
      
-
       2.2.3.4. The SignedData Claims Object
      
-
       2.2.3.5. The PolicyValidation Claims Object
      
-
       2.2.3.6. The TimeValidation Claims Object
      
-
       2.2.3.7. The CertReference Claims Object
      
-
       2.2.4. SVT JOSE Header
      
-
      3. 
-
    3. Profiles
      
-
      4. 
-
    4. Signature Validation with Signature Validation Token
      
-
      5. 
-
    5. Examples
      
-
      6. 
-
    6. Normative References
      
-
      7. 
-
    
-
    
-
    
-
    1. Introduction
    
-
    Electronic signatures have a limited lifespan regarding when they can be validated and determined to be authentic. Many factors make it more difficult to validate electronic signatures over time. For example:
    
-
      
-
    • Trusted information about the validity of the signing certificate is not available.
      • 
-
    • No proof of time when the signature was actually created is available.
      • 
-
    • Algorithms used to create the signature is no longer considered secure.
      • 
-
    • Services necessary to validate the signature are no longer available.
      • 
-
    • Inability to verify supporting evidence such as, CA certificates, OCSP responses, revocation lists or timestamps.
      • 
-
    
-
    The challenge to validate an electronic signature is increasing over time up until the point when it is simply impossible to verify the signature with a sufficient level of assurance.
    
-
    Current existing standards such as the ETSI AdES profiles for CMS, XML and PDF signatures can be used to prolong the lifetime of a signature by storing data that supports validation of the signature beyond the lifetime of the signing certificate. The problem with this approach is that the amount of information that must be stored along with the signature is constantly growing over time. The increasing amount of information and signed objects that must be validated in order to verify the original signature is growing in complexity to the point where it may become infeasible to validate the original signature.
    
-
    The Signature Validation Token (SVT) defined in this specification takes a fundamentally different approach to the problem by providing an evidence that asserts the validity of a signature. The SVT is issued by a trusted authority, and asserts that a particular signature was successfully validated according to defined procedures at a certain time. The basic idea and intent behind the SVT is that once the SVT is issued by a trusted authority, any future validation of that signature is satisfied by validating the SVT without any need to also validate the original signature.
    
-
    This approach drastically reduces the complexity of signature validation of older signatures for the simple reason that validating the SVT just requires validation of the signature over the SVT. The SVT can be signed with keys and algorithms that makes it valid for a considerable time in the future and it can be re-issued with fresh keys and signatures to extend the lifetime of the original signature validity, if necessary.
    
-
    
-
    1.1. Requirements Notation
    
-
    The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
    
-
    These keywords are capitalized when used to unambiguously specify requirements over protocol features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
    
-
    
-
    1.2. Definitions
    
-
    This document use the following defined terms:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    TermMeaning
    Signed DataThe data covered by a particular signature. This is typically equivalent to the signed document and represents the data that the signer intended to sign. In some cases, such as in some XML signatures, the signed data can be the collection of several data fragments each referenced by the signature. In the case of PDF, this is the data covered by the "ByteRange" parameter in the signature dictionary.
    Signed BytesThese are the actual bytes of data that was hashed and signed by the signature algorithm. In most cases this is not the actual Signed Data, but a collection of signature metadata that includes references (hash) of the Signed Data as well as information about algorithms and other data bound to a signature. In XML this is the canonicalized SignedInfo element and in CMS/PDF signatures this is the DER encoded SignedAttributes structure.
    
-
    When these terms are used in their defined meaning, they appear with a capitalized first letter as shown in the table.
    
-
    
-
    2. Signature Validation Token
    
-
    
-
    2.1. Function
    
-
    The function of the Signature Validation Token (SVT) is to capture evidence of signature validity at one instance of secure signature validation process and to use that evidence to eliminate the need to perform any repeated cryptographic validation of the original signature value, as well as reliance on any hash values bound to that signature. The SVT achieves this by binding the following information to a specific electronic signature:
    
-
      
-
    • A unique identification of the signature.
      • 
-
    • The data and metadata signed by the signature.
      • 
-
    • The signer's certificate that was validated as part of signature validation.
      • 
-
    • The certificate chain that was used to validate the signer's certificate.
      • 
-
    • An assertion providing evidence of that the signature was validated, when in time the validation was performed, which procedures that was used to validate the signature, and the outcome of the validation.
      • 
-
    • An assertion providing evidence of the point in time at which the signature is known to have existed, which procedures that was used to validate the time of existence and the outcome of the validation.
      • 
-
    
-
    Using an SVT is equivalent to validating a signed document in a system once and then using that document multiple times without revalidating the signature for each usage. Such procedures are common in systems where the document is residing in a safe and trusted environment where it is protected against modification. The SVT allows the time and environment where the document can be stored and used to expand beyond a locally controlled environment and a short instance of time.
    
-
    Using the SVT, the signed document can be validated once using a reliable trusted service and after that the SVT can be used to extend reliance of that secure validation process. The SVT is therefore not only a valuable tool to extend the lifetime of a signed document, but also useful since a single secure validation service can be deployed, instead of having to maintain close integrations between signature validations and document usage.
    
-
    
-
    2.2. Signature Validation Token Syntax
    
-
    The SVT is carried in a JSON Web Token (JWT) in accordance with [RFC7519].
    
-
    
-
    2.2.1. Data Types
    
-
    The contents of claims in an SVT are specified using the claims data types in the following table:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Claims Data TypeJSON Data TypeDescription
    StringstringAn arbitrary case sensitive string value.
    Base64BinarystringString representation of Base64 encoded byte array of binary data.
    StringOrURIstringAs defined in [RFC7519].
     A JSON string value, with the additional requirement that while arbitrary string values MAY be used, any value containing a ":" character MUST be a URI.
    URIstringA valid URI.
    IntegernumberA 32-bit signed integer value (from -231 to 231 - 1).
    LongnumberA 64-bit signed integer value (from -263 to 263 - 1).
    NumericDatenumberAs defined in [RFC7519].
    A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.
    BooleanbooleanThe explicit value true or false.
    Object<Class>objectA JSON object holding a claims object of a class defined in this specification (see section 2.2.2).
    Map<Type>objectA JSON object with name-value pairs where the value is an object of the specified Type in the notation.
    Example: Map<String> according to this notation is a JSON object with name value pairs where all values are of type String.
    ArrayarrayAn array of values of a specific data type as defined in this table. An array is expressed in this specification by square brackets. For example: [String] indicates an array of String values and [Object<DocHash>] indicates an array of DocHash objects.
    NullnullRepresenting an absent value. A claim with a null value is equivalent with an absent claim in this specification.
    
-
    
-
    2.2.2. Signature Validation Token JWT Claims
    
-
    The signature validation token JWT SHALL contain claims according to the following table.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    jtiStringA "JWT ID" registered claim according to [RFC7519]. It is RECOMMENDED that the identifier holds a hexadecimal string representation of a 128-bit unsigned integer.MANDATORY
    issStringOrURIAn "Issuer" registered claim according to [RFC7519]. An arbitrary unique identifier of the SVT issuer. This value SHOULD have the value of an URI identifier based on a domain owned by the issuer.MANDATORY
    iatNumericDateAn "Issued At" registered claim according to [RFC7519] expressing the time when this SVT was issued.MANDATORY
    aud[StringOrURI] or StringOrURIAn "Audience" registered claim according to [RFC7519]. The audience claim is an array of one or more identifiers, identifying intended recipients of the SVT. Each identifier MAY identify a single entity, a group of entities or a common policy adopted by a group of entities. If only one value is provided it MAY be provided as a single StringOrURI value instead of as an array of values.OPTIONAL
    expNumericDateAn "Expiration Time" registered claim according to [RFC7519] expressing the time when services and responsibilities related to this SVT is no longer provided by the SVT issuer. The precise meaning of the expiration time claim is defined by local policies. See implementation note below.OPTIONAL
    sig_val_claimsObject<SigValidation>Signature validation claims for this SVT extending the standard registered JTW claims above.MANDATORY
    
-
    
-
    Note: An SVT asserts that a certain validation process was undertaken at a certain instance of time. This fact never changes and never expires. However, some aspects of the SVT such as liability for false claims or service provision related to a specific SVT may expire after a certain period of time, such as a service where an old SVT can be upgraded to a new SVT signed with fresh keys and algorithms.
    
-
    
-
    
-
    2.2.3. Claim Object Classes
    
-
    
-
    2.2.3.1. The SigValidation Object
    
-
    The SigValidation claims object holds all custom claims of the SVT JWT and contains the following parameters:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    verStringVersion. This version is indicated by the value "1.0".MANDATORY
    profileStringOrURIName of a profile applied to this specification that defines conventions of content of specific claims and extension points.OPTIONAL
    hash_algoURIThe URI identifier of the hash algorithm used to provide hash values within the SVT. The URI identifier SHALL be one defined in [RFC6931] or in the IANA registry defined by this RFC.MANDATORY
    sig[Object<Signature>]Information about validated signatures as an array of Signature objects. If the SVT contains signature validation evidence for more than one signature, then each signature is represented by a separate Signature object. At least one Signature object MUST be present.MANDATORY
    extMap<String>Extension point for additional claims related to the SVT. Extension claims are added at the discretion of the SVT issuer but MUST follow any conventions defined in a profile of this specification (see section 3).OPTIONAL
    
-
    
-
    2.2.3.2. The Signature Claims Object
    
-
    The Signature object contains claims related to signature validation evidence for one signature and contains the following parameters:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    sig_refObject<SigReference>Reference information identifying the target signature.MANDATORY
    sig_data[Object<SignedData>]Array of references to Signed Data signed by the target signature.MANDATORY
    signer_cert_refObject<CertReference>Reference to signer certificate and optionally reference to a supporting certificate chain that was used to validate the target signature.MANDATORY
    sig_val[Object<PolicyValidation>]Array of results of signature validation according to defined validation procedures.MANDATORY
    time_val[Object<TimeValidation>]Array of results of time verification validating proof that the target signature has existed at specific instances of time in the past.OPTIONAL
    extMAP<String>Extension point for additional claims related to the target signature. Extension claims are added at the discretion of the SVT Issuer but MUST follow any conventions defined in a profile of this specification (see section 3).OPTIONAL
    
-
    
-
    2.2.3.3. The SigReference Claims Object
    
-
    The SigReference claims object provides information used to match the Signature claims object to a specific target signature and to verify the integrity of the target signature value and Signed Bytes.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    idStringOptional identifier assigned to the target signature.OPTIONAL
    sig_hashBase64BinaryHash value of the target signature value.MANDATORY
    sb_hashBase64BinaryHash value of the Signed Bytes of the target signature.MANDATORY
    
-
    
-
    2.2.3.4. The SignedData Claims Object
    
-
    The SignedData claims object provides information used to verify the target signature references to Signed Data as well as to verify the integrity of all data signed by the target signature.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    refStringReference identifier identifying the data or data fragment covered by the target signature.MANDATORY
    hashBase64BinaryHash of the data covered by the target signature.MANDATORY
    
-
    
-
    2.2.3.5. The PolicyValidation Claims Object
    
-
    The PolicyValidation claims object provide information about the result of a validation process according to a spefific policy.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    polStringOrURIIdentifier of the policy governing the validation process.MANDATORY
    resStringResult of the validation process. The value MUST be one of "PASSED", "FAILED" or "INDETERMINATE" as defined by [ETSI EN 319 102-1].MANDATORY
    msgStringAn optional message describing the result.OPTIONAL
    extMap<String>Extension for additional information about the validation result.OPTIONAL
    
-
    
-
    2.2.3.6. The TimeValidation Claims Object
    
-
    The TimeValidation claims object provide information about the result of validating time evidence asserting that the target signature existed at a particular time in the past.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    timeNumericDateThe verified time.MANDATORY
    typeStringOrURIIdentifier of the type of evidence of time.MANDATORY
    issStringOrURIIdentifier of the entity that issued the evidence of time.MANDATORY
    idStringUnique identifier assigned to the evidence of time.OPTIONAL
    val[Object<PolicyValidation>]Array of results of validation of the time evidence according to defined validation procedures.OPTIONAL
    extMap<String>Extension for additional information about the signature validation result.OPTIONAL
    
-
    
-
    2.2.3.7. The CertReference Claims Object
    
-
    The CertReference claims object allows reference to a single X.509 certificate or a chain of X.509 certificates, either by providing the actual certificate data or by providing a hash reference for certificates that can be located in the target signature.
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    NameData TypeValuePresence
    typeStringOrURIAn identifier of the type of reference provided in the ref claim. The type identifier MUST be either one of the identifiers defined below, an identifier specified by the selected profile, or a URI identifier.MANDATORY
    ref[String]An array of string parameters according to conventions defined by the type identifier.MANDATORY
    
-
    The following type identifiers are defined:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    IdentiferRef Data Content
    chainArray of Base64 encoded X.509 certificates [RFC5280]. The certificates MUST be stored in the order starting with the end entity certificate. Any following certificate must be able to validate the signature on the previous certificate in the array.
    chain_hashThe ref contains an array of one or more Base64 encoded hash values where each hash value is a hash over a X.509 certificate [RFC5280] used to validate the signature. The certificates MUST be provided in the order starting with the end entity certificate. Any following certificate must be able to validate the signature on the previous certificate in the array. This option MUST NOT be used unless all hashed certificates are present in the target electronic signature.
    
-
    
-
    Note: All certificates referenced using the identifiers above are X.509 certificates. Profiles of this specification MAY define alternative types of public key containers. It should be noted however that a major function of these referenced certificates is not just to reference the public key, but also to provide the identity of the signer. It is therefore important for the full function of an SVT that the referenced public key container also provides the means to identify of the signer.
    
-
    
-
    
-
    2.2.4. SVT JOSE Header
    
-
    The SVT JWT MUST contain the following JOSE header parameters in accordance with section 5 of [RFC7519].
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    JOSE HeaderValue
    typThis parameter MUST have the string value "JWT" (upper case).
    algSpecifying the algorithm used to sign the SVT JWT using a value specified in [RFC7518]. The specified signature hash algorithm MUST be identical to the hash algorithm specified in the SigValAssertion claims object hash_algo claim.
    
-
    The SVT header MUST contain a public key or a reference to a public key used to verify the signature on the SVT in accordance with [RFC7515]. Each profile (See section 3.) MUST define the requirements for how the key or key reference is included in the header.
    
-
    
-
    3. Profiles
    
-
    Each signed document and signature type will have to define the precise content and use of several claims in the SVT.
    
-
    Each profile MUST as a minimum define:
    
-
      
-
    • How to specify reference to Signed Data content of the signed document.
      • 
-
    • How to make reference to the target signature and the Signed Bytes of the signature.
      • 
-
    • How references should be made to certificates supporting each siganture.
      • 
-
    • How public keys or reference to public keys supporting validation of the signed SVT is included in the SVT.
      • 
-
    • Whether each signature is supported by it's own SVT, or whether one SVT may support multiple signatures of the same document.
      • 
-
    • Explicit information on how to perform signature validation based on an SVT, if applicable.
      • 
-
    • How to attach an SVT to a document signature or signed document, if applicable.
      • 
-
    
-
    
-
    4. Signature Validation with Signature Validation Token
    
-
    Signature validation based on an SVT SHALL follow the following basic steps:
    
-
      
-
    1. Locate all available tokens available for the signed document that is relevant for the target signature.
      
-
      2. 
-
    2. Select the most recent SVT that can be successfully validated and meets the requirement of the relying party.
      
-
      3. 
-
    3. Verify the integrity of the signature and the Signed Bytes of the target signature using the sig_ref claim.
      
-
      4. 
-
    4. Verify that the Signed Data reference in the original signature matches the reference values in the sig_data_ref claim.
      
-
      5. 
-
    5. Verify the integrity of referenced Signed Data using provided hash values in the sig_data_ref claim.
      
-
      6. 
-
    6. Obtain the verified certificates supporting the asserted signature validation through the signer_cert_ref claim.
      
-
      7. 
-
    7. Verify that signature validation policy results satisfy the requirements of the relying party.
      
-
      8. 
-
    8. Verify that verified time results satisfy the context within which the signed document is used.
      
-
      9. 
-
    
-
    After validating these steps, signature validity is established as well as the trusted signer certificate binding the identity of the signer to the signature.
    
-
    
-
    5. Examples
    
-
    The following example illustrates a basic SVT according to this specification issued for a signed PDF document.
    
-
    Signature validation token JWT:
    
-
    eyJraWQiOiJPZW5JKzQzNEpoYnZmRG50ZlZcLzhyT3hHN0ZrdnlqYUtWSmFWcUlGQlhvaFZoQWU1Zks4YW5vdjFTNjg4
-cjdLYmFsK2Z2cGFIMWo4aWJnNTJRQnkxUFE9PSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJhdWQiOiJodHRw
-OlwvXC9leGFtcGxlLmNvbVwvYXVkaWVuY2UxIiwiaXNzIjoiaHR0cHM6XC9cL3N3ZWRlbmNvbm5lY3Quc2VcL3ZhbGlk
-YXRvciIsImlhdCI6MTU4MjczMDY0NSwianRpIjoiZTIyYzViZTZkZDZjYzZkYjgzNGJjY2QwNjZmNWUyZTMiLCJzaWdf
-dmFsX2NsYWltcyI6eyJzaWciOlt7ImV4dCI6bnVsbCwic2lnX3ZhbCI6W3sibXNnIjoiSW52YWxpZCBzaWduYXR1cmUi
-LCJleHQiOm51bGwsInJlcyI6IkZBSUxFRCIsInBvbCI6Imh0dHA6XC9cL2lkLnN3ZWRlbmNvbm5lY3Quc2VcL3N2dFwv
-c2lndmFsLXBvbGljeVwvY2hhaW5cLzAxIn1dLCJzaWdfcmVmIjp7InNpZ19oYXNoIjoiQmh1RTlCQ1lkcUxneW93bDJQ
-Ym1uSzlkSkFtaVZ0VDF1OVZnaUY5OWgyaFZQekU0WExXdmJDUGU0YUNKM0l6RmZvTDlrM3RXcjBXK3d5OUJlcWlyY1E9
-PSIsImlkIjpudWxsLCJzYl9oYXNoIjoiYnVlcTVIVE8xYnRwQ3JYUlg3VHpFS1VyTkpRaEdHOHFCaDR3eEVTcVJMM0J6
-bjRjbHZLMzdqWXUwS2pNTWtnSlFFTWZBMWIzaW1peTc5dDdoK1loOHc9PSJ9LCJzaWduZXJfY2VydF9yZWYiOnsicmVm
-IjpbIk5TdUZNXC92SitiZUJsUXRRVHptY1loNXg3TDhXQzlFMUtQSFJBMWlvTk9sS1ZHYmxhOVVSelljc2lzQXgyYmNz
-cU9oa3ZWVGMzbUs5RTZhZzA3aGZhdz09Il0sInR5cGUiOiJjaGFpbl9oYXNoIn0sInNpZ19kYXRhX3JlZiI6W3sicmVm
-IjoiMCAxMjI5MzUgMTI3OTM3IDI3NDMwIiwiaGFzaCI6Imt1VWI4NkZzTU5tSmwzdjRiUUswOUZrUWd2bzlReDAxbk5S
-eVFLVVppaEdFdW1kVnF0dUJLTlBxWkkxVHpDUWV3Nm44b0ZNak5oQjhDMFhNSmxrRE9RPT0ifV0sInRpbWVfdmFsIjpb
-XX1dLCJleHQiOnsibmFtZTIiOiJ2YWwyIiwibmFtZTEiOiJ2YWwxIn0sInZlciI6IjEuMCIsInByb2ZpbGUiOiJQREYi
-LCJoYXNoX2FsZ28iOiJodHRwOlwvXC93d3cudzMub3JnXC8yMDAxXC8wNFwveG1sZW5jI3NoYTUxMiJ9fQ.DhrCRxT_U
-8LeqK1BU9-5Bqui2cs5n21PrSqPnDtVa7mxUtqTnouOXjVfuWR0lfNAjEkc1y2QSX5x2dmMdCpNLWX127UHYiAm8NzeY
-uoWqdnxKiy61hZ1l0Jldnk52ngG_2UNDnrCGBo9OgC90kG2bFQimZB3WgVtE7ad_HAwIXwd-vEHt6Sf2yWXlUTYqQ1Dx
-gq6pTKQnuf5ahsHVyeDihgNeix8-cGx1MEvvHNUpCcIXBx67BEcZ-SrqRoIZkVqEcW83KFMgqKWmWDgp4z_CKM5ix2dV
-zwp1GvYOM6M3QUKYgmiNA6dMWJvXeJZ-KKi5A-6gEqfgOsixuZechcDon_3nMzEeNBSJFXU7ohkvxIJN9LXNFAxzAT2U
-mASxrL9wvaQMmJHYMeet-vUsOPWcsq07eKO5bnsYwrs9igYeotgcT_Nl74Rmf9uMye_IgyzlS_NLL4xq9Aaf6LPXWZ0S
-_plugvfzv7HuzXNOY994voq8sOpO9xKYhqYnzbdDFKU
    Decoded JWT Header:
    
-
    {
-  "kid":"OenI+434JhbvfDntfV\/8rOxG7FkvyjaKVJaVqIFBXohVhAe5fK8anov1S688r7Kbal+fvpaH1j8ibg52QB
-         y1PQ==",
-  "typ" : "JWT",
-  "alg" : "RS512"
-}
    Decoded JWT Claims:
    
-
    {
-  "aud" : "http://example.com/audience1",
-  "iss" : "https://swedenconnect.se/validator",
-  "iat" : 1582730645,
-  "jti" : "e22c5be6dd6cc6db834bccd066f5e2e3",
-  "sig_val_claims" : {
-    "sig" : [ {
-      "ext" : null,
-      "sig_val" : [ {
-        "msg" : "Invalid signature",
-        "ext" : null,
-        "res" : "FAILED",
-        "pol" : "http://id.swedenconnect.se/svt/sigval-policy/chain/01"
-      } ],
-      "sig_ref" : {
-        "sig_hash" : "BhuE9BCYdqLgyowl2PbmnK9dJAmiVtT1u9VgiF99h2hVPzE4XLWvbCPe4aCJ3IzFfoL9k3
-                      tWr0W+wy9BeqircQ==",
-        "id" : null,
-        "sb_hash" : "bueq5HTO1btpCrXRX7TzEKUrNJQhGG8qBh4wxESqRL3Bzn4clvK37jYu0KjMMkgJQEMfA1b
-                     3imiy79t7h+Yh8w=="
-      },
-      "signer_cert_ref" : {
-        "ref" : [ "NSuFM/vJ+beBlQtQTzmcYh5x7L8WC9E1KPHRA1ioNOlKVGbla9URzYcsisAx2bcsqOhkvVTc3
-                   mK9E6ag07hfaw==" ],
-        "type" : "chain_hash"
-      },
-      "sig_data_ref" : [ {
-        "ref" : "0 122935 127937 27430",
-        "hash" : "kuUb86FsMNmJl3v4bQK09FkQgvo9Qx01nNRyQKUZihGEumdVqtuBKNPqZI1TzCQew6n8oFMjNh
-                  B8C0XMJlkDOQ=="
-      } ],
-      "time_val" : [ ]
-    } ],
-    "ext" : {
-      "name2" : "val2",
-      "name1" : "val1"
-    },
-    "ver" : "1.0",
-    "profile" : "PDF",
-    "hash_algo" : "http://www.w3.org/2001/04/xmlenc#sha512"
-  }
-}
    
-
    Note: Line breaks in the decoded example are inserted for readablilty. These are not allowed in valid JSON data.
    
-
    
-
    
-
    6. Normative References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[RFC5280]
    
-
    
-
    D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, Internet
-X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
-Profile, May 2008.
    
-
    
-
    
-[RFC6931]
    
-
    
-
    Eastlake 3rd, D., Additional XML Security Uniform Resource Identifiers
-(URIs), April 2013.
    
-
    
-
    
-[RFC7515]
    
-
    
-
    Jones, M., Bradley, J., Sakimura, N., JSON Web Signature (JWS), May 2015.
    
-
    
-
    
-[RFC7518]
    
-
    
-
    Jones, M., JSON Web Algorithms (JWA), May 2015.
    
-
    
-
    
-[RFC7519]
    
-
    
-
    Jones, M., Bradley, J., Sakimura, N., JSON Web Token (JWT), May 2015.
    
-
    
-
    
-[RFC8174]
    
-
    
-
    Leiba, B., Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words, May 2017.
    
-
    
-
    
-[ETSI EN 319 102-1]
    
-
    
-
    ETSI - Electronic Signatures and Infrastructures (ESI); Procedures for
-Creation and Validation of AdES Digital Signatures; Part 1: Creation and
-Validation.
    
-
    
-    
    
-  
-
diff --git a/docs/updates/16_-_PDF_Profile_for_Signature_Validation_Tokens.html b/docs/updates/16_-_PDF_Profile_for_Signature_Validation_Tokens.html
deleted file mode 100644
index d4f8615..0000000
--- a/docs/updates/16_-_PDF_Profile_for_Signature_Validation_Tokens.html
+++ /dev/null
@@ -1,215 +0,0 @@
-
-
-  
-    
-    
-    PDF Profile for Signature Validation Tokens
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    PDF Profile for Signature Validation Tokens
    
-
    Version 1.0 - 2020-12-16 - Draft version
    
-
    Registration number: 2020-61
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2020. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirements Notation
      
-
       1.2. Definitions
      
-
      2. 
-
    2. SVT in PDF Documents
      
-
       2.1. SVT Extension to Timestamp Tokens
      
-
      3. 
-
    3. SVT Claims
      
-
       3.1. Signature Reference Data
      
-
       3.2. Signed Data Reference Data
      
-
       3.3. Signer Certificate References
      
-
      4. 
-
    4. JOSE Header
      
-
       4.1. SVT Signing Key Reference
      
-
      5. 
-
    5. Normative References
      
-
      6. 
-
    
-
    
-
    
-
    1. Introduction
    
-
    The "Signature Validation Token" specification [SVT] defines a basic token to support signature validation in a way that can significantly extend the lifetime of a signature.
    
-
    This specification defines a profile for implementing SVT with a signed PDF document, and defines the following aspects of SVT usage:
    
-
      
-
    • How to include reference data related to PDF signatures and PDF documents in an SVT.
      • 
-
    • How to add an SVT token to a PDF document.
      • 
-
    
-
    PDF document signatures are added as incremental updates to the signed PDF document and signs all data of the PDF document up until the current signature. When more than one signature is added to a PDF document the previous signature is signed by the next signature and can not be updated with additional data after this event.
    
-
    To minimize the impact on PDF documents with multiple signatures and to stay backwards compatible with PDF software that do not understand SVT, PDF documents add one SVT token for all signatures of the PDF as an extension to a document timestamp added to the signed PDF as an incremental update. This SVT covers all signatures of the signed SVT.
    
-
    
-
    1.1. Requirements Notation
    
-
    The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
    
-
    These keywords are capitalized when used to unambiguously specify requirements over protocol features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
    
-
    
-
    1.2. Definitions
    
-
    The definitions in [SVT] apply also to this document.
    
-
    
-
    2. SVT in PDF Documents
    
-
    An SVT added to a signed PDF document SHALL be added to a document timestamp accordance with ISO 32000-2:2017 [PDF].
    
-
    The document timestamp contains an RFC 3161 timestamp token (TSTInfo) in EncapsulatedContentInfo of the CMS signature. The SVT SHALL be added to the timestamp token (TSTInfo) as an Extension object as defined in section 2.1.
    
-
    
-
    2.1. SVT Extension to Timestamp Tokens
    
-
    The SVT extension is an Extension suitable to be included in TSTInfo as defined by [RFC3161]*.
    
-
    The SVT extension is identified by the Object Identifier (OID) 1.2.752.201.5.2 as defined in [EidRegistry].
    
-
    This extension data (OCTET STRING) holds the bytes of SVT JWT, represented as a UTF-8 encoded string.
    
-
    This extension SHALL NOT be marked critical.
    
-
    
-
    [*]: Extensions in timestamp tokens according to [RFC3161] are imported from the definition of the X.509 certificate extensions defined in [RFC5280].
    
-
    
-
    
-
    3. SVT Claims
    
-
    
-
    3.1. Signature Reference Data
    
-
    The SVT SHALL contain a SigReference claims object that SHALL contain the following data:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    ClaimValue
    idAbsent or a Null value.
    sig_hashThe hash over the signature value bytes.
    sb_hashThe hash over the DER encoded SignedAttributes in SignerInfo.
    
-
    
-
    3.2. Signed Data Reference Data
    
-
    An SVT according to this profile SHALL contain exactly one instance of the SignedData claims object. The SignedData claims object shall contain the following data:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    ClaimValue
    refThe string representation of the ByteRange value of the PDF signature dictionary of the target signature. This is a sequence of integers separated by space where each integer pair specifies the start index and length of a byte range.
    hashThe hash of all bytes identified by the ByteRange value. This is the concatenation of all byte ranges identified by the ByteRange value.
    
-
    
-
    3.3. Signer Certificate References
    
-
    The SVT SHALL contain a CertReference claims object. The type claim of the CertReference claims object SHALL be either cert, chain, cert_hash or cert_and_chain_hash.
    
-
      
-
    • The chain type SHALL be used when signature validation was performed using one or more certificates where some or all of the certificates in the chain are not present in the target signature.
      • 
-
    • The chain_hash type SHALL be used when signature validation was performed using one or more certificates where all of the certificates are present in the target signature.
      • 
-
    
-
    Note: The cert type MUST NOT be used with a PAdES signatures (SubFiler in the signature dictionary is set to "ETSI.CAdES.detached") where the signing certificate in the target signature is bound to the signature through ESSCertID or ESSCertIDv2 [RFC5035].
    
-
    
-
    4. JOSE Header
    
-
    
-
    4.1. SVT Signing Key Reference
    
-
    The SVT JOSE header must contain one of the following header parameters in accordance with [RFC7515], for storing a reference to the public key used to verify the signature on the SVT:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Header ParameterValue
    x5cHolds an X.509 certificate [RFC5280] or a chain of certificates. The certificate holding the public key that verifies the signature on the SVT MUST be the first certificate in the chain.
    kidA key identifier holding the Base64 encoded hash value of the certificate that can verify the signature on the SVT. The hash algorithm MUST be the same hash algorithm used when signing the SVT as specified by the alg header parameter. The referenced certificate SHOULD be the same certificate that was used to sign the document timestamp that contains the SVT.
    
-
    
-
    5. Normative References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[RFC3161]
    
-
    
-
    Adams, C., Cain, P., Pinkas, D., Zuccherato, R., Internet X.509 Public Key
-Infrastructure Time-Stamp Protocol (TSP), August 2001.
    
-
    
-
    
-[RFC5280]
    
-
    
-
    D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, Internet
-X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
-Profile, May 2008.
    
-
    
-
    
-[RFC5035]
    
-
    
-
    Shaad, J., Enhanced Security Services (ESS) Update: Adding CertID Algorithm
-Agility, August 2007.
    
-
    
-
    
-[RFC7515]
    
-
    
-
    Jones, M., Bradley, J., Sakimura, N., JSON Web Signature (JWS), May 2015.
    
-
    
-
    
-[RFC8174]
    
-
    
-
    Leiba, B., Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words,
-May 2017.
    
-
    
-
    
-[PDF]
    
-
    
-
    ISO 32000-2:2017, Document management - Portable Document Format - Part 2:
-PDF 2.0, July 2017.
    
-
    
-
    
-[EidRegistry]
    
-
    
-
    Swedish eID Framework - Registry for identifiers.
    
-
    
-
    
-[SVT]
    
-
    
-
    Signature Validation Token.
    
-
    
-    
    
-  
-
diff --git a/docs/updates/17_-_XML_Profile_for_Signature_Validation_Tokens.html b/docs/updates/17_-_XML_Profile_for_Signature_Validation_Tokens.html
deleted file mode 100644
index 12d1a52..0000000
--- a/docs/updates/17_-_XML_Profile_for_Signature_Validation_Tokens.html
+++ /dev/null
@@ -1,247 +0,0 @@
-
-
-  
-    
-    
-    XML Profile for Signature Validation Tokens
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    XML Profile for Signature Validation Tokens
    
-
    Version 1.0 - 2020-12-16 - Draft version
    
-
    Registration number: 2020-62
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2015-2020. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirements Notation
      
-
       1.2. Definitions
      
-
       1.2. Notation
      
-
       1.2.1 References to XML Elements from XML Schemas
      
-
      2. 
-
    2. SVT in XML Documents
      
-
       2.1.1. SignatureValidationToken Signature Property
      
-
       2.1.2. Multiple SVT in a signature
      
-
      3. 
-
    3. SVT Claims
      
-
       3.1. Signature Reference Data
      
-
       3.2. Signed Data Reference Data
      
-
       3.3. Signer Certificate References
      
-
      4. 
-
    4. JOSE Header
      
-
       4.1. SVT Signing Key Reference
      
-
      5. 
-
    5. Normative References
      
-
      6. 
-
    
-
    
-
    
-
    1. Introduction
    
-
    The "Signature Validation Token" specification [SVT] defines the basic token to support signature validation in a way that can significantly extend the lifetime of a signature.
    
-
    This specification defines a profile for implementing SVT with a signed XML document, and defines the following aspects of SVT usage:
    
-
      
-
    • How to include reference data related to XML signatures and XML documents in an SVT.
      • 
-
    • How to add an SVT token to a XML signature.
      • 
-
    
-
    XML documents can have any number of signature elements, signing an arbitrary number of fragments of XML documents. The actual signature element may be included in the signed XML document (enveloped), include the signed data (enveloping) or may be separate from the signed content (detached).
    
-
    To provide a generic solution for any type of XML signature an SVT is added to each XML signature element within the XML signature <ds:Object> element.
    
-
    
-
    1.1. Requirements Notation
    
-
    The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
    
-
    These keywords are capitalized when used to unambiguously specify requirements over protocol features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
    
-
    
-
    1.2. Definitions
    
-
    The definitions in [SVT] apply also to this document.
    
-
    
-
    1.2. Notation
    
-
    
-
    1.2.1 References to XML Elements from XML Schemas
    
-
    When referring to elements from the W3C XML Signature namespace
-(http://www.w3.org/2000/09/xmldsig\#) the following syntax is used:
    
-
      
-
    • <ds:Signature>
      • 
-
    
-
    When referring to elements from the ETSI XAdES XML Signature namespace
-(http://uri.etsi.org/01903/v1.3.2#) the following syntax is used:
    
-
      
-
    • <xades:CertDigest>
      • 
-
    
-
    When referring to elements defined in this specification
-(http://id.swedenconnect.se/svt/1.0/sig-prop/ns) the following syntax is used:
    
-
      
-
    • <svt:Element>
      • 
-
    
-
    
-
    2. SVT in XML Documents
    
-
    When SVT is provided for XML signatures then one SVT SHALL be provided for each XML signature.
    
-
    An SVT embedded within the XML signature element SHALL be placed in a  <svt:SignatureValidationToken> element as defined in section 2.1.1.
    
-
    
-
    2.1.1. SignatureValidationToken Signature Property
    
-
    The <svt:SignatureValidationToken> element SHALL be placed in a <ds:SignatureProperty> element in accordance with [XMLDsig]. The <ds:SignatureProperty> element SHALL be placed inside a <ds:SignatureProperties> element inside a <ds:Object> element inside a <ds:Signature> element.
    
-
    Note: [XMLDsig] requires the Target attribute to be present in <ds:SignatureProperty>, referencing the signature targeted by this signature property. If an SVT is added to a signature that do not have an Id attribute, implementations SHOULD add an Id attribute to the <ds:Signature> element and reference that Id in the Target attribute. This Id attribute and Target attribute value matching is required by the [XMLDsig] standard, but it is redundant in the context of SVT validation as the SVT already contains information that uniquely identifies the target signature. Validation applications SHOULD not reject an SVT token because of Id and Target attribute mismatch, and MUST rely on matching against signature using signed information in the SVT itself.
    
-
    The <svt:SignatureValidationToken> element is defined by the following XML Schema:
    
-
    <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
-    targetNamespace="http://id.swedenconnect.se/svt/1.0/sig-prop/ns"
-    xmlns:svt="http://id.swedenconnect.se/svt/1.0/sig-prop/ns">
-
-  <xs:element name="SignatureValidationToken" type="svt:SignatureValidationTokenType" />
-
-  <xs:complexType name="SignatureValidationTokenType">
-    <xs:simpleContent>
-      <xs:extension base="xs:string">
-      </xs:extension>
-    </xs:simpleContent>
-  </xs:complexType>
-
-</xs:schema>
    The SVT token SHALL be included as a string representation of the SVT JWT. Note that this is the string representation of the JWT without further encoding. The SVT MUST NOT be represented by the Base64 encoded bytes of the JWT string.
    
-
    Example:
    
-
    <ds:Signature Id="MySignatureId">
-  ...
-  <ds:Object>
-    <ds:SignatureProperties>
-      <ds:SignatureProperty Target="#MySignatureId">
-        <svt:SignatureValidationToken>
-              eyJ0eXAiOiJKV1QiLCJhb...2aNZ
-        </svt:SignatureValidationToken>
-      </ds:SignatureProperty>
-    </ds:SignatureProperties>
-  </ds:Object>
-</ds:Signature>
    
-
    2.1.2 Multiple SVT in a signature
    
-
    If a new SVT is stored in a signature which already contains a previously issued SVT, implementations can choose to either replace the existing SVT or to store the new SVT in addition to the existing SVT.
    
-
    If the new SVT is stored in addition to the old SVT, it SHOULD be stored in a new <ds:SignatureProperty> element inside the existing <ds:SignatureProperties> element where the old SVT is located.
    
-
    For interoperability robustness, signature validation applications MUST be able to handle signatures where the new SVT is located in a new <ds:Object> element.
    
-
    
-
    3. SVT Claims
    
-
    
-
    3.1. Signature Reference Data
    
-
    The SVT SHALL contain a SigReference claims object that SHALL contain the following data:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    ClaimValue
    idThe Id-attribute of the XML signature, if present.
    sig_hashThe hash over the signature value bytes.
    sb_hashThe hash over the canonicalized <ds:SignedInfo> element (the bytes the XML signature algorithm has signed to generated the signature value).
    
-
    
-
    3.2. Signed Data Reference Data
    
-
    An SVT according to this profile SHALL contain one instance of the SignedData claims object for each <ds:Reference> element in the <ds:SignedInfo> element. The SignedData claims object shall contain the following data:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    ClaimValue
    refThe value of the URI attribute of the corresponding <ds:Reference> element.
    hashThe hash of all bytes identified corresponding <ds:Reference> element after applying all identified canonicalization and transformation algorithms. These are the same bytes that is hashed by the hash value in the <ds:DigestValue> element inside the <ds:Reference> element.
    
-
    
-
    3.3. Signer Certificate References
    
-
    The SVT SHALL contain a CertReference claims object. The type claim of the CertReference claims object SHALL be either chain or chain_hash.
    
-
      
-
    • The chain type SHALL be used when signature validation was performed using one or more certificates where some or all of the certificates in the chain are not present in the target signature.
      • 
-
    • The chain_hash type SHALL be used when signature validation was performed using one or more certificates where all of the certificates are present in the target signature.
      • 
-
    
-
    
-
    4. JOSE Header
    
-
    
-
    4.1. SVT Signing Key Reference
    
-
    The SVT JOSE header MUST contain one of the following header parameters in accordance with [RFC7515], for storing a reference to the public key used to verify the signature on the SVT:
    
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    Header ParameterValue
    x5cHolds an X.509 certificate [RFC5280] or a chain of certificates. The certificate holding the public key that verifies the signature on the SVT MUST be the first certificate in the chain.
    kidA key identifier holding the Base64 encoded hash value of the certificate that can verify the signature on the SVT. The hash algorithm MUST be the same hash algorithm used when signing the SVT as specified by the alg header parameter.
    
-
    
-
    5. Normative References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[RFC5280]
    
-
    
-
    D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, Internet
-X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
-Profile, May 2008.
    
-
    
-
    
-[RFC8174]
    
-
    
-
    Leiba, B., Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words,
-May 2017.
    
-
    
-
    
-[XMLDsig]
    
-
    
-
    XML Signature Syntax and Processing Version 1.1 - W3C Recommendation 11
-April 2013.
    
-
    
-
    
-[EidRegistry]
    
-
    
-
    Swedish eID Framework - Registry for identifiers.
    
-
    
-
    
-[SVT]
    
-
    
-
    Signature Validation Token.
    
-
    
-    
    
-  
-
diff --git a/docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html b/docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html
deleted file mode 100644
index 78bbaf5..0000000
--- a/docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html
+++ /dev/null
@@ -1,220 +0,0 @@
-
-
-  
-    
-    
-    User Message Extension in SAML Authentication Requests
-    
-    
-    
-    
-  
-  
-    
    
-
-
-
    
-
    
-
-
    
-
-
    User Message Extension in SAML Authentication Requests
    
-
    Version 1.0 - 2024-04-15 - Draft version
    
-
    Registration number: TBD
    
-
    
-
    
-Copyright © The Swedish Agency for Digital Government (DIGG), 2024. All Rights Reserved.
-
    
-
-
    Table of Contents
    
-
      
-
    1. Introduction
      
-
       1.1. Requirements Notation
      
-
       1.2. XML Namespace References
      
-
       1.3. Structure
      
-
      2. 
-
    2. Data elements
      
-
      3. 
-
    3. Usage Requirements
      
-
       3.1. Identity Provider Requirements
      
-
       3.2. Service Provider Requirements
      
-
      4. 
-
    4. Examples
      
-
      5. 
-
    5. Schemas
      
-
      6. 
-
    6. Normative References
      
-
      7. 
-
    7. Changes between versions
      
-
      8. 
-
    
-
    
-
    1. Introduction
    
-
    When a Service Provider requests authentication of a user, the Service Provider may want to pass a message along for the user to see during the authentication phase at the Identity Provider. Normally, an Identity Provider displays information about the requesting Service Provider for the user based on the registered presentation data from the SP's SAML metadata entry. This information is static and its purpose is to show for the user that he or she is still in the context of the Service Provider.
    
-
    By using dynamic user messages to be displayed at the Identity Provider side (possibly in an authentication device such as a mobile phone), the Service Provider may further strengthen the coupling to its current context. Examples of messages can be information about the purpose of the authentication or warnings and prompts for the user to not authenticate based on another person's request. 
    
-
    This specification defines the <umsg:UserMessage> element that may be included in the <saml2p:Extensions> element of a SAML <saml2p:AuthnRequest> where the requesting Service Provider can specify a message text that is to be displayed by the Identity Provider during the user authentication process.
    
-
    
-
    1.1. Requirements Notation
    
-
    The key words MUST, MUST NOT, REQUIRED, SHALL,
-SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED,
-MAY, and OPTIONAL are to be interpreted as described in
-[RFC2119].
    
-
    These keywords are capitalized when used to unambiguously specify requirements over protocol features and behaviour that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
    
-
    
-
    1.2. XML Namespace References
    
-
    The prefix umsg: stands for the User Message Extension XML schema namespace http://id.swedenconnect.se/authn/1.0/user-message/ns. 
    
-
    The prefix saml2: stands for the OASIS SAML 2 Assertion schema namespace urn:oasis:names:tc:SAML:2.0:assertion.
    
-
    The prefix saml2p: stands for the OASIS SAML 2 Protocol schema namespace urn:oasis:names:tc:SAML:2.0:protocol.
    
-
    The prefix md: stands for the OASIS SAML 2 Metadata schema namespace urn:oasis:names:tc:SAML:2.0:metadata.
    
-
    
-
    1.3. Structure
    
-
    This specification uses the following typographical conventions in text:
-<LocalElement>, <ns:ForeignElement>, Attribute, Datatype,
-OtherCode.
    
-
    
-
    2. Data elements
    
-
    This specification defines the element <UserMessage> to be included in the <Extensions> element of an AuthnRequest. 
    
-
    This element MAY included by a Service Provider asking the Identity Provider to display a given message for the user during the authentication phase. The element has the following elements and attributes:
    
-
    <Message> [One or more]
    
-
    
-
    Element that holds the user message for a specific language. See below.
    
-
    
-
    mimeType
    
-
    
-
    The MIME type for the text contained in all Message elements. This specification defines two possible values that are text/plain (where ;charset=UTF-8 is an implicit condition) and text/markdown1. If no value is given for this field, text/plain MUST be assumed. Other profiles MAY add support for additional MIME types.
    
-
    
-
    The following schema fragment defines the <UserMessage> element:
    
-
    <xs:element name="UserMessage" type="umsg:UserMessageType"/>
-
-<xs:complexType name="UserMessageType">
-  <xs:sequence>
-    <xs:element name="Message" type="umsg:MessageType" minOccurs="1" maxOccurs="unbounded"/>
-  </xs:sequence>
-  <xs:attribute name="mimeType" type="xs:string" default="text/plain">
-    <xs:annotation>
-      <xs:documentation>The format of the user message(s)</xs:documentation>
-    </xs:annotation>
-  </xs:attribute>
-  <xs:anyAttribute namespace="##any" processContents="lax"/>
-</xs:complexType>
    The <Message> element is defined by the following schema definition:
    
-
    <xs:complexType name="MessageType">
-  <xs:simpleContent>
-    <xs:extension base="xs:base64Binary">
-      <xs:attribute ref="xml:lang" use="required"/>
-      <xs:anyAttribute namespace="##any" processContents="lax"/>
-    </xs:extension>
-  </xs:simpleContent>
-</xs:complexType>
    The <Message> element contains the Base64-encoding of the UTF-8 string holding the message to display to the user for a specific language.
    
-
    The required xml:lang attribute contains the language tag for the message's language according to [BCP47].
    
-
    
-
    [1]: The Markdown dialect, and potential restrictions for tags, is not regulated in this specification. However, the Markdown SHOULD NOT contain HTML-tags for security reasons.
    
-
    
-
    
-
    3. Usage Requirements
    
-
    
-
    3.1. Identity Provider Requirements
    
-
    An Identity Provider that supports the <umsg:UserMessage> extension MUST declare this support in its metadata entry by declaring the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category (see section 6.3 of [EidEntCat]).
    
-
    Identity Providers compliant with this specification MUST support the text/plain and text/markdown MIME types.
    
-
    An OpenID Provider MUST NOT display a user message unless the user is being authenticated. Thus, if the IsPassive-flag of the authentication request is set to true, the Identity Provider MUST NOT display the user message.
    
-
    An Identity Provider that receives a <umsg:UserMessage> extension containing user messages in several languages SHOULD display the message that best matches the user's current locale at the Identity Provider. If no message matches the user's current locale, the Identity Provider SHOULD select the first message from the list.
    
-
    An Identity Provider MUST refuse to display a message if it does not support a given MIME type. It MAY respond with an error if a non-supported MIME type is received.
    
-
    Should a message contain illegal characters, or any other constructs not accepted by the Identity Provider, the Identity Provider MAY choose not to display the message, or filter the message before displaying it.
    
-
    The Identity Provider MUST be able to handle messages containing line breaks.
    
-
    
-
    3.2. Service Provider Requirements
    
-
    A Service Provider SHOULD check whether an Identity Provider supports the <umsg:UserMessage> extension before including it in a <saml2p:AuthnRequest> element. This is done by checking the Identity Provider metadata entry for the presence of the http://id.swedenconnect.se/general-ec/1.0/supports-user-message entity category (see 3.1 above).
    
-
    A Service Provider MUST NOT supply user messages that contains integrity sensitive information. The message will be displayed for the user before he or she is authenticated.
    
-
    
-
    4. Examples
    
-
    Example of supplying a user message in Swedish ("Jag vill logga in till example.com") and in
-English ("I wish to login to example.com"):
    
-
    ...
-<saml2p:Extensions>
-  <umsg:UserMessage xmlns:umsg="http://id.swedenconnect.se/authn/1.0/user-message/ns"
-                    mimeType="text/plain">
-    <umsg:Message xml:lang="sv">
-      SmFnIHZpbGwgbG9nZ2EgaW4gdGlsbCBleGFtcGxlLmNvbQ==
-    </umsg:Message>
-    <umsg:Message xml:lang="en">
-      SSB3aXNoIHRvIGxvZ2luIHRvIGV4YW1wbGUuY29t
-    </umsg:Message>
-  </umsg:UserMessage>
-</saml2p:Extensions>
-...
    
-
    5. Schemas
    
-
    The following XML schema defines the http://id.swedenconnect.se/authn/1.0/user-message/ns namespace:
    
-
    <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
-           targetNamespace="http://id.swedenconnect.se/authn/1.0/user-message/ns"
-           xmlns:umsg="http://id.swedenconnect.se/authn/1.0/user-message/ns">
-
-  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
-
-  <xs:annotation>
-    <xs:documentation>
-      Schema location URL: https://docs.swedenconnect.se/schemas/authn/1.0/UserMessage-1.0.xsd
-    </xs:documentation>
-  </xs:annotation>
-
-  <xs:element name="UserMessage" type="umsg:UserMessageType"/>
-
-  <xs:complexType name="UserMessageType">
-    <xs:annotation>
-      <xs:documentation>List of user messages (in different languages)</xs:documentation>
-    </xs:annotation>
-    <xs:sequence>
-      <xs:element name="Message" type="umsg:MessageType" minOccurs="1" maxOccurs="unbounded"/>
-    </xs:sequence>
-    <xs:attribute name="mimeType" type="xs:string" default="text/plain">
-      <xs:annotation>
-        <xs:documentation>The MIME type of the user message(s)</xs:documentation>
-      </xs:annotation>
-    </xs:attribute>
-    <xs:anyAttribute namespace="##any" processContents="lax"/>
-  </xs:complexType>
-
-  <xs:complexType name="MessageType">
-    <xs:annotation>
-      <xs:documentation>
-        The Base64-encoding of UTF-8 string holding the user message.
-      </xs:documentation>
-    </xs:annotation>
-    <xs:simpleContent>
-      <xs:extension base="xs:base64Binary">
-        <xs:attribute ref="xml:lang" use="required"/>
-        <xs:anyAttribute namespace="##any" processContents="lax"/>
-      </xs:extension>
-    </xs:simpleContent>
-  </xs:complexType>
-
-</xs:schema>
    
-
    6. Normative References
    
-
    
-[RFC2119]
    
-
    
-
    Bradner, S., Key words for use in RFCs to Indicate Requirement
-Levels, March 1997.
    
-
    
-
    
-[BCP47]
    
-
    
-
    Tags for Identifying Languages, September 2009.
    
-
    
-
    
-[SAML2Core]
    
-
    
-
    OASIS Standard, Assertions and Protocols for the OASIS Security
-Assertion Markup Language (SAML) V2.0, March
-2005.
    
-
    
-
    
-[EidEntCat]
    
-
    
-
    Entity Categories for the Swedish eID Framework.
    
-
    
-
    
-
    7. Changes between versions
    
-
    This is the first version of this specification.
    
-    
    
-  
-
diff --git a/docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html b/docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html
new file mode 120000
index 0000000..38d335a
--- /dev/null
+++ b/docs/updates/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html
@@ -0,0 +1 @@
+../december-2024/18_-_User_Message_Extension_in_SAML_Authentication_Requests.html
\ No newline at end of file
diff --git a/docs/updates/OpenID_Connect_Claims_and_Scopes_Specification.html b/docs/updates/OpenID_Connect_Claims_and_Scopes_Specification.html
new file mode 120000
index 0000000..1c38ad2
--- /dev/null
+++ b/docs/updates/OpenID_Connect_Claims_and_Scopes_Specification.html
@@ -0,0 +1 @@
+../december-2024/OpenID_Connect_Claims_and_Scopes_Specification.html
\ No newline at end of file
diff --git a/docs/updates/OpenID_Connect_Profile_for_Sweden_Connect.html b/docs/updates/OpenID_Connect_Profile_for_Sweden_Connect.html
new file mode 120000
index 0000000..2954279
--- /dev/null
+++ b/docs/updates/OpenID_Connect_Profile_for_Sweden_Connect.html
@@ -0,0 +1 @@
+../december-2024/OpenID_Connect_Profile_for_Sweden_Connect.html
\ No newline at end of file
diff --git a/scripts/release.sh b/scripts/release.sh
index ed49bd6..a6a94e5 100755
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -2,7 +2,7 @@
 #
 # release.sh
 #
-# Author: Martin Lindstrm, Litsec AB
+# Author: Martin Lindström
 #
 
 INSTALL_DIR=$(dirname $0)
@@ -38,7 +38,10 @@ declare -a SPECIFICATIONS=("00 - Tekniskt ramverk - Introduktion"
     "11 - eIDAS Constructed Attributes Specification for the Swedish eID Framework"
     "12 - BankID Profile for the Swedish eID Framework"
     "13 - Signature Activation Protocol"
-    "14 - Principal Selection in SAML Authentication Requests")
+    "14 - Principal Selection in SAML Authentication Requests"
+    "18 - User Message Extension in SAML Authentication Requests"
+    "OpenID Connect Claims and Scopes Specification"
+    "OpenID Connect Profile for Sweden Connect")
 
 #
 # Produce HTML
@@ -60,8 +63,3 @@ done
 ${INSTALL_DIR}/tohtml.sh ${INSTALL_DIR}/templates/index.md ${OUTPUT_DIR} -o p
 
 exit 0
-
-
-
-
-