The purpose of the signature support API is to help with creating signature requests, and processing signature responses, according to the technical framework specified by Sweden Connect (https://docs.swedenconnect.se/technical-framework/).
This document describes the technical details of the Signature Support Service API, and how to use it to implement digital signature workflow in an existing web application.
The library can be used within a maven project by adding the following dependency:
<dependency>
<groupId>se.signatureservice.support</groupId>
<artifactId>signservice-support-lib</artifactId>
<version>2401.1</version>
</dependency>The library is configured and initialized using builder pattern. The following gives a basic example of how to build an instance of the API:
SupportServiceAPI supportServiceAPI = new V2SupportServiceAPI.Builder()
.messageSecurityProvider(messageSecurityProvider)
.cacheProvider(cacheProvider)
.trustStore(trustedCertificateSource)
.build();|
Note
|
Complete description of all available configuration methods for the builder is available in the API Reference within this document. |
When creating an instance of the support service API a message security provider must be provided. The
message security provider is used when signing signature requests and when verifying signature responses.
A custom message security provider can be created by implementing org.certificateservices.messages.MessageSecurityProvider.
It is also possible to use a build-in simple message security provider. The following gives an example of how to
create a simple message security provider:
// Initialize XML security library. This is needed before creating the
// message security provider.
Init.init();
MessageSecurityProvider messageSecurityProvider = SupportLibraryUtils.createSimpleMessageSecurityProvider(
"/path/to/keystore.jks",
"keystore_password",
"keystore_alias",
"/path/to/truststore.jks",
"truststore_password"
);The API also requires a cache provider that will be used when storing transaction state information that needs
to be kept after creating a signature request and until processing the signature response. A custom cache provider
can be created by implementing se.signatureservice.support.common.cache.CacheProvider . It is also possible to use
a built-in simple cache provider that stores everything in memory. The following gives an example of how to create
a simple cache provider:
CacheProvider cacheProvider = new SimpleCacheProvider();The API needs a source of trusted certificates that will be used when validating signed documents. A custom implementation
of a trusted certificate source can be created by implementing eu.europa.esig.dss.spi.x509.CertificateSource. It is also
possible to use the existing KeyStoreCertificateSource that loads trusted certificates from a keystore file (JKS or PKCS#12):
CertificateSource certificateSource = new KeyStoreCertificateSource(
"/path/to/keystore.p12",
"PKCS12",
"somepassword"
)The API will be used to create signature requests that then needs to be sent to the central signature service
through an HTTP POST through the user browser. The central signature service will the re-direct the user to the
identity provider, and after successful authentication the user will be re-directed to a pre-determined consumer URL
through an HTTP POST with the signature request as parameter. The following gives an overview how the API is used
during these steps:
// Create user that is going to sign the document(s)
User user = new User.Builder()
// Specify user ID (required)
.userId("195207092072")
// Specify role (optional)
.role("testrole")
// Build user
.build();
// Create document requests to include in the transaction.
DocumentRequests documentRequests = new DocumentRequests.Builder()
.addXMLDocument("/path/to/document.xml")
.build();
// Generate the prepared signature request using the support service API.
PreparedSignatureResponse preparedSignature = supportServiceAPI.prepareSignature(
// Profile configuration (see below).
profileConfig,
// Docment(s) to request signature for.
documentRequests,
// Let the API generate transaction ID automatically.
null,
// Sign message or null if not used.
"Some sign message",
// User signing the document.
user,
// Entity ID of identity provider to use.
"https://idp.someorg.com/samlv2/idp/metadata",
// Consumer URL to receive the sign response.
"https://app.someorg.com/sign",
// No attributes.
null
);The PreparedSignatureResponse received from a successful call to prepareSignature contains the following information:
-
signRequest- Base64 encoded signature request data. -
actionURL- URL that the signature request should be sent to. -
transactionId- Transaction ID related to the signature request. -
profile- Name of related profile that was used.
An auto-submit form can be used in order to re-direct the user browser with the signature request. This form can be generated using a helper:
String formContent = SupportLibraryUtils.generateRedirectHtml(preparedSignature);
After a successful signature flow the signature response will be sent to the consumer URL. The library can then be used to create the complete signed document(s), shown through the following example:
// Process the sign response using the support service API.
CompleteSignatureResponse completeSignature = supportServiceAPI.completeSignature(
profileConfig,
eidSignResponse,
transactionId
);
// Retrieve the signed document
Document signedDocument = (Document)completeSignature
.getDocuments().getDocuments().get(0);The API can be used in order to verify a signed document and to assure that the document has not been altered. The following example shows how to verify a signed document using the API:
VerifyDocumentResponse verifiedDocument = supportServiceAPI.verifyDocument(
profileConfig,
signedDocument
);
if(verifiedDocument.isVerifies()) {
// Document verified successfully.
} else {
// Document verification failed.
}The validation report is available within the verifiedDocument.getReportData().
When using the API a profile configuration instance (se.signatureservice.support.system.SupportAPIProfile) needs to be created and provided. The profile configuration contains
a lot of settings to control how the request is created and how the signature is performed. Profile configuration is
created using builder pattern. The following gives a basic example of how to create a profile configuration:
SupportAPIProfile profileConfig = new SupportAPIProfile.Builder()
// Entity ID of central signature service to use.
.signServiceId("https://sign.someorg.com/signservice-frontend/metadata")
// Request URL to send signature requests to.
.signServiceRequestURL("https://sign.someorg.com/signservice-frontend/request")
// Add identity provider that are trusted to be used by this profile.
.addTrustedAuthenticationService("Some idP", "https://idp.someorg.com/samlv2/idp/metadata", "Some Trusted iDP")
// Add requested certificate attribute that will be used within the request.
.addRequestedCertAttribute("givenName", "urn:oid:2.5.4.42", "2.5.4.42", true)
.addRequestedCertAttribute("sn", "urn:oid:2.5.4.4", "2.5.4.4", true)
.addRequestedCertAttribute("serialNumber", "urn:oid:1.2.752.29.4.13", "2.5.4.5", true)
.addRequestedCertAttribute("commonName", "urn:oid:2.16.840.1.113730.3.1.241", "2.5.4.3", false)
.addRequestedCertAttribute("displayName", "urn:oid:2.16.840.1.113730.3.1.241", "2.16.840.1.113730.3.1.241", false)
.addRequestedCertAttribute("c", "urn:oid:2.5.4.6", "2.5.4.6", false)
.addRequestedCertAttribute("gender", "urn:oid:1.3.6.1.5.5.7.9.3", "1.3.6.1.5.5.7.9.3", "sda", false)
// Add authorized consumer URL that can be used with this profile.
.addAuthorizedConsumerURL("https://app.someorg.com/sign")
// Specify identity of the application that generates the signature requests.
.signRequester("https://app.someorg.com/support/metadata")
// Specify a name for the profile.
.relatedProfile("rsaProfile")
// Enable Authn profile. This must match how the signature service is configured.
.enableAuthnProfile(true)
// Finally build the profile.
.build();|
Note
|
Complete description of all available configuration methods for the builder is available in the API Reference within this document. |
When using a profile that has been configured with a -T, -LT or -LTA signature level, a time stamp will be requested from a time stamp server. This applies for the following signature levels:
-
CAdES-BASELINE-T
-
CAdES-BASELINE-LT
-
CAdES-BASELINE-LTA
-
PAdES-BASELINE-T
-
PAdES-BASELINE-LT
-
PAdES-BASELINE-LTA
-
XAdES-BASELINE-T
-
XAdES-BASELINE-LT
-
XAdES-BASELINE-LTA
Time stamp configuration is performed by specifying timeStamp when building a profile (Only relevant parts are
included in the example):
// Create instance of timestamp configuration
TimeStampConfig timeStampConfig = new TimeStampConfig();
timeStampConfig.setUrl("http://timestamp.digicert.com");
SupportAPIProfile profileConfig = new SupportAPIProfile.Builder()
// Specify time stamp configuration
.timeStamp(timeStampConfig)
// Build the profile.
.build();The following table shows available settings that can be used. Each field within the table is specified using its setter.
| Field | Default value | Description |
|---|---|---|
url |
required |
URL to Time Stamp Authority (TSA) server to use. This is the only required value. |
username |
N/A |
Username to use if username/password-authentication should be performed when requesting time stamps. |
password |
N/A |
Password to use if username/password-authentication should be performed when requesting time stamps. |
keyStorePath |
N/A |
Key store to use in order to enable certificate-based TLS authentication when requesting time stamps. |
keyStorePassword |
N/A |
Password that protects the key store. Used if keyStorePath is specified. |
keyStoreType |
N/A |
Key store type. Supported values are JKS or PKCS12. |
trustStorePath |
N/A |
Trust store to use when requesting time stamp using TLS/SSL, in order to verify server certificate. |
trustStorePassword |
N/A |
Password that protects the trust store. Used if trustStorePath is specified. |
trustStoreType |
N/A |
Trust store type. Supported values are JKS or PKCS12. |
proxyHost |
N/A |
Hostname of proxy-server if requests should be sent through proxy. |
proxyScheme |
http |
Connection scheme. Used if proxyHost is specified. Ex: http or https. |
proxyPort |
80 |
TCP port to use when connecting to proxy-server. |
proxyUser |
N/A |
Username to use if username/password-authentication should be performed when connecting to proxy. |
proxyPassword |
N/A |
Password to use if username/password-authentication should be performed when connecting to proxy. |
proxyExcludedHosts |
N/A |
Comma-separated list of hostnames that should be excluded from proxy. |
sslProtocol |
TLS v1.2 |
SSL/TLS protocol to use when connecting to TSA-server. |
Visible signatures is a feature that can be enabled when signing PDF documents. It consists of an image and text element that is embedded into the document after it has been signed. The purpose is to give a visual indication that the document is digitally signed, and some information about the signature such as the name of the person that signed the document, the signature time.
|
Important
|
A visible signature does not replace the actual cryptographic signature within a digitally signed document. It should not be used as a way of verifying that a document has been signed, as it is easy to forge. |
Visible signatures are enabled by specifying a VisibleSignatureConfig when building a profile (Only relevant parts are included in the example):
// Create instance of visible signature configuration
VisibleSignatureConfig visibleSignatureConfig = new VisibleSignatureConfig()
visibleSignatureConfig.setEnable(true);
SupportAPIProfile profileConfig = new SupportAPIProfile.Builder()
// Specify visible signature configuration
.visibleSignatureConfig(visibleSignatureConfig)
// Build the profile.
.build();The following table shows available settings that can be used. Each field within the table is specified using its setter.
| Field | Default value | Description |
|---|---|---|
enable |
false |
If visible signature should be added to PDF documents or not. |
font |
Built-in / PT Serif Regular |
Path to true type font file to use (.ttf) when rendering text within the visible signature. The font file must be available either within the classpath or the file system, where classpath takes precedence. |
fontSize |
9 |
Font size to use when rendering text within the visible signature. |
fontColor |
#000000 |
Font color to use when rendering text within the visible signature. Color is specified "HTML-style" as RGB hex string. |
backgroundColor |
#ffffff |
Text background to use when rendering text within the visible signature. Color is specified "HTML-style" as RGB hex string. |
showLogo |
true |
If logo image should be displayed or not. |
logoImage |
CGI Signature service logo |
Path to logo image file to display within the visible signature. The image file must be available either within the classpath or the file system, where classpath takes precedence. |
showHeadline |
true |
If header text line should be displayed or not. |
headlineText |
Document Digital Signed |
Text to display in the first headline row, if shown. |
signerLabel |
Signer |
Prefix label to use on the second signer row that is displayed before the signatory name/ID. |
timeStampLabel |
Time |
Prefix label to use on the last timestamp row that is displayed before the signing time. |
timeStampFormat |
yyyy-MM-dd HH:mm:ss |
Format pattern to use for timestamp. List of available date and time patterns are available here: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/text/SimpleDateFormat.html) |
textPadding |
50 |
Padding to use for text that is rendered within the visible signature. |
signatureTextTemplate |
N/A |
Template to use for text in visible signature. If a template is specified all other text-related settings are ignored (ex. showHeadline) as the template takes precedence. For information about the template format and available variables see the section regarding signature text template below. |
The signature text template is a string that can contain replacement variables and new-lines that
will be used in order to create the text element rendered within a visible signature. Variables
within the template must be specified using curly-bracket syntax, ex. {signerName}, and is case
sensitive. The following gives an example of a signature text template.
"Document signed by: {signerName}\nTime: {timestamp}"The following table shows supported template variables that can be used.
| Variable name | Description |
|---|---|
signerName |
Name of the signer which can be either the full name or a personal identification number depending on the configuration and the given user attributes that was used in the signing process. |
timestamp |
Time that the document was signed. The timestamp is formatted according to the visible signature field timeStampFormat specified in the visible signature configuration. |
headline |
Will be replaced by the field headlineText in the visible signature configuration. |
signatureAttribute.<key> |
Will be replaced by signature attribute value with the specified key. For example to use the value of a signature attribute named department the variable in the template is specified as {signatureAttribute.department}. |
There are a number of signature parameters that can be used in order to control visible signatures. These attributes are specified
in the initial call to prepareSignature(…) and can be specified either for all documents or for individual documents. The
following table shows available signature attributes related to visible signatures.
| Attribute key | Default value | Description |
|---|---|---|
visible_signature_position_x |
20 |
Horizontal position of visible signature. |
visible_signature_position_y |
20 |
Vertical position of visible signature. |
visible_signature_width |
Automatically calculated |
Width of visible signature including text and optional image. It is recommended to let the library calculate this. |
visible_signature_height |
Automatically calculated |
Height of visible signature including text and optional image. It is recommended to let the library calculate this. |
visible_signature_page |
1 |
Page of PDF-document that the visible signature will be rendered on. If this number is greater than the number of pages it will be rendered on the last page. |
visible_signature_logo_image |
n/a |
Image to use in the visible signature represented as a Base64-encoded string. The image must include metadata information about the mimetype and/or filename (ex. XMP dc:format). |
This section gives detailed information about important classes and methods that are used within the library when creating and validating signatures.
The library is using builder pattern in order to perform configuration of the library API and profiles that can be used.
Method |
Description |
addAuthContextMapping(String name, String context, String loa) |
Add mapping between authentication context and level of assurance. |
addSignMessageRecipient(String authenticationServiceId, java.security.cert.X509Certificate recipient) |
Add recipient certificate to use when generating encrypted sign messages. |
addSignMessageRecipients(String authenticationServiceId, java.util.List<java.security.cert.X509Certificate> recipients) |
Add list of recipient certificates to use when generating encrypted sign messages. |
cacheProvider(se.signatureservice.configuration.common.cache.CacheProvider cacheProvider) |
Specify cache provider to use for temporary storage. |
certificateVerifier(eu.europa.esig.dss.validation.CertificateVerifier certificateVerifier) |
Specify certificate verifier to use when verifying certificates. |
defaultTimeStampSource(eu.europa.esig.dss.spi.x509.tsp.TSPSource timeStampSource) |
Specify default time stamp source to use if time stamp configuration is missing in signature profile. |
ignoreMissingRevocationData(boolean ignoreMissingRevocationData) |
Specify if missing revocation data should be ignored during validation. |
messageSecurityProvider(org.certificateservices.messages.MessageSecurityProvider messageSecurityProvider) |
Specify a message security provider to use when signing requests and when verifying responses from central system. |
messageSource(org.springframework.context.MessageSource messageSource) |
Specify a custom message source to use when resolving error messages. |
simpleValidationReport(boolean simpleReport) |
Specify if simple validation report should be generated or not. |
trustedCertificateSource(eu.europa.esig.dss.spi.x509.CertificateSource certificateSource) |
Specify certificate source for trusted certificates that are used during validation of documents. |
validationCacheExpirationTimeMS(long expirationTimeMS) |
Set expiration time in milliseconds of cache used during validation to store revocation data. |
validationPolicyDirectory(String validationPolicyDirectory) |
Path to directory containing validation policy files. |
validationProxy(String host, int port) |
Specify proxy settings to use during document validation when fetching revocation data. |
validationProxy(String host, int port, String user, String password) |
Specify proxy settings to use during document validation when fetching revocation data. |
validationProxy(String host, int port, String user, String password, java.util.List<String> excludedHosts) |
Specify proxy settings to use during document validation when fetching revocation data. |
validationProxy(String host, int port, java.util.List<String> excludedHosts) |
Specify proxy settings to use during document validation when fetching revocation data. |
build() |
Build the Support Service API. |
Method |
Description |
addAuthorizedCentralServiceEntityId(String authorizedCentralServiceEntityId) |
Add Meta Data Entity Id of trusted central service that might send signature responses to application using the library. |
addAuthorizedConsumerURL(String authorizedConsumerURL) |
Add authorized consumer URLs that can be specified when using the profile. |
addDefaultAuthnContextClassRef(String defaultAuthnContextClassRef) |
Add default Type/level of authentication to request in the signature process. |
addRequestedCertAttribute(String name, String samlAttributeName, String certAttributeRef, boolean required) |
Add requests for subject attributes in a signer certificate that is associated with the signer of the generated signature as a result of the sign request. |
addRequestedCertAttribute(String name, String samlAttributeName, String certAttributeRef, String certNameType, boolean required) |
Add requests for subject attributes in a signer certificate that is associated with the signer of the generated signature as a result of the sign request. |
addSignerAttribute(String name, String samlAttributeName, String userAttributeMapping, boolean required) |
Add attribute to be included in the signer element within the sign request, in addition to the mandatory userId attribute (see defaultUserIdAttributeMapping) that is always included as a signer attribute. |
addTrustedAuthenticationService(String name, String entityId, String defaultDisplayName) |
Add trusted authentication services/identity providers that can be used for the given profile. |
addTrustedAuthenticationService(String name, String entityId, String defaultDisplayName, String authnContextClassRef, String userIdAttributeMapping) |
Add trusted authentication services/identity providers that can be used for the given profile. |
addTrustedAuthenticationService(String name, String entityId, String defaultDisplayName, java.util.List<String> authnContextClassRefs, String userIdAttributeMapping) |
Add trusted authentication services/identity providers that can be used for the given profile. |
allowSignWithExpiredCertificate(boolean allowSignWithExpiredCertificate) |
Flag indicating if it should be possible to create a signed document using an expired certificate. |
authorizedCentralServiceEntityIds(java.util.List<String> authorizedCentralServiceEntityIds) |
Specify list of meta Data entity Id of all trusted central services that might send signature responses to the library. |
authorizedConsumerURLs(java.util.List<String> authorizedConsumerURLs) |
Specify list of authorized consumer URLs that can be specified by the driving application. |
cadesSignatureLevel(String cadesSignatureLevel) |
CAdES Signature level. Supported values: CMS-NOT-ETSI, CAdES-BASELINE-B, CAdES-BASELINE-T, CAdES-BASELINE-LT, CAdES-BASELINE-LTA |
cadesSignaturePacking(String cadesSignaturePacking) |
CAdES Signature packing setting. Supported values: DETACHED, ENVELOPING |
certificateType(String certificateType) |
Type of certificate to request in the signature process. Supported values: PKC, QC, QC/SSCD |
defaultAuthnContextClassRef(String defaultAuthnContextClassRef) |
Default Type/level of authentication to request in the signature process. |
defaultAuthnContextClassRefs(java.util.List<String> defaultAuthnContextClassRefs) |
List of default Type/level of authentication to request in the signature process. |
defaultUserIdAttributeMapping(String defaultUserIdAttributeMapping) |
SAML Attribute name that will map against user ID if not specified in the identity provider configuration (trustedAuthenticationServices). |
defaultUserIdAttributeMappingValues(java.util.List<String> defaultUserIdAttributeMappingValues) |
List of SAML Attribute names that will map against user ID if not specified in the identity provider configuration (trustedAuthenticationServices). |
enableAuthnProfile(boolean enableAuthnProfile) |
Flag indicating if AuthnProfile element should be used or not in the generated sign request. If enable the AuthnProfile will be set to the related signature profile that was being used when generating the signature request. |
enableAutomaticValidation(boolean enableAutomaticValidation) |
Flag indicating if signed documents should be automatically validated before returned from the support service. If enabled, validation information will be included in the response from completeSignature API call. |
enableEnhancedLogging(boolean enableEnhancedLogging) |
Flag indicating if enhanced logging should be enabled or not. If enhanced logging is enabled the following details will be written to the logfile using INFO-level: Subject of certificate that was used for signing, Signing time of document(s), Reference information of document(s) that were signed, Name of document(s) that were signed, Issuer of certificate that was used for signing, Information about which authentication performed prior to signing (assurance level), Complete signature response received from central signature service during signature flow. NOTE: By enabling this feature sensitive information might be written to the logfile. |
encryptionAlgorithmScheme(String encryptionAlgorithmScheme) |
Algorithm scheme to use when encrypting data. Used i.e. if encrypted sign messages are enabled through the setting 'useEncryptedSignMessage'. Available values: RSA_PKCS1_5_WITH_AES128, RSA_OAEP_WITH_AES128, RSA_PKCS1_5_WITH_AES192, RSA_OAEP_WITH_AES192, RSA_PKCS1_5_WITH_AES256, RSA_OAEP_WITH_AES256 |
fetchAuthnContextClassRefFromMetaData(boolean fetchAuthnContextClassRefFromMetaData) |
If AuthnContextClassRef should be fetched and parsed from metadata. |
fetchCertAttributesFromMetaData(boolean fetchCertAttributesFromMetaData) |
If requestedCertAttributes should be fetched and parsed from metadata. |
metadataCustomCertAttribute(Map<String,Map<String,Object>> metadataCustomCertAttribute) |
Map containing custom attributes to be mapped to it’s corresponding metadata for requestedCertAttributes. This is a complex setting that is described in a separate section below (Configuration value: metadataCustomCertAttribute). |
padesSignatureLevel(String padesSignatureLevel) |
PAdES Signature level. Supported values: PDF-NOT-ETSI, PAdES-BASELINE-B, PAdES-BASELINE-T, PAdES-BASELINE-LT, PAdES-BASELINE-LTA |
padesSignaturePacking(String padesSignaturePacking) |
PAdES Signature packing setting. Supported values: DETACHED, ENVELOPED, ENVELOPING |
relatedProfile(String relatedProfile) |
The name of the related profile, set automatically by configuration manager. |
requestedCertAttributes(Map<String,Map<String,Object>> requestedCertAttributes) |
Map containing Requests for subject attributes in a signer certificate that is associated with the signer of the generated signature as a result of the sign request. This is a complex setting that is described in a separate section below (Configuration value: requestedCertAttributes). |
signatureAlgorithm(String signatureAlgorithm) |
Signature algorithm in Java-form to use. |
signatureValidityMinutes(int signatureValidityMinutes) |
Signature certificate validity in minutes to request |
signatureValidityOverlapMinutes(int signatureValidityOverlapMinutes) |
Overlap in minutes to overcome problems with time synchronization. Signing certificate ValidFrom date will be set to current time minus the specified overlap. |
signerAttributes(Map<String,Map<String,Object>> signerAttributes) |
Specify attributes to be included in the signer element within the sign request, in addition to the mandatory userId attribute (see defaultUserIdAttributeMapping) that is always included as a signer attribute. This is a complex setting that is described in a separate section below (Configuration value: signerAttributes). |
signMessageMimeType(String signMessageMimeType) |
Mimetype of sign message. Supported values: 'TEXT', 'HTML' or 'MARKDOWN' |
signMessageMustShow(boolean signMessageMustShow) |
Flag indicating if the sign message must be shown for a valid signature. |
signRequester(String signRequester) |
Name of signature requesting entity/organisation. |
signRequestExtensionVersion(String signRequestExtensionVersion) |
Setting indicating the version that should be set in the SignRequestExtension. Default is "1.5" that supports multiple authn context class references. |
signServiceId(String signServiceId) |
Signature service (frontend) SAML identity to specify in generated EID Sign Requests (ex.https://esign.v2.st.signatureservice.se/signservice-frontend/metadata) |
signServiceRequestURL(String signServiceRequestURL) |
Signature service (frontend) URL to redirect the user to with the generated EID sign request (ex. https://esign.v2.st.signatureservice.se/signservice-frontend/request/4321a583928) |
timeStamp(se.signatureservice.configuration.support.system.TimeStampConfig timeStampConfig) |
Timestamp configuration. |
trustedAuthenticationServices(Map<String,Map<String,Object>> trustedAuthenticationServices) |
Map containing trusted authentication services/identity providers that can be used for the given profile. This is a complex setting that is described in a separate section below (Configuration value: trustedAuthenticationServices). |
useEncryptedSignMessage(boolean useEncryptedSignMessage) |
Flag to choose if sign message should be encrypted or not. If this is enabled the sign message will be encrypted using the public key of the identity provider. |
userDisplayNameAttribute(String userDisplayNameAttribute) |
User attribute key that will be used to fetch display name of user to use when performing signatures. If this setting is missing or if the specified attribute is missing the userId will be used. |
userIdAttributeMapping(String userIdAttributeMapping) |
SAML Attribute name that will map against user ID. Deprecated Use defaultUserIdAttributeMapping (since 2019-05-25). |
validationPolicy(String validationPolicy) |
Validation policy to use when verifying signed documents. Policy file must be present in the class path. (Default value: "/policy/basicpolicy.xml") |
visibleSignatureConfig(se.signatureservice.configuration.support.system.VisibleSignatureConfig config) |
Visible signature configuration. |
xadesCanonicalizationAlgorithmURI(String xadesCanonicalizationAlgorithmURI) |
XAdES canonicalization algorithm that will be used when calculating digests for SignedInfo and SignedProperties structures |
xadesSignatureLevel(String xadesSignatureLevel) |
XAdES Signature level. Supported values: XML-NOT-ETSI, XAdES-BASELINE-B, XAdES-BASELINE-T, XAdES-BASELINE-LT, XAdES-BASELINE-LTA |
xadesSignaturePacking(String xadesSignaturePacking) |
XAdES Signature packing setting. Supported values: DETACHED, ENVELOPED, ENVELOPING |
xadesXPathLocationString(String xadesXPathLocationString) |
XAdES XPath location string that defines the area where the signature will be added |
build() |
Build the SupportAPIProfile instance. |
Map containing custom attributes to be mapped to it’s corresponding metadata for requestedCertAttributes. Used in special cases when the Name in RequestedAttribute metadata don’t apply.
For each entry the following configuration keys are used:
-
samlAttributeName - The SAML attribute name to be matched against the Name for a RequestedAttribute in the metadata.
-
certAttributeRef - To which the samlAttributeName will be mapped to.
Example configuration 1:
metadataCustomCertAttribute:
givenName:
samlAttributeName: "http://sambi.se/attributes/1/givenName"
certAttributeRef: "2.5.4.42"Example configuration 2:
metadataCustomCertAttribute:
surName:
samlAttributeName:
-"http://sambi.se/attributes/1/surname"
-"urn:surname"
certAttributeRef: "2.5.4.4"
certNameType: "sda"
required: trueMap containing attributes to be included in the signer element within the sign request, in addition to the mandatory userId attribute (see defaultUserIdAttributeMapping) that is always included as a signer attribute.
For each entry the following configuration keys are used:
-
samlAttributeName - The SAML attribute name to use for the signer attribute.
-
userAttributeMapping - User attribute key to look for when populating the signer attribute value.
-
required - If set to true the user given user attribute must exist, or an error is generated. If set to false the signer attribute is set only if the user attribute exists.
Example configuration:
signerAttributes {
orgAffiliation {
samlAttributeName = "urn:oid:1.2.752.201.3.1"
userAttributeMapping = "orgAffiliation"
required = true
}
}Map containing trusted authentication services/identity providers that can be used for the given profile. Corresponding metadata for each trusted service must also be available in the metadata directory.
|
Note
|
defaultDisplayName will be used if display name is not available in metadata. |
Example configuration:
trustedAuthenticationServices {
iDPTest {
entityId = "https://idptest.someservice.se/samlv2/idp/metadata"
defaultDisplayName = "Test iDP ST"
authnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
userIdAttributeMapping = "urn:oid:1.2.752.29.4.13"
}
}Map containing Requests for subject attributes in a signer certificate that is associated with the signer of the generated signature as a result of the sign request.
Example configuration:
requestedCertAttributes {
givenName {
samlAttributeName = "urn:oid:2.5.4.42"
certAttributeRef = "2.5.4.42"
required = true
}
}
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent