Grab and save the branch number from eHerkenning service restriction #4525
+36
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is really hard to test/try out because we don't have a real eherkenning setup with a branch service restriction as far as I can tell... However, piecing together the documentation on: https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm (which describes the interface between service provider and makelaar), we should get back the ServiceRestriction SAML attribute if information is available in the MR (machtigingsregister). The examples show that it would not be an encrypted attribute (it sits in the AttributeStatement element): <saml:Attribute Name=urn:etoegang:1.9:ServiceRestriction:Vestigingsnr> <saml:AttributeValue xsi:type=xs:string>123456789012</saml:AttributeValue> </saml:Attribute> The documentation says it would be one or more restriction, so we're assuming that it returns a list of strings of values after processing, similar to the urn:etoegang:core:ServiceID and urn:etoegang:core:ServiceUUID attributes. I checked our code in django-digid-eherkenning, and we already by default include the service restriction request in the catalogus request, so no extra work should be needed there, see: https://github.com/maykinmedia/django-digid-eherkenning/blob/0189aceea660d2f4774d238397365f17adeb354a/digid_eherkenning/models/eherkenning.py#L234
sergei-maertens
commented
Jul 15, 2024
| "urn:etoegang:1.9:ServiceRestriction:Vestigingsnr" | ||
| ): | ||
| logger.info("Got branch numbers: %r", branch_numbers) | ||
| request.session[EHERKENNING_BRANCH_NUMBERS_SESSION_KEY] = branch_numbers |
There was a problem hiding this comment.
this is pretty nasty and a setup similar to the OIDC variants where everything is scoped under a single session key would be better
|
@joeribekker we really need to test this with a representative test account that has a branch restriction |
|
Reached out to a SAAS customer to see if we can get "inspiration" for Signicat configuration for this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #3967
This is really hard to test/try out because we don't have a real eherkenning setup with a branch service restriction as far as I can tell...
However, piecing together the documentation on:
https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm (which describes the interface between service provider and makelaar), we should get back the ServiceRestriction SAML attribute if information is available in the MR (machtigingsregister). The examples show that it would not be an encrypted attribute (it sits in the AttributeStatement element):
The documentation says it would be one or more restriction, so we're assuming that it returns a list of strings of values after processing, similar to the urn:etoegang:core:ServiceID and urn:etoegang:core:ServiceUUID attributes.
I checked our code in django-digid-eherkenning, and we already by default include the service restriction request in the catalogus request, so no extra work should be needed there, see: https://github.com/maykinmedia/django-digid-eherkenning/blob/0189aceea660d2f4774d238397365f17adeb354a/digid_eherkenning/models/eherkenning.py#L234
Changes
Checklist
Check off the items that are completed or not relevant.
Impact on features
Release management
I have updated the translations assets (you do NOT need to provide translations)
./bin/makemessages_js.sh./bin/compilemessages_js.shCommit hygiene