The eHealth Infrastructure has two Authorization Service (AS) configurations providing authentication and authorization for client systems and internal use.
The Authorization Service configurations support the following user types of the eHealth Infrastructure:
citizen
clinical and/or administrative employee
service, support & logistics (SSL) supplier employee
system users
system administrator users
The AS configurations consist of:
One Keycloak with
  realm ehealth - for clinical and/or administrative employee login
  realm nemlogin - for citizen login
One SSL Keycloak with
  realm ssl - SSL supplier employee login
System users and system administrator users exist in all the realms.
Whether authentication and authorization are federated, and to which IdP, does not strictly depend on the user type, but in the production environment:
citizen login is performed in realm nemlogin federated to Nemlogin
clinical and/or administrative employee login is performed in realm ehealth federated to SEB (in Danish: Sundhedsvæsenets Elektroniske Brugerstyring, shortened to SEB), which is a common platform for user administration of the solutions provided by the National Health Data Authority
SSL supplier employee login is performed in realm ssl, likely federated to SSL suppliers' IdPs
In non-production environments, these can be simulated using so-called mocked users, which are authenticated (and, depending on the variant, authorized) in the eHealth Authentication Services.
The login protocol between the client systems and the login component is the Authorization Code Flow of OpenID Connect 1.0.
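The following is an added example, not code from the eHealth Infrastructure: a client-side sketch of the Authorization Code Flow against the realms listed above, showing the state check on the redirect and the ID token claim checks that stop a token from one realm being accepted in a login started against another. The host names, the user-type keys, the Keycloak endpoint path layout and the use of PKCE are assumptions.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse
# Production realm per user type, as listed above. Host names are placeholders; the
# path layout is assumed (older Keycloak releases prefix /realms with /auth).
REALMS = {"citizen": ("https://keycloak.example.invalid", "nemlogin"),
          "employee": ("https://keycloak.example.invalid", "ehealth"),
          "ssl_supplier": ("https://ssl-keycloak.example.invalid", "ssl")}

def endpoints(user_type):
    base, realm = REALMS[user_type]
    issuer = f"{base}/realms/{realm}"
    oidc = issuer + "/protocol/openid-connect"
    return {"issuer": issuer, "auth": oidc + "/auth", "token": oidc + "/token"}

def begin_login(user_type, client_id, redirect_uri):
    """Return (authorization URL, session values the client must keep for the callback)."""
    verifier = secrets.token_urlsafe(48)  # PKCE code_verifier (PKCE is an assumption here)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    session = {"user_type": user_type, "client_id": client_id, "redirect_uri": redirect_uri,
               "state": secrets.token_urlsafe(24), "nonce": secrets.token_urlsafe(24),
               "verifier": verifier}
    query = {"response_type": "code", "scope": "openid", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": session["state"], "nonce": session["nonce"],
             "code_challenge": challenge, "code_challenge_method": "S256"}
    return endpoints(user_type)["auth"] + "?" + urlencode(query), session

def handle_callback(callback_url, session):
    """Validate the redirect; return (token endpoint, form fields) for the code exchange."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(params.get("state", "").encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed: " + params.get("error", "no code returned"))
    form = {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": session["redirect_uri"], "client_id": session["client_id"],
            "code_verifier": session["verifier"]}
    return endpoints(session["user_type"])["token"], form

def check_id_token_claims(claims, session):
    """Claim checks to run after the ID token signature has been verified (not shown)."""
    aud = claims.get("aud")
    if claims.get("iss") != endpoints(session["user_type"])["issuer"]:
        raise ValueError("token issued by a different realm")
    if session["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch")
    return True
```

The session values returned by begin_login belong in server-side or otherwise tamper-proof session storage, and the token request itself (an HTTP POST of the returned form fields) is left to the client's HTTP library.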
...