Before a client system can interface with the eHealth Infrastructure a set of items must be carried out and complied with:
...
Federated clinical login flow
If there is already a session in SEB from the same browser, a single sign-on experience can be realized: the user is not prompted to authenticate again.
Citizen logins (first time)
...
Federated citizen login flow
Client systems for citizens will, in their (initial) login, be met by NemID, which is presented via a federated login service from NemLogin. If the client system runs on a platform that supports it, the Refresh Token (RT) can be stored and later used to resume an authenticated session, gated by either a PIN code or biometric data. Details can be read in the Key Service overview, but in essence it involves selecting a PIN, registering a user / device / PIN via the Key Service, and resuming the session from the stored data by calling the Key Service.
The aim is to offer citizens an alternative, simpler "authentication" in a secure manner.
Authorization Server Endpoints
Current active environments:
Clinical:
Base url: https://saml.${environment}.ehealth.sundhed.dk/auth/realms/ehealth
https://saml.inttest.ehealth.sundhed.dk/auth/realms/ehealth
Session lifespan is 10 hours (30 minutes idle)
Citizen:
Base url: https://saml.${environment}.ehealth.sundhed.dk/auth/realms/nemlogin
https://saml.inttest.ehealth.sundhed.dk/auth/realms/nemlogin
Session lifespan is 1200 days (120 days idle)
...
The first four parameters are required, and the remaining ones are optional. 'organization_id' and 'care_team_id' can be used individually or in combination. 'patient_id' and 'episode_of_care_id' can also be used individually or in combination, but both require that 'care_team_id' is also present. More details on context switching can be found at Switching Context.
Use of Access Token
The Access Token is sent as an HTTP header in all service requests (see https://jwt.io/introduction/ for an introduction to the JWT format the tokens may use), in this form (where "<access token>" is replaced by the specific Access Token):

Authorization: Bearer <access token>

Info: Access Tokens and Refresh Tokens are so-called "opaque tokens" but may be in JWT format. Client systems must not assume this: the format of AT and RT may change without notice.
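The following is an added example, not code from the eHealth Infrastructure or its client systems. It shows the two things the note above implies for a client: the token goes into the Authorization header untouched (nothing decodes or validates it client-side), and expiry is detected from the service's 401 rather than from token contents, at which point the Refresh Token is exchanged at the realm's token endpoint and the call retried once. The refresh uses the standard OAuth 2.0 refresh_token grant, and the HTTP 'transport' callable, the token endpoint URL, the client_id and the service URL are assumptions supplied by the caller, not values from the page.

```python
"""Added example (not the eHealth Infrastructure's own code): send the Access
Token as an opaque Bearer header, refresh it on 401 and retry once.

Assumptions not stated on the page: the refresh is a standard OAuth 2.0
refresh_token grant against the realm's token endpoint, and an HTTP
'transport' callable is injected so the flow can be exercised offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, response_body_bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport on the standard library (TLS verified by default)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read()


def bearer_headers(access_token: str) -> Dict[str, str]:
    """Build the Authorization header. The token is passed through untouched:
    it is opaque to the client, so nothing here decodes or validates it."""
    if not access_token or any(ch.isspace() for ch in access_token):
        raise ValueError("access token must be a non-empty string without whitespace")
    return {"Authorization": "Bearer " + access_token}


def refresh_tokens(token_endpoint: str, client_id: str, refresh_token: str,
                   transport: Transport,
                   client_secret: Optional[str] = None) -> Dict[str, str]:
    """OAuth 2.0 refresh_token grant; returns the new access/refresh token pair."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret:  # confidential clients only
        form["client_secret"] = client_secret
    status, body = transport("POST", token_endpoint, dict(FORM_HEADERS),
                             urllib.parse.urlencode(form).encode())
    if status != 200:
        # A failed refresh means the session is gone; the caller must re-login.
        raise PermissionError(f"token refresh failed with HTTP {status}")
    data = json.loads(body)
    return {"access_token": data["access_token"],
            # The server may or may not rotate the refresh token.
            "refresh_token": data.get("refresh_token", refresh_token)}


def call_service(tokens: Dict[str, str], url: str, token_endpoint: str,
                 client_id: str, transport: Transport) -> Tuple[int, bytes]:
    """GET a service URL with the Bearer header; on 401 refresh once and retry.
    'tokens' is updated in place with the refreshed pair."""
    status, body = transport("GET", url, bearer_headers(tokens["access_token"]), None)
    if status != 401:
        return status, body
    tokens.update(refresh_tokens(token_endpoint, client_id,
                                 tokens["refresh_token"], transport))
    # Retry exactly once; a second 401 is returned to the caller as-is.
    return transport("GET", url, bearer_headers(tokens["access_token"]), None)
```

Because the token is never parsed, this code keeps working if the realm switches between JWT and non-JWT tokens. Store the pair returned by refresh_tokens, since the realm may rotate the Refresh Token on every refresh; reusing an old one will fail.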
Logout
To end a session, use the end_session_endpoint listed in the openid-configuration document of the environment (e.g. the openid-configuration of the realm the client authenticated against).
Example:
...
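The following is an added example, not code from the eHealth Infrastructure or its client systems. It discovers end_session_endpoint from the realm's openid-configuration and calls it with the Refresh Token, and it also builds the browser redirect that a browser-based client needs so the realm's SSO cookie (the basis of the single sign-on behaviour described for clinical logins above) is cleared as well. Assumptions not stated on the page: the discovery document is at the standard OIDC Discovery path <base url>/.well-known/openid-configuration; the endpoint accepts a form POST with client_id and refresh_token (which Keycloak's logout endpoint does); and an HTTP 'transport' callable with the shape (method, url, headers, body) -> (status, body) is injected so the flow can be run offline. The origin check on the discovered endpoint is an added hardening step, not a requirement from the page.

```python
"""Added example (not the eHealth Infrastructure's own code): end a session
via the end_session_endpoint found in the realm's openid-configuration.

Assumptions not stated on the page: the discovery document lives at the
standard OIDC path <base url>/.well-known/openid-configuration, the endpoint
accepts a form POST with client_id and refresh_token (Keycloak behaviour), and
an HTTP 'transport' callable (method, url, headers, body) -> (status, body)
is supplied by the caller, e.g. a urllib or requests adapter.
"""
import json
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

# Realm base URLs from the page (inttest environment).
CLINICAL_INTTEST = "https://saml.inttest.ehealth.sundhed.dk/auth/realms/ehealth"
CITIZEN_INTTEST = "https://saml.inttest.ehealth.sundhed.dk/auth/realms/nemlogin"


def discover(base_url: str, transport: Transport) -> Dict[str, object]:
    """Fetch and parse the realm's openid-configuration document."""
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    status, body = transport("GET", url, {"Accept": "application/json"}, None)
    if status != 200:
        raise RuntimeError(f"discovery failed with HTTP {status}")
    return json.loads(body)


def end_session_endpoint(base_url: str, transport: Transport) -> str:
    """Return end_session_endpoint, refusing anything off the realm's own
    https origin so a tampered discovery document cannot redirect the logout
    (and the refresh token it carries) elsewhere."""
    cfg = discover(base_url, transport)
    endpoint = cfg.get("end_session_endpoint")
    if not endpoint:
        raise KeyError("openid-configuration has no end_session_endpoint")
    realm, target = urllib.parse.urlparse(base_url), urllib.parse.urlparse(str(endpoint))
    if target.scheme != "https" or target.netloc != realm.netloc:
        raise ValueError(f"refusing off-origin or non-https logout endpoint: {endpoint}")
    return str(endpoint)


def logout(base_url: str, client_id: str, refresh_token: str, transport: Transport,
           client_secret: Optional[str] = None) -> bool:
    """Back-channel logout: POST the refresh token to end_session_endpoint.
    Returns True on a 2xx answer (Keycloak replies 204 No Content)."""
    endpoint = end_session_endpoint(base_url, transport)
    form = {"client_id": client_id, "refresh_token": refresh_token}
    if client_secret:  # confidential clients only
        form["client_secret"] = client_secret
    status, _ = transport("POST", endpoint,
                          {"Content-Type": "application/x-www-form-urlencoded"},
                          urllib.parse.urlencode(form).encode())
    # Whatever the outcome, the client must discard both tokens afterwards:
    # a refresh token that has been sent for logout is not reusable.
    return 200 <= status < 300


def browser_logout_url(endpoint: str, id_token: str, post_logout_redirect_uri: str) -> str:
    """RP-initiated logout URL for a browser client. Navigating the browser
    here clears the realm's SSO cookie, which a back-channel POST cannot do,
    so a later login in the same browser is not silently single-signed-on."""
    query = urllib.parse.urlencode({"id_token_hint": id_token,
                                    "post_logout_redirect_uri": post_logout_redirect_uri})
    return endpoint + ("&" if "?" in endpoint else "?") + query
```

A native or server-side client only needs logout(); a browser client should do both, since ending the token session alone leaves the SSO cookie in place. The post_logout_redirect_uri must be one the client has registered with the realm, otherwise the redirect is rejected.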