Common for both municipal and regional users is that:
The Infrastructure Authorization Service (AS) redirects a login as SAML AuthNRequest to SEB
SEB forwards the SAML AuthNRequest to municipal and regional Identity Providers (IdP), respectively.
As apparent in Federated Authentication and Authorization for Municipal Users and Federated Authentication and Authorization for Regional Users there are differences in what systems are involved.
What is returned to SEB and the Infrastructure AS is a SAML AuthNResponse conforming to OIO BPP
| Info |
|---|
Technically speaking, authorization is performed in the Infrastructure Authorization Service while the municipal and regional IdP provide claims. In effect, however, the IdPs provide the decisions behind the authorization in the form of system roles. |
...
The PrivilegeGroups provided in the OIO BPP must be unique in accordance with by the following scheme:
The combination of CVR number (scope) sorIdentifer(regional)/orgUnit(municipal) (and careteam must be unique). Failing to comply with this may result in errors. This scheme is to ensure that users cannot have multiple different privileges stated differently. Do note that it is possible to list multiple (valid) privileges in any given PrivilegeGroup.