Description of the required SAML attributes for municipal and regional users.

Common for both municipal and regional users is that:

...

Clinical access to the eHealth Infrastructure goes through SEB. SEB provides a SAML AuthNResponse containing a set of SAML attributes in a SAML assertion which is used to identify the clinical user.

| Attribute | Description |
|---|---|
| urn:oid:2.5.4.10 | Organization name |
| dk:gov:saml:attribute:CprNumberIdentifier | Required from SEB. Civil registration number (CPR) |
| dk:gov:saml:attribute:CvrNumberIdentifier | CVR number |
| dk:gov:saml:attribute:RidNumberIdentifier | RID number from certificate |
| dk:gov:saml:attribute:AssuranceLevel | AssuranceLevel (must be 4) |
| urn:oid:2.5.4.3 | Required from SEB. Common name (full name) |
| urn:liberty:disco:2006-08:DiscoveryEPR | IDCard |
| dk:healthcare:saml:attribute:HasUserAuthorization | A boolean indicating whether the user has any healthcare authorizations |
| dk:healthcare:saml:attribute:UserAuthorizations | A list of the user's healthcare authorizations |
| urn:oid:0.9.2342.19200300.100.1.1 | Required from SEB. The globally unique ID of the user within his/her organization (also known as UID) |
| dk:gov:saml:attribute:Privileges_intermediate | Required from SEB. A base64-encoded XML structure in OIO BPP format, listing privileges. If an employee should have any permissions, this attribute should define one or more roles in scope of an organizational unit or careteam, e.g. a SOR number, STS Organisation or careteam reference. See general structure in documentation[1]. |
| dk:healthcare:ehealth:saml:attribute:scopingOIOBPPContext | Optional. Can be used to limit scopes expressed in the OIO BPP structure, by adding it as a constraint in each PrivilegeGroup. Only PrivilegeGroups with the constraint matching the value of scopingOIOBPPContext will be available for the user. |

[1] https://digst.dk/media/19020/oiosaml-basic-privilege-profile-1_1.pdf

Note: The scopingOIOBPPContext is not yet processed by the Infrastructure Authorization Server and is ignored. It can be used to support multi affiliation in the future.

The attributes used are the CPR number (dk:gov:saml:attribute:CprNumberIdentifier), the UID and the OIO BPP format (dk:gov:saml:attribute:Privileges_intermediate). The CPR number is primarily used for delivering data to the central NSP MinLog2 service. The UID uniquely identifies the user in the eHealth Infrastructure and the OIO BPP provides the roles and careteams that are accessible to the user.

...

The structure of the OIO BPP, used in Privileges_intermediate, is capable of expressing multiple careteam and organization affiliations. If only a single careteam is expressed in the OIO BPP, it is automatically set in the context of the user. If the user is part of multiple careteams, the user needs to set the desired careteam in context (see Switching Context). Once a careteam is set into context, the roles under that careteam apply to the user and are expressed in the JWT (the internal access token of the eHealth Infrastructure).

An example:

OIO BPP

```xml
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
        <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>
```

...

Since the OIO BPP states what privileges are available to the user, it is up to the IdP to construct the correct OIO BPPs. Valid privileges and what they map to can be seen at Tokens, Roles and RBAC/ABAC.

Enhanced example:

Enhanced OIO BPP

```xml
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
        <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
        <Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege>
    </PrivilegeGroup>
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:kombit:orgUnit">48df8b3d-56be-4f3a-bd0f-d3ade05348dd</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:clinical_administrator</Privilege>
        <Privilege>urn:dk:sundhed:ehealth:role:questionnaire_editor</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>
```
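
An added example, not part of the original page and not the eHealth Infrastructure's own code: a Python routine an IdP team could use to check the Privileges_intermediate value it is about to send, decoding it, listing each PrivilegeGroup, and applying the single-careteam rule described above. The function names are hypothetical, and the sample is the enhanced example from this page, base64-encoded here for the purpose.

```python
import base64
import xml.etree.ElementTree as ET

BPP_ROOT = "{http://itst.dk/oiosaml/basic_privilege_profile}PrivilegeList"
CARETEAM = "urn:dk:sundhed:ehealth:careteam"

# Constructed sample: the page's enhanced OIO BPP, base64-encoded the way it
# would arrive in dk:gov:saml:attribute:Privileges_intermediate.
SAMPLE_ATTRIBUTE = base64.b64encode(b"""<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:kombit:orgUnit">48df8b3d-56be-4f3a-bd0f-d3ade05348dd</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:clinical_administrator</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:questionnaire_editor</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>""").decode("ascii")


def parse_privileges(attribute_value):
    """Decode the attribute value and return one dict per PrivilegeGroup."""
    raw = base64.b64decode("".join(attribute_value.split()), validate=True)
    if b"<!DOCTYPE" in raw:  # OIO BPP needs no DTD; refuse one before parsing
        raise ValueError("DOCTYPE not allowed in OIO BPP")
    root = ET.fromstring(raw)
    if root.tag != BPP_ROOT:
        raise ValueError("unexpected root element: " + root.tag)
    return [{
        "scope": g.get("Scope"),
        "constraints": {c.get("Name"): (c.text or "").strip() for c in g.findall("Constraint")},
        "privileges": [(p.text or "").strip() for p in g.findall("Privilege")],
    } for g in root.findall("PrivilegeGroup")]


def careteam_context(groups):
    """One careteam: return it (set automatically). Otherwise None (user must choose)."""
    teams = {g["constraints"][CARETEAM] for g in groups if CARETEAM in g["constraints"]}
    return teams.pop() if len(teams) == 1 else None


def roles_for_careteam(groups, careteam):
    """Roles listed under the careteam that is in context."""
    return sorted(p for g in groups if g["constraints"].get(CARETEAM) == careteam
                  for p in g["privileges"])
```

How roles from a PrivilegeGroup constrained only by an organizational unit are applied is not covered by this example; it reports them in the parsed groups but leaves them out of the careteam roles.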

...