Versions Compared

Old Version 49

changes.mady.by.user Erik Nielsen

Saved on

compared with

New Version 50

changes.mady.by.user John Schneider

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: spelling + added table of content
Excerpt

The eHealth Infrastructure has two Authorization

...

Services (AS) configurations providing authentication and authorization for client systems and internal use.

Content

Table of Contents

Subpages

Child pages (Children Display)
excerptTypesimple

Authorization Service Configurations

The Authorization Service configurations support the following user types of the eHealth Infrastructure:

  • citizen

  • clinical and /or administrative employee

  • service, support & logistics (SSL) supplier employee

  • system users

  • system administrator users

The AS configurations consists consist of:

  • One KeyCloak with

    • realm ehealth - for clinical and /or administrative employee login

    • realm nemlogin - for citizen login

  • One SSL KeyCloak with

    • realm ssl SSL - SSL supplier employee login

System users and system administrator users exist in all the realms.

Authentication and Authorization Flow

...

Further details on the client’s initiation are described in Client Use. As a reaction, the Authorization Service initiates a federation of authentication and possibly authorization depending on the realm:

...

  • an ID token – information for the client system about the authenticated user.

  • an Access Token (AT) – a token with a relatively short period of validity (a few minutes), which the client systems must include in all service requests.

  • a Refresh Token (RT) – a token with a long validity, which can be used to renew the AT, thereby extending or resuming the session without the user having to authenticate again.

...

In general, modifying data requires the Episode of Care Context being to be set.

Info

Citizens that logs into the infrastructure using NemID are looked up as FHIR Patient resources with the social security number found in the SAML assertion. If a match is found, the FHIR Patient resource ID will be present in the Refresh Token handed back to the client. If no match to a FHIR Patient resource is found, no FHIR Patient resource ID will be present in the Refresh Token. This means that citizens that are not part of any treatment in the infrastructure will be allowed to login, but won't have any rights to read or write any data.

...