Versions Compared

Comment: Added data constraints for production

...

When a client starts an OIDC Authorization Code Flow for a municipal user, it goes through the following federation process.

...

The sequence diagram for clinicians' logins, explained in https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/101122074/Login#Clinical-logins, shows how the OIDC Authorization Code Flow is redirected through a series of steps involving OIOSAML-based AuthNRequest and AuthNResponse.

...

Note

The English terms used in the following are not official, KOMBIT-vetted translations of the Danish terms used throughout KOMBIT documentation and systems. The Danish terms stem from section 3 of the Brugervejledning til Administrationsmodulerne for leverandører (user guide to the administration modules for suppliers).

Terms

The following terms are used in registrations in KOMBIT STS Admin in the KOMBIT external test environment EXTTEST:

Term

Description

User-faced system

(Danish: Brugervendt system)

...

A system used directly or indirectly by a user. This generally, if not always, excludes KOMBIT services. A user-faced system is registered in KOMBIT STS Admin.

Concerning eHealth Infrastructure, these are:

  • SAML Proxy in eHealth Internal Test Environment (INTTEST)

  • SAML Proxy in eHealth External Test environment (EXTTEST)

  • SAML Proxy in eHealth Education environment (TEST002)

  • SAML Proxy in eHealth External Development environment (DEVENVCGI)

  • SAML Proxy in eHealth pre-production environment (PREPROD)

Data constraint

(Danish: Dataafgrænsning)

...

A configuration item for a User-faced system maintained in KOMBIT STS Admin.

Concerning eHealth Infrastructure, these are:

  • CareTeam identifier (UUID) - optional for some user system roles, required for others

  • Organisation identifier (from KOMBIT FK Organisation)

User system role

(Danish: Brugersystemrolle)

...

A system role defined by the system used by a user. Registered in KOMBIT STS Admin.

Job function role

(Danish: Jobfunktionsrolle)

...

A named role usable in municipal IdPs comprising a collection of user system roles and data constraints. Each municipality

...

shall maintain a set in KOMBIT STS Admin.

Concerning eHealth Infrastructure, these comprise:

  • a collection of KOMBIT-flavored user system roles

  • a possible CareTeam identifier

  • an Organisation identifier

Similar registrations must be made in KOMBIT STS Admin in the KOMBIT environment PROD; there the sole user-faced system is the SAML Proxy in eHealth Infrastructure environment PROD.

...

The <namespace> shall reflect the eHealth Infrastructure environment for which a registration is made in the KOMBIT STS Admin. The <namespace> shall be one of the following:

eHealth Infrastructure Environment    <namespace>
INTTEST                               saml-proxy.inttest.ehealth.sundhed.dk
EXTTEST                               saml-proxy.exttest.ehealth.sundhed.dk
PREPROD                               saml-proxy.preprod.ehealth.sundhed.dk
PROD                                  ehealth.sundhed.dk

Note

If the set of eHealth Infrastructure environments that support municipal federation of authentication and authorization changes, the list above must be updated. In addition, the change must be implemented in the mapping performed by the SAML Proxy.

The <KOMBIT user system role for the eHealth Infrastructure> shall be one from the list below.

The table shows the KOMBIT user system role, the corresponding OIO BPP role, and which data constraints are possible and which are mandatory. Its columns are:

  1. KOMBIT user system roles for the eHealth Infrastructure
  2. eHealth Infrastructure OIO BPP system roles
  3. OIO Data constraints (eHealth Exttest): STS Organisationsenhed; Careteam
  4. OIO Data constraints (Prod): Organisation; SOR Organisationsenhed; SSL Organisationsenhed; Careteam

Each row below gives the KOMBIT user system role, its OIO BPP system role, the data constraints listed for eHealth Exttest (Obligatorisk = mandatory), and the marks of the per-column cells in the column order above with empty cells omitted, where "Mandatory" means the data constraint is mandatory and "x" means it is possible.

/roles/usersystemrole/order_placer/1
  OIO BPP system role: urn:dk:sundhed:ehealth:role:order_placer
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x

/roles/usersystemrole/citizen_enroller/1
  OIO BPP system role: urn:dk:sundhed:ehealth:role:citizen_enroller
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, Mandatory, x, x

/roles/usersystemrole/careteam_administrator/1
  OIO BPP system role: urn:dk:sundhed:ehealth:role:careteam_administrator
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x

/roles/usersystemrole/incident_reporter/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:incident_reporter
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, Mandatory, x, x

/roles/usersystemrole/clinical_viewer/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:clinical_viewer
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, Mandatory, x

/roles/usersystemrole/clinical_supporter/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:clinical_supporter
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, Mandatory, x

/roles/usersystemrole/monitoring_assistor/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:monitoring_assistor
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, Mandatory, x, x

/roles/usersystemrole/monitoring_adjuster/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:monitoring_adjuster
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, Mandatory, x, x

/roles/usersystemrole/report_user/1
  OIO BPP system role: urn:dk:sundhed:ehealth:role:report_user
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x, x

/roles/usersystemrole/clinical_administrator/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:clinical_administrator
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x

/roles/usersystemrole/service_and_logistics/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:service_and_logistics
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x, x

/roles/usersystemrole/questionnaire_editor/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:questionnaire_editor
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x

/roles/usersystemrole/incident_manager/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:incident_manager
  Data constraints (eHealth Exttest): Careteam (mandatory), STS Organisationsenhed (mandatory)
  Column marks: Mandatory, Mandatory, x, x

/roles/usersystemrole/terminology_administrator/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:terminology_administrator
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory

/roles/usersystemrole/ssl_catalogue_responsible/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, x, x

/roles/usersystemrole/ssl_catalogue_annotator/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, x, x

/roles/usersystemrole/ssl_contract_responsible/1
  OIO BPP system role: urn:dk:sundhed:eHealth:role:ssl_contract_responsible
  Data constraints (eHealth Exttest): STS Organisationsenhed (mandatory)
  Column marks: Mandatory, x, x

Note

If the OIO BPP system roles listed above deviate from the list in eHealth Infrastructure OIO BPP system roles, the list above must be updated. In addition, the change must be implemented in the mapping performed by the SAML Proxy. Note also that the OIO BPP role URNs above appear with both ehealth and eHealth in the namespace; a registration or a consumer comparing role strings must use the exact value listed, since the namespace-specific part of a URN compares case-sensitively.
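The namespace table and the role table above together define the mapping the SAML Proxy performs. The following is an added example, not the SAML Proxy's own code, that models that mapping as a fail-closed check: it accepts a KOMBIT user system role only under the <namespace> of the environment it runs in, translates it to the OIO BPP role URN listed above (casing exactly as listed), and requires the data constraints marked Obligatorisk in the eHealth Exttest column (STS Organisationsenhed for every role, Careteam for the roles where it is listed). It assumes, because the page does not show it, that the role reaches the proxy as http://<namespace>/roles/usersystemrole/<name>/1 and that data constraints arrive as a name-to-value mapping keyed "STS Organisationsenhed" and "Careteam". The Prod columns are not modelled, and neither are TEST002 and DEVENVCGI, which have no <namespace> in the table above, so roles from those environments are rejected.

```python
"""Added example, not the eHealth Infrastructure SAML Proxy's own code: a model of
the mapping this page describes (KOMBIT user system role + data constraints ->
eHealth OIO BPP role) with the namespace and mandatory-constraint checks.
Assumed, since the page does not show it: the role arrives as
"http://<namespace>/roles/usersystemrole/<name>/1", and data constraints arrive
as a dict keyed "STS Organisationsenhed" / "Careteam". Only the Exttest column is modelled.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from urllib.parse import urlsplit

# eHealth Infrastructure environment -> <namespace>, as listed on the page.
NAMESPACES = {
    "INTTEST": "saml-proxy.inttest.ehealth.sundhed.dk",
    "EXTTEST": "saml-proxy.exttest.ehealth.sundhed.dk",
    "PREPROD": "saml-proxy.preprod.ehealth.sundhed.dk",
    "PROD": "ehealth.sundhed.dk",
}
# KOMBIT user system role name -> OIO BPP role URN, casing exactly as on the page.
OIO_BPP_ROLES = {
    "order_placer": "urn:dk:sundhed:ehealth:role:order_placer",
    "citizen_enroller": "urn:dk:sundhed:ehealth:role:citizen_enroller",
    "careteam_administrator": "urn:dk:sundhed:ehealth:role:careteam_administrator",
    "incident_reporter": "urn:dk:sundhed:eHealth:role:incident_reporter",
    "clinical_viewer": "urn:dk:sundhed:eHealth:role:clinical_viewer",
    "clinical_supporter": "urn:dk:sundhed:eHealth:role:clinical_supporter",
    "monitoring_assistor": "urn:dk:sundhed:eHealth:role:monitoring_assistor",
    "monitoring_adjuster": "urn:dk:sundhed:eHealth:role:monitoring_adjuster",
    "report_user": "urn:dk:sundhed:ehealth:role:report_user",
    "clinical_administrator": "urn:dk:sundhed:eHealth:role:clinical_administrator",
    "service_and_logistics": "urn:dk:sundhed:eHealth:role:service_and_logistics",
    "questionnaire_editor": "urn:dk:sundhed:eHealth:role:questionnaire_editor",
    "incident_manager": "urn:dk:sundhed:eHealth:role:incident_manager",
    "terminology_administrator": "urn:dk:sundhed:eHealth:role:terminology_administrator",
    "ssl_catalogue_responsible": "urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible",
    "ssl_catalogue_annotator": "urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator",
    "ssl_contract_responsible": "urn:dk:sundhed:eHealth:role:ssl_contract_responsible",
}
ROLE_PATHS = {f"/roles/usersystemrole/{n}/1": n for n in OIO_BPP_ROLES}  # all listed at /1

STS_ORG = "STS Organisationsenhed"  # mandatory (Obligatorisk) for every role
CARETEAM = "Careteam"               # mandatory only for the roles below, otherwise optional
CARETEAM_MANDATORY = {
    "citizen_enroller", "incident_reporter", "clinical_viewer", "clinical_supporter",
    "monitoring_assistor", "monitoring_adjuster", "service_and_logistics", "incident_manager",
}

class RoleMappingError(ValueError):
    """The KOMBIT role must not be honoured in this environment."""

@dataclass(frozen=True)
class MappedRole:
    oio_bpp_role: str
    organisation: str     # STS Organisationsenhed identifier, passed through unchanged
    careteam: str | None  # CareTeam UUID in canonical form, or None when not supplied

def map_kombit_role(role_uri: str, constraints: dict[str, str], environment: str) -> MappedRole:
    """Fail closed: a foreign namespace, unknown role path, missing mandatory
    constraint or malformed CareTeam UUID raises instead of yielding a weaker role."""
    expected_ns = NAMESPACES.get(environment)
    if expected_ns is None:
        raise RoleMappingError(f"environment {environment!r} has no municipal federation")
    parts = urlsplit(role_uri)
    # Hostnames compare case-insensitively; the role path does not.
    if parts.scheme != "http" or parts.netloc.lower() != expected_ns:
        raise RoleMappingError(f"namespace of {role_uri!r} is not {expected_ns!r}")
    name = ROLE_PATHS.get(parts.path)
    if name is None:
        raise RoleMappingError(f"unknown KOMBIT user system role path {parts.path!r}")

    unknown = set(constraints) - {STS_ORG, CARETEAM}
    if unknown:
        raise RoleMappingError(f"unsupported data constraint(s) {sorted(unknown)}")
    required = {STS_ORG, CARETEAM} if name in CARETEAM_MANDATORY else {STS_ORG}
    missing = sorted(c for c in required if not constraints.get(c))
    if missing:
        raise RoleMappingError(f"{name}: missing mandatory data constraint(s) {missing}")

    careteam = constraints.get(CARETEAM) or None
    if careteam is not None:
        try:
            careteam = str(uuid.UUID(careteam))  # canonical lowercase, hyphenated form
        except ValueError:
            raise RoleMappingError(f"CareTeam identifier {careteam!r} is not a UUID") from None
    return MappedRole(OIO_BPP_ROLES[name], constraints[STS_ORG], careteam)

if __name__ == "__main__":
    # Constructed sample input (not real registrations): a clinical_viewer from EXTTEST.
    print(map_kombit_role(
        "http://saml-proxy.exttest.ehealth.sundhed.dk/roles/usersystemrole/clinical_viewer/1",
        {STS_ORG: "org-0001", CARETEAM: "1F4D7F8E-2B3C-4D5E-8F90-1A2B3C4D5E6F"}, "EXTTEST"))
```

The check worth keeping in mind is the namespace one: a job function role registered against the EXTTEST SAML Proxy must never be honoured by the PROD SAML Proxy, even though the role path and the OIO BPP URN are identical across environments, so the mapping compares the host part of the role against the environment's own <namespace> before it looks at the role at all.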

    ...