| Excerpt |
|---|
Description of This page describes the required SAML attributes in the tokens for municipal and regional users. |
Common for both municipal and regional users is that:
Municipal and regional users' access to the eHealth Infrastructure goes through SEB.
The Infrastructure Authorization Service (AS) redirects a login to SEB (as SAML AuthNRequest to SEB).
SEB forwards redirected the SAML AuthNRequest to municipal and regional Identity Providers (IdP), respectively.
As apparent in From the SEB there are differences in what systems are involved in the login flow.
Federated Authentication and Authorization for Municipal Users and describes the flow for municipality users.
Federated Authentication and Authorization for Regional Users there are differences in what systems are involved.
describes the flow for regional users.
The SAML AuthNResponse returned to the SEB and the Infrastructure AS is a SAML AuthNResponse conforming must conform to OIO BPP
| Info |
|---|
Technically speaking, authorization is performed in the Infrastructure Authorization Service while the municipal and regional IdP provide claims. In effect, however, the IdPs provide the decisions behind the authorization in the form of system roles. |
Clinical SAML Attributes
Clinical access to the eHealth Infrastructure goes through SEB. SEB provides a SAML AuthNResponse containing a set The SAML AuthNResponse from the SEB shall contain a number of SAML attributes in a SAML assertion which is used the eHealth Infrastructure uses to identify the clinical user.
Attribute | Description | ||
|---|---|---|---|
| Organization name | ||
| Required from SEB. Civil registration number (CPR) | ||
| CVR number | ||
| RID number from certificate | ||
| AssuranceLevel (must be 4) | ||
| Required from SEB. Common name (full name) | ||
| IDCard | ||
| A boolean saying if the user has any healthcare authorizations | ||
dk:healthcare:saml:attribute:UserAuthorizations | A list of the users healthcare authorizations | ||
| Required from SEB. The globally unique ID of the user within his/her organization. (also known as UID) | ||
| Required from SEB. A base64-encoded XML structure in OIO BPP format, listing privileges. If an employee should have any permissions, this attribute should define one or more roles in scope of an organizational unit or careteam, e.g. a SOR number, STS Organisation or careteam reference. See general structure in documentation[1]. [1] https://digst.dk/media/19020/oiosaml-basic-privilege-profile-1_1.pdf | ||
| Optional. Can be used to limit scopes expressed in the OIO BPP structure, by adding it as a constraint in each PrivilegeGroup. Only PriviledgeGroups with the constraint matching the value of scopingOIOBPPContext will be available for the user.
|
The attributes used are
the CPR number (
dk:gov:saml:attribute:CprNumberIdentifier),the UID and
the OIO BPP format (
dk:gov:saml:attribute:Privileges_intermediate).
The CPR number is primarily used for delivering data to the central NSP MinLog2 service.
The UID uniquely identifies the user in the eHealth Infrastructure and the T
The OIO BPP provides the roles and careteams that are accessible to the user.
...
The structure of the OIO BPP, used in Privileges_intermediate, is capable of expressing multiple careteam- and organization affiliations. If only a single careteam is expressed in the OIO BPP it is automatically set in the user's context of the user. In the case where the user is part of multiple careteams, the user needs to set the wanted careteam in context (see Switching Context). Once a careteam is set into context, the roles under that careteam apply to the user - expressed in the JWT (the internal access token of the eHealth Infrastructure).
...