...

  1. The KOMBIT Context Handler - This service creates a SAML AuthnResponse based on registrations stored in the KOMBIT user administration system, KOMBIT STS Administration (STS Admin or DK Admin for short).

  2. The eHealth Infrastructure-hosted SAML Proxy - This service substitutes and translates KOMBIT-flavor SAML Attributes so that uniform OIOSAML OIO-BPP Attributes are provided to SEB. It also enriches the OIOSAML Attributes by adding the employee's CPR number, obtained from the KOMBIT FK Organisation system.

  3. Sundhedsvæsenets Elektroniske Brugerstyring (SEB) - This is the shared user administration platform for the Danish healthcare sector.

  4. The eHealth Authorization Service (KeyCloak) - Once the KOMBIT NSIS Context Handler can connect directly with SEB and the SAML Proxy is removed from the flow, the KeyCloak service shall modify and adapt the KOMBIT-style SAML Attributes to ensure they match the uniform OIOSAML OIO-BPP Attributes in use.

...

Term

Description

User-facing system

(Danish: Brugervendt system)

An IT system that provides an access-controlled user interface accessed via a browser, that is, a system used directly by an end user.

Registering a user-facing system in the KOMBIT STS Admin enables it to use KOMBIT systems for access control of end users.

For the KOMBIT external test environment the following eHealth environments are registered as user-facing systems, and thereby use KOMBIT systems for access control:

  1. “FUT - SAML Proxy (devtest)” for the internal Systematic Test Environment

  2. “FUT - SAML Proxy (inttest)” for the eHealth Internal Test Environment

  3. “FUT - SAML Proxy (exttest)” for the eHealth External Test environment and external development environment (devenvcgi).

  4. “FUT - SAML Proxy (test002)” for the eHealth Education environment (TEST002)

  5. “FUT - SAML Proxy (preprod)” for the eHealth pre-production environment

Similar registrations are made in the KOMBIT STS Admin in the KOMBIT production environment; there the sole SAML Proxy is the one in the eHealth Infrastructure production environment (PROD).

User system role

(Danish: Brugersystemrolle)

A grouping of rights or permissions that defines access and access restrictions to a specific user-facing system.

Data constraint

(Danish: Dataafgrænsning)

A restriction on a “user system role” which narrows the system role's field of action.

Concerning eHealth Infrastructure, these are:

System-specific data constraint

  • CareTeam - CareTeam identifier is optional for some user system roles, required for others (see below)

Cross-cutting data constraint

  • Organisation - Organisation identifier from KOMBIT FK Organisation.

Job function role

(Danish: Jobfunktionsrolle)

A named role, usable in municipal IdPs, comprising a collection of user system roles and data constraints for an authority (e.g. a municipality), used by the authority to assign access to users.

Each municipality shall maintain a set in KOMBIT STS Admin.

Concerning eHealth Infrastructure, these comprise:

  • A collection of KOMBIT-flavored user system roles

  • An Organisation identifier

  • A possible CareTeam identifier

...

Data constraints (Danish: “data afgrænsninger”)

Data constraints narrow a user system role. In eHealth Infrastructure, two data constraints are in use:

  • CareTeam - a system-specific data constraint identifying a CareTeam. It is optional for some user system roles and required for others (see below).

  • Organisation - a cross-cutting data constraint identifying an Organisation from KOMBIT FK Organisation.

| # | User system | Name | EntityId | Syntax validation |
|---|---|---|---|---|
| 1 | DEVTEST | Careteam | http://ehealth.sundhed.dk/constraints/careteam/1 | ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* |
| 2 | INTTEST | Careteam | http://saml-proxy.inttest.ehealth.sundhed.dk/constraints/careteam/1 | ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* |
| 3 | EXTTEST, DEVENVCGI | Careteam | http://saml-proxy.exttest.ehealth.sundhed.dk/constraints/careteam/1 | ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* |
| 4 | TEST002 | Careteam | http://saml-proxy.test002.ehealth.sundhed.dk/constraints/careteam/1 | ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* |
| 5 | PREPROD | Careteam | http://saml-proxy.preprod.ehealth.sundhed.dk/constraints/careteam/1 | ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* |

STS Admin User system roles for the eHealth Infrastructure

User system roles for the eHealth Infrastructure registered in KOMBIT STS Admin:

...

The <namespace> shall reflect the eHealth Infrastructure environment for which the registration is made in the KOMBIT STS Admin. The <namespace> shall be one of the following:

| # | eHealth Infrastructure environment | <namespace> |
|---|---|---|
| 1 | INTTEST | saml-proxy.inttest.ehealth.sundhed.dk |
| 2 | EXTTEST, DEVENVCGI | saml-proxy.exttest.ehealth.sundhed.dk |
| 3 | TEST002 | saml-proxy.test002.ehealth.sundhed.dk |
| 4 | PREPROD | saml-proxy.preprod.ehealth.sundhed.dk |
| 5 | PROD | ehealth.sundhed.dk |

Note

If the set of eHealth Infrastructure environments that support municipal federation of authentication and authorization changes, the list above needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.

...

The table shows the KOMBIT user system role, the corresponding OIO BPP role, and which data constraints are possible (x) and which are mandatory. The data constraint columns of the original table are, for OIO data constraints (eHealth EXTTEST): STS Organisationsenhed and Careteam; and for OIO data constraints (PROD): Organisation, SOR Organisationsenhed, SSL Organisationsenhed and Careteam. Empty cells did not survive extraction, so the markings are listed in the order they appear, without column alignment.

| KOMBIT user system role for the eHealth Infrastructure | eHealth Infrastructure OIO BPP system role | Data constraint cells (Mandatory / x, left to right) |
|---|---|---|
| /roles/usersystemrole/order_placer/1 | urn:dk:sundhed:ehealth:role:order_placer | Mandatory, Mandatory, X |
| /roles/usersystemrole/citizen_enroller/1 | urn:dk:sundhed:ehealth:role:citizen_enroller | Mandatory, Mandatory, Mandatory, x, x |
| /roles/usersystemrole/careteam_administrator/1 | urn:dk:sundhed:ehealth:role:careteam_administrator | Mandatory, Mandatory, x |
| /roles/usersystemrole/incident_reporter/1 | urn:dk:sundhed:eHealth:role:incident_reporter | Mandatory, Mandatory, Mandatory, x, x |
| /roles/usersystemrole/clinical_viewer/1 | urn:dk:sundhed:eHealth:role:clinical_viewer | Mandatory, Mandatory, Mandatory, x |
| /roles/usersystemrole/clinical_supporter/1 | urn:dk:sundhed:eHealth:role:clinical_supporter | Mandatory, Mandatory, Mandatory, x |
| /roles/usersystemrole/monitoring_assistor/1 | urn:dk:sundhed:eHealth:role:monitoring_assistor | Mandatory, Mandatory, Mandatory, x, x |
| /roles/usersystemrole/monitoring_adjuster/1 | urn:dk:sundhed:eHealth:role:monitoring_adjuster | Mandatory, Mandatory, Mandatory, x, X |
| /roles/usersystemrole/report_user/1 | urn:dk:sundhed:ehealth:role:report_user | Mandatory, Mandatory, x, x |
| /roles/usersystemrole/clinical_administrator/1 | urn:dk:sundhed:eHealth:role:clinical_administrator | Mandatory, Mandatory, x |
| /roles/usersystemrole/service_and_logistics/1 | urn:dk:sundhed:eHealth:role:service_and_logistics | Mandatory, Mandatory, x, x |
| /roles/usersystemrole/questionnaire_editor/1 | urn:dk:sundhed:eHealth:role:questionnaire_editor | Mandatory, Mandatory, x |
| /roles/usersystemrole/incident_manager/1 | urn:dk:sundhed:eHealth:role:incident_manager | Mandatory, Mandatory, x, x |
| /roles/usersystemrole/terminology_administrator/1 | urn:dk:sundhed:eHealth:role:terminology_administrator | Mandatory |
| /roles/usersystemrole/ssl_catalogue_responsible/1 | urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible | Mandatory, x, x |
| /roles/usersystemrole/ssl_catalogue_annotator/1 | urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator | Mandatory, x, x |
| /roles/usersystemrole/ssl_contract_responsible/1 | urn:dk:sundhed:eHealth:role:ssl_contract_responsible | Mandatory, x, x |

Note

If the OIO BPP system roles listed above deviate from the list in eHealth Infrastructure OIO BPP system roles, the list above needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.
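As an added example (not code from the eHealth Infrastructure SAML Proxy), the following Python shows how a consuming service would apply the Careteam syntax validation from the data constraint table and translate a KOMBIT user system role to its OIO BPP role URN using the namespace table above. It assumes, which the page does not state, that a full KOMBIT role entity id is formed as `http://` + `<namespace>` + the role path; the role map is a subset of the role table, and the sample values are constructed.

```python
import re
from typing import List, Optional

# Careteam data constraint syntax validation, as given in the page's table
CARETEAM_PATTERN = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+"
    r"(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*"
)

# Per-environment <namespace> values from the page's namespace table
NAMESPACES = {
    "INTTEST": "saml-proxy.inttest.ehealth.sundhed.dk",
    "EXTTEST": "saml-proxy.exttest.ehealth.sundhed.dk",
    "TEST002": "saml-proxy.test002.ehealth.sundhed.dk",
    "PREPROD": "saml-proxy.preprod.ehealth.sundhed.dk",
    "PROD": "ehealth.sundhed.dk",
}

# KOMBIT user system role path -> OIO BPP role URN (subset of the page's role table)
ROLE_MAP = {
    "/roles/usersystemrole/order_placer/1": "urn:dk:sundhed:ehealth:role:order_placer",
    "/roles/usersystemrole/clinical_viewer/1": "urn:dk:sundhed:eHealth:role:clinical_viewer",
    "/roles/usersystemrole/careteam_administrator/1": "urn:dk:sundhed:ehealth:role:careteam_administrator",
}


def careteam_constraint_is_valid(value: str) -> bool:
    """True if the constraint value matches the page's pattern in full."""
    # fullmatch, not match/search: match() would accept trailing junk after a valid list,
    # and search() would accept junk on both sides.
    return CARETEAM_PATTERN.fullmatch(value) is not None


def split_careteams(value: str) -> List[str]:
    """Split a validated constraint value into individual CareTeam ids.

    Note: the leading (...)+ group in the page's pattern also accepts UUIDs run
    together without a comma, so a consumer should split and re-check each item
    rather than trust that the list is well separated."""
    return [item.strip() for item in value.split(",")]


def map_kombit_role(entity_id: str, environment: str) -> Optional[str]:
    """Translate a full KOMBIT role entity id for `environment` to its OIO BPP URN.

    Assumption (not stated on the page): full id = 'http://' + <namespace> + role path.
    A role registered under another environment's namespace is not translated."""
    prefix = "http://" + NAMESPACES[environment]
    if not entity_id.startswith(prefix):
        return None
    return ROLE_MAP.get(entity_id[len(prefix):])
```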

...