Comment: Added some text on T-SEB.

...

When a client starts an OIDC Authorization Code Flow for a municipal user, it uses SEB and KOMBIT Context Handler and goes through the following federation process.

...

Term

Description

User-facing system

(Danish: Brugervendt system)

An IT system that provides an access-controlled user interface accessed via a browser, that is, a system used directly by an end user.

A user-facing system registered in the KOMBIT STS admin enables it to use KOMBIT systems for access control of end-users.

For the KOMBIT external test environment the following eHealth environments are registered as user-facing systems, and thereby use KOMBIT systems for access control:

  1. “FUT - SAML Proxy (devtest)” for the internal Systematic Test Environment

  2. “FUT - SAML Proxy (inttest)” for the eHealth Internal Test Environment

  3. “FUT - SAML Proxy (exttest)” for the eHealth External Test environment and external development environment (devenvcgi).

  4. “FUT - SAML Proxy (test002)” for the eHealth Education environment (TEST002)

  5. “FUT - SAML Proxy (preprod)” for the eHealth pre-production environment

Similar registrations are made in the KOMBIT STS Admin in the KOMBIT production environment, only here the sole SAML Proxy is in eHealth Infrastructure production environment (PROD).

User system role

(Danish: Brugersystemrolle)

Grouping of rights or permissions that define access and access restrictions to a specific user-facing system

Data constraint

(Danish: Dataafgrænsning)

Restriction of a “user system role”, which narrows the system role's field of action

Concerning eHealth Infrastructure, these are:

System-specific data constraint

  • CareTeam - CareTeam identifier is optional for some user system roles, required for others (see below)

Cross-cutting data constraint

  • Organisation - Organisation identifier from KOMBIT FK Organisation.

Job function role

(Danish: Jobfunktionsrolle)

Grouping of user system roles for an authority (e.g. municipality) used by the authority to assign access to the user.

Each municipality shall maintain a set in KOMBIT STS Admin.

Concerning eHealth Infrastructure, the job function role should comprise:

  • A collection of user system roles

  • An Organisation identifier

  • A possible CareTeam identifier

User facing system

For the KOMBIT external test environment the following eHealth environments are registered as user-facing systems, and thereby use KOMBIT systems for access control:

User facing system in FK Administration / System:

  1. FUT - SAML Proxy (devtest): FUT saml-proxy for the internal Systematic Test Environment

  2. FUT - SAML Proxy (inttest): FUT saml-proxy for the eHealth Internal Test Environment

  3. FUT - SAML Proxy (exttest): FUT saml-proxy for the eHealth External Test environment (exttest) and external development environment (devenvcgi).

  4. FUT - SAML Proxy (test002): FUT saml-proxy for the eHealth Education environment (TEST002)

  5. FUT - SAML Proxy (preprod): FUT saml-proxy for the eHealth pre-production environment

  6. “T-SEB” (Note: name not known by Systematic, but to be used in the future when SEB and ContextHandler are configured): T-SEB for all eHealth test (incl. pre-prod) environments.

Similar registrations are made in the KOMBIT STS Admin in the KOMBIT production environment, only here the sole SAML Proxy is in the eHealth Infrastructure production environment (PROD).

Data constraints (Danish: “data afgrænsninger”)

...

  • CareTeam - a system-specific data constraint identifying a CareTeam. It is optional for some user system roles and required for others (see below)

  • Organisation - Cross-cutting (data constraint) identifying Organisation from KOMBIT FK Organisation.

...

Usersystem

  • This data constraint is defined and maintained outside eHealth.

Careteam data constraint per user facing system (columns: User facing system, Data Constraint Name, EntityId, Syntax validation):

  1. DEVTEST
     Data constraint name: Careteam
     EntityId: http://ehealth.sundhed.dk/constraints/careteam/1
     Syntax validation: ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

  2. INTTEST
     Data constraint name: Careteam
     EntityId: http://saml-proxy.inttest.ehealth.sundhed.dk/constraints/careteam/1
     Syntax validation: ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

  3. EXTTEST, DEVENVCGI
     Data constraint name: Careteam
     EntityId: http://saml-proxy.exttest.ehealth.sundhed.dk/constraints/careteam/1
     Syntax validation: ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

  4. TEST002
     Data constraint name: Careteam
     EntityId: http://saml-proxy.test002.ehealth.sundhed.dk/constraints/careteam/1
     Syntax validation: ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

  5. PREPROD
     Data constraint name: Careteam
     EntityId: http://saml-proxy.preprod.ehealth.sundhed.dk/constraints/careteam/1
     Syntax validation: ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

  6. “T-SEB” (Note: name not known by Systematic.)
     Data constraint name: Careteam (Note: Does SEB require that Data Constraint names are prepended with “fut” or “eHealth”?)
     EntityId: http://exttest.ehealth.sundhed.dk/constraints/careteam/1 (Note: We assume the constraint can be reused and have the same name as the “FUT exttest” user facing system.)
     Syntax validation: ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*
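The syntax validation pattern above is the same for every environment, so a receiving component (a SAML proxy or any service that reads the Careteam constraint out of a token) should apply it as a whole-string match. The following added example is not part of the original page or of the SAML Proxy; it wraps the page's own pattern in a validator and shows why `fullmatch()` rather than `search()` is the right call, since the pattern in the table carries no anchors. The sample identifiers are constructed for the example. One quirk worth knowing: because the first group is quantified with `+`, the pattern also accepts two identifiers written back to back without a comma; the extractor below still returns each identifier separately.

```python
import re

# Syntax validation pattern for the Careteam data constraint, copied verbatim
# from the table above. It has no ^/$ anchors, which matters below.
CARETEAM_PATTERN = (
    r"([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+"
    r"(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*"
)
_CARETEAM_RE = re.compile(CARETEAM_PATTERN)

# One identifier on its own, used only to pull the individual values out of a
# string that has already passed the whole-string validation.
_ONE_ID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}"
)


def careteam_ids(value):
    """Validate a Careteam constraint value and return its identifiers.

    Returns the list of CareTeam identifiers when the whole value satisfies
    the syntax validation pattern, and None otherwise. fullmatch() is used on
    purpose: with search() or match() a value carrying extra characters before
    or after the identifiers would still be accepted.
    """
    if not isinstance(value, str) or _CARETEAM_RE.fullmatch(value) is None:
        return None
    # The first group is quantified with '+', so two identifiers glued
    # together without a comma also pass; findall still yields each one.
    return _ONE_ID_RE.findall(value)


def unanchored_search_accepts(value):
    """What the naive check 'does the pattern occur somewhere in value' says.

    Only here to show the difference from careteam_ids(); it is not a
    validator and should not be used as one.
    """
    return _CARETEAM_RE.search(value) is not None


if __name__ == "__main__":
    # Constructed sample values, not identifiers from any real environment.
    good = "123e4567-e89b-42d3-a456-426614174000, aaaaaaaa-bbbb-4ccc-dddd-eeeeeeeeeeee"
    bad = "x123e4567-e89b-42d3-a456-426614174000"
    print(careteam_ids(good))              # two identifiers
    print(careteam_ids(bad))               # None
    print(unanchored_search_accepts(bad))  # True: this is why fullmatch() is used
```

Uppercase hex and identifiers whose third group does not start with 4 are rejected by the pattern itself, so the validator inherits those rules without any extra code.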

STS Admin User system roles for the eHealth Infrastructure

...

Note
  • When SEB is used, a user facing system may not contain an underscore

The <namespace> shall reflect the eHealth Infrastructure environment for registration in the KOMBIT STS Admin. The <namespace> shall be one of the following:

eHealth Infrastructure Environment / <namespace>:

  1. INTTEST: saml-proxy.inttest.ehealth.sundhed.dk

  2. EXTTEST, DEVENVCGI: saml-proxy.exttest.ehealth.sundhed.dk

  3. TEST002: saml-proxy.test002.ehealth.sundhed.dk

  4. PREPROD: saml-proxy.preprod.ehealth.sundhed.dk

  5. PROD: ehealth.sundhed.dk

  6. “T-SEB” (Note: name not known by Systematic): exttest.ehealth.sundhed.dk (Note: Suggestion.)

Note

In case of change in what eHealth Infrastructure environments shall support municipal federation of authentication and authorization, the above list needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.

...

Data constraints (Prod)

KOMBIT user system roles for the eHealth Infrastructure

eHealth Infrastructure OIO BPP system roles

Data constraints (EXTTEST)

Data constraints
FUT - Saml proxy (PROD)

STS Organisationsenhed

Careteam

Organisation

SOR Organisationsenhed

SSL Organisationsenhed

Careteam

/roles/usersystemrole/order_placer/1

urn:dk:sundhed:ehealth:role:order_placer

Mandatory

Mandatory

XOptional

/roles/usersystemrole/citizen_enroller/1

urn:dk:sundhed:ehealth:role:citizen_enroller

Mandatory

Mandatory

Mandatory

xOptionalx

Optional

/roles/usersystemrole/careteam_administrator/1

urn:dk:sundhed:ehealth:role:careteam_administrator

Mandatory

Mandatory

xOptional

/roles/usersystemrole/incident_reporter/1

urn:dk:sundhed:eHealth:role:incident_reporter

Mandatory

Mandatory

Mandatory

xOptionalx

Optional

/roles/usersystemrole/clinical_viewer/1

urn:dk:sundhed:eHealth:role:clinical_viewer

Mandatory

Mandatory

Mandatory

xOptional

/roles/usersystemrole/clinical_supporter/1

urn:dk:sundhed:eHealth:role:clinical_supporter

Mandatory

Mandatory

Mandatory

xOptional

/roles/usersystemrole/monitoring_assistor/1

urn:dk:sundhed:eHealth:role:monitoring_assistor

Mandatory

Mandatory

Mandatory

xOptionalx

Optional

/roles/usersystemrole/monitoring_adjuster/1

urn:dk:sundhed:eHealth:role:monitoring_adjuster

Mandatory

Mandatory

Mandatory

xOptional

XOptional

/roles/usersystemrole/report_user/1

urn:dk:sundhed:ehealth:role:report_user

Mandatory

Mandatory

xOptionalx

Optional

/roles/usersystemrole/clinical_administrator/1

urn:dk:sundhed:eHealth:role:clinical_administrator

Mandatory

Mandatory

xOptional

/roles/usersystemrole/service_and_logistics/1

urn:dk:sundhed:eHealth:role:service_and_logistics

Mandatory

Mandatory

xOptionalx

Optional

/roles/usersystemrole/questionnaire_editor/1

urn:dk:sundhed:eHealth:role:questionnaire_editor

Mandatory

Mandatory

xOptional

/roles/usersystemrole/incident_manager/1

urn:dk:sundhed:eHealth:role:incident_manager

Mandatory

Mandatory

xOptionalx

Optional

/roles/usersystemrole/terminology_administrator/1

urn:dk:sundhed:eHealth:role:terminology_administrator

Mandatory

/roles/usersystemrole/ssl_catalogue_responsible/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible

Mandatory

xOptionalx

Optional

/roles/usersystemrole/ssl_catalogue_annotator/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator

Mandatory

xOptionalx

Optional

/roles/usersystemrole/ssl_contract_responsible/1

urn:dk:sundhed:eHealth:role:ssl_contract_responsible

Mandatory

xOptionalx

Optional

Note

If the OIO BPP system roles listed above deviate from the list in eHealth Infrastructure OIO BPP system roles https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/291176482/Tokens+Roles+and+RBAC+ABAC#Privilege-Roles , the above list needs to be updated.

In addition, such a change needs to be implemented in the mapping https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2172125189/SAML+Proxy#Mapning-af-privilegier-og-constraints performed by the SAML Proxy.
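The namespace table and the role table above together define what the SAML Proxy's mapping has to enforce: a privilege is only meaningful if it sits in the namespace of the environment the proxy serves and names a known user system role. The following is an added example, not the SAML Proxy's own code, of such a mapping with those two checks. It assumes (this is not stated verbatim on the page) that a full KOMBIT role identifier is formed as `http://` + `<namespace>` + the role path, in the same way the Careteam EntityIds are formed as `http://` + `<namespace>` + `/constraints/careteam/1`; `ROLE_MAP` holds only a subset of the role table, copied as written there. Privileges from another environment's namespace and unknown roles are rejected and reported rather than passed through.

```python
# Namespace per eHealth Infrastructure environment, copied from the table above.
NAMESPACES = {
    "INTTEST": "saml-proxy.inttest.ehealth.sundhed.dk",
    "EXTTEST": "saml-proxy.exttest.ehealth.sundhed.dk",
    "DEVENVCGI": "saml-proxy.exttest.ehealth.sundhed.dk",
    "TEST002": "saml-proxy.test002.ehealth.sundhed.dk",
    "PREPROD": "saml-proxy.preprod.ehealth.sundhed.dk",
    "PROD": "ehealth.sundhed.dk",
}

# Subset of the role table above: KOMBIT user system role path -> OIO BPP URN.
ROLE_MAP = {
    "/roles/usersystemrole/order_placer/1": "urn:dk:sundhed:ehealth:role:order_placer",
    "/roles/usersystemrole/citizen_enroller/1": "urn:dk:sundhed:ehealth:role:citizen_enroller",
    "/roles/usersystemrole/clinical_viewer/1": "urn:dk:sundhed:eHealth:role:clinical_viewer",
    "/roles/usersystemrole/incident_manager/1": "urn:dk:sundhed:eHealth:role:incident_manager",
}


class PrivilegeError(ValueError):
    """A privilege that must not be mapped: wrong environment or unknown role."""


def map_privilege(privilege_uri, environment):
    """Map one KOMBIT user system role URI to its OIO BPP role URN.

    Assumption (hypothetical, see lead-in): the full identifier is
    'http://' + <namespace> + <role path>. The namespace comparison is a
    strict prefix match ending in '/', so a host that merely starts with the
    expected namespace does not pass.
    """
    try:
        prefix = "http://" + NAMESPACES[environment] + "/"
    except KeyError:
        raise PrivilegeError(f"unknown environment: {environment}") from None
    if not privilege_uri.startswith(prefix):
        raise PrivilegeError(f"not in the {environment} namespace: {privilege_uri}")
    role_path = privilege_uri[len(prefix) - 1:]  # keep the leading '/'
    if role_path not in ROLE_MAP:
        raise PrivilegeError(f"unknown user system role: {role_path}")
    return ROLE_MAP[role_path]


def map_privileges(privilege_uris, environment):
    """Map a list of privileges for one environment.

    Returns (accepted URNs in first-seen order without duplicates,
    rejected (uri, reason) pairs). Rejections are returned rather than
    silently dropped so the caller can log them.
    """
    accepted, rejected = [], []
    for uri in privilege_uris:
        try:
            urn = map_privilege(uri, environment)
        except PrivilegeError as exc:
            rejected.append((uri, str(exc)))
            continue
        if urn not in accepted:
            accepted.append(urn)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample privileges for an INTTEST proxy: one valid, one from
    # the PROD namespace, one unknown role.
    sample = [
        "http://saml-proxy.inttest.ehealth.sundhed.dk/roles/usersystemrole/order_placer/1",
        "http://ehealth.sundhed.dk/roles/usersystemrole/order_placer/1",
        "http://saml-proxy.inttest.ehealth.sundhed.dk/roles/usersystemrole/superuser/1",
    ]
    ok, bad = map_privileges(sample, "INTTEST")
    print(ok)   # one URN
    print(bad)  # two rejected entries with reasons
```

Because EXTTEST and DEVENVCGI share a namespace in the table, a privilege in `saml-proxy.exttest.ehealth.sundhed.dk` maps identically for both; that is a property of the table, not of the code.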

...