Versions Compared

Old Version 10

changes.mady.by.user John Schneider

Saved on

compared with

New Version Current

changes.mady.by.user John Schneider

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added examples of validation.
Excerpt

The eHealth infrastructure uses OIO OIOSAML Basic Privilege Profile 1.2_2 (digst.dk) to express user privileges as attributes in SAML Assertions.

Table of Contents

The infrastructure also supports version 1.1, the only difference being the XML namespace of the schema:

...

A PrivilegeList must contain at least one PrivilegeGroup with Scope="urn:dk:gov:saml:cvrNumberIdentifier:<some number>".

A PrivilegeGroup has the following elements:

...

  1. SOR organizations: 

    • Identified by Constraints with Name attribute = "urn:dk:gov:saml:sorIdentifier" and value = {sor-id}

    • Refers to Fhir Organization with Identifier.system = "urn:oid:1.2.208.176.1.1" and Identifier.value = {sor-id}

    • Example:

      • Constraint:

        • Code Block
          languagexml
          <Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>

      • Refers to Organization with: 

        • Code Block
          languagejson
          "Identifier": [{"system": "urn:oid:1.2.208.176.1.1", "value": "950531000016003"}]

  2. STS organizations

    • Identified by Constraints with Name attribute = "urn:dk:kombit:orgUnit" and value = {sts-id}

    • Refers to Fhir Organization with Identifier.system = "https://www.kombit.dk/sts/organisation" and Identifier.value = {sts-id}

    • Example:

      • Constraint:

        • Code Block
          languagexml
          <Constraint Name="urn:dk:kombit:orgUnit">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

      • Refers to Organization with: 

        • Code Block
          languagejson
          "Identifier": [{"system": "https://www.kombit.dk/sts/organisation", "value": "eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4"}]

  3. SSL organizations

    • Identified by Constraints with Name attribute =  "urn:dk:sundhed:ehealth:sslOrg"

    • Refers to Fhir Organization with Identifier.system = "http://ehealth.sundhed.dk/organization/ssl" and Identifier.value = {ssl-id}

    • Example:

      • Constraint:

        • Code Block
          <Constraint Name="urn:dk:sundhed:ehealth:sslOrg">aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

      • Refers to Organization with: 

        • Code Block
          "Identifier": [{"system": "http://ehealth.sundhed.dk/organization/ssl", "value": "aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4"}]

...

Example:

  • Constraint: 

    • Code Block
      languagexml
      <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

  • Refers to CareTeam with: 

    • Code Block
      languagejson
      "Identifier": [{"system": "urn:ietf:rfc:3986", "value": "urn:uuid:cccccccc-b760-11e9-a2a3-2a2ae2dbcce4"}]

...

See https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/291176482/Tokens+Roles+and+RBAC+ABAC#Privilege-Roles

Acceptance of PrivilegeList

This section describes different scenarios for eHealth Infrastructure acceptance of privilege lists:

Code Block
languagexml
<?xml version="1.0"?>
<PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    ...
  </PrivilegeGroup>
</PrivilegeList>

In the same <PrivilegeList> there can be both valid and invalid PrivilegeGroups. The valid ones will still be able to be used even if the list also contains invalid ones.

The invalid group will be in a list of "warnings" in the response from Keycloak's /contexts endpoint to the calling system.

Scenario

Handling

1

Referenced Organization does not exist in the eHealth Infrastructure

Example Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897" cannot be found.

The entire <PrivilegeGroup> is ignored.

Other <PrivilegeGroup> are handled.

2

Unknown privilege in privilegegroup.

Eg. group contain privilege like

<Privilege>urn:dk:kombit:system_xyz:view_case</Privilege>

The entire <PrivilegeGroup> is ignored.

Other <PrivilegeGroup> are handled.

3

Unknown <Constraint> in <PrivilegeGroup>

E.g.

<Constraint Name="urn:dk:kombit:KLE">25.*</Constraint>

The <PrivilegeGroup> is ignored.

Other <PrivilegeGroup> are handled.

4

Referenced CareTeam does not exist

The entire <PrivilegeGroup> is ignored.

Other <PrivilegeGroup> are handled.

5

Referenced CareTeam is not active

The entire <PrivilegeGroup> is ignored.

Other <PrivilegeGroup> are handled.

6

Refrence CareTeam “from date” is in the future.

The <PrivilegeGroup> becomes a valid context in Keycloak's /contexts endpoint

7

Referenced sorIdentifier does not exist

<Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>

The entire <PrivilegeGroup> is ignored.

Other <PrivilegeGroup> are handled.