
Description of federated authentication and authorization for Municipal Users using SEB and the KOMBIT Context Handler.


Authorization Flow

When a client starts an OIDC Authorization Code Flow for a municipal user, it uses SEB and KOMBIT Context Handler and goes through the following federation process.

...

  1. The KOMBIT Context Handler - This service creates a SAML AuthnResponse based on registrations stored in the KOMBIT user administration system, KOMBIT STS Administration (STS Admin or DK Admin for short).

  2. The eHealth Infrastructure-hosted SAML Proxy - This service substitutes and translates KOMBIT-flavored SAML Attributes so that uniform OIOSAML OIO-BPP Attributes are provided to SEB. It also enriches the OIOSAML Attributes with the employee's CPR number, obtained from the KOMBIT FK Organisation system.

  3. Sundhedsvæsenets Elektroniske Brugerstyring (SEB) - This is the shared user administration platform for the Danish healthcare sector.

  4. The eHealth Authorization Service (KeyCloak) - When the KOMBIT NSIS Context Handler can connect directly with SEB, the SAML Proxy is removed from the flow. The KeyCloak service shall then modify and adapt the KOMBIT-style SAML Attributes to ensure they match the uniform OIOSAML OIO-BPP Attributes used.

...

KOMBIT Terms and Concepts

Note

The English terms used in the following do not constitute official, KOMBIT-vetted translations of the Danish terms used throughout KOMBIT documentation and systems. The Danish terms stem from section 3 in Brugervejledning til Administrationsmodulerne for leverandører.

The following terms are used in registrations in “Fælleskommunalt Administrationsmodul” (KOMBIT STS Admin in the KOMBIT external test environment):

Term | Description | Concerning eHealth Infrastructure

User-faced system (Danish: Brugervendt system)

  An IT system that provides an access-controlled user interface accessed via a browser, that is, a system directly (or indirectly) used by an end-user. Mostly, if not always, this excludes KOMBIT services. Registering a user-facing system in KOMBIT STS Admin enables it to use KOMBIT systems for access control of end-users.

  Concerning eHealth Infrastructure, these are:

  • SAML Proxy in eHealth Internal Test Environment (INTTEST)

  • SAML Proxy in eHealth External Test environment (EXTTEST)

  • SAML Proxy in eHealth External Development environment (DEVENVCGI)

  • SAML Proxy in eHealth pre-production environment (PREPROD)

  • T-SEB for all eHealth test (incl. pre-prod) environments

  FUT-S has created similar registrations in the KOMBIT FK Administration in the KOMBIT production environment. This only has the SAML Proxy for the eHealth Infrastructure production environment (PROD).

Data constraint (Danish: Dataafgrænsning)

  A configuration item for a user-faced system, maintained in KOMBIT STS Admin. It restricts a user system role, narrowing the system role's field of action.

  Concerning eHealth Infrastructure, there are two data constraints in use:

  • CareTeam identifier (UUID) - a system-specific data constraint identifying a CareTeam. Optional for some user system roles, required for others (see below).

  • Organisation - a cross-cutting data constraint identifying an Organisation from KOMBIT FK Organisation. This data constraint is defined and maintained outside eHealth.

User system role (Danish: Brugersystemrolle)

  A grouping of rights or permissions that defines access and access restrictions to a specific user-facing system; that is, a system role defined by the system used by a user. Registered in KOMBIT STS Admin.

Job function role (Danish: Jobfunktionsrolle)

  A named role usable in municipal IdPs, comprising a collection of user system roles and data constraints, which an authority (e.g. a municipality) uses to assign access to its users. Each municipality shall maintain a set in KOMBIT STS Admin.

  Concerning eHealth Infrastructure, a job function role should comprise:

  • a collection of KOMBIT-flavored user system roles

  • an Organisation identifier

  • a possible CareTeam identifier

  Similar registrations must be made in KOMBIT STS Admin in KOMBIT environment PROD, only here the sole SAML Proxy is the one in eHealth Infrastructure environment PROD.

Registrations Required in Municipal KOMBIT Systems

eHealth Infrastructure as User-systems

The eHealth test environments use the KOMBIT Context Handler for access control and are therefore registered as user-facing systems in the FK Administration system.

The following eHealth environments are registered as user-facing systems in the KOMBIT external test:

# | User system in FK Administration | System
1 | FUT - SAML Proxy (devtest) | FUT saml-proxy for the internal Systematic Test Environment.
2 | FUT - SAML Proxy (inttest) | FUT saml-proxy for the eHealth Internal Test Environment.
3 | FUT - SAML Proxy (exttest) | FUT saml-proxy for the eHealth External Test environment (exttest) and external development environment (devenvcgi).
4 | FUT - SAML Proxy (test002) | FUT saml-proxy for the eHealth Education environment (TEST002).
5 | FUT - SAML Proxy (preprod) | FUT saml-proxy for the eHealth pre-production environment.
6 | “T-SEB” | Note: to be used in the future when SEB and the Context Handler are directly connected. The name is not known by Systematic.

    The following screenshot shows the “Fælleskommunalt Administrationsmodul” user interface for creating data constraints and mandatory fields.

    ...

# | User-facing system | Data constraint name | EntityId (domain + “/constraint/” + filter + version) | Syntax validation
1 | DEVTEST | Careteam | http://ehealth.sundhed.dk/constraints/careteam/1 | UUID list (pattern below)
2 | INTTEST | Careteam | http://saml-proxy.inttest.ehealth.sundhed.dk/constraints/careteam/1 | UUID list (pattern below)
3 | EXTTEST, DEVENVCGI | Careteam | http://saml-proxy.exttest.ehealth.sundhed.dk/constraints/careteam/1 | UUID list (pattern below)
4 | TEST002 | Careteam | http://saml-proxy.test002.ehealth.sundhed.dk/constraints/careteam/1 | UUID list (pattern below)
5 | PREPROD | Careteam | http://saml-proxy.preprod.ehealth.sundhed.dk/constraints/careteam/1 | UUID list (pattern below)
6 | “T-SEB” (Note: name not known by Systematic) | Careteam (Note: does SEB require data constraint names to be prepended with “fut” or “eHealth”?) | http://exttest.ehealth.sundhed.dk/constraints/careteam/1 (Note: we assume constraints can be reused and have been named as a “FUT exttest” user-facing system) | UUID list (pattern below)

Syntax validation pattern, identical for all rows (a comma-separated list of version-4 UUIDs):

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

KOMBIT User system roles for the eHealth Infrastructure

The following screenshot shows the “Fælleskommunalt Administrationsmodul” user interface for creating user system roles and mandatory fields.

...

User system roles for the eHealth Infrastructure registered in KOMBIT STS Admin:

  • shall have an EntityId on the form <namespace><Domain> appended with <KOMBIT user system role name for the eHealth Infrastructure> and <version> (see below).

  • can have (and should have) a Danish name, which is the Danish designation (https://docs.ehealth.sundhed.dk/latest-released/igfhir/CodeSystem-ehealth-oio-bpp-roles.html) for the corresponding eHealth Infrastructure OIO BPP system role.

  • <Domain> shall reflect the eHealth Infrastructure environment for which the registration is made in the KOMBIT STS Admin. <Domain> shall be one of the following:

# | eHealth Infrastructure environment | <Domain>
1 | INTTEST | saml-proxy.inttest.ehealth.sundhed.dk
2 | EXTTEST, DEVENVCGI | saml-proxy.exttest.ehealth.sundhed.dk
3 | TEST002 | saml-proxy.test002.ehealth.sundhed.dk
4 | PREPROD | saml-proxy.preprod.ehealth.sundhed.dk
5 | PROD | ehealth.sundhed.dk
6 | “T-SEB” (Note: name not known by Systematic) | ehealth.seb.dk (Note: suggestion)

Note

If the set of eHealth Infrastructure environments that shall support municipal federation of authentication and authorization changes, the above list needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.

...

Mapping between KOMBIT user system roles and the corresponding OIO BPP roles

The KOMBIT user system role has a different format than the eHealth Infrastructure OIO BPP system roles. The following table shows each KOMBIT user system role, the corresponding OIO BPP role, and which data constraints are possible and which are mandatory.

Data constraint columns, in order: OIO data constraints (eHealth Exttest): STS Organisationsenhed, Careteam; OIO data constraints (Prod): Organisation, SOR Organisationsenhed, Careteam, SSL Organisationsenhed. The constraint cells are listed in that column order; empty cells are not shown.

KOMBIT user system role for the eHealth Infrastructure | eHealth Infrastructure OIO BPP system role | Data constraint cells
/roles/usersystemrole/order_placer/1 | urn:dk:sundhed:ehealth:role:order_placer | Mandatory, Mandatory, X
/roles/usersystemrole/citizen_enroller/1 | urn:dk:sundhed:ehealth:role:citizen_enroller | Mandatory, Mandatory, Mandatory, x, x
/roles/usersystemrole/careteam_administrator/1 | urn:dk:sundhed:ehealth:role:careteam_administrator | Mandatory, Mandatory, x
/roles/usersystemrole/incident_reporter/1 | urn:dk:sundhed:eHealth:role:incident_reporter | Mandatory, Mandatory, Mandatory, x, x
/roles/usersystemrole/clinical_viewer/1 | urn:dk:sundhed:eHealth:role:clinical_viewer | Mandatory, Mandatory, Mandatory, x
/roles/usersystemrole/clinical_supporter/1 | urn:dk:sundhed:eHealth:role:clinical_supporter | Mandatory, Mandatory, Mandatory, x
/roles/usersystemrole/monitoring_assistor/1 | urn:dk:sundhed:eHealth:role:monitoring_assistor | Mandatory, Mandatory, Mandatory, x, x
/roles/usersystemrole/monitoring_adjuster/1 | urn:dk:sundhed:eHealth:role:monitoring_adjuster | Mandatory, Mandatory, Mandatory, x, X
/roles/usersystemrole/report_user/1 | urn:dk:sundhed:ehealth:role:report_user | Mandatory, Mandatory, x, x
/roles/usersystemrole/clinical_administrator/1 | urn:dk:sundhed:eHealth:role:clinical_administrator | Mandatory, Mandatory, x
/roles/usersystemrole/service_and_logistics/1 | urn:dk:sundhed:eHealth:role:service_and_logistics | Mandatory, Mandatory, x, x
/roles/usersystemrole/questionnaire_editor/1 | urn:dk:sundhed:eHealth:role:questionnaire_editor | Mandatory, Mandatory, x
/roles/usersystemrole/incident_manager/1 | urn:dk:sundhed:eHealth:role:incident_manager | Mandatory, Mandatory, x, x
/roles/usersystemrole/terminology_administrator/1 | urn:dk:sundhed:eHealth:role:terminology_administrator | Mandatory
/roles/usersystemrole/ssl_catalogue_responsible/1 | urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible | Mandatory, x, x
/roles/usersystemrole/ssl_catalogue_annotator/1 | urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator | Mandatory, x, x
/roles/usersystemrole/ssl_contract_responsible/1 | urn:dk:sundhed:eHealth:role:ssl_contract_responsible |

eHealth Infrastructure User system roles for FUT Proxy (exttest)

<KOMBIT role name for the eHealth Infrastructure> shall be one from the list below:

The table shows the KOMBIT user system role and the possible data constraints, which are mandatory for “FUT Proxy (exttest)”. Data constraint columns (EXTTEST), in order: STS Organisationsenhed, Careteam; empty cells are not shown.

KOMBIT user system role for the eHealth Infrastructure | Data constraint cells (EXTTEST)
/roles/usersystemrole/order_placer/1 | Mandatory
/roles/usersystemrole/citizen_enroller/1 | Mandatory, Mandatory
/roles/usersystemrole/careteam_administrator/1 | Mandatory
/roles/usersystemrole/incident_reporter/1 | Mandatory, Mandatory
/roles/usersystemrole/clinical_viewer/1 | Mandatory, Mandatory
/roles/usersystemrole/clinical_supporter/1 | Mandatory, Mandatory
/roles/usersystemrole/monitoring_assistor/1 | Mandatory, Mandatory
/roles/usersystemrole/monitoring_adjuster/1 | Mandatory, Mandatory
/roles/usersystemrole/report_user/1 | Mandatory
/roles/usersystemrole/clinical_administrator/1 | Mandatory
/roles/usersystemrole/service_and_logistics/1 | Mandatory, Mandatory
/roles/usersystemrole/questionnaire_editor/1 | Mandatory
/roles/usersystemrole/incident_manager/1 | Mandatory, Mandatory
/roles/usersystemrole/terminology_administrator/1 | Mandatory
/roles/usersystemrole/ssl_catalogue_responsible/1 | Mandatory
/roles/usersystemrole/ssl_catalogue_annotator/1 | Mandatory
/roles/usersystemrole/ssl_contract_responsible/1 | Mandatory

eHealth Infrastructure User system roles for FUT Proxy (prod)

The table shows the KOMBIT user system role and the possible data constraints, which are mandatory for “FUT Proxy (prod)”. Data constraint columns, in order: Organisation, SOR Organisationsenhed, SSL Organisationsenhed, Careteam; empty cells are not shown.

KOMBIT user system role for the eHealth Infrastructure | Data constraint cells (PROD)
/roles/usersystemrole/order_placer/1 | Mandatory, Optional
/roles/usersystemrole/citizen_enroller/1 | Mandatory, Optional, Optional
/roles/usersystemrole/careteam_administrator/1 | Mandatory, Optional
/roles/usersystemrole/incident_reporter/1 | Mandatory, Optional, Optional
/roles/usersystemrole/clinical_viewer/1 | Mandatory, Optional
/roles/usersystemrole/clinical_supporter/1 | Mandatory, Optional
/roles/usersystemrole/monitoring_assistor/1 | Mandatory, Optional, Optional
/roles/usersystemrole/monitoring_adjuster/1 | Mandatory, Optional, Optional
/roles/usersystemrole/report_user/1 | Mandatory, Optional, Optional
/roles/usersystemrole/clinical_administrator/1 | Mandatory, Optional
/roles/usersystemrole/service_and_logistics/1 | Optional, Optional
/roles/usersystemrole/questionnaire_editor/1 | Mandatory, Optional
/roles/usersystemrole/incident_manager/1 | Optional, Optional
/roles/usersystemrole/terminology_administrator/1 |
/roles/usersystemrole/ssl_catalogue_responsible/1 | Optional, Optional
/roles/usersystemrole/ssl_catalogue_annotator/1 | Optional, Optional
/roles/usersystemrole/ssl_contract_responsible/1 | Optional, Optional

eHealth Infrastructure User system roles for T-SEB (consolidated)

The table shows the KOMBIT user system role, the corresponding OIO BPP roles, and which data constraints are possible and which are mandatory for “T-SEB”.

Note

When SEB is used as a user-facing system, role names may not contain underscores, and names may be prepended with “eHealth” or “FUT”.

Note on the KOMBIT user system role names below: likely to be changed. Remove underscores and prepend with “ehealth” or “fut”.

KOMBIT user system role for the eHealth Infrastructure | Organisation (http://sts.kombit.dk/constraints/orgenhed/1) | Careteam
/roles/usersystemrole/order_placer/1 | Mandatory | Mandatory
/roles/usersystemrole/citizen_enroller/1 | Mandatory | Mandatory
/roles/usersystemrole/careteam_administrator/1 | Mandatory | Optional
/roles/usersystemrole/incident_reporter/1 | Mandatory | Optional
/roles/usersystemrole/clinical_viewer/1 | Mandatory | Mandatory
/roles/usersystemrole/clinical_supporter/1 | Mandatory | Optional
/roles/usersystemrole/monitoring_assistor/1 | Mandatory | Mandatory
/roles/usersystemrole/monitoring_adjuster/1 | Mandatory | Mandatory
/roles/usersystemrole/report_user/1 | Mandatory | Optional
/roles/usersystemrole/clinical_administrator/1 | Mandatory | Optional
/roles/usersystemrole/service_and_logistics/1 | Mandatory | Optional
/roles/usersystemrole/questionnaire_editor/1 | Mandatory | Optional
/roles/usersystemrole/incident_manager/1 | Mandatory | Optional
/roles/usersystemrole/terminology_administrator/1 | Mandatory | Optional
/roles/usersystemrole/ssl_catalogue_responsible/1 | Mandatory | Optional
/roles/usersystemrole/ssl_catalogue_annotator/1 | Mandatory | Optional
/roles/usersystemrole/ssl_contract_responsible/1 | Mandatory | Optional

Note

If the OIO BPP system roles listed above deviate from the list of eHealth Infrastructure OIO BPP system roles described in https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/291176482/Tokens+Roles+and+RBAC+ABAC#Privilege-Roles, the above list needs to be updated.

In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy (https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2172125189/SAML+Proxy#Mapning-af-privilegier-og-constraints).
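As an added illustration (not the SAML Proxy's own code), the following shows how the role mapping described above can be applied to a subset of the T-SEB table: KOMBIT user system role EntityIds are translated to OIO BPP roles, assertions whose mandatory data constraints are missing are reported as errors, and the Careteam value is checked against the page's UUID-list pattern in anchored form. It assumes “http://” as the <namespace> and the EXTTEST domain; ROLE_TABLE, translate and the sample values are constructed for this example.

```python
import re

# EXTTEST domain from the domain table above; "http://" as <namespace> is an assumption.
DOMAIN = "saml-proxy.exttest.ehealth.sundhed.dk"
ROLE_PREFIX = f"http://{DOMAIN}/roles/usersystemrole/"
CARETEAM_CONSTRAINT = f"http://{DOMAIN}/constraints/careteam/1"
ORG_CONSTRAINT = "http://sts.kombit.dk/constraints/orgenhed/1"

# Careteam syntax-validation pattern as listed on the page (comma-separated version-4
# UUIDs). fullmatch() anchors it so nothing can trail the last UUID; note that the
# page's leading "+" also accepts UUIDs run together without a comma.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}"
CARETEAM_RE = re.compile(rf"({UUID})+(,\s*{UUID})*")

# Subset of the "T-SEB (consolidated)" table: KOMBIT role name ->
# (OIO BPP role, Careteam mandatory?). Organisation is mandatory for every row.
ROLE_TABLE = {
    "order_placer": ("urn:dk:sundhed:ehealth:role:order_placer", True),
    "citizen_enroller": ("urn:dk:sundhed:ehealth:role:citizen_enroller", True),
    "careteam_administrator": ("urn:dk:sundhed:ehealth:role:careteam_administrator", False),
    "report_user": ("urn:dk:sundhed:ehealth:role:report_user", False),
}

def parse_role(entity_id):
    """Split a KOMBIT user system role EntityId into (name, version); None if not ours."""
    if not entity_id.startswith(ROLE_PREFIX):
        return None
    name, sep, version = entity_id[len(ROLE_PREFIX):].partition("/")
    if not sep or not version.isdigit():
        return None
    return name, int(version)

def careteam_ids(value):
    """Return the CareTeam UUIDs in a constraint value, or None if it fails validation."""
    if value is None or not CARETEAM_RE.fullmatch(value):
        return None
    return [v.strip() for v in value.split(",")]

def translate(user_system_roles, constraints):
    """Map KOMBIT roles plus data constraints to OIO BPP roles.

    Returns (oio_bpp_roles, errors). Any error means the whole assertion
    should be rejected; never grant only the roles that happened to pass.
    """
    roles, errors = [], []
    org = constraints.get(ORG_CONSTRAINT)
    teams = careteam_ids(constraints.get(CARETEAM_CONSTRAINT))
    if CARETEAM_CONSTRAINT in constraints and teams is None:
        errors.append("Careteam constraint failed syntax validation")
    for entity_id in user_system_roles:
        parsed = parse_role(entity_id)
        if parsed is None or parsed[1] != 1 or parsed[0] not in ROLE_TABLE:
            errors.append(f"unknown user system role: {entity_id}")
            continue  # unknown roles are reported, not silently dropped
        oio_role, careteam_mandatory = ROLE_TABLE[parsed[0]]
        if not org:
            errors.append(f"{parsed[0]}: mandatory Organisation constraint missing")
        if careteam_mandatory and not teams:
            errors.append(f"{parsed[0]}: mandatory Careteam constraint missing")
        roles.append(oio_role)
    return roles, errors
```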

Getting municipal employee CPR

To allow regional and municipal employees to access national healthcare solutions from the FUT Infrastructure, their CPR information is required. The Infrastructure receives CPR for regional employees directly from SEB; for municipal employees, however, CPR must be obtained from Kombit FK Org. This is done through the internal OS2Sync service* running on the Infrastructure. OS2Sync uses BrugerService and PersonService version 6 of Kombit FK Org Version 3.2.

*The image used on the FUT Infrastructure can be found on Docker Hub and the source code on GitHub (OS2Sync).