Versions Compared

Old Version 2

changes.mady.by.user Jens Kristian Villadsen

Saved on

compared with

New Version Current

changes.mady.by.user John Schneider

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: minor changes to links
Note

The KOMBIT Context handler implementation currently only support privileges and constraints addressed in the form http: and not also in the urn: form as stated in the OIO-BPP documentation (section “Representation and processing of Privileges (normative)“).

Because of this and the fact that roles in the eHealth Infrastructure has been stated in the urn: form the following precautions must be taken in the OIO-BPP block when constructed by the local IdP in the municipalities situated behind the KOMBIT Context handler.

Note

OIO BPP block below illustrates an example of what is expected by the eHealth Infrastructure:

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:kombit:orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
        <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>
Note

The following is how local IdP administrators should express it:

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="http://ehealth.sundhed.dk/contraints/orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
        <Constraint Name="http://ehealth.sundhed.dk/contraints/careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>http://sundhed.dk/ehealth/role/monitoring_assistor</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>
Note

Notice how the value of Constraint Name and the value of Privilege differ as they are expressed in the form http:

The eHealth service SAML proxy (SAML Proxy ) is responsible for the conversion to the form expected by the eHealth Infrastructure.

See also general rules for BPP here: Basic Privilege Profile - eHealth Infrastructure Wiki - Confluence (atlassian.net)