...
The KOMBIT Context Handler created a SAML AuthnResponse based on registrations stored in the KOMBIT user administration system KOMBIT STS Administration (STS Admin or DK Admin for short).
The eHealth Infrastructure-hosted SAML Proxy- This service does tasks like substituting and translating KOMBIT-flavor SAML Attributes to ensure uniform OIOSAML OIO-BPP Attributes are provided to SEB. It also enhances OIOSAML Attributes by adding the employee's CPR number, obtained from the KOMBIT FK Organisation system.
Sundhedsvæsenets Elektroniske Brugerstyring (SEB) - This is the shared user administration platform for the Danish healthcare sector.
The eHealth Authorization Service (KeyCloak) - When the KOMBIT NSIS Context Handler can connect directly with SEB and , the SAML-proxy is removed from the flow. The KeyCloak service shall then modify and adapt KOMBIT-style SAML Attributes to ensure they match the uniform OIOSAML OIO-BPP Attributes used.
...
KOMBIT Terms and Concepts
...
The following terms are used in registrations in “Fælleskommunalt Administrationsmodul” (KOMBIT STS Admin):
Term | Description |
|---|---|
Usersystem User system (Danish: Brugervendt system) | An IT system that provides an access-controlled user interface, A user - system registered in the KOMBIT STS admin enables it to use KOMBIT systems for access control of end-users. |
Usersystem User system role (Danish: Brugersystemrolle) | Grouping of rights or permissions that define access and access restrictions to a specific user-facing system
|
Data constraint (Danish: Dataafgrænsning) | Restriction of a “user system role”, which narrows the system role's field of action |
Job function role (Danish: Jobfunktionsrolle) | Grouping of user system roles for an authority (e.g. municipality) used by the authority to assign access to the user. Each municipality shall maintain a set in KOMBIT STS Admin. Concerning eHealth Infrastructure, the job function role should comprise:
|
Registrations Required in Municipal KOMBIT Systems
eHealth Infrastructure as User-systems
For the KOMBIT external test environment the following eHealth environments The eHealth test environments use KOMBIT Context Handler for access control and therefore are registered as user-facing systems , and thereby use KOMBIT systems for access control:
...
in the FK Administration
...
System
system
The following eHealth environments are registered as user-facing systems in the KOMBIT external test:
Usersystem in FK Administration | System | |||
|---|---|---|---|---|
| 1 | FUT - SAML Proxy (devtest) | FUT saml-proxy for the internal Systematic Test Environment. | ||
| 2 | FUT - SAML Proxy (inttest) | FUT saml-proxy for the eHealth Internal Test Environment | ||
| 3 | FUT - SAML Proxy (exttest) | FUT saml-proxy for the eHealth External Test environment (exttest) and external development environment (devenvcgi). | ||
| 4 | FUT - SAML Proxy (test002) | FUT saml-proxy for the eHealth Education environment (TEST002) | ||
| 5 | FUT - SAML Proxy (preprod) | FUT saml-proxy for the eHealth pre-production environment | ||
| 6 | “T-SEB”
| T-SEB for all eHealth test (incl. pre-prod) environments. |
Similar registrations are made FUT-S has created similar registrations in the KOMBIT STS Admin FK Admininistratino in the KOMBIT production environment, . This only here has the sole SAML Proxy is in for the eHealth Infrastructure production environment (PROD).
Data constraints (Danish: “data afgrænsninger”)
The data constraints are which narrow the user system role. In eHealth Infrastructure, there are two data constraints in use:
CareTeam - a system-specific data constraint identifying a CareTeam. The optional for some user system roles, required for others (see below)
Organisation - CrossOrganisation—This is a cross-cutting (data constraint) identifying Organisation from KOMBIT FK Organisation. This data constraint is defined and maintained outside eHealth.
...
User-facing system | Data Constraint Name | EntityId (domain + “/constraint/”+ filter + version) | Syntax validation | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | DEVTEST | Careteam |
| ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* | |||||||
| 2 | INTTEST | Careteam |
| ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* | |||||||
| 3 | EXTTEST, DEVENVCGI | Careteam |
| ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* | |||||||
| 4 | TEST002 | Careteam |
| ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* | |||||||
| 5 | PREPROD | Careteam |
| ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* | |||||||
| 6 | “T-SEB”
| Careteam
|
| ([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})* |
...
shall have an EntityId on the form:
<Domain>appended with<KOMBIT role name for the eHealth Infrastructure>and<version>(see below).can have (and should have) a Danish name, the Danish designationhttps://docs.ehealth.sundhed.dk/latest-released/ig/fhir/CodeSystem-ehealth-oio-bpp-roles.html for the corresponding eHealth Infrastructure OIO BPP system role.
<Domain>shall reflect the eHealth Infrastructure environment for registration in the KOMBIT STS Admin. The<Domain>shall be one of the following:
eHealth Infrastructure Environment | Domain | |||||
|---|---|---|---|---|---|---|
| 1 | INTTEST |
| ||||
| 2 | EXTTEST, DEVENVCGI |
| ||||
| 3 | TEST002 |
| ||||
| 4 | PREPROD |
| ||||
| 5 | PROD |
| ||||
| 6 | “T-SEB”
|
|
| Note |
|---|
In case of change in what eHealth Infrastructure environments shall support municipal federation of authentication and authorization, the above list needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy. |
...
The table shows the KOMBIT user system role, the corresponding OIO BPP roles, and what data constraints are possible and which are mandatory for “T-SEB”.
| Note |
|---|
When the SEB is used as a user-facing system, it may not contain underscore, and names may be prepended “eHealth” or “FUT”. |
...
| Note |
|---|
If the OIO BPP system roles system listed above deviate from the list described inhttps://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/291176482/Tokens+Roles+and+RBAC+ABAC#Privilege-Roles, the above list needs to be updated. In addition, such a change needs to be implemented in the https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2172125189/SAML+Proxy#Mapning-af-privilegier-og-constraintsperformed by the SAML Proxy. |
Getting municipal employee CPR
To allow regional and municipal employees to access national healthcare solutions from the FUT Infrastructure their CPR information is required. The Infrastructure receive CPR for regional employees directly from SEB, however, for municipal employees, CPR must be obtained from Kombit FK Org. This is done through the internal OS2Sync service* running on the Infrastructure. OS2Sync uses BrugerService and PersonService version 6 of Kombit FK Org Version 3.2.
*The image used on the FUT Infrastructure can be found on dockerhub and the source code on GitHub OS2Sync.