
The SAML Proxy is a component in the Municipal IdP flow that sits between the KOMBIT Context Handler and the eHealth Keycloak authorization server.

The service is an eHealth service and is responsible for enriching the SAML tokens from the Municipal IdP:

  • Map SAML Attributes from the municipal KOMBIT Context Handler

  • Consolidate privileges

  • Enrich SAML attributes with, e.g., the employee's CPR number, based on a lookup in the KOMBIT FK Organisation system.

Note

UNDER CONSTRUCTION

Introduction

In the figure below, SAML Proxy sits between SEB and the Context Handler.

...


Documentation from Digital Identity

Digital Identity developed the original version of SAML Proxy. Their documentation is attached here:

Attached file: Konfiguration.docx

Extensions to SAML Proxy

The following descriptions cover extensions to the original SAML Proxy functionality.

Mapping of privileges and constraints

SAML Proxy maps privileges and the following constraints from the KOMBIT format to the eHealth infrastructure's OIO BPP SAML attribute names. In the KOMBIT format a name is an http URL whose host is one of the supported namespaces listed below and whose path is one of the paths in the table; the eHealth side uses URNs.

| KOMBIT format (path under a supported namespace)    | eHealth infrastructure OIO BPP SAML attribute name    |
|-----------------------------------------------------|-------------------------------------------------------|
| /constraints/careteam/1                             | urn:dk:sundhed:ehealth:careteam                       |
| /constraints/orgUnit/1                              | urn:dk:kombit:orgUnit                                 |
| /constraints/orgenhed/1                             | urn:dk:kombit:orgUnit                                 |
| /constraints/sorIdentifier/1                        | urn:dk:gov:saml:sorIdentifier                         |
| /constraints/sslOrg/1                               | urn:dk:kombit:sslOrg                                  |
| /roles/usersystemrole/order_placer/1                | urn:dk:sundhed:ehealth:role:order_placer              |
| /roles/usersystemrole/citizen_enroller/1            | urn:dk:sundhed:ehealth:role:citizen_enroller          |
| /roles/usersystemrole/careteam_administrator/1      | urn:dk:sundhed:ehealth:role:careteam_administrator    |
| /roles/usersystemrole/incident_reporter/1           | urn:dk:sundhed:ehealth:role:incident_reporter         |
| /roles/usersystemrole/clinical_viewer/1             | urn:dk:sundhed:ehealth:role:clinical_viewer           |
| /roles/usersystemrole/clinical_supporter/1          | urn:dk:sundhed:ehealth:role:clinical_supporter        |
| /roles/usersystemrole/monitoring_assistor/1         | urn:dk:sundhed:ehealth:role:monitoring_assistor       |
| /roles/usersystemrole/monitoring_adjuster/1         | urn:dk:sundhed:ehealth:role:monitoring_adjuster       |
| /roles/usersystemrole/report_user/1                 | urn:dk:sundhed:ehealth:role:report_user               |
| /roles/usersystemrole/clinical_administrator/1      | urn:dk:sundhed:ehealth:role:clinical_administrator    |
| /roles/usersystemrole/service_and_logistics/1       | urn:dk:sundhed:ehealth:role:service_and_logistics     |
| /roles/usersystemrole/questionnaire_editor/1        | urn:dk:sundhed:ehealth:role:questionnaire_editor      |
| /roles/usersystemrole/incident_manager/1            | urn:dk:sundhed:ehealth:role:incident_manager          |
| /roles/usersystemrole/terminology_administrator/1   | urn:dk:sundhed:ehealth:role:terminology_administrator |
| /roles/usersystemrole/ssl_catalogue_responsible/1   | urn:dk:sundhed:ehealth:role:ssl_catalogue_responsible |
| /roles/usersystemrole/ssl_catalogue_annotator/1     | urn:dk:sundhed:ehealth:role:ssl_catalogue_annotator   |
| /roles/usersystemrole/ssl_contract_responsible/1    | urn:dk:sundhed:ehealth:role:ssl_contract_responsible  |

Note that both /constraints/orgUnit/1 and /constraints/orgenhed/1 map to the same eHealth attribute, urn:dk:kombit:orgUnit.


...

SAML Proxy maps the KOMBIT-flavoured user system roles for the eHealth infrastructure listed at https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2211577858/Federated+Authentication+and+Authorization+for+Municipal+Users#KOMBIT-flavored-user-system-roles-for-the-eHealth-Infrastructure , so that a Constraint with the name:

The mapping supports the following namespaces (the host part of a KOMBIT-format name):

  • eHealth infrastructure environment INTTEST: saml-proxy.inttest.ehealth.sundhed.dk

  • eHealth infrastructure environment EXTTEST: saml-proxy.exttest.ehealth.sundhed.dk

  • eHealth infrastructure environment PREPROD: saml-proxy.preprod.ehealth.sundhed.dk

  • eHealth infrastructure environment TEST002: saml-proxy.test002.ehealth.sundhed.dk

  • eHealth infrastructure environment PROD: ehealth.sundhed.dk

  • For orgenhed/orgUnit the following is additionally supported: sts.kombit.dk - TBD: what is this?

Consolidation of privileges

...

Example:

Input:

```xml
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29189714">
	<Privilege>http://ehealth.sundhed.dk/roles/usersystemrole/citizen_enroller/1</Privilege>
	<Constraint Name="http://ehealth.sundhed.dk/constraints/orgUnit/1">c3e836da-403a-4a44-99f9-d4c85a15b861</Constraint>
	<Constraint Name="http://ehealth.sundhed.dk/constraints/sorIdentifier/1">b91314d5-3954-45c2-8f24-b984d6d9fdb9</Constraint>
</PrivilegeGroup>
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29189714">
	<Privilege>http://ehealth.sundhed.dk/roles/usersystemrole/careteam_administrator/1</Privilege>
	<Constraint Name="http://ehealth.sundhed.dk/constraints/orgUnit/1">c3e836da-403a-4a44-99f9-d4c85a15b861</Constraint>
	<Constraint Name="http://ehealth.sundhed.dk/constraints/sorIdentifier/1">b91314d5-3954-45c2-8f24-b984d6d9fdb9</Constraint>
</PrivilegeGroup>
```

Output (the two input groups have the same Scope and the same constraints, so they are merged into one group carrying both privileges; constraint and privilege names are mapped as in the table above):

```xml
<PrivilegeGroup xmlns="" Scope="urn:dk:gov:saml:cvrNumberIdentifier:29189714">
	<Constraint Name="urn:dk:gov:saml:sorIdentifier">b91314d5-3954-45c2-8f24-b984d6d9fdb9</Constraint>
	<Constraint Name="urn:dk:kombit:orgUnit">c3e836da-403a-4a44-99f9-d4c85a15b861</Constraint>
	<Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege>
	<Privilege>urn:dk:sundhed:ehealth:role:careteam_administrator</Privilege>
</PrivilegeGroup>
```
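As an added example (not the SAML Proxy's own code, which this page does not reproduce), the following Python performs the name mapping from the table in the previous section and the consolidation shown in the example above. A KOMBIT-format name is accepted only when its host is one of the supported namespaces and its path is an exact entry in the table, and two groups are merged only when their Scope and their full set of mapped constraints are identical. How the real proxy treats names it cannot map is not stated on the page; here they are handled fail-closed (an unknown privilege is dropped, and a group containing an unknown constraint is dropped entirely, because silently removing a constraint would widen the privilege). That fail-closed behaviour is an assumption of this example.

```python
# Added example (illustrative; not the SAML Proxy's own code): map KOMBIT-format
# privilege/constraint names to the eHealth OIO BPP attribute names from the page's
# table and consolidate PrivilegeGroups. Fail-closed handling of unknown names is
# an assumption of this example, not something the page states.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts from which KOMBIT-format names are accepted (the page's supported namespaces).
SUPPORTED_NAMESPACES = {
    "saml-proxy.inttest.ehealth.sundhed.dk", "saml-proxy.exttest.ehealth.sundhed.dk",
    "saml-proxy.preprod.ehealth.sundhed.dk", "saml-proxy.test002.ehealth.sundhed.dk",
    "ehealth.sundhed.dk",
}
ORGUNIT_PATHS = {"/constraints/orgUnit/1", "/constraints/orgenhed/1"}
ORGUNIT_EXTRA_NAMESPACES = {"sts.kombit.dk"}  # page: additionally supported for orgUnit only

CONSTRAINT_MAP = {
    "/constraints/careteam/1": "urn:dk:sundhed:ehealth:careteam",
    "/constraints/orgUnit/1": "urn:dk:kombit:orgUnit",
    "/constraints/orgenhed/1": "urn:dk:kombit:orgUnit",
    "/constraints/sorIdentifier/1": "urn:dk:gov:saml:sorIdentifier",
    "/constraints/sslOrg/1": "urn:dk:kombit:sslOrg",
}
ROLES = ["order_placer", "citizen_enroller", "careteam_administrator", "incident_reporter",
         "clinical_viewer", "clinical_supporter", "monitoring_assistor", "monitoring_adjuster",
         "report_user", "clinical_administrator", "service_and_logistics", "questionnaire_editor",
         "incident_manager", "terminology_administrator", "ssl_catalogue_responsible",
         "ssl_catalogue_annotator", "ssl_contract_responsible"]
PRIVILEGE_MAP = {f"/roles/usersystemrole/{r}/1": f"urn:dk:sundhed:ehealth:role:{r}" for r in ROLES}


def _split(name):
    """Split 'http://<namespace><path>' into (namespace, path); ('', '') if not URL-shaped."""
    u = urlparse(name.strip())
    if u.scheme not in ("http", "https") or not u.netloc:
        return "", ""
    return u.netloc.lower(), u.path


def map_constraint_name(name):
    """KOMBIT constraint name -> eHealth attribute name, or None unless an exact known name."""
    ns, path = _split(name)
    allowed = SUPPORTED_NAMESPACES | (ORGUNIT_EXTRA_NAMESPACES if path in ORGUNIT_PATHS else set())
    return CONSTRAINT_MAP.get(path) if ns in allowed else None


def map_privilege_name(name):
    """KOMBIT user system role -> eHealth role URN, or None unless an exact known name."""
    ns, path = _split(name)
    return PRIVILEGE_MAP.get(path) if ns in SUPPORTED_NAMESPACES else None


def consolidate(xml_fragment):
    """Map names and merge PrivilegeGroups that share Scope and the same mapped constraints.
    Returns a list of (scope, [(constraint_name, value), ...], [privilege, ...])."""
    root = ET.fromstring("<root>" + xml_fragment + "</root>")
    merged = {}
    for group in root.findall("PrivilegeGroup"):
        scope = group.get("Scope", "")
        constraints = []
        for c in group.findall("Constraint"):
            mapped = map_constraint_name(c.get("Name", ""))
            if mapped is None:
                # Dropping an unknown constraint would remove a restriction and so
                # widen the privilege; discard the whole group instead (assumption).
                constraints = None
                break
            constraints.append((mapped, (c.text or "").strip()))
        if constraints is None:
            continue
        privileges = [p for p in map(map_privilege_name, (e.text or "" for e in group.findall("Privilege"))) if p]
        if not privileges:
            continue  # nothing the eHealth side recognises: emit no group
        key = (scope, frozenset(constraints))
        entry = merged.setdefault(key, [scope, sorted(set(constraints)), []])
        for p in privileges:
            if p not in entry[2]:
                entry[2].append(p)
    return [tuple(e) for e in merged.values()]


def render(groups):
    """Serialise consolidated groups as OIO BPP PrivilegeGroup XML."""
    out = []
    for scope, constraints, privileges in groups:
        g = ET.Element("PrivilegeGroup", Scope=scope)
        for name, value in constraints:
            ET.SubElement(g, "Constraint", Name=name).text = value
        for p in privileges:
            ET.SubElement(g, "Privilege").text = p
        out.append(ET.tostring(g, encoding="unicode"))
    return "\n".join(out)


# The page's own input example: two groups, same Scope and constraints, different role.
GROUP_TEMPLATE = """<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29189714">
  <Privilege>http://ehealth.sundhed.dk/roles/usersystemrole/{role}/1</Privilege>
  <Constraint Name="http://ehealth.sundhed.dk/constraints/orgUnit/1">c3e836da-403a-4a44-99f9-d4c85a15b861</Constraint>
  <Constraint Name="http://ehealth.sundhed.dk/constraints/sorIdentifier/1">b91314d5-3954-45c2-8f24-b984d6d9fdb9</Constraint>
</PrivilegeGroup>"""
PAGE_INPUT = GROUP_TEMPLATE.format(role="citizen_enroller") + GROUP_TEMPLATE.format(role="careteam_administrator")

if __name__ == "__main__":
    print(render(consolidate(PAGE_INPUT)))
```

Running the block prints the consolidated group from the page's example: one PrivilegeGroup with the sorIdentifier and orgUnit constraints and both role URNs. Changing the orgUnit value in one of the two input groups yields two separate output groups, which is the property worth checking in any consolidation step: a privilege must never end up in a group whose constraints are broader than the ones it was issued with.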

...