The eHealth infrastructure uses
...
...
_2 (digst.dk) to express user privileges as attributes in SAML Assertions.
The infrastructure also supports version 1.1; the only difference is the XML namespace of the schema:
Version | Namespace
---|---
1.1 |
1.2 |
Examples of PrivilegeList:

Example of PrivilegeList without careteam

```xml
<?xml version="1.0"?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:kombit:orgUnit">48df8b3d-56be-4f3a-bd0f-d3ade05348dd</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:clinical_administrator</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:questionnaire_editor</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>
```
Contents of a PrivilegeList

Note: Municipalities MUST follow the guidelines located here: OIO-BPP URI naming precautions for municipalities

A PrivilegeList must contain at least one PrivilegeGroup with Scope="urn:dk:gov:saml:cvrNumberIdentifier:<some number>".
A PrivilegeGroup has the following elements:

- Exactly one Constraint specifying an organization identifier (see Organization Constraints)
- At most one Constraint specifying a care team identifier (see Care Team Constraints)
- At least one Privilege element
Organization Constraints

An organization constraint identifies an Organization resource by an external identifier and type. There are three types of organizations:

SOR organizations:

- Identified by Constraints with Name attribute = "urn:dk:gov:saml:sorIdentifier" and value = {sor-id}
- Refers to FHIR Organization with Identifier.system = "urn:oid:1.2.208.176.1.1" and Identifier.value = {sor-id}

Example:

Constraint:

```xml
<Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>
```

Refers to Organization with:

```json
"Identifier": [{"system": "urn:oid:1.2.208.176.1.1", "value": "950531000016003"}]
```
STS organizations:

- Identified by Constraints with Name attribute = "urn:dk:kombit:orgUnit" and value = {sts-id}
- Refers to FHIR Organization with Identifier.system = "https://www.kombit.dk/sts/organisation" and Identifier.value = {sts-id}

Example:

...

Constraint:

```xml
<Constraint Name="urn:dk:kombit:orgUnit">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
```

Refers to Organization with:

```json
"Identifier": [{"system": "https://www.kombit.dk/sts/organisation", "value": "eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4"}]
```
SSL organizations:

- Identified by Constraints with Name attribute = "urn:dk:sundhed:ehealth:sslOrg" and value = {ssl-id}
- Refers to FHIR Organization with Identifier.system = "http://ehealth.sundhed.dk/organization/ssl" and Identifier.value = {ssl-id}

Example:

Constraint:

```xml
<Constraint Name="urn:dk:sundhed:ehealth:sslOrg">aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
```

Refers to Organization with:

```json
"Identifier": [{"system": "http://ehealth.sundhed.dk/organization/ssl", "value": "aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4"}]
```
Care Team Constraints

A care team constraint identifies a CareTeam resource by an external identifier.

...

Example:

Constraint:

```xml
<Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
```

Refers to CareTeam with:

```json
"Identifier": [{"system": "urn:ietf:rfc:3986", "value": "urn:uuid:cccccccc-b760-11e9-a2a3-2a2ae2dbcce4"}]
```
Privileges:
Allowed privileges:
Acceptance of PrivilegeList

This section describes different scenarios for eHealth Infrastructure acceptance of privilege lists:

```xml
<?xml version="1.0"?>
<PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897">
    ...
  </PrivilegeGroup>
</PrivilegeList>
```
The same <PrivilegeList> can contain both valid and invalid PrivilegeGroups. The valid ones can still be used even if the list also contains invalid ones. Each invalid group is reported in a list of "warnings" in the response from Keycloak's /contexts endpoint to the calling system.
# | Scenario | Handling
---|---|---
1 | Referenced Organization does not exist in the eHealth Infrastructure. Example | The entire Other
2 | Unknown privilege in PrivilegeGroup, e.g. the group contains a privilege like | The entire Other
3 | Unknown <Constraint> in <PrivilegeGroup>, e.g. | The Other
4 | Referenced CareTeam does not exist | The entire Other
5 | Referenced CareTeam is not active | The entire Other
6 | Referenced CareTeam "from date" is in the future | The
7 | Referenced sorIdentifier does not exist | The entire Other
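The structural rules above (CVR scope, exactly one organization Constraint, at most one care team Constraint, at least one Privilege, the Constraint-name-to-FHIR-Identifier mapping) and the valid/invalid group split that the /contexts response reports as warnings can be checked offline. The following is an added example, not the eHealth infrastructure's or Keycloak's own code. It assumes the FHIR identifier systems listed on this page; the `ALLOWED_PRIVILEGES` set is a hypothetical stand-in for the page's allowed-privileges list (which is not reproduced here) and only contains privileges that appear in the page's examples. Existence and active-state checks against FHIR resources (scenarios 1 and 4-7) need a FHIR server and are left out.

```python
# Added example (not the eHealth infrastructure's or Keycloak's own code): a
# PrivilegeList validator that follows the rules stated on this page.
import xml.etree.ElementTree as ET

# Constraint Name -> FHIR Identifier.system, as listed on the page.
ORG_CONSTRAINT_SYSTEMS = {
    "urn:dk:gov:saml:sorIdentifier": "urn:oid:1.2.208.176.1.1",
    "urn:dk:kombit:orgUnit": "https://www.kombit.dk/sts/organisation",
    "urn:dk:sundhed:ehealth:sslOrg": "http://ehealth.sundhed.dk/organization/ssl",
}
CARETEAM_CONSTRAINT = "urn:dk:sundhed:ehealth:careteam"
CARETEAM_SYSTEM = "urn:ietf:rfc:3986"   # CareTeam Identifier.value is urn:uuid:{id}
CVR_SCOPE_PREFIX = "urn:dk:gov:saml:cvrNumberIdentifier:"

# Hypothetical allow-list: the page does not reproduce its "Allowed privileges"
# list, so this only holds the privileges that occur in the page's examples.
ALLOWED_PRIVILEGES = {
    "urn:dk:sundhed:ehealth:role:clinical_administrator",
    "urn:dk:sundhed:ehealth:role:questionnaire_editor",
    "urn:dk:sundhed:ehealth:role:monitoring_assistor",
    "urn:dk:sundhed:ehealth:role:citizen_enroller",
}


def _local(tag):
    """Strip the namespace: the page's examples use both a bpp: prefix on the
    root with unprefixed children and a default namespace on every element."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def validate_group(group):
    """Check one PrivilegeGroup; return (parsed references, list of errors)."""
    errors = []
    scope = group.get("Scope", "")
    if not (scope.startswith(CVR_SCOPE_PREFIX) and scope[len(CVR_SCOPE_PREFIX):].isdigit()):
        errors.append(f"bad Scope {scope!r}")

    org_refs, team_refs = [], []
    for c in _children(group, "Constraint"):
        name, value = c.get("Name"), (c.text or "").strip()
        if name in ORG_CONSTRAINT_SYSTEMS:
            org_refs.append({"system": ORG_CONSTRAINT_SYSTEMS[name], "value": value})
        elif name == CARETEAM_CONSTRAINT:
            team_refs.append({"system": CARETEAM_SYSTEM, "value": "urn:uuid:" + value})
        else:
            errors.append(f"unknown Constraint {name!r}")  # scenario 3 on the page
    if len(org_refs) != 1:
        errors.append(f"expected exactly one organization Constraint, got {len(org_refs)}")
    if len(team_refs) > 1:
        errors.append(f"expected at most one care team Constraint, got {len(team_refs)}")

    privileges = [(p.text or "").strip() for p in _children(group, "Privilege")]
    if not privileges:
        errors.append("PrivilegeGroup has no Privilege element")
    errors += [f"unknown privilege {p!r}" for p in privileges if p not in ALLOWED_PRIVILEGES]  # scenario 2

    refs = {
        "scope": scope,
        "organization": org_refs[0] if org_refs else None,
        "careteam": team_refs[0] if team_refs else None,
        "privileges": privileges,
    }
    return refs, errors


def accept_privilege_list(xml_text):
    """Split a PrivilegeList into accepted groups and per-group warnings, mirroring
    the page's description of the /contexts response. Existence and active-state
    checks against FHIR (scenarios 1, 4-7) are outside this offline example."""
    # Parse with defusedxml in production, or only after the enclosing SAML
    # assertion's signature has been verified; plain ElementTree keeps this
    # example dependency-free.
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "PrivilegeList":
        raise ValueError("root element is not a PrivilegeList")
    groups = _children(root, "PrivilegeGroup")
    if not groups:
        raise ValueError("PrivilegeList must contain at least one PrivilegeGroup")
    accepted, warnings = [], []
    for index, group in enumerate(groups):
        refs, errors = validate_group(group)
        if errors:
            warnings.append({"group": index, "errors": errors, "parsed": refs})
        else:
            accepted.append(refs)
    return accepted, warnings


# Constructed input: the page's "without careteam" example plus a second group
# that carries an unknown Constraint and is therefore reported, not accepted.
SAMPLE = """<?xml version="1.0"?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:kombit:orgUnit">48df8b3d-56be-4f3a-bd0f-d3ade05348dd</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:clinical_administrator</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:questionnaire_editor</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
    <Constraint Name="urn:example:not-a-known-constraint">x</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>"""

if __name__ == "__main__":
    ok, warn = accept_privilege_list(SAMPLE)
    print("accepted:", ok)
    print("warnings:", warn)
```

Running the block accepts the first group (mapped to the STS organization identifier) and reports the second group with a single "unknown Constraint" error while still showing what was parsed from it, which is what a calling system needs in order to act on the warnings list instead of discarding the whole assertion.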