Note |
---|
The KOMBIT Context handler implementation currently only support privileges and constraints addressed in the form http: and not also in the urn: form as stated in the OIO-BPP documentation (section “Representation and processing of Privileges (normative)“). Because of this and the fact that all privileges roles in the eHealth Infrastructure has been stated in the urn: form the following precautions must be taken in the OIO-BPP block when constructed by the local IdP in the municipalities situated behind the KOMBIT Context handler:. |
Note |
---|
OIO BPP block below illustrates an example of what is expected by the eHealth Infrastructure: |
Code Block |
---|
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
<Constraint Name="urn:dk:kombit:orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
<Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
<Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
</PrivilegeGroup>
</bpp:PrivilegeList> |
|
Note |
---|
The following is how local IdP administrators should express it: |
...
Note |
---|
Notice how the value of Constraint Name and the value of Privilege differ as they are expressed in the form http: |
A component outside the eHealth Infrastructure (FUT proxyThe eHealth service SAML proxy (SAML Proxy ) is responsible for the conversion to the form expected by the eHealth Infrastructure.
See also general rules for BPP here: Basic Privilege Profile - eHealth Infrastructure Wiki - Confluence (atlassian.net)