Description of federated authentication and authorization for Municipal Users using SEB and KOMBIT ConcextHandler.

Authorization Flow

When a client starts an OIDC Authorization Code Flow for a municipal user, it goes through the following federation process.

The sequence diagram for clinicians' logins, explained in https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/101122074/Login#Clinical-logins, shows how the OIDC Authorization Code Flow is redirected through a series of steps involving OIOSAML-based AuthNRequest and AuthNResponse.

Here's a summary of the responsibilities of the services involved:

The KOMBIT Context Handler created a SAML AuthnResponse based on registrations stored in the KOMBIT user administration system KOMBIT STS Administration (STS Admin or DK Admin for short).
The eHealth Infrastructure-hosted SAML Proxy - This service does tasks like substituting and translating KOMBIT-flavor SAML Attributes to ensure uniform OIOSAML OIO-BPP Attributes are provided to SEB. It also enhances OIOSAML Attributes by adding the employee's CPR number, obtained from the KOMBIT FK Organisation system.
Sundhedsvæsenets Elektroniske Brugerstyring (SEB) - This is the shared user administration platform for the Danish healthcare sector.
The eHealth Authorization Service (KeyCloak) - When the KOMBIT NSIS Context Handler can connect directly with SEB and the SAML-proxy is removed from the flow. The KeyCloak service shall then modify and adapt KOMBIT-style SAML Attributes to ensure they match the uniform OIOSAML OIO-BPP Attributes used.

Registrations Required in Municipal KOMBIT Systems

KOMBIT Terms and Concepts

The English terms used in the following do not constitute official, KOMBIT translations of the Danish terms used throughout KOMBIT documentation and systems. The Danish terms stem from section 3 in Brugervejledning til Administrationsmodulerne for leverandører.

The following terms are used in registrations in “Fælleskommunalt Administrationsmodul” (KOMBIT STS Admin):

Term

Description

User-facing system

(Danish: Brugervendt system)

An IT system that provides an access-controlled user interface,
accessed via a browser. That is, a system directly used by an enduser.

A user-facing system registered in the KOMBIT STS admin enables it to use KOMBIT systems for access control of end-users.

For the KOMBIT external test environment the following eHealth environments are registered as user-facing systems, and thereby use KOMBIT systems for access control:

“FUT - SAML Proxy (devtest)” for the internal Systematic Test Environment
“FUT - SAML Proxy (inttest)” for the eHealth Internal Test Environment
“FUT - SAML Proxy (exttest)” for the eHealth External Test environment and external development environment (devenvcgi).
“FUT - SAML Proxy (test002) for the eHealth Education environment (TEST002)
“FUT - SAML Proxy (preprod)” for the eHealth pre-production environment

Similar registrations are made in the KOMBIT STS Admin in the KOMBIT production environment, only here the sole SAML Proxy is in eHealth Infrastructure production environment (PROD).

User system role

(Danish: Brugersystemrolle)

Grouping of rights or permissions that define access and access restrictions to a specific user-facing system

For eHealth Infrastructure, these are KOMBIT-flavored versions of the eHealth Infrastructure OIO BPP system roles. See list of roles below

Data constraint

(Danish: Dataafgrænsning)

Restriction of a “user system role”, which narrows the system role's field of action

Concerning eHealth Infrastructure, these are:

System-specific data constraint

CareTeam - CareTeam identifier is optional for some user system roles, required for others (see below)

Cross-cutting (data constraint

Organisation - Organisation identifier from KOMBIT FK Organisation.

Job function role

(Danish: Jobfunktionsrolle)

Grouping of user system roles for an authority (e.g. municipality) used by the authority to assign access to the user.

Each municipality shall maintain a set in KOMBIT STS Admin.

Concerning eHealth Infrastructure, these comprise:

A collection of user system roles
An Organisation identifier
A possible CareTeam identifier

Data constraints (Danish: “data afgrænsninger”)

The data constraints are which narrow the user system role. In eHealth Infrastructure, there are two data constraints in use:

CareTeam - a system-specific data constraint identifying a CareTeam. The optional for some user system roles, required for others (see below)
Organisation - Cross-cutting (data constraint) identifying Organisation from KOMBIT FK Organisation.

	Usersystem	Name	EntityId	Syntax validation
1	DEVTEST	Careteam	http://ehealth.sundhed.dk/constraints/careteam/1	([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})
2	INTTEST	Careteam	http://saml-proxy.inttest.ehealth.sundhed.dk/constraints/careteam/1	([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})
3	EXTTEST, DEVENVCGI	Careteam	http://saml-proxy.exttest.ehealth.sundhed.dk/constraints/careteam/1	([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})
4	TEST002	Careteam	http://saml-proxy.test002.ehealth.sundhed.dk/constraints/careteam/1	([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})
5	PREPROD	Careteam	http://saml-proxy.preprod.ehealth.sundhed.dk/constraints/careteam/1	([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})

STS Admin User system roles for the eHealth Infrastructure

User system roles for the eHealth Infrastructure registered in KOMBIT STS Admin:

shall have an EntityId on the form: <namespace> appended with <KOMBIT user system role for the eHealth Infrastructure> (see below).
can have (and should have) a name in Danish which is the Danish designation https://docs.ehealth.sundhed.dk/latest-released/ig/CodeSystem-ehealth-oio-bpp-roles.html for the corresponding eHealth Infrastructure OIO BPP system role.

The <namespace> shall reflect the eHealth Infrastructure environment for registration in the KOMBIT STS Admin. The <namespace> shall be one of the following:

	eHealth Infrastructure Environment	<namespace>
1	INTTEST	`saml-proxy.inttest.ehealth.sundhed.dk`
2	EXTTEST, DEVENVCGI	`saml-proxy.exttest.ehealth.sundhed.dk`
3	TEST002	`saml-proxy.test002.ehealth.sundhed.dk`
4	PREPROD	`saml-proxy.preprod.ehealth.sundhed.dk`
5	PROD	`ehealth.sundhed.dk`

In case of change in what eHealth Infrastructure environments shall support municipal federation of authentication and authorization, the above list needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.

<KOMBIT user system role for the eHealth Infrastructure> shall be one from the list below:

The table shows the KOMBIT user system role, the corresponding OIO BPP roles, and what data constraints are possible and which are mandatory.

KOMBIT user system roles for the eHealth Infrastructure	eHealth Infrastructure OIO BPP system roles	Data constraints (EXTTEST) STS Organisationsenhed	Careteam	Data constraints (Prod) Organisation	SOR Organisationsenhed	SSL Organisationsenhed	Careteam
`/roles/usersystemrole/order_placer/1`	`urn:dk:sundhed:ehealth:role:order_placer`	Mandatory		Mandatory	X
`/roles/usersystemrole/citizen_enroller/1`	`urn:dk:sundhed:ehealth:role:citizen_enroller`	Mandatory	Mandatory	Mandatory	x		x
`/roles/usersystemrole/careteam_administrator/1`	`urn:dk:sundhed:ehealth:role:careteam_administrator`	Mandatory		Mandatory	x
`/roles/usersystemrole/incident_reporter/1`	`urn:dk:sundhed:eHealth:role:incident_reporter`	Mandatory	Mandatory	Mandatory	x		x
`/roles/usersystemrole/clinical_viewer/1`	`urn:dk:sundhed:eHealth:role:clinical_viewer`	Mandatory	Mandatory	Mandatory	x
`/roles/usersystemrole/clinical_supporter/1`	`urn:dk:sundhed:eHealth:role:clinical_supporter`	Mandatory	Mandatory	Mandatory	x
`/roles/usersystemrole/monitoring_assistor/1`	`urn:dk:sundhed:eHealth:role:monitoring_assistor`	Mandatory	Mandatory	Mandatory	x		x
`/roles/usersystemrole/monitoring_adjuster/1`	`urn:dk:sundhed:eHealth:role:monitoring_adjuster`	Mandatory	Mandatory	Mandatory	x		X
`/roles/usersystemrole/report_user/1`	`urn:dk:sundhed:ehealth:role:report_user`	Mandatory		Mandatory	x		x
`/roles/usersystemrole/clinical_administrator/1`	`urn:dk:sundhed:eHealth:role:clinical_administrator`	Mandatory		Mandatory	x
`/roles/usersystemrole/service_and_logistics/1`	`urn:dk:sundhed:eHealth:role:service_and_logistics`	Mandatory	Mandatory			x	x
`/roles/usersystemrole/questionnaire_editor/1`	`urn:dk:sundhed:eHealth:role:questionnaire_editor`	Mandatory		Mandatory	x
`/roles/usersystemrole/incident_manager/1`	`urn:dk:sundhed:eHealth:role:incident_manager`	Mandatory	Mandatory			x	x
`/roles/usersystemrole/terminology_administrator/1`	`urn:dk:sundhed:eHealth:role:terminology_administrator`	Mandatory
`/roles/usersystemrole/ssl_catalogue_responsible/1`	`urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible`	Mandatory				x	x
`/roles/usersystemrole/ssl_catalogue_annotator/1`	`urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator`	Mandatory				x	x
`/roles/usersystemrole/ssl_contract_responsible/1`	`urn:dk:sundhed:eHealth:role:ssl_contract_responsible`	Mandatory				x	x

If the OIO BPP system roles system listed above deviate from the list in eHealth Infrastructure OIO BPP system roles, the above list needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.

Federated Authentication and Authorization for Municipal Users

Authorization Flow

Registrations Required in Municipal KOMBIT Systems

KOMBIT Terms and Concepts

Data constraints (Danish: “data afgrænsninger”)

STS Admin User system roles for the eHealth Infrastructure