OIO-BPP URI naming precautions for municipalities
The KOMBIT Context handler implementation currently only supports privileges and constraints addressed in the http: form, and not also in the urn: form as stated in the OIO-BPP documentation (section "Representation and processing of Privileges (normative)").
Because of this, and because roles in the eHealth Infrastructure are stated in the urn: form, the following precautions must be taken in the OIO-BPP block constructed by the local IdP in municipalities situated behind the KOMBIT Context handler.
The OIO-BPP block below illustrates what the eHealth Infrastructure expects:
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:kombit:orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>
The following is how local IdP administrators should express the same block (http: form, which is what the Context handler passes through):
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="http://ehealth.sundhed.dk/contraints/orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
    <Constraint Name="http://ehealth.sundhed.dk/contraints/careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>http://sundhed.dk/ehealth/role/monitoring_assistor</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>
The eHealth service SAML proxy (SAML Proxy) is responsible for converting the http: form back to the urn: form expected by the eHealth Infrastructure.
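The two checks a municipality or proxy operator would want around this conversion are: (1) does the block the local IdP emits contain any urn: identifiers that the Context handler will not handle, and (2) does the rewrite from http: to urn: only ever produce identifiers that are actually known, rather than passing unknown names through. The script below is an added example and is not the SAML Proxy's own code; the mapping table is constructed from the two blocks on this page only, and the real proxy's table is assumed to be larger. The sample block is the municipality form from this page.

```python
import xml.etree.ElementTree as ET

BPP_NS = "http://itst.dk/oiosaml/basic_privilege_profile"
ET.register_namespace("bpp", BPP_NS)

# Mapping from the http: form used by municipal IdPs to the urn: form the
# eHealth Infrastructure expects. Constructed from the two example blocks on
# this page; the SAML Proxy's real mapping table is assumed and not shown here.
CONSTRAINT_MAP = {
    "http://ehealth.sundhed.dk/contraints/orgUnit": "urn:dk:kombit:orgUnit",
    "http://ehealth.sundhed.dk/contraints/careteam": "urn:dk:sundhed:ehealth:careteam",
}
PRIVILEGE_MAP = {
    "http://sundhed.dk/ehealth/role/monitoring_assistor":
        "urn:dk:sundhed:ehealth:role:monitoring_assistor",
}

# Constructed sample input: the block a local IdP behind the Context handler
# should emit (identical in content to the http: form block on this page).
MUNICIPALITY_BPP = """<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="http://ehealth.sundhed.dk/contraints/orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
    <Constraint Name="http://ehealth.sundhed.dk/contraints/careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>http://sundhed.dk/ehealth/role/monitoring_assistor</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>"""


def find_urn_identifiers(bpp_xml: str) -> list:
    """Return every Constraint Name and Privilege value written in the urn: form.

    A non-empty result for a block built by a municipal IdP means the Context
    handler will not pass those entries through, so the block must be fixed.
    """
    root = ET.fromstring(bpp_xml)
    offenders = []
    # PrivilegeGroup and its children carry no namespace in the OIO-BPP blocks
    # on this page, so they are addressed by bare tag name.
    for group in root.iter("PrivilegeGroup"):
        for constraint in group.findall("Constraint"):
            name = constraint.get("Name", "")
            if name.startswith("urn:"):
                offenders.append(name)
        for privilege in group.findall("Privilege"):
            value = (privilege.text or "").strip()
            if value.startswith("urn:"):
                offenders.append(value)
    return offenders


def convert_to_ehealth_form(bpp_xml: str) -> str:
    """Rewrite http: identifiers to the urn: form the eHealth Infrastructure expects.

    The conversion fails closed: an identifier missing from the mapping raises
    instead of being copied through, so a mistyped constraint or role name at
    the IdP cannot silently reach the eHealth Infrastructure as a new name.
    """
    root = ET.fromstring(bpp_xml)
    for group in root.iter("PrivilegeGroup"):
        for constraint in group.findall("Constraint"):
            name = constraint.get("Name", "")
            if name not in CONSTRAINT_MAP:
                raise ValueError(f"unknown constraint name: {name!r}")
            constraint.set("Name", CONSTRAINT_MAP[name])
        for privilege in group.findall("Privilege"):
            value = (privilege.text or "").strip()
            if value not in PRIVILEGE_MAP:
                raise ValueError(f"unknown privilege: {value!r}")
            privilege.text = PRIVILEGE_MAP[value]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("urn: identifiers in municipality block:", find_urn_identifiers(MUNICIPALITY_BPP))
    print(convert_to_ehealth_form(MUNICIPALITY_BPP))
```

Run `find_urn_identifiers` against the block a local IdP produces before deploying it; an empty list confirms nothing is in the urn: form. Running it again on the converted output lists exactly the three urn: identifiers from the first block on this page, which is what the eHealth Infrastructure sees after the SAML Proxy.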
See also the general rules for BPP here: Basic Privilege Profile - eHealth Infrastructure Wiki - Confluence (atlassian.net)