OIO-BPP URI naming precautions for municipalities
The KOMBIT Context handler implementation currently only supports privileges and constraints expressed in the http: form, not in the urn: form, as stated in the OIO-BPP documentation (section "Representation and processing of Privileges (normative)").
Because roles in the eHealth Infrastructure are defined in the urn: form, the following precautions must be taken when the OIO-BPP block is constructed by the local IdP in a municipality behind the KOMBIT Context handler.
The OIO-BPP block below illustrates what the eHealth Infrastructure expects to receive:
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
<Constraint Name="urn:dk:kombit:orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
<Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
<Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
</PrivilegeGroup>
</bpp:PrivilegeList>
The following is how local IdP administrators must express the same block, with every Constraint Name and Privilege in the http: form that the KOMBIT Context handler passes on (the Scope attribute is unchanged):
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
<Constraint Name="http://ehealth.sundhed.dk/contraints/orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
<Constraint Name="http://ehealth.sundhed.dk/contraints/careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
<Privilege>http://sundhed.dk/ehealth/role/monitoring_assistor</Privilege>
</PrivilegeGroup>
</bpp:PrivilegeList>
The eHealth authentication service (Keycloak) is responsible for converting the http: form back to the urn: form expected by the eHealth Infrastructure.
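As an added example (not code from the eHealth project, KOMBIT or Keycloak), the following Python script checks a PrivilegeList as a local IdP should emit it and shows the conversion to the urn: form. The mapping table is taken from the two blocks on this page; rejecting any identifier outside that table (fail closed) is a design choice of the example, not a documented behaviour of the authentication service.

```python
"""Check and convert an OIO-BPP PrivilegeList between the http: form that a
municipal IdP behind the KOMBIT Context handler must emit and the urn: form
that the eHealth Infrastructure expects.

Added example; not code from the eHealth project, KOMBIT or Keycloak.
The mapping table is taken from the two blocks on this page. Rejecting any
identifier outside that table (fail closed) is a design choice of this
example, not documented behaviour of the authentication service.
"""
import xml.etree.ElementTree as ET

BPP_NS = "http://itst.dk/oiosaml/basic_privilege_profile"
ET.register_namespace("bpp", BPP_NS)  # keep the bpp: prefix when serialising

# IdP (http:) form -> eHealth Infrastructure (urn:) form, as shown on this page.
CONSTRAINT_MAP = {
    "http://ehealth.sundhed.dk/contraints/orgUnit": "urn:dk:kombit:orgUnit",
    "http://ehealth.sundhed.dk/contraints/careteam": "urn:dk:sundhed:ehealth:careteam",
}
PRIVILEGE_MAP = {
    "http://sundhed.dk/ehealth/role/monitoring_assistor":
        "urn:dk:sundhed:ehealth:role:monitoring_assistor",
}

# Constructed sample input: the block a local IdP should emit (copied from this page).
IDP_BLOCK = """<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
<Constraint Name="http://ehealth.sundhed.dk/contraints/orgUnit">12345678-37a5-43c3-8e58-8b9ec5222b1c</Constraint>
<Constraint Name="http://ehealth.sundhed.dk/contraints/careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
<Privilege>http://sundhed.dk/ehealth/role/monitoring_assistor</Privilege>
</PrivilegeGroup>
</bpp:PrivilegeList>"""

# Constructed sample of the mistake this page warns about: the IdP emits urn: form.
URN_BLOCK = IDP_BLOCK
for http_form, urn_form in {**CONSTRAINT_MAP, **PRIVILEGE_MAP}.items():
    URN_BLOCK = URN_BLOCK.replace(http_form, urn_form)


def _parse(xml_text):
    """Parse a block and make sure it really is a bpp:PrivilegeList."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{BPP_NS}}}PrivilegeList":
        raise ValueError(f"not an OIO-BPP PrivilegeList: {root.tag}")
    return root


def check_idp_block(xml_text):
    """Return a list of problems with a block as the local IdP emits it.
    Every Constraint Name and Privilege must be in http: form (the only form the
    Context handler passes on) and must be one the mapping table knows."""
    problems = []
    for group in _parse(xml_text).findall("PrivilegeGroup"):
        for c in group.findall("Constraint"):
            name = c.get("Name", "")
            if name.startswith("urn:"):
                problems.append(f"Constraint {name!r} is in urn: form; use the http: form")
            elif name not in CONSTRAINT_MAP:
                problems.append(f"unknown Constraint {name!r}")
        for p in group.findall("Privilege"):
            value = (p.text or "").strip()
            if value.startswith("urn:"):
                problems.append(f"Privilege {value!r} is in urn: form; use the http: form")
            elif value not in PRIVILEGE_MAP:
                problems.append(f"unknown Privilege {value!r}")
    return problems


def to_ehealth_form(xml_text):
    """Rewrite Constraint Names and Privilege values to the urn: form.
    The Scope attribute is already a urn: and is left untouched. Unknown
    identifiers raise instead of being passed through, so a mistyped or
    foreign privilege URI never reaches the infrastructure unchanged."""
    root = _parse(xml_text)
    for group in root.findall("PrivilegeGroup"):
        for c in group.findall("Constraint"):
            name = c.get("Name", "")
            if name not in CONSTRAINT_MAP:
                raise ValueError(f"unknown Constraint {name!r}")
            c.set("Name", CONSTRAINT_MAP[name])
        for p in group.findall("Privilege"):
            value = (p.text or "").strip()
            if value not in PRIVILEGE_MAP:
                raise ValueError(f"unknown Privilege {value!r}")
            p.text = PRIVILEGE_MAP[value]
    return ET.tostring(root, encoding="unicode")


def privileges(xml_text):
    """Privilege values of a block, in document order."""
    return [(p.text or "").strip() for p in _parse(xml_text).iter("Privilege")]


def constraints(xml_text):
    """Constraint Name -> value for a block."""
    return {c.get("Name"): (c.text or "").strip() for c in _parse(xml_text).iter("Constraint")}


if __name__ == "__main__":
    print("IdP block problems:", check_idp_block(IDP_BLOCK))
    print("urn: block problems:", check_idp_block(URN_BLOCK))
    print(to_ehealth_form(IDP_BLOCK))
```

Running the script reports no problems for the http: block, three problems for the urn: block (two constraints and one privilege in the wrong form), and prints the converted block; the unused xsi namespace declaration is dropped by the serializer because nothing references it.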
See also the general rules for BPP here: Basic Privilege Profile