The eHealth platform: purpose, implementation and current status
WS eHealth MediPrima
Service presentation
Access to the WS
Access to the web service "eCarmed":
• Certificate required (cf. schema eCarmed_WSDL_v1_0_4.zip)
• eHealth certificates: https://www.ehealth.fgov.be/fr/support/services-de-base/certificats-ehealth
• STS call (SSO)
21/08/2012
Operation available
ConsultCarmedIntervention: obtain information about the granted intervention (an electronic decision support) and, if applicable, an approval number that guarantees payment.
• Inputs:
- Cover identifier (eCarmed number)
- OR Patient identifier + period/reference date
• Outputs (if results exist):
- Medical card identifier
- Medical card content
- Approval number
Request specification
Request example
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:n1="http://kszbcss.fgov.be/intf/ECarmedService/v1">
    <soapenv:Header/>
    <soapenv:Body>
      <n1:ConsultCarmedInterventionRequest>
        <InformationCustomer>
          <Ticket>test BCSS</Ticket>
          <CustomerIdentification>
            <CbeNumber>0212344876</CbeNumber>
          </CustomerIdentification>
        </InformationCustomer>
        <LegalContext>rights eCarmed</LegalContext>
        <!-- lookup by patient SSIN and reference period (the alternative is the eCarmed cover identifier) -->
        <SelectionCriteria>
          <BySsin>
            <Ssin>87121528116</Ssin>
            <Period>
              <StartDate>2012-01-29</StartDate>
              <EndDate>2012-06-02</EndDate>
            </Period>
          </BySsin>
        </SelectionCriteria>
      </n1:ConsultCarmedInterventionRequest>
    </soapenv:Body>
  </soapenv:Envelope>
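The builder below is an added example in Go (it is not code from eHealth or the BCSS); it renders the ConsultCarmedInterventionRequest shown above from inputs it has validated first. The mod-97 check digits are the public Belgian rule for both the enterprise number (CbeNumber) and the SSIN, and both identifiers in the page's example pass it. Treating Ticket as mandatory, the period-ordering rule and the element layout are my reading of the example; the lookup by eCarmed cover identifier is not built because its element name is only in the WSDL, not on this page.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Namespaces exactly as used in the request example above.
const (
	soapNS    = "http://schemas.xmlsoap.org/soap/envelope/"
	eCarmedNS = "http://kszbcss.fgov.be/intf/ECarmedService/v1"
)

// mod97 is the Belgian check-digit rule shared by the enterprise number (CBE) and
// the SSIN: the last two digits must equal 97 - (body mod 97). ParseUint rejects
// signs and non-digits, so the length checks in the callers fix the digit count.
func mod97(body, check string) bool {
	n, err1 := strconv.ParseUint(body, 10, 64)
	c, err2 := strconv.ParseUint(check, 10, 64)
	return err1 == nil && err2 == nil && 97-n%97 == c
}

// ValidCBE: 10 digits, an 8-digit number followed by 2 check digits.
func ValidCBE(cbe string) bool {
	return len(cbe) == 10 && mod97(cbe[:8], cbe[8:])
}

// ValidSSIN: 11 digits; for people born from 2000 on, a "2" is prepended to the
// first 9 digits before the check is computed, so both variants are accepted.
func ValidSSIN(ssin string) bool {
	return len(ssin) == 11 && (mod97(ssin[:9], ssin[9:]) || mod97("2"+ssin[:9], ssin[9:]))
}

// Envelope mirrors the element layout of the request example; prefixed tag names
// make encoding/xml emit the same prefixes as the page.
type Envelope struct {
	XMLName   xml.Name `xml:"soapenv:Envelope"`
	SoapNS    string   `xml:"xmlns:soapenv,attr"`
	ECarmedNS string   `xml:"xmlns:n1,attr"`
	Header    struct{} `xml:"soapenv:Header"`
	Body      struct {
		Request ConsultRequest `xml:"n1:ConsultCarmedInterventionRequest"`
	} `xml:"soapenv:Body"`
}

type ConsultRequest struct {
	InformationCustomer struct {
		Ticket                 string `xml:"Ticket"`
		CustomerIdentification struct {
			CbeNumber string `xml:"CbeNumber"`
		} `xml:"CustomerIdentification"`
	} `xml:"InformationCustomer"`
	LegalContext      string `xml:"LegalContext"`
	SelectionCriteria struct {
		BySsin struct {
			Ssin   string `xml:"Ssin"`
			Period struct {
				StartDate string `xml:"StartDate"`
				EndDate   string `xml:"EndDate"`
			} `xml:"Period"`
		} `xml:"BySsin"`
	} `xml:"SelectionCriteria"`
}

// BuildBySsinRequest validates the caller's inputs, then renders the SOAP request for a
// ConsultCarmedIntervention lookup by SSIN and reference period. The lookup by eCarmed
// cover identifier is not built here: its element name is in the WSDL, not on the page.
func BuildBySsinRequest(ticket, cbe, legalContext, ssin string, start, end time.Time) ([]byte, error) {
	switch {
	case ticket == "": // assumed mandatory; the page gives no definition of Ticket
		return nil, errors.New("Ticket is required")
	case !ValidCBE(cbe):
		return nil, fmt.Errorf("CbeNumber %q fails the mod-97 check", cbe)
	case !ValidSSIN(ssin):
		return nil, fmt.Errorf("Ssin %q fails the mod-97 check", ssin)
	case end.Before(start):
		return nil, errors.New("Period: EndDate precedes StartDate")
	}
	var env Envelope
	env.SoapNS, env.ECarmedNS = soapNS, eCarmedNS
	r := &env.Body.Request
	r.InformationCustomer.Ticket = ticket
	r.InformationCustomer.CustomerIdentification.CbeNumber = cbe
	r.LegalContext = legalContext
	r.SelectionCriteria.BySsin.Ssin = ssin
	r.SelectionCriteria.BySsin.Period.StartDate = start.Format("2006-01-02")
	r.SelectionCriteria.BySsin.Period.EndDate = end.Format("2006-01-02")
	return xml.MarshalIndent(env, "", "  ")
}

func main() { // the page's own example values
	out, err := BuildBySsinRequest("test BCSS", "0212344876", "rights eCarmed", "87121528116",
		time.Date(2012, 1, 29, 0, 0, 0, 0, time.UTC), time.Date(2012, 6, 2, 0, 0, 0, 0, time.UTC))
	fmt.Println(string(out), err)
}
```

Rejecting malformed identifiers before the call keeps obviously broken requests (and the technical errors they would trigger) off the wire; the transport itself still needs the eHealth certificate described in the next slides, which this builder does not handle.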
Response specification
eHealth-Certificates: specifications
x509v3 certificate
Issued by GovernmentCA (fedict)
Current Subject specifications:
• CN = logical name of the certificate
• O = official name of the organization
• OU = type of identification no. (e.g. CBE / NIHII / …)
• SerialNumber = identification no. of the organization
SSO @ web services
SSO general principles (1/2)
Purpose
• Completes the "Integrated user and access management"
• Access to various services within a single session
Main features
• Supports ABAC and ZBAC principles
• Based on the SAML protocol
Terminology
• WSC: web service consumer
• WSP: web service provider
• STS: Secure Token Service
SSO general principles (2/2)
Flow diagram:
(1) WSC -> eHealth-platform Secure Token Service (STS): SAML REQUEST
(2) STS -> WSC: SAML RESPONSE
(3) WSC -> WSP 1 / WSP 2: SAML ASSERTION SIGNED BY EHEALTH + BUSINESS DATA + proof holder-of-key
STS Request/Response (1/5)
Description of the flows (1) and (2)
• Illustration with the set of attributes: recognized pharmacy, recognized pharmacist
• Other rules will be supported in the same way
• Attribute or access oriented
Flow diagram: (1) Hospital (WSC) -> eHealth-platform Secure Token Service (STS): SAML REQUEST; (2) STS -> Hospital: SAML RESPONSE; (3) Hospital -> WSP: SAML ASSERTION SIGNED BY EHEALTH + BUSINESS DATA + proof holder-of-key
STS Request/Response (2/5)
Request general structure
Header deals with 'security of the call to the STS service': x509 identification certificate
• eID
• eHealth certificate
• Federal Government
Example: x509 identification of the hospital
STS Request/Response (3/5)
Request: SAML elements
Confirmation method:
• Holder-of-Key
• Sender-Vouches
Subject:
• Identification Attr.
• Policy Attr.
• Attribute to confirm
Attribute type / Example (SAML assertion):
• claim: recognized general practitioner
• claim: recognized hospital
STS Request/Response (4/5)
Response general structure
General characteristics:
• global Status
• assertion signed by eHealth
• Response to requested claims
Example:
• claim: recognized general practitioner - TRUE
• claim: recognized hospital - TRUE
STS Request/Response (5/5)
Remarks
Attributes not certified
• Example:
- claim: recognized pharmacy - TRUE
- claim: recognized pharmacist - FALSE
Technical errors
• When an error occurs while processing the request:
- the request is aborted
- an error message is sent to the WSC
• Example:
- REQ-01: Checks on ConfirmationMethod failed
Time validity
• Each attribute is certified for a certain period
WSC/WSP communication (1/3)
Description of the flow (3)
• Illustration with the set of attributes: recognized hospital, recognized general practitioner
Flow diagram: (1) Hospital (WSC) -> eHealth-platform Secure Token Service (STS): SAML REQUEST; (2) STS -> Hospital: SAML RESPONSE; (3) Hospital -> WSP: SAML ASSERTION SIGNED BY EHEALTH + BUSINESS DATA + proof holder-of-key
WSC/WSP communication (2/3)
Request general structure
Header deals with 'security of the call to the WSP service': identification based on the SAML assertion
Example: SAML assertion delivered by eHealth
WSC/WSP communication (3/3)
Remark
Verifications to perform by the WSP:
• Validity of the x509 certificate
- Certificate Revocation List (CRL)
- Trusted Certificate Authority
• Check the SAML assertion
- Signed by eHealth
- Assertion still valid (cf. Time validity)
• Check the Holder-Of-Key profile
- SAML assertion & x509 certificate must match
• and, obviously, its further access rules
SSO specification
The SAML token request is secured with the eHealth certificate of the NIHII organization. The certificate used by the Holder-Of-Key verification mechanism is the same eHealth certificate.
Needed attributes (AttributeNamespace: "urn:be:fgov:identificationnamespace"):
- urn:be:fgov:person:ssin (social security identification number of the person)
- urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number
Information which must be asserted by eHealth (AttributeNamespace: "urn:be:fgov:certifiednamespace:ehealth"):
- urn:be:fgov:person:ssin (social security identification number of the person)
- urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number:recognisedhopsital:nihii11 (NIHII number of the organization)
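As an added, self-contained illustration of the STS response (certified claims with a validity period), the WSP-side verifications and the SSO specification's holder-of-key rule, the Go program below plays both sides: the STS issues an assertion bound to the caller's certificate and signed with the eHealth key, and the WSP runs the checks in the order of the "Verifications to perform by the WSP" slide. It is not eHealth's code. Simplifications that are mine: the assertion is JSON signed with Ed25519 rather than XML with an enveloped XML-DSig; the "GovernmentCA", STS and hospital certificates are generated on the fly and their NIHII numbers are made up; the SSIN is the test value from the request example; the final access rule (a certified hospital NIHII number must be present) is an assumed WSP policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Assertion stands in for the SAML assertion of flow (2): real eHealth tokens are XML-DSig-signed XML,
// but the checks the WSP must make on them are the same as on this form.
type Assertion struct {
	NotBefore, NotOnOrAfter time.Time
	HolderKey               [32]byte          // SHA-256 of the WSC's eHealth certificate (holder-of-key)
	Attributes              map[string]string // certified attributes, the page's "claims"
	Signature               []byte            `json:"-"` // STS signature, excluded from the signed bytes
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func signedBytes(a Assertion) []byte { return must(json.Marshal(a)) } // deterministic: sorted keys, RFC 3339 times

// Issue is the STS side: bind the assertion to the requester's certificate, then sign it.
func Issue(stsKey ed25519.PrivateKey, a Assertion, holder *x509.Certificate) Assertion {
	a.HolderKey = sha256.Sum256(holder.Raw)
	a.Signature = ed25519.Sign(stsKey, signedBytes(a))
	return a
}

// VerifyCall is the WSP side of flow (3), in the slide's order; any failure rejects the call
// before the business data is looked at.
func VerifyCall(a Assertion, presented, ca, sts *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool() // 1. x509: chains to the trusted CA and is not on a current, CA-signed CRL
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("x509 chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("x509: CRL untrusted or stale, refuse rather than guess")
	}
	for _, r := range crl.RevokedCertificates { // pre-Go 1.21 field name, still filled by the parser
		if r.SerialNumber.Cmp(presented.SerialNumber) == 0 {
			return fmt.Errorf("x509: certificate is revoked")
		}
	}
	pub, ok := sts.PublicKey.(ed25519.PublicKey) // 2. signed by eHealth: the STS certificate is pinned
	if !ok || !ed25519.Verify(pub, signedBytes(a), a.Signature) {
		return fmt.Errorf("saml: signature is not from the eHealth STS")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) { // 3. the assertion's own validity window
		return fmt.Errorf("saml: assertion outside its validity period")
	}
	if a.HolderKey != sha256.Sum256(presented.Raw) { // 4. holder-of-key, else a captured token can be replayed
		return fmt.Errorf("holder-of-key: presented certificate is not the assertion's subject key")
	}
	if a.Attributes["urn:be:fgov:ehealth:1.0:hospital:nihii-number"] == "" { // 5. the WSP's own access rule (assumed)
		return fmt.Errorf("access: no certified hospital NIHII number")
	}
	return nil
}

// issue makes a certificate on a fresh Ed25519 key; parent == nil means a self-signed CA.
func issue(serial int64, subj pkix.Name, parent *x509.Certificate, signer ed25519.PrivateKey, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent, signer = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios builds a throw-away PKI (GovernmentCA, STS cert, three hospital certs, one revoked) and runs
// VerifyCall over the valid call and four calls a WSP must reject. Subjects follow the certificate slide
// (OU = identification type, SerialNumber = the number); the NIHII numbers are made up.
func Scenarios(now time.Time) map[string]error {
	ca, caKey := issue(1, pkix.Name{CommonName: "GovernmentCA (constructed)"}, nil, nil, now)
	sts, stsKey := issue(2, pkix.Name{CommonName: "eHealth STS (constructed)"}, ca, caKey, now)
	hosp, _ := issue(3, pkix.Name{OrganizationalUnit: []string{"NIHII"}, SerialNumber: "71000000"}, ca, caKey, now)
	other, _ := issue(4, pkix.Name{OrganizationalUnit: []string{"NIHII"}, SerialNumber: "71000001"}, ca, caKey, now)
	revoked, _ := issue(5, pkix.Name{OrganizationalUnit: []string{"NIHII"}, SerialNumber: "71000002"}, ca, caKey, now)
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey))))
	a := Assertion{NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(time.Hour), Attributes: map[string]string{
		"urn:be:fgov:person:ssin":                       "87121528116", // attribute names from the "SSO specification" slide
		"urn:be:fgov:ehealth:1.0:hospital:nihii-number": "71000000",
	}}
	tok, revTok := Issue(stsKey, a, hosp), Issue(stsKey, a, revoked)
	forged := tok // genuine signature, edited claims
	forged.Attributes = map[string]string{"urn:be:fgov:ehealth:1.0:hospital:nihii-number": "71000001"}
	return map[string]error{
		"valid":             VerifyCall(tok, hosp, ca, sts, crl, now),
		"replayed by other": VerifyCall(tok, other, ca, sts, crl, now),
		"revoked cert":      VerifyCall(revTok, revoked, ca, sts, crl, now),
		"expired assertion": VerifyCall(tok, hosp, ca, sts, crl, now.Add(2*time.Hour)),
		"tampered claims":   VerifyCall(forged, hosp, ca, sts, crl, now),
	}
}

func main() { for n, e := range Scenarios(time.Now()) { fmt.Printf("%-18s -> %v\n", n, e) } }
```

The valid call returns nil and each rejected call returns the error from the check that caught it. Two design points worth keeping in a real WSP: the STS signing certificate is pinned rather than accepted as "any certificate under the GovernmentCA", and a CRL that is unsigned or past its NextUpdate fails closed, so an unreachable distribution point cannot silently disable revocation checking.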