WS eHealth MediPrimaService presentation
21/08/2012
Access to the WS
Access to the web service “eCarmed”
• Certificate required
• Cf. schema: eCarmed_WSDL_v1_0_4.zip
eHealth certificates
• https://www.ehealth.fgov.be/fr/support/services-de-base/certificats-ehealth
STS call (SSO)
Operation available
ConsultCarmedIntervention: obtains information about the intervention granted (an electronic decision support) and, if applicable, an approval number that guarantees payment.
• Inputs:
- Cover identifier (eCarmed number)
- OR patient identifier + period / reference date
• Outputs (if results exist):
- Medical card identifier
- Medical card content
- Approval number
Request specification
Request example
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:n1="http://kszbcss.fgov.be/intf/ECarmedService/v1">
  <soapenv:Header/>
  <soapenv:Body>
    <n1:ConsultCarmedInterventionRequest>
      <InformationCustomer>
        <Ticket>test BCSS</Ticket>
        <CustomerIdentification>
          <CbeNumber>0212344876</CbeNumber>
        </CustomerIdentification>
      </InformationCustomer>
      <LegalContext>rights eCarmed</LegalContext>
      <SelectionCriteria>
        <BySsin>
          <Ssin>87121528116</Ssin>
          <Period>
            <StartDate>2012-01-29</StartDate>
            <EndDate>2012-06-02</EndDate>
          </Period>
        </BySsin>
      </SelectionCriteria>
    </n1:ConsultCarmedInterventionRequest>
  </soapenv:Body>
</soapenv:Envelope>
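The request above, assembled programmatically with input validation in front of it. This is an added example and not code from the presentation or from the eCarmed service: it builds the envelope with Python's standard ElementTree, checks that exactly one selection criterion is given and that the period is ordered, and validates the CbeNumber and Ssin with the mod-97 check used by the Belgian enterprise number and national registry number (the two identifiers on the slide both pass it). The element names for selection by eCarmed number (ByCarmedNumber / CarmedNumber) are an assumption, since the slide only shows the BySsin form, and the reference-date variant of the SSIN selection is not implemented.

```python
"""Client-side construction of a ConsultCarmedIntervention request (added example)."""
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://kszbcss.fgov.be/intf/ECarmedService/v1"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("n1", SVC_NS)


def _mod97_ok(digits: str, body_len: int, alt_prefix: str = "") -> bool:
    """Belgian mod-97 check: the last two digits must equal 97 - (body mod 97).
    alt_prefix covers SSINs of people born from 2000 on, whose body is
    prefixed with '2' before the modulo is taken."""
    if not digits.isdigit() or len(digits) != body_len + 2:
        return False
    body, check = digits[:body_len], int(digits[body_len:])
    candidates = [body] + ([alt_prefix + body] if alt_prefix else [])
    return any(97 - int(c) % 97 == check for c in candidates)


def valid_ssin(ssin: str) -> bool:
    """11-digit social security identification number (national registry number)."""
    return _mod97_ok(ssin, 9, alt_prefix="2")


def valid_cbe(cbe: str) -> bool:
    """10-digit enterprise number (Crossroads Bank for Enterprises)."""
    return _mod97_ok(cbe, 8)


def build_request(cbe: str, ticket: str, legal_context: str,
                  ecarmed_number: Optional[str] = None,
                  ssin: Optional[str] = None,
                  period: Optional[Tuple[str, str]] = None) -> str:
    """Return the SOAP envelope as a string, or raise ValueError on bad input."""
    if not valid_cbe(cbe):
        raise ValueError("CbeNumber fails the mod-97 check")
    if (ecarmed_number is None) == (ssin is None):
        raise ValueError("select either by eCarmed number or by SSIN, not both")

    env = ET.Element("{%s}Envelope" % SOAP_NS)
    ET.SubElement(env, "{%s}Header" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}ConsultCarmedInterventionRequest" % SVC_NS)

    info = ET.SubElement(req, "InformationCustomer")
    ET.SubElement(info, "Ticket").text = ticket
    ET.SubElement(ET.SubElement(info, "CustomerIdentification"), "CbeNumber").text = cbe
    ET.SubElement(req, "LegalContext").text = legal_context

    crit = ET.SubElement(req, "SelectionCriteria")
    if ssin is not None:
        if not valid_ssin(ssin):
            raise ValueError("Ssin fails the mod-97 check")
        if period is None:
            raise ValueError("selection by SSIN needs a period")
        start, end = (dt.date.fromisoformat(d) for d in period)
        if start > end:
            raise ValueError("period start is after period end")
        by_ssin = ET.SubElement(crit, "BySsin")
        ET.SubElement(by_ssin, "Ssin").text = ssin
        per = ET.SubElement(by_ssin, "Period")
        ET.SubElement(per, "StartDate").text = start.isoformat()
        ET.SubElement(per, "EndDate").text = end.isoformat()
    else:
        # Element names for selection by cover identifier are an assumption of
        # this example; the slide only shows the BySsin variant.
        by_cover = ET.SubElement(crit, "ByCarmedNumber")
        ET.SubElement(by_cover, "CarmedNumber").text = ecarmed_number

    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    print(build_request("0212344876", "test BCSS", "rights eCarmed",
                        ssin="87121528116", period=("2012-01-29", "2012-06-02")))
```

Rejecting malformed identifiers before the call keeps obviously bad requests from reaching the service (and from showing up as technical errors on the WSP side), and it costs nothing on the client.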
Response specification
eHealth certificates: X.509v3 certificate specifications
Issued by GovernmentCA (Fedict)
Current Subject specifications
• CN = logical name of the certificate
• O = official name of the organization
• OU = type of identification no., e.g. CBE / NIHII / …
• SerialNumber = identification no. of the organization
SSO @ web services
SSO general principles (1/2)
Purpose
• Completes the "Integrated user and access management"
• Access to various services within a single session
Main features
• Supports ABAC and ZBAC principles
• Based on the SAML protocol
Terminology
• WSC: web service consumer
• WSP: web service provider
• STS: Secure Token Service
SSO general principles (2/2)
[Diagram: the WSC sends a SAML request (1) to the eHealth-platform Secure Token Service (STS) and receives a SAML response (2); it then calls WSP 1 and WSP 2 (3) with the SAML assertion signed by eHealth + business data + proof of holder-of-key.]
STS Request/Response (1/5)
Description of the flows (1) and (2)
Illustration with the set of attributes
• Recognized pharmacy
• Recognized pharmacist
Other rules will be supported in the same way
• Attribute or access oriented
[Diagram: the hospital (WSC) sends a SAML request (1) to the eHealth-platform Secure Token Service (STS) and receives a SAML response (2); it then calls the WSP (3) with the SAML assertion signed by eHealth + business data + proof of holder-of-key.]
STS Request/Response (2/5)
Request general structure
Header deals with the security of the call to the STS service
X.509 identification certificate
• eID
• eHealth certificate
• Federal Government
Example: X.509 identification of the hospital
STS Request/Response (3/5)
Request: SAML elements
Confirmation method
• Holder-of-Key
• Sender-Vouches
Subject
• SAML assertion
• Identification attributes
• Policy attributes
Attributes to confirm
• Attribute type
Example
• claim: recognized general practitioner
• claim: recognized hospital
STS Request/Response (4/5)
Response general structure
General characteristics
• global Status
• assertion signed by eHealth
• response to the requested claims
Example
• claim: recognized general practitioner - TRUE
• claim: recognized hospital - TRUE
STS Request/Response (5/5)
Remarks
Attributes not certified
• Example
- claim: recognized pharmacy - TRUE
- claim: recognized pharmacist - FALSE
Technical errors
• when an error occurs while processing the request
- the request is aborted
- an error message is sent to the WSC
• Example
- REQ-01: Checks on ConfirmationMethod failed
Time validity
• each attribute is certified for a certain period
WSC/WSP communication (1/3)
Description of the flow (3)
Illustration with the set of attributes
- Recognized hospital
- Recognized general practitioner
[Diagram: the hospital (WSC) sends a SAML request (1) to the eHealth-platform Secure Token Service (STS) and receives a SAML response (2); it then calls the WSP (3) with the SAML assertion signed by eHealth + business data + proof of holder-of-key.]
WSC/WSP communication (2/3)
Request general structure
Header deals with the security of the call to the WSP service
Identification based on the SAML assertion
Example: SAML assertion delivered by eHealth
WSC/WSP communication (3/3)
Remark
Verifications to be performed by the WSP
• Validity of the X.509 certificate
- Certificate Revocation List (CRL)
- Trusted Certificate Authority
• Check the SAML assertion
- Signed by eHealth
- Assertion still valid (cf. Time validity)
• Check the Holder-of-Key profile
- SAML assertion & X.509 certificate
• and, obviously, its further access rules
SSO specification
The SAML token request is secured with the eHealth certificate of the NIHII organization. The certificate used by the Holder-of-Key verification mechanism is the same eHealth certificate.
Needed attributes (AttributeNamespace: "urn:be:fgov:identification-namespace"):
- urn:be:fgov:person:ssin (social security identification number of the person)
- urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number
Information which must be asserted by eHealth (AttributeNamespace: "urn:be:fgov:certifiednamespace:ehealth"):
- urn:be:fgov:person:ssin (social security identification number of the person)
- urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number:recognisedhopsital: nihii11 (NIHII number of the organization)
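The verifications the WSP has to perform (trusted CA and CRL, signature by eHealth, time validity, holder-of-key binding), the subject layout from the eHealth-certificates slide, the remark that a claim returned as FALSE was not certified, and the attribute namespaces of the SSO specification, brought together in one Python check. This is an added example and not code from the presentation or from the eHealth platform. It assumes the SAML 1.1 assertion layout produced by sample_assertion(), an issuer name of "eHealth-platform", a five-minute clock skew, and a constructed certificate and subject DN; XML-DSig validation of the assertion signature and the CA chain / CRL check of the presented certificate are expected to have been done by a dedicated XML-signature library before verify_assertion() runs. The comparison of the certified holder NIHII number with the certificate's SerialNumber is an extra consistency check added here, not a rule stated on the slides.

```python
"""WSP-side checks on a holder-of-key SAML assertion (added example)."""
import base64
import datetime as dt
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CERTIFIED_NS = "urn:be:fgov:certifiednamespace:ehealth"
HOLDER_NIHII = "urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number"
TRUSTED_ISSUER = "eHealth-platform"   # issuer name assumed for this example
KNOWN_ID_TYPES = {"CBE", "NIHII"}      # the slide lists these two and "..."
CLOCK_SKEW = dt.timedelta(minutes=5)
NS = {"saml": SAML_NS, "ds": DSIG_NS}

# Constructed stand-ins: not a real certificate, not a real organisation.
WSC_CERT_DER = b"constructed placeholder for the DER bytes of the WSC eHealth certificate"
WSC_SUBJECT_DN = "CN=hospital-ws-client, O=Example Hospital, OU=NIHII, SERIALNUMBER=00000000"
SAMPLE_NOW = dt.datetime(2012, 8, 21, 10, 30, tzinfo=dt.timezone.utc)
REQUIRED_ATTRS = ["urn:be:fgov:person:ssin", HOLDER_NIHII,
                  "urn:be:fgov:ehealth:1.0:hospital:nihii-number"]


def sample_assertion() -> str:
    """Constructed SAML 1.1-style assertion; the layout is assumed, not captured."""
    cert_b64 = base64.b64encode(WSC_CERT_DER).decode()

    def attr(name, value, ns=CERTIFIED_NS):
        return (f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{ns}">'
                f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DSIG_NS}" '
        f'Issuer="{TRUSTED_ISSUER}" IssueInstant="2012-08-21T10:00:00Z">'
        '<saml:Conditions NotBefore="2012-08-21T10:00:00Z" NotOnOrAfter="2012-08-21T11:00:00Z"/>'
        '<saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation>'
        f'<saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
        '</saml:SubjectConfirmation></saml:Subject>'
        + attr("urn:be:fgov:person:ssin", "87121528116")
        + attr(HOLDER_NIHII, "00000000")
        + attr("urn:be:fgov:ehealth:1.0:hospital:nihii-number", "00000000")
        + attr("urn:example:claim:recognised-pharmacist", "FALSE")   # constructed claim name
        + '</saml:AttributeStatement></saml:Assertion>')


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=x, O=y, OU=NIHII, SERIALNUMBER=1' into {TYPE: value}; escaped commas kept."""
    fields = {}
    for part in re.split(r"(?<!\\),", dn):
        k, _, v = part.partition("=")
        fields[k.strip().upper()] = v.strip().replace("\\,", ",")
    return fields


def check_subject(dn: str) -> List[str]:
    """Subject layout from the certificate slide: CN, O, OU (id type), SerialNumber (id)."""
    f, problems = parse_dn(dn), []
    problems += ["subject lacks %s" % k for k in ("CN", "O", "OU", "SERIALNUMBER") if k not in f]
    if f.get("OU") not in KNOWN_ID_TYPES:
        problems.append("OU %r is not a known identification type" % f.get("OU"))
    if not f.get("SERIALNUMBER", "").isdigit():
        problems.append("SerialNumber is not an identification number")
    return problems


def _ts(s: str) -> dt.datetime:
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))


def verify_assertion(assertion_xml: str, presented_cert_der: bytes, presented_dn: str,
                     now: dt.datetime, required: List[str]) -> Dict[str, object]:
    """Checks the WSP runs after an XML-DSig library has validated the assertion
    signature and the chain/CRL status of the presented certificate."""
    problems = check_subject(presented_dn)
    a = ET.fromstring(assertion_xml)
    if a.get("Issuer") != TRUSTED_ISSUER:
        problems.append("issuer %r is not eHealth" % a.get("Issuer"))
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    elif _ts(cond.get("NotBefore")) > now + CLOCK_SKEW:
        problems.append("assertion not yet valid")
    elif _ts(cond.get("NotOnOrAfter")) <= now - CLOCK_SKEW:
        problems.append("assertion expired")
    # Holder-of-key: the certificate named in the assertion must be the one that
    # secured this message; a token alone, without its key, proves nothing.
    sc = a.find(".//saml:SubjectConfirmation", NS)
    method = sc.findtext("saml:ConfirmationMethod", namespaces=NS) if sc is not None else None
    if method != HOLDER_OF_KEY:
        problems.append("confirmation method is not holder-of-key")
    b64 = (sc.findtext(".//ds:X509Certificate", namespaces=NS) if sc is not None else None) or ""
    if hashlib.sha256(base64.b64decode(b64)).digest() != hashlib.sha256(presented_cert_der).digest():
        problems.append("presented certificate does not match the assertion's key")
    certified = {}
    for attr in a.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        # Only the certified namespace counts, and FALSE means eHealth did not certify it.
        if attr.get("AttributeNamespace") == CERTIFIED_NS and value != "FALSE":
            certified[attr.get("AttributeName")] = value
    problems += ["required attribute %s not certified" % n for n in required if n not in certified]
    # Extra consistency check added here: with OU=NIHII, the certified holder
    # NIHII number should be the certificate's SerialNumber.
    dn = parse_dn(presented_dn)
    if dn.get("OU") == "NIHII" and certified.get(HOLDER_NIHII) not in (None, dn.get("SERIALNUMBER")):
        problems.append("certified holder NIHII differs from certificate SerialNumber")
    return {"ok": not problems, "problems": problems, "attributes": certified}


if __name__ == "__main__":
    print(verify_assertion(sample_assertion(), WSC_CERT_DER, WSC_SUBJECT_DN, SAMPLE_NOW, REQUIRED_ATTRS))
```

Returning the full list of problems rather than stopping at the first one is deliberate: a WSP that logs every failed check gives its operators a much clearer picture of a misconfigured client (wrong certificate, expired token, missing attribute) than a single generic rejection, while the caller still only gets an accept/deny decision.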