WS eHealth MediPrima Service presentation


Page 1

WS eHealth MediPrima Service presentation

Page 2 (21/08/2012)

Access to the WS

Access to the webservice “eCarmed”
• Certificate required
• Cfr: Schema eCarmed_WSDL_v1_0_4.zip

eHealth certificates
• https://www.ehealth.fgov.be/fr/support/services-de-base/certificats-ehealth

STS call (SSO)

Page 3

Operation available

ConsultCarmedIntervention: obtain information about the intervention granted (an electronic decision support) and, if applicable, an approval number to guarantee payment

• Inputs:
  - Cover identifier (eCarmed number)
  - OR Patient identifier + Period/Reference date

• Outputs (if results exist):
  - Medical card identifier
  - Medical card content
  - Approval number

Page 4

Request specification

Page 5

Request example

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:n1="http://kszbcss.fgov.be/intf/ECarmedService/v1">
  <soapenv:Header/>
  <soapenv:Body>
    <n1:ConsultCarmedInterventionRequest>
      <InformationCustomer>
        <Ticket>test BCSS</Ticket>
        <CustomerIdentification>
          <CbeNumber>0212344876</CbeNumber>
        </CustomerIdentification>
      </InformationCustomer>
      <LegalContext>rights eCarmed</LegalContext>
      <SelectionCriteria>
        <BySsin>
          <Ssin>87121528116</Ssin>
          <Period>
            <StartDate>2012-01-29</StartDate>
            <EndDate>2012-06-02</EndDate>
          </Period>
        </BySsin>
      </SelectionCriteria>
    </n1:ConsultCarmedInterventionRequest>
  </soapenv:Body>
</soapenv:Envelope>
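As an added example (not code from the presentation or from the eHealth/KSZ-BCSS project), the following Python builds the BySsin request shown above from validated inputs and reads it back. It uses only the element names visible on the slide; the slide's CBE number, SSIN and period are reused as constructed sample input. The Belgian SSIN mod-97 checksum rule is general knowledge, not something the slide states, and the cover-identifier (eCarmed number) variant is not built because its element name does not appear on the slide.

```python
"""Build a BySsin ConsultCarmedInterventionRequest (added example).

Element names follow the request example on the slide; the CBE number,
SSIN and period are the slide's sample values, reused as constructed input.
The 'cover identifier (eCarmed number)' variant is not built here because
its element name is not shown on the slide."""
import re
import xml.etree.ElementTree as ET
from datetime import date

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
ECARMED = "http://kszbcss.fgov.be/intf/ECarmedService/v1"
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("n1", ECARMED)


def ssin_is_valid(ssin: str) -> bool:
    """Belgian SSIN format check: 11 digits, the last two being
    97 - (first nine digits mod 97); for people born in or after 2000 the
    nine digits are prefixed with '2' before taking the modulus."""
    if not re.fullmatch(r"\d{11}", ssin):
        return False
    body, check = ssin[:9], int(ssin[9:])
    return check in (97 - int(body) % 97, 97 - int("2" + body) % 97)


def build_request(cbe_number: str, ssin: str, start: str, end: str,
                  ticket: str = "test BCSS") -> bytes:
    """Return the SOAP envelope; dates are ISO 'YYYY-MM-DD' strings as on
    the wire. Input is validated before anything is serialised, so a typo
    in the SSIN is caught locally instead of querying the wrong person."""
    if not re.fullmatch(r"\d{10}", cbe_number):
        raise ValueError("CBE number must be 10 digits")
    if not ssin_is_valid(ssin):
        raise ValueError("SSIN fails format/checksum validation")
    if date.fromisoformat(start) > date.fromisoformat(end):
        raise ValueError("period StartDate is after EndDate")

    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAPENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    req = ET.SubElement(body, f"{{{ECARMED}}}ConsultCarmedInterventionRequest")
    info = ET.SubElement(req, "InformationCustomer")
    ET.SubElement(info, "Ticket").text = ticket
    cust = ET.SubElement(info, "CustomerIdentification")
    ET.SubElement(cust, "CbeNumber").text = cbe_number
    ET.SubElement(req, "LegalContext").text = "rights eCarmed"
    by_ssin = ET.SubElement(ET.SubElement(req, "SelectionCriteria"), "BySsin")
    ET.SubElement(by_ssin, "Ssin").text = ssin
    period = ET.SubElement(by_ssin, "Period")
    ET.SubElement(period, "StartDate").text = start
    ET.SubElement(period, "EndDate").text = end
    # ElementTree escapes text nodes, so values cannot inject extra markup.
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_selection(envelope: bytes) -> dict:
    """Read the selection criteria back, e.g. for request logging on the
    consumer side before the call leaves the organisation."""
    root = ET.fromstring(envelope)
    req = root.find(f".//{{{ECARMED}}}ConsultCarmedInterventionRequest")
    if req is None:
        raise ValueError("not a ConsultCarmedInterventionRequest")
    by_ssin = req.find("SelectionCriteria/BySsin")
    if by_ssin is None:
        raise ValueError("only BySsin selection is handled here")
    return {
        "cbe": req.findtext("InformationCustomer/CustomerIdentification/CbeNumber"),
        "ssin": by_ssin.findtext("Ssin"),
        "start": by_ssin.findtext("Period/StartDate"),
        "end": by_ssin.findtext("Period/EndDate"),
    }


if __name__ == "__main__":
    print(build_request("0212344876", "87121528116", "2012-01-29", "2012-06-02").decode())
```

The SSIN on the slide (87121528116) passes the mod-97 check, so the script reproduces the slide's envelope; swapping one digit makes build_request refuse to serialise.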

Page 6

Response specification

Page 7

eHealth certificates: specifications

x509v3 certificate, issued by GovernmentCA (fedict)

Current Subject specifications
• CN = Logical name of the certificate
• O = Official name of the organization
• OU = Type of identification no., e.g. CBE / NIHII / …
• SerialNumber = Identification no. of the organization
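Added example, not part of the presentation: a small RFC 4514 parser that reads a certificate Subject string with the layout listed above and checks that OU names a known identification type and that serialNumber has the matching shape, which is what a WSP needs before it can match the certificate holder against anything. The accepted OU values, the digit lengths per type (CBE 10 digits, as the CbeNumber on the request slide; NIHII taken as 8 digits for organisations or 11 for persons) and the sample DNs are assumptions made for this example.

```python
"""Parse and sanity-check an eHealth-style certificate Subject (added example).

The Subject layout (CN, O, OU = type of identification number, serialNumber
= the number itself) is from the slide; the accepted OU values, the digit
lengths per type and the sample DNs are assumptions made for this example."""
import re

# Assumed shapes: CBE numbers are 10 digits (as the CbeNumber on the request
# slide); NIHII numbers are taken as 8 digits for organisations or 11 for persons.
ID_SHAPES = {"CBE": r"\d{10}", "NIHII": r"\d{8}|\d{11}"}


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 string into {attribute: value}. Backslash escapes
    (\\, and \\2C) are honoured so a comma inside O= does not split the value."""
    result, key, buf, i = {}, None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char or \XX hex pair
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif c == ",":
            if key is None:
                raise ValueError("RDN without '='")
            result[key] = "".join(buf).strip()
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    if key is None:
        raise ValueError("RDN without '='")
    result[key] = "".join(buf).strip()
    return result


def check_subject(dn: str) -> dict:
    """Require the four attributes from the slide and check that OU names a
    known identification type whose serialNumber has the expected shape."""
    attrs = {k.lower(): v for k, v in parse_dn(dn).items()}
    for name in ("cn", "o", "ou", "serialnumber"):
        if name not in attrs:
            raise ValueError(f"Subject lacks {name}")
    id_type = attrs["ou"].upper()
    if id_type not in ID_SHAPES:
        raise ValueError(f"unknown identification type in OU: {attrs['ou']}")
    if not re.fullmatch(ID_SHAPES[id_type], attrs["serialnumber"]):
        raise ValueError(f"serialNumber {attrs['serialnumber']} is not a {id_type} number")
    return {"name": attrs["cn"], "organization": attrs["o"],
            "id_type": id_type, "id": attrs["serialnumber"]}


def subject_or_error(dn: str) -> str:
    """'<type>:<id>' on success, 'error: ...' otherwise (handy for logging)."""
    try:
        s = check_subject(dn)
        return f"{s['id_type']}:{s['id']}"
    except ValueError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    # Constructed sample DN; the escaped comma is the case naive split() gets wrong.
    print(check_subject("CN=MediPrima WS client,O=Sample Hospital\\, vzw,OU=NIHII,serialNumber=71099999"))
```

Attribute names are compared case-insensitively because different tooling prints the same Subject as serialNumber, SERIALNUMBER or SN=; the value comparison stays exact.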

Page 8

SSO @ web services

Page 9

SSO general principles (1/2)

Purpose
• Completes the "Integrated user and access management"
• Access to various services within a single session

Main features
• Supports ABAC and ZBAC principles
• Based on SAML protocol

Terminology
• WSC: web service consumer
• WSP: web service provider
• STS: Secure Token Service

Page 10

SSO general principles (2/2)

[Diagram: the WSC sends (1) a SAML REQUEST to the eHealth-platform Secure Token Service (STS) and receives (2) a SAML RESPONSE; it then calls WSP 1 and WSP 2 with (3) the SAML ASSERTION signed by eHealth + business data + proof of holder-of-key.]

Page 11

STS Request/Response (1/5): Description of the flows (1) and (2)

Illustration with the set of attributes
• Recognized pharmacy
• Recognized pharmacist

Other rules will be supported in the same way
• Attribute or access oriented

[Diagram: the hospital (WSC) sends (1) a SAML REQUEST to the eHealth-platform Secure Token Service (STS) and receives (2) a SAML RESPONSE; (3) the SAML ASSERTION signed by eHealth + business data + proof of holder-of-key then goes to the WSP.]

Page 12

STS Request/Response (2/5): Request general structure

Header deals with 'security of the call to the STS service'

x509 identification certificate
• eID
• eHealth certificate
• Federal Government

Example: x509 identification of the hospital

Page 13

STS Request/Response (3/5): Request, SAML elements

Confirmation method
• Holder-of-Key
• Sender-Vouches

Subject
• SAML assertion
• Identification Attr.
• Policy Attr.

Attribute to confirm
• Attribute type

Example
• claim: recognized general practitioner
• claim: recognized hospital

Page 14

STS Request/Response (4/5): Response general structure

General characteristics
• global Status
• assertion signed by eHealth
• Response to requested claims

Example
• claim: recognized general practitioner - TRUE
• claim: recognized hospital - TRUE

Page 15

STS Request/Response (5/5): Remarks

Attributes not certified
• Example
  - claim: recognized pharmacy TRUE
  - claim: recognized pharmacist FALSE

Technical errors
• when an error occurred while processing the request
  - abort request
  - error message sent to WSC
• Example
  - REQ-01: Checks on ConfirmationMethod failed

Time validity
• each attribute is certified for a certain period

Page 16

WSC/WSP communication (1/3): Description of the flow (3)

Illustration
• with the set of attributes
  - Recognized hospital
  - Recognized general practitioner

[Diagram: the hospital (WSC) obtains a token from the eHealth-platform Secure Token Service (STS) via (1) SAML REQUEST and (2) SAML RESPONSE, then sends (3) the SAML ASSERTION signed by eHealth + business data + proof of holder-of-key to the WSP.]

Page 17

WSC/WSP communication (2/3): Request general structure

Header deals with 'security of the call to the WSP service'

Identification based on SAML assertion

Example: SAML assertion delivered by eHealth

Page 18

WSC/WSP communication (3/3): Remark

Verifications to perform by the WSP
• Validity of x509 certificate
  - Certificate Revocation List (CRL)
  - Trusted Certificate Authority
• Check SAML assertion
  - Signed by eHealth
  - Assertion still valid (cfr. Time Validity)
• Check Holder-Of-Key profile
  - SAML assertion & x509
• and, obviously, its further access rules

Page 19

SSO specification

The SAML token request is secured with the eHealth certificate of the NIHII organization. The certificate used by the Holder-Of-Key verification mechanism is the same eHealth certificate.

Needed attributes (AttributeNamespace: "urn:be:fgov:identification-namespace"):
- urn:be:fgov:person:ssin (social security identification number of the person)
- urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number

Information which must be asserted by eHealth (AttributeNamespace: "urn:be:fgov:certifiednamespace:ehealth"):
- urn:be:fgov:person:ssin (social security identification number of the person)
- urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number
- urn:be:fgov:ehealth:1.0:hospital:nihii-number:recognisedhopsital:nihii11 (NIHII number of the organization)
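The following Python, added here and not part of the presentation or of eHealth's own connector code, runs the WSP checklist from the 'WSC/WSP communication (3/3)' slide on a constructed token and then applies the namespace distinction from this slide and the 'Attributes not certified' remark: only attributes in urn:be:fgov:certifiednamespace:ehealth are taken as certified by eHealth, while those in urn:be:fgov:identification-namespace are what the requester claimed about itself. Assumptions: the token is a SAML 1.1 assertion (the slides' 'AttributeNamespace' wording is SAML 1.1 syntax), the XML-DSig and X.509 chain/CRL checks are delegated to caller-supplied functions because they need eHealth's signing certificate and a CRL source, and the issuer URN, certificate bytes and NIHII value are constructed placeholders.

```python
"""WSP-side checks on the SAML token carried in flow (3) (added example).

Follows the checklist of the 'WSC/WSP communication (3/3)' slide and the
namespaces of the 'SSO specification' slide. Assumed: SAML 1.1 syntax;
XML-DSig and X.509 chain/CRL checks delegated to caller-supplied functions;
issuer URN, certificate bytes and NIHII value are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Callable

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CERTIFIED_NS = "urn:be:fgov:certifiednamespace:ehealth"  # from the slide
CLAIMED_NS = "urn:be:fgov:identification-namespace"      # from the slide
REQUIRED_CERTIFIED = {                                   # from the slide
    "urn:be:fgov:person:ssin",
    "urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number",
    "urn:be:fgov:ehealth:1.0:hospital:nihii-number",
}
EHEALTH_ISSUER = "urn:example:ehealth-sts"  # placeholder, not the real value
CLOCK_SKEW = timedelta(minutes=5)
CONSTRUCTED_CERT = b"constructed DER bytes, not a real certificate"


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_token(xml: str, caller_cert: bytes, now: datetime,
                 signature_ok: Callable[[str], bool],
                 cert_trusted: Callable[[bytes], bool]) -> dict:
    """Return eHealth-certified attributes, or raise PermissionError naming
    the first failed check. Step numbers follow the slide's bullet order."""
    # 1. x509 validity of the caller's certificate: trusted CA + CRL (delegated).
    if not cert_trusted(caller_cert):
        raise PermissionError("caller certificate not trusted or revoked")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise PermissionError("not a SAML 1.1 assertion")
    # 2. Signed by eHealth: issuer name plus XML-DSig (delegated).
    if root.get("Issuer") != EHEALTH_ISSUER or not signature_ok(xml):
        raise PermissionError("assertion not issued and signed by eHealth")
    # 3. Still valid (cfr. Time Validity), allowing a little clock skew.
    cond = root.find(f"{{{SAML1}}}Conditions")
    if cond is None:
        raise PermissionError("assertion has no Conditions element")
    if not (parse_time(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise PermissionError("assertion outside its validity window")
    # 4. Holder-of-Key: the certificate inside SubjectConfirmation must be the
    #    one that authenticated this call; a token replayed by a different
    #    certificate holder is rejected here.
    conf = root.find(f".//{{{SAML1}}}SubjectConfirmation")
    method = conf.findtext(f"{{{SAML1}}}ConfirmationMethod") if conf is not None else None
    if method != HOLDER_OF_KEY:
        raise PermissionError("confirmation method is not holder-of-key")
    hok_cert = base64.b64decode("".join(conf.findtext(f".//{{{DS}}}X509Certificate", "").split()))
    if hashlib.sha256(hok_cert).digest() != hashlib.sha256(caller_cert).digest():
        raise PermissionError("holder-of-key certificate does not match caller")
    # 5. Further access rules use only what eHealth certified; attributes in
    #    the identification namespace are merely claimed by the requester.
    certified = {a.get("AttributeName"): a.findtext(f"{{{SAML1}}}AttributeValue")
                 for a in root.iter(f"{{{SAML1}}}Attribute")
                 if a.get("AttributeNamespace") == CERTIFIED_NS}
    missing = REQUIRED_CERTIFIED - set(certified)
    if missing:
        raise PermissionError("missing certified attributes: " + ", ".join(sorted(missing)))
    return certified


def sample_assertion(cert: bytes) -> str:
    """Constructed token shaped like the STS response of flow (2)."""
    attr = ('<saml:Attribute AttributeName="{}" AttributeNamespace="{}">'
            "<saml:AttributeValue>{}</saml:AttributeValue></saml:Attribute>")
    attrs = attr.format("urn:be:fgov:person:ssin", CLAIMED_NS, "87121528116") + "".join(
        attr.format(name, CERTIFIED_NS, value) for name, value in [
            ("urn:be:fgov:person:ssin", "87121528116"),
            ("urn:be:fgov:ehealth:1.0:certificateholder:hospital:nihii-number", "71099999"),
            ("urn:be:fgov:ehealth:1.0:hospital:nihii-number", "71099999")])
    return (
        f'<saml:Assertion xmlns:saml="{SAML1}" xmlns:ds="{DS}" MajorVersion="1" MinorVersion="1" '
        f'AssertionID="_constructed" Issuer="{EHEALTH_ISSUER}" IssueInstant="2012-08-21T09:00:00Z">'
        '<saml:Conditions NotBefore="2012-08-21T09:00:00Z" NotOnOrAfter="2012-08-21T21:00:00Z"/>'
        "<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>87121528116</saml:NameIdentifier>"
        f"<saml:SubjectConfirmation><saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(cert).decode()}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml:SubjectConfirmation></saml:Subject>"
        f"{attrs}</saml:AttributeStatement></saml:Assertion>")


def run_demo(now_iso: str = "2012-08-21T12:00:00Z",
             caller_cert: bytes = CONSTRUCTED_CERT) -> str:
    """Run the checklist with stand-ins for the two delegated crypto checks."""
    try:
        attrs = verify_token(sample_assertion(CONSTRUCTED_CERT), caller_cert, parse_time(now_iso),
                             signature_ok=lambda _: True, cert_trusted=lambda _: True)
        return "ok:" + attrs["urn:be:fgov:ehealth:1.0:hospital:nihii-number"]
    except PermissionError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo("2012-08-22T12:00:00Z"))
```

In the demo the two lambdas stand in for the XML-DSig check against eHealth's signing certificate and for chain building plus CRL lookup against the caller's certificate; a deployment replaces them with real verifiers, and the order of the checks stays the same so the cheapest rejection happens first.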