Used documentation
| Cookbook/ materials | Version | Location |
|---|---|---|
| Technical specifications Identity & Authorization Management (I.AM) - Identity Provider (IDP) | 1.0 | https://www.ehealth.fgov.be/ehealthplatform/file/view/91d9a7f7978b8a4e4d90087f83d66883?filename=ehealth_i.am_-_idp_v1.0.pdf |
General information
A user may have one or multiple profiles of the following types:
- Citizen: for the principal with the basic authentication if the user wants to identify himself as a natural person. This is the default profile when a user authenticates on the eHealth IDP.
- Quality: for the principals that identify the user as a professional (eg DOCTOR)
- Organization: for the principals that identify the user as a representative of an organization he belongs to.
- Mandate: for the principals that identify the user as the mandatary of another person or organization from whom he has received a mandate to act on their behalf in a specific context.
The user choose a profile when he is authenticated in the CSAM portal and identified in the IDP and the AA. In order to change a profile, the user should do a global logout in order to close the session in the IDP and he/she should re-authenticate him/herself.
Basic flow
| Flow | Specification | ||
|---|---|---|---|
| Use case ID | ATH-UC-11-BF | |
Use case name | Change the profile of a user | ||
Actors |
| ||
Short Description | In order to change a profile, the user should do a global logout and should authenticate him/herself a second time. | ||
| Priority | 1 (High) Must have: The system must implement this goal/ assumption to be accepted. | ||
Pre-Conditions |
| ||
Post-Conditions |
| ||
Steps (basic flow) | 0 | The user has an open session in the IDP with the old profile | |
| 1 | The user do a global logout in order to close the session in the IDP | ||
2 | The user re-authenticates him/herself via the mobile application in order to change the profile | ||
| 3 | The mobile application sends an openID connect authorization request to the IAM connect | ||
4 | The IAM connects redirects the message to the eHealth IDP in a browser | ||
| 5 | The IDP detects that there is not an open session with the NISS and the name of the user | ||
6 | The IDP redirects the request to the CSAM in order to open a session | ||
7 | The user selects the authentication way (i.e. itsme, eID, TOTP) | ||
| 8 | The user is authenticated and CSAM returns a SAML assertion to the IDP regarding the user | ||
| 9 | The user selects a new profile and the IDP returns the selected profile to the IAM connect | ||
| 10 | The IAM connect creates an access token JWT with the new profile and returns it to the clent | ||
| 11 | The user is authenticated and accesses to the permitted services in the mobile application with respect to the new profile | ||
Exceptions (exception flows) | |||
Frequency |
| ||
