This version is a draft and will be enhanced as the sprints progress.
Used documentation
Cookbook/ materials | Version | Location |
---|---|---|
Identity & Authorization Management (I.AM) - Overview | 1.0 | https://www.ehealth.fgov.be/ehealthplatform/file/view/c87f7d093e56ff1054c73d6aae09e0bb?filename=ehealth_i.am_-_overv |
Identity & Authorization Management (I.AM) - Identity Provider (IDP) | 1.0 | https://www.ehealth.fgov.be/ehealthplatform/fr/data/file/view/d43784683d86392e68f1a95b860f721170f30c7b?name=ehealth_i.am_-_idp_v1.0.pdf |
CSAM Youtube channel | - | https://www.youtube.com/channel/UCzMGudd9xdMeGjYpbpjsXFw |
General information
...
In the figure below, we provide an overview of the interaction between the different services of the eHealth platform involved in IAM. Note that the presented architecture is dedicated to the WebSSO solution.
TBC
Basic flow

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-05-BF | |
Use case name | Authentication using an eID card | |
Actors | | |
Short Description | This use case denotes the authentication of a user via an eID card. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | | |
Post-Conditions | | |
Steps (basic flow) | 0 | The user accesses the WebSSO application interface to authenticate him/herself and chooses the eID option |
| 1 | The user connects using his/her credentials (eID card + PIN) and the card reader |
| 2 | The application sends an access request to the SP |
| 3 | The SP sends a request message to the AS to access the IDP |
| 4 | The AS sends a message to the IDP to identify the non-authenticated user |
| 5 | The IDP checks the identity of the user with the AA |
| 6 | The IDP sends a response message to the AA to inform it that the user is identified |
| 7 | The AS sends a message with the identity of the user to the SP |
| 8 | The SP returns a response message to the application to enable the authentication |
| 9 | The user is authenticated and can use the services of the mobile application |
Exceptions (exception flows) | | |
Frequency | | |

Alternative flow 1
...

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-05-AF-01 | |
Use case name | First authentication using an eID card | |
Actors | | |
Short Description | Create an account for the citizen. To do so, the citizen tries to authenticate himself/herself via the mobile application interface. The Identity Provider (IDP) detects that this is a first authentication and redirects the user to the CSAM portal. The citizen then creates a new account by presenting his/her eID card for the first time. To connect his/her eID card, the citizen should have a wireless card reader. | |

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-01-AF-02 | |
Use case name | Create a new account for a citizen using itsme | |
Actors | Citizen | |
Short Description | Create an account for the citizen. To do so, the citizen tries to authenticate himself/herself via the mobile application interface. The IDP detects that this is a first authentication and redirects the user to the CSAM portal. The citizen then creates a new account by using a third-party application called Mydigipass to obtain a security code. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | The citizen does not have an account | |
| The citizen has: an email address, an account in the web application Mydigipass (via an e-mail address), a smartphone with the application Mydigipass | |
Post-Conditions | The citizen has an account | |
| The citizen knows his/her credentials (the username, the password) | |
Steps | 0 | The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication) |
| 1 | The citizen connects for the first time to the application |
| 2 | The application sends a request message to the SP |
| 3 | The SP sends a request message (i.e. ask authentication get SSO token) to the IDP |
| 4 | The IDP checks the identity of the citizen via the AA and does not find it in the authentic data source |
| 5 | The IDP contacts CSAM to ask it to create the certificate for the citizen (first authentication) |
| 6 | The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and security code) |
| 8 | The citizen sends his/her credentials |
| 9 | The CSAM sends the credentials/certificate to the IDP |
| 10 | The IDP sends a response message to the SP to inform it that the citizen is now authenticated and identified |
| 11 | The SP returns a response message to the application to enable a first connection |
Exceptions (exception flows) | The citizen made an error when entering his/her credentials | |
| The creation is aborted (e.g. loss of connection) | |
| The security code has expired | |
Frequency | Every time a new citizen needs to create a new account via the mobile application Mydigipass | |

Alternative flow 2

Flow | Specification | |
---|---|---|
Short Description | Depending on the profile of the actor, this alternative flow will be instantiated by one of the four use cases dedicated to the creation of a new account (refer to the basic flows): ATH-UC-01, ATH-UC-02, ATH-UC-03, ATH-UC-04. To implement this flow, the user should authenticate him/herself in the mobile application using the eID card. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | a smartphone with the application itsme | |
Post-Conditions | | |
Steps | 0 | The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication) |
| 1 | The citizen connects for the first time to the application |
| 2 | The application sends a request message to the SP |
| 3 | The SP sends a request message (i.e. ask authentication get SSO token) to the IDP |
| 4 | The IDP checks the identity of the citizen via the AA and does not find it in the authentic data source |
Steps | For more details and depending on the type of the actor, see: | |
| 5 | The IDP contacts CSAM to ask it to create the certificate for the citizen (first authentication) |
| 6 | The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and secure code) |
| 10 | The citizen sends his/her credentials |
| 11 | The CSAM sends the credentials/certificate to the IDP |
| 12 | The IDP sends a response message to the SP to inform it that the citizen is now authenticated and identified |
| 13 | |
Exceptions (exception flows) | | |
Frequency | | |
Exception flow 1

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-05-EF-01 | |
Use case name | The PIN of the eID card is not correct | |
Actors | | |
Short Description | It denotes the use case when the user tries to authenticate with his/her eID card and fails in entering the PIN. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | an account in the web application Mydigipass | |
Post-Conditions | | |
Steps (basic flow) | 0 | The user accesses the WebSSO application interface to authenticate him/herself and chooses the eID option |
| 1 | The user tries to connect using a wrong PIN code |
| 2 | The authentication is interrupted |
Frequency | | |
Exception flow 2

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-05-EF-02 | |
Use case name | The creation is aborted (e.g. loss of connection, problem with the card reader, the session has expired) | |
Actors | | |
Short Description | It denotes the exception use case when the user loses the connection and is not able to finish the authentication. It may happen at any step of the basic and alternative flows. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | an account in the web application Mydigipass | |
Post-Conditions | | |
Steps (basic flow) | | |
Frequency | Every time a new citizen needs to create a new account and loses the connection | |
Exception flow 3

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-01-EF-03 | |
Use case name | The secure code has expired | |
Actors | Citizen | |
Short Description | It is an exception that the citizen may encounter when he/she tries to connect to the CSAM portal via the mobile application Mydigipass. This application creates a secure code that is valid for only 30 seconds, and the citizen should finish the connection before the code expires. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | The citizen does not have an account | |
| The citizen has: an e-mail address, an account in the web application Mydigipass | |
Post-Conditions | The authentication is interrupted | |
Steps (basic flow) | 0 | The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication) |
| 1 | The citizen connects for the first time to the application |
| 2 | The application sends a request message to the SP |
| 3 | The SP sends a request message (i.e. ask authentication get SSO token) to the IDP |
| 4 | The IDP checks the identity of the citizen via the AA and does not find it in the authentic data source |
| 5 | The IDP contacts CSAM to ask it to create the certificate for the citizen (first authentication) |
| 6 | The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and secure code) |
| 7 | The citizen connects to the Mydigipass application using his/her e-mail address to get the secure code |
| 8 | The secure code has expired |
Frequency | | |
Exception flow 4

Flow | Specification | |
---|---|---|
Use case ID | ATH-UC-01-EF-04 | |
Use case name | The PIN of the eID card is not correct | |
Actors | Citizen | |
Short Description | It denotes the use case when the citizen tries to connect to the CSAM with his/her eID card and fails in entering the PIN. | |
Priority | 1 (High) Must have: The system must implement this goal/assumption to be accepted. | |
Pre-Conditions | The citizen does not have an account | |
| The citizen has: an e-mail address, an eID card, the PIN code of his/her eID card, a wireless card reader | |
Post-Conditions | The authentication is interrupted | |
Steps (basic flow) | 0 | The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication) |
| 1 | The citizen connects for the first time to the application |
| 2 | The application sends a request message to the SP |
| 3 | The SP sends a request message (i.e. ask authentication get SSO token) to the IDP |
| 4 | The IDP checks the identity of the citizen via the AA and does not find it in the authentic data source |
| 5 | The IDP contacts the CSAM to ask it to create the certificate for the citizen (first authentication) |
| 6 | The CSAM opens a new web browser page to invite the citizen to enter his/her credentials using the eID card |
| 7 | The citizen tries to send his/her credentials with a wrong PIN |
| 8 | The authentication is interrupted |
Frequency | | |