This version is a draft one and it will be enhanced as the sprints progress.

Used documentation

General information

The figure below gives an overview of the interaction between the different services of the e-health platform involved in the IAM. Note that the presented architecture is dedicated to the WebSSO solution.

TBC


Basic flow

Flow
Specification

Priority






Use case ID

ATH-UC-05-BF

Use case name

Authentication using an eID card

Actors

  • Citizen

  • Healthcare giver
  • Representative of an institution

Short Description

Create an account for the citizen. To do so, the citizen tries to authenticate himself/herself via the mobile application interface. The Identity Provider (IDP) detects that this is a first authentication and redirects the user to the CSAM portal. The citizen then creates a new account by presenting his/her eID card for the first time. To connect his/her eID card, the citizen should have a wireless card reader.

This use case denotes the authentication of a user via an eID card.


1 (High)

Must have: The system must implement this goal/ assumption to be accepted.

Pre-Conditions

  • The

citizen
  • user has

not
  • already an account

  • The

citizen
  • user has:

an e-mail address
    • an eID card

    • a PIN code

PIN
    • of his/her eID card

a wireless card
    • a card reader

Post-Conditions

  • The

citizen has an account

The citizen knows his credentials
  • user is authenticated

  • The user has access to the services of the mobile application

Steps (basic flow)

0

The
citizen
user accesses the WebSSO application interface
(i.e. WebSSO) to create an account (first authentication)
to authenticate him/herself and chooses the option eID

1

The

citizen connects for the first time to the application

user connects using his/her credentials (eID card + PIN) and the card reader


2

The application sends
a
an access request
message
to the
Service Provider (
SP
)

3

The SP sends a request message
(i.e. ask authentication get SSO token)  to
to the AS to access the IDP

4

The

IDP checks the identity of the citizen and it does not find it in the authentic data source via the AA

AS sends a message to the IDP to identify the non-authenticated user


5

The IDP

contacts the CSAM to ask it to create the certificate to the citizen (first authentication)

checks the identity of the user with the AA 


6

The

CSAM opens a new web browser page to invite the citizen to enter his/her credentials using the eID card

IDP sends a response message to the AA to inform it that the user is identified


7

The
citizen sends his/her credentials

8

The CSAM returns the credentials/certificate to the IDP

9

AS sends a message with the identity of the user to the SP

8

The SP returns

The IDP sends

a response message to the

SP

application to

inform it that the citizen is now authenticated and identified

enable the authentication


9

The user is authenticated and can use the services of the mobile application

10

The SP returns a response message to the application to enable a first connection

Exceptions (exception flows)

The citizen made an error when editing his/her credentials

  • The PIN of the eID card is not correct

  • The creation is aborted (e.g. loss of connection, problem with the card reader, the session is expired)

Frequency

  • Every time

a new citizen needs to create a new account
  • the user needs to authenticate to the mobile application


Alternative flow 1

Flow
Specification

Use case ID

ATH-UC-

01

05-AF-01

Use case name

Create a new account for a citizen using a security code via a mobile application

Flow
Specification

Use case ID

ATH-UC-01-AF-02

Use case name

Create a new account for a citizen using itsme

Actors

  • Citizen

Short Description

Create an account for the citizen. To do so, the citizen tries to authenticate himself/herself via the mobile application interface. The IDP detects that this is a first authentication and redirects the user to the CSAM portal. The citizen then creates a new account by using his/her account on itsme.
First authentication using an eID card

Actors

  • Citizen

  • Healthcare giver
  • Representative of an institution

Short Description

Create an account for the citizen. To do so, the citizen tries to authenticate himself/herself via the mobile application interface. The IDP detects that this is a first authentication and redirects the user to the CSAM portal. The citizen then creates a new account by using a third-party application called Mydigipass to obtain a security code.

Priority

1 (High)

Must have: The system must implement this goal/ assumption to be accepted.

Pre-Conditions

  • The citizen does not have an account

  • The citizen has:

    • an email address

    • an account in the web application Mydigipass (via an e-mail address)

    • a smartphone with the application Mydigipass

Post-Conditions

  • The citizen has an account

  • The citizen knows his credentials (the username, the password)

Steps

0

The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication)

1

The citizen connects for the first time to the application

2

The application sends a request message to the SP

3

The SP sends a request message (i.e. ask authentication get SSO token) to the IDP

4

The IDP checks the identity of the citizen and it does not find it in the authentic data source via the AA

5

The IDP contacts the CSAM to ask it to create the certificate to the citizen (first authentication)

6

The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and security code)

7

The citizen connects to the Mydigipass application using his/her e-mail address to get the security code

8

The citizen sends his/her credentials

9

The CSAM sends the credentials/certificate to the IDP

10

The IDP sends a response message to the SP to inform it that the citizen is now authenticated and identified

11

The SP returns a response message to the application to enable a first connection

Exceptions (exception flows)

  • The citizen made an error when editing his/her credentials

  • The creation is aborted (e.g. loss of connection)

  • The security code has expired

Frequency

  • Every time a new citizen needs to create a new account via the mobile application Mydigipass

Alternative flow 2

Depending on the profile of the actor, this alternative flow will be instantiated by one of the four use cases dedicated to the creation of a new account (refer to the basic flows): ATH-UC-01, ATH-UC-02, ATH-UC-03, ATH-UC-04. To implement this flow, the user should authenticate him/herself in the mobile application using the eID card.

Priority

1 (High)

Must have: The system must implement this goal/ assumption to be accepted.

Pre-Conditions

  • The

citizen
  • user does not have an account

  • The

citizen
  • user has:

a phone number
    • an e-mail address

    • an

account in itsme
  • a smartphone with the application itsme

  • a five secure code to confirm the operation on itsme
      • eID card

      • a PIN code of his/her eID card

      • a card reader

    Post-Conditions

    • The

    citizen
    • user has an account

    • The

    citizen
    • user knows his credentials

    (the username, the password)

    Steps

    0

    The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication)

    1

    The citizen connects for the first time to the application

    2

    The application sends a request message to the SP

    3

    The SP sends a request message (i.e. ask authentication get SSO token) to the IDP

    4

    The IDP checks the identity of the citizen and it does not find it in the authentic data source via the AA

    5

    The IDP contacts the CSAM to ask it to create the certificate to the citizen (first authentication)

    6

    The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and secure code)

    7

    The citizen chooses the authentication option itsme

    8

    The citizen enters his/her phone number recognized by itsme

    9

    The citizen connects to the itsme application and confirms the operation

    10

    The citizen sends his/her credentials

    11

    The CSAM sends the credentials/certificate to the IDP

    12

    The IDP sends a response message to the SP to inform it that the citizen is now authenticated and identified

    13

    The SP returns a response message to the application to enable a first connection

    • The user is authenticated

    • The user has access to the services of the mobile application

    Steps

    For more details and depending on the type of the actor, see:

    Exceptions (exception flows)

    • The

    citizen made
    • user makes an error when editing his/her credentials

    (e.g. phone number)
    • The PIN of the eID card is not correct

    • The creation is aborted (e.g. loss of connection)

    Frequency

    • Every time

    a new citizen needs to create a new account via itsme
    • the user wants to authenticate him/herself and he/she does not have an account.


    Exception flow 1

    Specification

    Use case ID

    ATH-UC-

    01

    05-EF-01

    Use case name

    The

    citizen made an error when editing his/her credentials

    PIN of the eID card is not correct

    Actors

    • Citizen

    • Representative of an institution
    • Healthcare giver

    Short Description

    This

    It denotes the use case

    represents the situation

    when the

    citizen is trying to create a new account in the CSAM portal and he/she makes an error when entering his/her credentials (e.g. an error in the e-mail address, an error in the password, etc.). This exception flow may be triggered by the basic flow and any alternative one.

    user tries to authenticate with his/her eID card and fails in entering the PIN.

    Priority

    1 (High)

    Must have: The system must implement this goal/ assumption to be accepted.

    Pre-Conditions

    • The

    citizen
    • user has

    not
    • already an account

    • The

    citizen
    • user has:

    an e-mail address
      • an eID card
      • a PIN code

    PIN
      • of his/her eID card

  • an account in the web application Mydigipass

  • a wireless card
      • a card reader

    Post-Conditions

    • The
    creation of the account fails
    • authentication is interrupted
    • An error message should be displayed

    Steps (basic flow)

    Steps

    0

    The

    citizen

    user accesses the WebSSO application interface

    (i.e. WebSSO) to create an account (first authentication)

    1

    The citizen connects for the first time to the application

    2

    The application sends a request message to the SP

    3

    The SP sends a request message (i.e. ask authentication get SSO token) to the IDP

    4

    The IDP checks the identity of the citizen and it does not find it in the authentic data source via the AA

    to authenticate him/herself and chooses the option eID


    1

    The user tries to connect using a wrong PIN code


    2

    The authentication is interrupted

    5

    The IDP contacts the CSAM to ask it to create the certificate to the citizen (first authentication)

    6

    The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and secure code)

    7

    The citizen makes an error when entering his/her credentials to the CSAM

    Frequency

    • Every time a

    new citizen
    • user needs to

    create a new account
    • authenticate him/herself and enters a wrong PIN code

    Exception flow 2

    Specification

    Use case ID

    ATH-UC-

    01

    05-EF-02

    Use case name

    The creation is aborted (e.g. loss of connection, problem with the card reader, the session is expired)

    Actors

    • Citizen

    • Representative of an institution
    • Healthcare giver

    Short Description

    It denotes the exception use case when the

    citizen

    user loses the connection and is not able to finish the authentication. It may happen at any step of the basic and alternative flows.

    Priority

    1 (High)

    Must have: The system must implement this goal/ assumption to be accepted.

    Pre-Conditions

    • The

    citizen
    • user has

    not
    • already an account

    • The

    citizen
    • user has:

    an e-mail address
      • an eID card

      • a PIN code

    PIN a wireless card
      • of his/her eID card

  • an account in the web application Mydigipass

      • a card reader

    Post-Conditions

    • The authentication is interrupted

    Steps (basic flow)

    Frequency

    • Every time a new citizen needs to create a new account and loses the connection

    Exception flow 3

    Specification

    Use case ID

    ATH-UC-01-EF-03

    Use case name

    The secure code has expired

    Actors

    • Citizen

    Short Description

    It is an exception that the citizen may encounter when he/she tries to connect to the CSAM portal via the mobile application Mydigipass. This application creates a secure code that is available only for 30 seconds, and the citizen should finish the connection before the code expires.

    Priority

    1 (High)

    Must have: The system must implement this goal/ assumption to be accepted.

    Pre-Conditions

    • The citizen does not have an account

    • The citizen has:

      • an e-mail address

      • an account in the web application Mydigipass

    Post-Conditions

    • The authentication is interrupted

    Steps (basic flow)

    0

    The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication)

    1

    The citizen connects for the first time to the application

    2

    The application sends a request message to the SP

    3

    The SP sends a request message (i.e. ask authentication get SSO token) to the IDP

    4

    The IDP checks the identity of the citizen and it does not find it in the authentic data source via the AA

    5

    The IDP contacts the CSAM to ask it to create the certificate to the citizen (first authentication)

    6

    The CSAM opens a new web browser page to invite the citizen to enter his/her credentials (username, password and secure code)

    7

    The citizen connects to the Mydigipass application using his/her e-mail address to get the secure code

    8

    The secure code expired

    • An error message should be displayed

    Steps (basic flow)



    Frequency

    • Every time a

    new citizen needs to create a new account using the mobile application Mydigipass and the secure code expires

    Exception flow 4

    Specification

    Use case ID

    ATH-UC-01-EF-04

    Use case name

    The PIN of the eID card is not correct

    Actors

    • Citizen

    Short Description

    It denotes the use case when the citizen tries to connect to the CSAM with his/her eID card and fails in entering the PIN.

    Priority

    1 (High)

    Must have: The system must implement this goal/ assumption to be accepted.

    Pre-Conditions

    • The citizen does not have an account

    • The citizen has:

      • an e-mail address

      • an eID card

      • a PIN code of his/her eID card

      • a wireless card reader

    Post-Conditions

    • The authentication is interrupted

    Steps (basic flow)

    0

    The citizen accesses the application interface (i.e. WebSSO) to create an account (first authentication)

    1

    The citizen connects for the first time to the application

    2

    The application sends a request message to the Service Provider (SP)

    3

    The SP sends a request message (i.e. ask authentication get SSO token) to the IDP

    4

    The IDP checks the identity of the citizen and it does not find it in the authentic data source via the AA

    5

    The IDP contacts the CSAM to ask it to create the certificate to the citizen (first authentication)

    6

    The CSAM opens a new web browser page to invite the citizen to enter his/her credentials using the eID card

    7

    The citizen tries to send his/her credentials with a wrong PIN.

    8

    The authentication is interrupted

    Frequency

    Every time a new citizen needs to create a new account and enters a wrong PIN
    • user needs to authenticate him/herself and loses the connection