Setup of HelseID for SFM - Multi tenant

To start using multi tenant for your system: 

  • Prerequisites: The EPJ system needs to be approved specifically for the use of multi tenancy by HelseID in its own approval process (includes a walkthrough of the code for the integration)
  • Setting up a multi tenant "client system"
  • Approving the multi tenant system for use of SFM
  • Activating an organization for multi tenant
  • Vendors must provide functionality for creating and maintaining the journal-id for their customers, and include the journal-id in the token request for HelseID.

Specific integration requirements for multi tenant need to be adopted before using multi tenant in SFM.

 

Setting up a multi tenant "client system"

In multi tenancy there is only one multi tenant HelseID client system for the system/supplier, supporting several tenants (in contrast with single tenancy where each organization is represented with one HelseID 

To set up a multi tenant client system in test, you log into the self service portal for HelseID in test: Selvbetjening i TEST

You log in by using your personal electronic id, for instance using ID-porten or BankID. Make sure that you represent the correct organization, which will become the "owner" of this "client system".

Choose "Dine klientsystemer" in Selvbetjening and follow the flow.

The client system may be configured as a multi tenant client by choosing "Ja" for multi tenant.

 

TODO: Describe how to add secret and how it works, and the rest of the flow.

 

Approving the multi tenant system for use of SFM

The multi tenant client system needs to be pre-registered for use of SFM with the organization number appearing in orgnr_supplier before it can be used towards SFM. In test this may be done by an email to kundersenter@nhn.no or by other effective channels.

 

Activating an organization for multi tenant

To be able to retrieve a multi tenant token for an organization, two things need to be fulfilled:

  • Necessary rights have to be delegated - a check is made in HelseID to ensure that the top level (Parent) has delegated rights to act on behalf of the organization in HelseID - to the owner of the HelseID client. Delegation must always be done at the top level!
  • Necessary agreements have to be signed - all necessary documents have to be signed by the organization.

Multi tenant client owners should only add organizations that have the necessary signed agreements in place for SFM. Information about which "tenants" can be added is available in self-service under the "tenants" tab or via the self-service API. Here, each tenant will have a status of "Active" when delegation is in place and the necessary terms are signed for SFM.

 

The Journal-id represents a Journal

When using multi tenant HelseID towards SFM, it is the Journal-id that represents the Journal. See Setup of Organizations and Journals in Production for more details.

Vendors must provide functionality for creating and maintaining the journal-id for their customers, and include the journal-id in the token request for HelseID.

When the EPJ requests a token from HelseID for a sub-unit, both Parent and Child must be included in the request.

Below is an example of parts of the token request for multi-tenant. See HelseID's pages for details.

"authorization_details": [
    {
      "type": "helseid_authorization",
      "practitioner_role": {
        "organization": {
          "identifier": {
            "system": "urn:oid:1.0.6523",
            "type": "ENH",
            "value": "NO:ORGNR:100100126:999944582"
          }
        }
      }
    },
    {
      "type": "nhn:sfm:journal-id",
      "value": {
        "journal_id": "7fbfbcbd-6f08-4e95-9f7a-9d69c40f6a35"
      }
    }
]

The example above specifies the two organization numbers (top level/parent and under_org/child) to include in the token, and the journal ID that identifies the correct instance of SFM. There can be multiple journal IDs that point to the same instance.

Note a detail in the JSON structure: the JSON variable “journal_id” has an underscore, while the HelseID scope has a hyphen. This is for technical reasons.
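The fragment above can be built and checked before the token request is sent. The following is an added example, not code from HelseID or SFM: the function names are hypothetical, and it assumes that journal-ids are UUIDs (as in the example above) and that organization numbers are nine digits.

```python
import json
import re
import uuid

JOURNAL_TYPE = "nhn:sfm:journal-id"   # hyphen in the type
JOURNAL_KEY = "journal_id"            # underscore in the JSON key
ORG_VALUE = re.compile(r"NO:ORGNR:\d{9}:\d{9}")  # parent, then child


def build_authorization_details(parent_orgnr, child_orgnr, journal_id):
    """Build the two authorization_details entries for a sub-unit request."""
    for name, nr in (("parent", parent_orgnr), ("child", child_orgnr)):
        if not re.fullmatch(r"\d{9}", nr):
            raise ValueError(f"{name} organization number must be 9 digits")
    # Assumption: journal-ids are UUIDs, as in the page's example.
    journal_id = str(uuid.UUID(journal_id))  # ValueError if malformed
    # "system" and "type" are copied from the page's example fragment.
    identifier = {"system": "urn:oid:1.0.6523", "type": "ENH",
                  "value": f"NO:ORGNR:{parent_orgnr}:{child_orgnr}"}
    return [
        {"type": "helseid_authorization",
         "practitioner_role": {"organization": {"identifier": identifier}}},
        {"type": JOURNAL_TYPE, "value": {JOURNAL_KEY: journal_id}},
    ]


def check_authorization_details(details):
    """Return a list of problems; an empty list means nothing was found."""
    problems = []
    by_type = {d.get("type"): d for d in details if isinstance(d, dict)}
    try:
        org = by_type["helseid_authorization"]["practitioner_role"]["organization"]
        if not ORG_VALUE.fullmatch(org["identifier"]["value"]):
            problems.append("organization value needs parent and child orgnr")
    except (KeyError, TypeError):
        problems.append("missing helseid_authorization organization identifier")
    value = by_type.get(JOURNAL_TYPE, {}).get("value")
    if JOURNAL_TYPE not in by_type:
        problems.append(f"missing entry of type {JOURNAL_TYPE}")
    elif not isinstance(value, dict) or JOURNAL_KEY not in value:
        problems.append(f"journal entry must use the key {JOURNAL_KEY!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: the values shown in the page's example.
    sample = build_authorization_details(
        "100100126", "999944582", "7fbfbcbd-6f08-4e95-9f7a-9d69c40f6a35")
    print(json.dumps({"authorization_details": sample}, indent=2))
    print(check_authorization_details(sample) or "no problems found")
```

Running the check on every outgoing request catches a swapped hyphen/underscore or a missing parent or child number before HelseID rejects the request.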

For more information on HelseID: https://www.nhn.no/helseid/hvordan-ta-i-bruk-helseid/

Information on journal-id: HelseID info om journal-id/sfm-id

For more information on the JWT token: https://jwt.io/