Setup of HelseID for SFM - Multi tenant
To start using multi tenant for your system:
Prerequisite: The EPJ system needs to be approved specifically for the use of multi tenancy by HelseID in its own approval process (which includes a walkthrough of the code for the integration). Make sure your system is approved for the "Authorization Code‑flow" to use SFM.
Set up a multi tenant client using HelseID selvbetjening. The client needs an approval before use.
Register as a multi tenant supplier in SFM
Activate an organization for multi tenant
The vendor must implement and be approved for explicit integration requirements for multi tenant use in SFM. The vendor must provide functionality for creating and maintaining the journal-id for their customers, and include the journal-id in the token request for HelseID.
Set up a multi tenant client
In multi tenancy there is only one multi tenant HelseID client for the system/supplier, supporting several tenants (in contrast with single tenancy, where each organization has its own HelseID client).
To set up a multi tenant client in test, log into the self service portal for HelseID in test: Selvbetjening i TEST
You log in using your personal electronic ID, for instance ID-porten or BankID. Make sure that you represent the correct organization, which will become the "owner" of this multi tenant client.
Choose to create a multi tenant client in Selvbetjening and follow the flow.
Note that your multi tenant client needs an approval from NHN before it can be used.
Register as a multi tenant supplier in SFM
The owner of the multi tenant client (orgnr_supplier) needs to be pre-registered by SFM before it can be used towards SFM. This may be done by sending an email to kundersenter@nhn.no.
Activate an organization for multi tenant
To be able to retrieve a multi tenant token for an organization, two things need to be fulfilled:
Necessary rights have to be delegated - a check is made in HelseID to ensure that the top level (Parent) has delegated rights to act on behalf of the organization in HelseID - to the owner of the HelseID client. Delegation is done using Altinn. Note that the delegation has to be done to the top level (Parent) in Brreg.
Necessary agreements have to be signed - all necessary NHN documents have to be signed by the organization.
Multi tenant client owners should only add organizations that have the necessary signed agreements in place for SFM. Information about which "tenants" can be added is available in self-service under the "tenants" tab or via the self-service API. Here, each tenant will have a status of "Active" when delegation is in place and the necessary terms are signed for SFM.
Integration requirements for use of multitenant in SFM
Specific integration requirements for multi tenant need to be adopted before using multi tenant in SFM. The EPJ needs to be approved for these integration requirements before multi tenant tokens can be used towards SFM.
The requirements include functionality for creating and maintaining the journal-id for their customers, and providing the journal-id in the token request for HelseID.
When using Multi tenant HelseID towards SFM, it is the Journal-id that represents the Journal. See Setup of Organizations and Journals in Production for more details.
When the EPJ requests a token from HelseID for a sub-unit, both Parent and Child must be included in the request.
Below is an example of parts of the token request for multi-tenant. See HelseID's pages for details.
"authorization_details": [
    {
        "type": "helseid_authorization",
        "practitioner_role": {
            "organization": {
                "identifier": {
                    "system": "urn:oid:1.0.6523",
                    "type": "ENH",
                    "value": "NO:ORGNR:100100126:999944582"
                }
            }
        }
    },
    {
        "type": "nhn:sfm:journal-id",
        "value": {
            "journal_id": "7fbfbcbd-6f08-4e95-9f7a-9d69c40f6a35"
        }
    }
]
The example above specifies the two organization numbers (top level/parent and under_org/child) that should be included in the token, and the journal ID for the correct instance of SFM. There can be multiple journal IDs that point to the same instance.
Note a detail in the JSON structure: The JSON variable “journal_id” has an underscore, while the HelseID scope has a hyphen. This is for technical reasons.
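An added example, not HelseID's or SFM's own code: a Python pre-flight check for the sub-unit request structure shown above, catching a missing child organization number or a hyphenated journal-id key before the token request is sent. The function names, the nine-digit NO:ORGNR:parent:child pattern and the UUID check on journal_id are assumptions inferred from the page's sample values.

```python
import re
import uuid

# Assumption: pattern inferred from the page's sample "NO:ORGNR:100100126:999944582".
ORG_VALUE = re.compile(r"^NO:ORGNR:(\d{9}):(\d{9})$")

def build_authorization_details(parent_orgnr, child_orgnr, journal_id):
    """Build the two authorization_details entries shown on the page."""
    return [
        {"type": "helseid_authorization",
         "practitioner_role": {"organization": {"identifier": {
             "system": "urn:oid:1.0.6523",
             "type": "ENH",
             "value": f"NO:ORGNR:{parent_orgnr}:{child_orgnr}"}}}},
        {"type": "nhn:sfm:journal-id",       # hyphen in the type name
         "value": {"journal_id": str(journal_id)}},  # underscore in the key
    ]

def check_authorization_details(details):
    """Return a list of problems; an empty list means the structure matches."""
    problems = []
    by_type = {d.get("type"): d for d in details if isinstance(d, dict)}
    org = by_type.get("helseid_authorization")
    if org is None:
        problems.append("missing helseid_authorization entry")
    else:
        try:
            value = org["practitioner_role"]["organization"]["identifier"]["value"]
        except (KeyError, TypeError):
            value = ""
        if not ORG_VALUE.match(str(value)):
            problems.append("organization value must carry both parent and child")
    journal = by_type.get("nhn:sfm:journal-id")
    if journal is None:
        problems.append("missing nhn:sfm:journal-id entry")
    else:
        inner = journal.get("value") if isinstance(journal.get("value"), dict) else {}
        if "journal-id" in inner:
            problems.append('key must be "journal_id" (underscore), not "journal-id"')
        try:
            uuid.UUID(str(inner["journal_id"]))
        except (KeyError, ValueError):
            problems.append("journal_id missing or not a UUID")
    return problems

if __name__ == "__main__":
    sample = build_authorization_details(  # constructed from the page's sample values
        "100100126", "999944582", "7fbfbcbd-6f08-4e95-9f7a-9d69c40f6a35")
    print(check_authorization_details(sample) or "ok")
```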
For more information on HelseID: https://www.nhn.no/helseid/hvordan-ta-i-bruk-helseid/
Information on journal-id: HelseID info on journal-id/sfm-id
For more information on the JWT token: https://jwt.io/