Identification and authentication service

DATE: 23-08-2024 STATUS: ADOPTED

The identification and authentication service is a generic function used for research in the secondary process.

The identification and authentication service consists of a collection of applications that identify and authenticate a user. Identification and authentication are the first two steps in the access control process; authorization is the third.

  • Identification refers to making a user's identity known, whereby the user submits his or her digital identity to the system.

  • Authentication checks whether the user really is who he or she claims to be. The digital identity is verified with the party that issued it, the identity provider.

  • Authorization controls access to services and data. This is out of scope for the Identification and Authentication service.


Assumptions

  • The identification and authentication service complies with the NEN standard Identification & authentication (under development).

  • Health-RI itself does not act as an Identity Provider (IdP), but uses identities issued and controlled by other organizations, creating a federated trust network.

  • We use the AARC blueprint architecture as a reference architecture.

  • We use an interoperable IAA solution to connect internationally in the future and to enable single log-on in the Health-RI ecosystem.

  • We use eIDAS reliability levels.

  • The required reliability level is determined per service and per dataset to which access is granted.

Required functionality

  • Identify end users from the following user groups:

    • Researchers at UMCs

    • Healthcare providers and researchers at general and top clinical hospitals

    • Innovators (companies)

    • Policymakers

    • Patients/Citizens

  • A user who logs in to the national health data portal can use the data catalogue, the application system and an analysis environment, without having to log in again.

  • User information can be exchanged between different parts of the national health data portal for a personalized experience (dashboard).

  • Objects such as algorithms and processing environments can be identified.

 

 

Requirements for Identity Providers and IdP federations

  • The issued identity must have a high level of reliability, which means that we are almost certain to which person the identity is linked. To achieve this, the identity must be verified, for example through a passport control.

  • Identity information can be exchanged via the OIDC protocol.

  • To use services that provide access to highly confidential data, an IdP must require Multi Factor Authentication.

  • The IdP offers at least the following attributes:

    • User ID

    • Name

    • Organization

    • Role
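The IdP requirements above (OIDC, MFA for highly confidential data, four mandatory attributes) combine with the per-service reliability level into one check on the ID-token claims; the sketch below is an added example, not Health-RI code. It assumes the eIDAS level arrives in the `acr` claim as an eIDAS LoA URI and MFA is signalled by the `amr` value `mfa`; the claim names `organization` and `role`, the service names and the policy table are hypothetical.

```python
# Added example. Input is an ID-token claim set that an OIDC library has
# already verified (signature, issuer, audience, expiry).
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}   # eIDAS levels, ordered
ACR_PREFIX = "http://eidas.europa.eu/LoA/"           # assumed acr format

# Assumed claim names for the four attributes an IdP must offer.
REQUIRED_ATTRIBUTES = {"sub": "User ID", "name": "Name",
                       "organization": "Organization", "role": "Role"}

# Hypothetical per-service policy: minimum eIDAS level and MFA requirement.
SERVICE_POLICY = {
    "data-catalogue": {"min_loa": "low", "mfa": False},
    "analysis-environment": {"min_loa": "high", "mfa": True},
}

def check_claims(claims, service):
    """Return the list of policy violations; an empty list means none."""
    policy = SERVICE_POLICY[service]
    problems = []
    for claim, label in REQUIRED_ATTRIBUTES.items():
        if not claims.get(claim):            # absent, None or empty
            problems.append(f"missing attribute: {label}")
    acr = claims.get("acr")
    level = None
    if isinstance(acr, str) and acr.startswith(ACR_PREFIX):
        level = acr[len(ACR_PREFIX):]
    # An absent or unrecognised acr ranks as 0, so the check fails closed.
    if LOA_RANK.get(level, 0) < LOA_RANK[policy["min_loa"]]:
        problems.append(f"assurance level below {policy['min_loa']}")
    amr = claims.get("amr")
    if policy["mfa"] and not (isinstance(amr, list) and "mfa" in amr):
        problems.append("multi-factor authentication not asserted")
    return problems

# Constructed sample claim sets (not real identities).
SAMPLE_OK = {"sub": "user-0001", "name": "A. Researcher",
             "organization": "umc.example", "role": "researcher",
             "acr": ACR_PREFIX + "high", "amr": ["pwd", "otp", "mfa"]}
SAMPLE_WEAK = {**SAMPLE_OK, "role": "", "amr": ["pwd"],
               "acr": ACR_PREFIX + "substantial"}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        for service in SERVICE_POLICY:
            print(name, service, check_claims(sample, service))
```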

Requirements for Identification and Authentication service

  • Complies with the Government Information Security Baseline (BIO).

  • ISO 27001 certified.

  • Complies with the General Data Protection Regulation (GDPR).

  • Can connect different IdPs and IdP federations.

  • Uses the OIDC protocol.

  • Complies with NEN standard 7518.

Expected setup per user group

Different user groups of the Health-RI ecosystem use different identities in their daily lives. We would like to reuse these to give them access to Health-RI services and therefore to health data. To achieve this, we must investigate whether these identities generate enough trust and whether they may and can be used by Health-RI.

The largest group of users consists of researchers and data specialists at research institutions. These institutions are often members of SURF, and their employees can therefore use the identity federation SRAM (SURF Research Access Management).

We will also investigate whether healthcare employees can gain access via a recognized login tool (for example Yivi) in combination with attributes from the UZI register and which identities are suitable for use by:

  • Innovators

  • Policymakers

  • Citizens and patients

A possible solution for citizens and patients, and eventually also for other user groups, is SSI (Self-Sovereign Identity). In this case it is not an identity provider but the person himself or herself who holds the proof needed to authenticate the identity and carry out authorization, and who can offer this to a service via an app.

 

| User group | IdP | Login means |
|---|---|---|
| Researchers at UMCs and knowledge institutions affiliated with SURF | Institute | Institutional account via SRAM |
| Researchers at top clinical and general hospitals | UZI register | Recognized WDO login means that do not process BSN (e.g. Yivi) |
| Companies | Company personnel administration | Company account via own AD (e.g. Azure-AD) |

Possible suppliers

| IdPs | Authentication services |
|---|---|
| UMCs | SRAM (SURF) |
| Yivi (in combination with UZI) | SURF Conext (SURF) |
| Life Science ID | TVS (government) |
| GA4GH Passport | Keycloak |
| | LifeScience AAI |