SITHS eID for Active Directory Federation Services (ADFS)

Challenge

The Swedish healthcare system has high security requirements for access to a patient's information, such as a medical record (journal). The requirements follow from the law that protects a patient's personal data, PDL (the Patient Data Act). To protect digital access to systems that process patient data, authentication with SITHS is required. SITHS functions as a service credential that ties a user to an organization; almost all employees in Sweden's regions and many employees in Sweden's municipalities have a SITHS card in order to access patient data. SITHS can also be used to access other systems that do not process patient data. Many regions and municipalities use software from Microsoft to manage their infrastructure: computers, servers, user accounts and permissions. Microsoft provides Active Directory Federation Services (ADFS) so that users can easily log in, with single sign-on, to different types of systems. However, ADFS lacks support for logging in with SITHS.

Solution

With Fortified ID's SITHS ADFS adapter, SITHS can be added as an authentication method in ADFS. The solution is very cost effective, since the systems within the organization that are already connected to ADFS do not need to change anything. The solution supports login via Inera's client software SITHS eID, with a SITHS card or mobile SITHS. Authentication with SITHS is supported both on the same device and on another device. Same device means that card authentication is selected automatically on a computer and that mobile SITHS is selected automatically on a mobile device. Other device means that a QR code is displayed, which the user scans with SITHS eID on the mobile device. The graphical user interface presented to users is fully customizable so that it aligns with the organization's graphic profile. The requirement for SITHS authentication can be turned on or off for a user based on a number of criteria, such as which system the user is about to log in to, whether the user is in the office or at home, and whether the user is connecting from a trusted device.

Other

The solution integrates with Inera's API (authentication service). Cryptographic keys are required for communication from the solution to Inera's API in order to establish a secure tunnel. These keys can be stored in a secured file area or in an HSM (Hardware Security Module). ADFS has a hard dependency on the user's account in Active Directory (AD) during authentication. The solution therefore maps the identifier on the SITHS card, the social security number or the HSA-id, to an attribute on the user's account in AD, linking SITHS to the AD account. The organization chooses which attribute to use for this mapping.
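The mapping described above only works safely if the chosen AD attribute is populated and unique: a value shared by two accounts would make a card ambiguous. As an added example, not code from this page or from Fortified ID's product, the PowerShell below audits the mapping attribute for duplicates and empty values and shows a lookup that refuses to resolve a card identifier matching zero or several accounts. The attribute name employeeID and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the page or the product). Assumes the ActiveDirectory
# module is installed and that the organization stores the HSA-id in employeeID.
Import-Module ActiveDirectory

$MappingAttribute = 'employeeID'   # assumption: the attribute chosen for the SITHS mapping

# Audit: every value of the mapping attribute must identify exactly one account,
# and every enabled account that should use SITHS needs a value to map against.
function Test-SithsMappingAttribute {
    param([string]$Attribute = $MappingAttribute, [string]$SearchBase)

    $params = @{ Filter = '*'; Properties = $Attribute }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    $users = Get-ADUser @params

    $duplicates = $users |
        Where-Object { $_.$Attribute } |
        Group-Object -Property $Attribute |
        Where-Object { $_.Count -gt 1 }

    $missing = @($users | Where-Object { $_.Enabled -and -not $_.$Attribute })

    foreach ($group in $duplicates) {
        Write-Warning ("Value '{0}' in {1} is shared by {2} accounts: {3}" -f `
            $group.Name, $Attribute, $group.Count, ($group.Group.SamAccountName -join ', '))
    }
    Write-Output ("{0} enabled accounts have no {1} value" -f $missing.Count, $Attribute)
    return (@($duplicates).Count -eq 0)
}

# Lookup: resolve a card identifier to one enabled AD account. Zero or many matches
# are rejected so a shared or mistyped attribute value can never log a card in as
# the wrong user.
function Resolve-SithsUser {
    param([Parameter(Mandatory)][string]$CardIdentifier, [string]$Attribute = $MappingAttribute)

    # Double any single quote so the value cannot break out of the filter literal.
    $escaped = $CardIdentifier -replace "'", "''"
    $found = @(Get-ADUser -Filter "$Attribute -eq '$escaped'" -Properties $Attribute |
               Where-Object { $_.Enabled })

    if ($found.Count -ne 1) {
        throw "Identifier maps to $($found.Count) enabled accounts; refusing to authenticate"
    }
    return $found[0]
}
```

Run Test-SithsMappingAttribute before enabling the adapter and again on a schedule, since later account changes can reintroduce a duplicate value.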