2021-09-05 20:49:23 +02:00
|
|
|
Pro Santé Connect
|
|
|
|
=================
|
|
|
|
|
|
|
|
|logo|
|
|
|
|
|
|
|
|
Presentation
|
|
|
|
------------
|
|
|
|
|
|
|
|
`Pro Santé Connect <https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/presentation-generale>`__ is
|
|
|
|
a French identity provider for healthcare professionals. It relies on OpenID Connect protocol.
|
|
|
|
|
|
|
|
Register on Pro Santé Connect
|
|
|
|
-----------------------------
|
|
|
|
|
|
|
|
Once :doc:`OpenID Connect service<openidconnectservice>` is configured,
|
|
|
|
you need to register to Pro Santé Connect.
|
|
|
|
|
|
|
|
Go on https://integrateurs-cps.asipsante.fr.
|
|
|
|
|
|
|
|
You need to provide the callback URLs, for example
|
2021-09-20 14:45:20 +02:00
|
|
|
https://auth.domain.com/?openidconnectcallback=1.
|
2021-09-05 20:49:23 +02:00
|
|
|
|
|
|
|
And also a logout URL, for example
|
|
|
|
https://auth.domain.com/?logout=1.
|
|
|
|
|
|
|
|
You will then get a ``client_id`` and a ``client_secret``.
|
|
|
|
|
|
|
|
Declare Pro Santé Connect in your LL::NG server
|
|
|
|
-----------------------------------------------
|
|
|
|
|
|
|
|
Go in Manager and create a new OpenID Connect provider. You can call it
|
|
|
|
``psc-connect`` for example.
|
|
|
|
|
|
|
|
Click on ``Metadata`` and set manually the metadata of the service.
|
|
|
|
|
|
|
|
For the sandbox server:
|
|
|
|
|
|
|
|
.. code-block:: javascript
|
|
|
|
|
|
|
|
{
|
|
|
|
"issuer": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet",
|
|
|
|
"authorization_endpoint": "https://wallet.bas.esw.esante.gouv.fr/auth",
|
|
|
|
"token_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token",
|
|
|
|
"introspection_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token/introspect",
|
|
|
|
"userinfo_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/userinfo",
|
|
|
|
"end_session_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/logout",
|
|
|
|
"jwks_uri": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs",
|
|
|
|
"check_session_iframe": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/login-status-iframe.html",
|
|
|
|
"grant_types_supported": [
|
|
|
|
"authorization_code",
|
|
|
|
"implicit",
|
|
|
|
"refresh_token",
|
|
|
|
"password",
|
|
|
|
"client_credentials"
|
|
|
|
],
|
|
|
|
"response_types_supported": [
|
|
|
|
"code",
|
|
|
|
"none",
|
|
|
|
"id_token",
|
|
|
|
"token",
|
|
|
|
"id_token token",
|
|
|
|
"code id_token",
|
|
|
|
"code token",
|
|
|
|
"code id_token token"
|
|
|
|
],
|
|
|
|
"subject_types_supported": [
|
|
|
|
"public",
|
|
|
|
"pairwise"
|
|
|
|
],
|
|
|
|
"id_token_signing_alg_values_supported": [
|
|
|
|
"PS384",
|
|
|
|
"ES384",
|
|
|
|
"RS384",
|
|
|
|
"HS256",
|
|
|
|
"HS512",
|
|
|
|
"ES256",
|
|
|
|
"RS256",
|
|
|
|
"HS384",
|
|
|
|
"ES512",
|
|
|
|
"PS256",
|
|
|
|
"PS512",
|
|
|
|
"RS512"
|
|
|
|
],
|
|
|
|
"id_token_encryption_alg_values_supported": [
|
|
|
|
"RSA-OAEP",
|
|
|
|
"RSA1_5"
|
|
|
|
],
|
|
|
|
"id_token_encryption_enc_values_supported": [
|
|
|
|
"A256GCM",
|
|
|
|
"A192GCM",
|
|
|
|
"A128GCM",
|
|
|
|
"A128CBC-HS256",
|
|
|
|
"A192CBC-HS384",
|
|
|
|
"A256CBC-HS512"
|
|
|
|
],
|
|
|
|
"userinfo_signing_alg_values_supported": [
|
|
|
|
"PS384",
|
|
|
|
"ES384",
|
|
|
|
"RS384",
|
|
|
|
"HS256",
|
|
|
|
"HS512",
|
|
|
|
"ES256",
|
|
|
|
"RS256",
|
|
|
|
"HS384",
|
|
|
|
"ES512",
|
|
|
|
"PS256",
|
|
|
|
"PS512",
|
|
|
|
"RS512",
|
|
|
|
"none"
|
|
|
|
],
|
|
|
|
"request_object_signing_alg_values_supported": [
|
|
|
|
"PS384",
|
|
|
|
"ES384",
|
|
|
|
"RS384",
|
|
|
|
"HS256",
|
|
|
|
"HS512",
|
|
|
|
"ES256",
|
|
|
|
"RS256",
|
|
|
|
"HS384",
|
|
|
|
"ES512",
|
|
|
|
"PS256",
|
|
|
|
"PS512",
|
|
|
|
"RS512",
|
|
|
|
"none"
|
|
|
|
],
|
|
|
|
"response_modes_supported": [
|
|
|
|
"query",
|
|
|
|
"fragment",
|
|
|
|
"form_post"
|
|
|
|
],
|
|
|
|
"registration_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/clients-registrations/openid-connect",
|
|
|
|
"token_endpoint_auth_methods_supported": [
|
|
|
|
"private_key_jwt",
|
|
|
|
"client_secret_basic",
|
|
|
|
"client_secret_post",
|
|
|
|
"tls_client_auth",
|
|
|
|
"client_secret_jwt"
|
|
|
|
],
|
|
|
|
"token_endpoint_auth_signing_alg_values_supported": [
|
|
|
|
"PS384",
|
|
|
|
"ES384",
|
|
|
|
"RS384",
|
|
|
|
"HS256",
|
|
|
|
"HS512",
|
|
|
|
"ES256",
|
|
|
|
"RS256",
|
|
|
|
"HS384",
|
|
|
|
"ES512",
|
|
|
|
"PS256",
|
|
|
|
"PS512",
|
|
|
|
"RS512"
|
|
|
|
],
|
|
|
|
"claims_supported": [
|
|
|
|
"aud",
|
|
|
|
"sub",
|
|
|
|
"iss",
|
|
|
|
"auth_time",
|
|
|
|
"name",
|
|
|
|
"given_name",
|
|
|
|
"family_name",
|
|
|
|
"preferred_username",
|
|
|
|
"email",
|
|
|
|
"acr"
|
|
|
|
],
|
|
|
|
"claim_types_supported": [
|
|
|
|
"normal"
|
|
|
|
],
|
|
|
|
"claims_parameter_supported": false,
|
|
|
|
"scopes_supported": [
|
|
|
|
"openid",
|
|
|
|
"address",
|
|
|
|
"email",
|
|
|
|
"identity",
|
|
|
|
"microprofile-jwt",
|
|
|
|
"offline_access",
|
|
|
|
"phone",
|
|
|
|
"profile",
|
|
|
|
"roles",
|
|
|
|
"scope_1",
|
|
|
|
"scope_2",
|
|
|
|
"scope_all",
|
|
|
|
"web-origins",
|
|
|
|
"eidas2"
|
|
|
|
],
|
|
|
|
"request_parameter_supported": true,
|
|
|
|
"request_uri_parameter_supported": true,
|
|
|
|
"code_challenge_methods_supported": [
|
|
|
|
"plain",
|
|
|
|
"S256"
|
|
|
|
],
|
|
|
|
"tls_client_certificate_bound_access_tokens": true
|
|
|
|
}
|
|
|
|
|
|
|
|
You should alos import JWKS data from https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs
|
|
|
|
directly in configuration to avoid requests to reload them.
|
|
|
|
|
|
|
|
Go in ``Exported attributes`` to choose which attributes you want to collect.
|
|
|
|
Read the technical documentation to know available attributes:
|
|
|
|
https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/documentation-technique
|
|
|
|
|
|
|
|
Now go in ``Options``:
|
|
|
|
|
|
|
|
- Register the ``client_id`` and ``client_secret`` given by Pro Santé Connect
|
|
|
|
- In ``Scopes`` set ``openid scope_all``
|
|
|
|
- In ``ACR values`` set ``eidas2``
|
|
|
|
- You can also set the name and the logo
|
|
|
|
|
|
|
|
.. |logo| image:: /applications/prosanteconnect_logo.png
|
|
|
|
:class: align-center
|