SITHS

SITHS cards are a form of electronic identification used throughout the e-healthcare sector of Sweden. SITHS cards allow for strong, multi-factor authentication of physicians, nurses, and other healthcare workers. The Curity Identity Server supports this form of authentication, allowing Swedish county councils and municipalities to identify users with SITHS cards and integrate them into electronic services using OAuth, OpenID Connect, and SAML.

Figure: SITHS architecture

In this diagram, the user accesses an application via their browser. They are redirected to the Curity Identity Server using one of the supported integration protocols. When the user chooses to log in using their SITHS card, they are redirected to the Windows Connector, where they must make a mutual TLS connection to IIS. This is only possible if they unlock their SITHS card with a PIN using a smartcard reader and a security application that interfaces with the smartcard reader. To ensure that only SITHS cards are accepted, the trusted Certificate Authorities (CAs) are configured in IIS.

For information about which CAs to trust in pre-production and production environments, refer to the Inera web site.

Configuring an Authenticator

To configure a SITHS authenticator instance, ensure that the Windows Connector is installed and then configure an authenticator of type siths. If a windows authenticator is also configured, you must use the same symmetric-key and windows-connector-url that are configured for Windows Integrated Authentication (IWA). If IWA is not used together with SITHS authentication, these can be any random key and the URL of the Windows Connector running on the IIS machine, respectively.

Sample SITHS authenticator configuration

<authenticator>
    <id>siths1</id>
    <siths xmlns="https://curity.se/ns/conf/authenticators/siths">
        <windows-connector-url>https://ad.example.com/</windows-connector-url>
        <symmetric-key>MyGoodPassword</symmetric-key>
    </siths>
</authenticator>

Test Mode

The Curity Identity Server also supports test SITHS cards. These are cards where the serial number of the client key starts with the prefix TSE or QSE (as opposed to SE, used by non-test SITHS cards). To support these, the authenticator must be explicitly configured to be in test mode. It is also possible to configure a SITHS authenticator instance to accept either test or production SITHS cards; however, only production mode should be used in normal operations.

Mode                    Meaning
production (default)    Only accepts authentication performed by production SITHS cards (those with a serial number prefixed with SE)
test                    Accepts authentication performed using test SITHS cards (those with a serial number prefixed with TSE or QSE)
test-or-production      Accepts authentication performed using either test or production SITHS cards

Sample test SITHS authenticator configuration

<authenticator>
    <id>siths1</id>
    <siths xmlns="https://curity.se/ns/conf/authenticators/siths">
        <windows-connector-url>https://ad.example.com/</windows-connector-url>
        <symmetric-key>MyGoodPassword</symmetric-key>
        <mode>test</mode>
    </siths>
</authenticator>
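As an added illustration (not Curity's own code), the following Python models the mode table above and reads the optional mode element from a configuration fragment shaped like the sample; the serial numbers and the fragment are constructed, and the prefix rule is taken from the text, not from Curity's implementation. It also shows why the prefix test must be anchored at the start of the serial number.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SITHS_NS = "https://curity.se/ns/conf/authenticators/siths"
# Which card kinds each <mode> value accepts, per the table above.
ACCEPTED_KINDS = {
    "production": {"production"},            # default when <mode> is absent
    "test": {"test"},
    "test-or-production": {"test", "production"},
}

def card_kind(serial: str) -> Optional[str]:
    """Classify by the prefix the page describes: TSE/QSE mark test cards,
    SE marks production cards; anything else is not a SITHS card."""
    if serial.startswith(("TSE", "QSE")):
        return "test"
    if serial.startswith("SE"):
        return "production"
    return None

def naive_is_production(serial: str) -> bool:
    """Pitfall for comparison: an unanchored substring check also matches the
    'SE' inside 'TSE...' and 'QSE...', so test cards would pass as production."""
    return "SE" in serial

def configured_mode(authenticator_xml: str) -> str:
    """Read <mode> from an <authenticator> fragment; absent means production."""
    root = ET.fromstring(authenticator_xml)
    mode_el = root.find(f"{{{SITHS_NS}}}siths/{{{SITHS_NS}}}mode")
    mode = mode_el.text.strip() if mode_el is not None and mode_el.text else "production"
    if mode not in ACCEPTED_KINDS:
        raise ValueError(f"unknown SITHS mode: {mode!r}")
    return mode

def accepts(mode: str, serial: str) -> bool:
    """True if a card with this serial number is accepted under the given mode."""
    kind = card_kind(serial)
    return kind is not None and kind in ACCEPTED_KINDS[mode]

# Constructed fragment mirroring the sample test configuration above.
TEST_CONFIG = f"""<authenticator>
  <id>siths1</id>
  <siths xmlns="{SITHS_NS}">
    <windows-connector-url>https://ad.example.com/</windows-connector-url>
    <symmetric-key>MyGoodPassword</symmetric-key>
    <mode>test</mode>
  </siths>
</authenticator>"""
PROD_CONFIG = TEST_CONFIG.replace("<mode>test</mode>\n", "")  # no <mode>: default
```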

Creating a SITHS Authenticator with the RESTCONF API

As with any other authenticator, a SITHS authenticator instance can be configured using the REST service. To add a new SITHS authenticator, make a PATCH or POST request similar to the following (where authentication-service is the ID of the authentication profile that should be updated to include the SITHS authenticator):

$ AUTHENTICATION_PROFILE_ID=authentication-service
$ curl -X PATCH -u admin:Password1 -k -H "Content-Type: application/yang-data+xml" -d '<authenticators>
    <authenticator>
        <id>siths1</id>
        <siths xmlns="https://curity.se/ns/conf/authenticators/siths">
            <symmetric-key>MyGoodPassword</symmetric-key>
            <windows-connector-url>https://ad.example.com/</windows-connector-url>
            <mode>test</mode>
        </siths>
    </authenticator>
</authenticators>' "https://localhost:6749/admin/api/restconf/data/profiles/profile=$AUTHENTICATION_PROFILE_ID,authentication-service/settings/authentication-service/authenticators"
