SITHS

SITHS cards are a form of electronic identification used throughout the e-healthcare sector of Sweden. SITHS cards allow for strong, multi-factor authentication of physicians, nurses, and other healthcare workers. The Curity Identity Server supports this form of authentication, allowing Swedish county councils and municipalities to identify users with SITHS cards and integrate them into electronic services using OAuth, OpenID Connect, and SAML.

Like Integrated Windows Authentication (IWA), SITHS card support is provided in part by the Windows Connector. This agent is a Web application that runs on Windows Server using the built-in Windows Web server, IIS. By using the Windows Connector, authentication of SITHS cards can be controlled using the TLS settings of IIS. This is important because mutual TLS authentication of clients is fundamental to SITHS card authentication. The overall architecture is shown in the following figure:

[Figure: siths_arch.png]

Fig. 87 SITHS architecture

In this diagram, the user accesses an application via their browser. They are redirected to the Curity Authentication Server using one of the supported integration protocols. When the user selects to login using their SITHS card, they are redirected to the Windows Connector where they must make a mutual TLS connection to IIS. This is only possible if they unlock their SITHS card with a PIN using a smartcard reader and some sort of security application that interfaces with the smartcard reader. To ensure that only SITHS cards are supported for this, the trusted Certificate Authorities (CAs) are configured in IIS.

See also

For information about which CAs to trust in pre-production and production environments, refer to the Inera Web site.

Configuring an Authenticator

To configure a SITHS authenticator instance, ensure that the Windows Connector is installed and then configure an authenticator of type siths. If a windows authenticator (Integrated Windows Authentication, IWA) is also configured, the siths authenticator must use the same symmetric-key and windows-connector-url values as that authenticator. If IWA is not used together with SITHS authentication, the symmetric-key can be any random key and the windows-connector-url is the URL of the Windows Connector running on the IIS machine. A sample configuration is shown in Listing 107:

Listing 107 Sample SITHS authenticator configuration
<authenticator>
    <id>siths1</id>
    <siths xmlns="https://curity.se/ns/conf/authenticators/siths">
        <windows-connector-url>https://ad.example.com/</windows-connector-url>
        <symmetric-key>MyGoodPassword</symmetric-key>
    </siths>
</authenticator>

Test Mode

New in version 1.6.0.

The Curity Authentication Server also supports test SITHS cards. These are cards where the serial number of the client key starts with the prefix TSE (as opposed to SE, used by non-test SITHS cards). To support these, the authenticator must be explicitly configured to be in test mode. It is also possible to configure a SITHS authenticator instance to accept either test or production SITHS cards; however, only production mode should be used in normal operations. The following table summarizes the supported modes, and Listing 108 shows how to configure a SITHS authenticator to allow test SITHS cards to be used.

Mode                  Meaning
production (default)  Only accepts authentication performed by production SITHS cards (those with a serial number prefixed with SE)
test                  Accepts authentication performed using test SITHS cards (those with a serial number prefixed with TSE)
test-or-production    Accepts authentication performed using either test or production SITHS cards

Listing 108 Sample test SITHS authenticator configuration
<authenticator>
    <id>siths1</id>
    <siths xmlns="https://curity.se/ns/conf/authenticators/siths">
        <windows-connector-url>https://ad.example.com/</windows-connector-url>
        <symmetric-key>MyGoodPassword</symmetric-key>
        <mode>test</mode>
    </siths>
</authenticator>
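The acceptance rule in the mode table above, written out as a small Python check. This is an added example, not Curity's code: the serial numbers are constructed, and extracting the serial number from the client certificate is assumed to happen before this check runs. It also shows why the check must be on the prefix and not on a substring, since every TSE serial contains SE.

```python
# Added example (not Curity's code): the acceptance rule from the mode table,
# expressed as a check on the serial-number prefix. Extracting the serial from
# the client certificate is assumed to happen before this function is called.
from typing import Optional

# Which card kinds each configured mode accepts.
ACCEPTED_KINDS = {
    "production": {"production"},
    "test": {"test"},
    "test-or-production": {"production", "test"},
}


def card_kind(serial: str) -> Optional[str]:
    """Classify a SITHS serial: 'test' for the TSE prefix, 'production' for SE, else None."""
    # Prefix test, not substring: "TSE..." contains "SE", so a naive
    # 'if "SE" in serial' would treat a test card as a production card.
    if serial.startswith("TSE"):
        return "test"
    if serial.startswith("SE"):
        return "production"
    return None


def accepts(serial: str, mode: str = "production") -> bool:
    """True if a card with this serial is accepted by an authenticator in the given mode."""
    if mode not in ACCEPTED_KINDS:
        raise ValueError(f"unknown mode: {mode!r}")
    kind = card_kind(serial)
    return kind is not None and kind in ACCEPTED_KINDS[mode]


if __name__ == "__main__":
    # Constructed serials, not values from real cards.
    for mode in ACCEPTED_KINDS:
        for serial in ("SE000000000001", "TSE000000000001", "XX000000000001"):
            verdict = "accept" if accepts(serial, mode) else "reject"
            print(f"{mode:20} {serial:16} {verdict}")
```

The default mode argument mirrors the table: an authenticator with no mode configured behaves as production and rejects TSE cards.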

Creating a SITHS Authenticator with the RESTCONF API

As with any other authenticator, a SITHS authenticator instance can be configured using the REST service. To add a new SITHS authenticator, a PATCH or POST request can be made, similar to the following (where authentication-service refers to the ID of the authentication profile that should be updated to include the SITHS authenticator):

$ AUTHENTICATION_PROFILE_ID=authentication-service
$ curl -X PATCH -u admin:Password1 -k -H "Content-Type: application/yang-data+xml" -d '<authenticators>
<authenticator>
    <id>siths1</id>
    <siths xmlns="https://curity.se/ns/conf/authenticators/siths">
        <symmetric-key>MyGoodPassword</symmetric-key>
        <windows-connector-url>https://ad.example.com/</windows-connector-url>
        <mode>test</mode>
    </siths>
</authenticator>
</authenticators>' "https://localhost:6749/admin/api/restconf/data/profiles/profile=$AUTHENTICATION_PROFILE_ID,authentication-service/settings/authentication-service/authenticators"
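A way to generate the request body for the call above programmatically instead of hand-writing the XML. This is an added example, not Curity's code or client library: it uses Python's standard xml.etree module so that every tag is closed and a symmetric key containing XML-special characters is escaped, and it builds the URL from the path used in the curl command. The parse helper round-trips a body for checking; all values are constructed.

```python
# Added example (not Curity's code): build the RESTCONF request body for a
# SITHS authenticator with an XML library instead of hand-written markup,
# so every tag is closed and the symmetric key is escaped.
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SITHS_NS = "https://curity.se/ns/conf/authenticators/siths"
VALID_MODES = ("production", "test", "test-or-production")


def build_siths_authenticators_xml(authenticator_id: str,
                                   windows_connector_url: str,
                                   symmetric_key: str,
                                   mode: Optional[str] = None) -> str:
    """Return the <authenticators> document to PATCH/POST to the RESTCONF API.

    mode=None omits <mode>, which leaves the server default (production).
    """
    if mode is not None and mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    if not symmetric_key:
        raise ValueError("symmetric-key must not be empty")

    root = ET.Element("authenticators")
    auth = ET.SubElement(root, "authenticator")
    ET.SubElement(auth, "id").text = authenticator_id
    # The namespace is written as a literal xmlns attribute on <siths>: ElementTree
    # would otherwise hoist the declaration onto <authenticators>, changing the
    # namespace of <authenticators> and <id>.
    siths = ET.SubElement(auth, "siths", {"xmlns": SITHS_NS})
    ET.SubElement(siths, "windows-connector-url").text = windows_connector_url
    ET.SubElement(siths, "symmetric-key").text = symmetric_key  # &, <, > are escaped
    if mode is not None:
        ET.SubElement(siths, "mode").text = mode
    return ET.tostring(root, encoding="unicode")


def restconf_authenticators_url(base_url: str, profile_id: str) -> str:
    """Target URL for the request, following the path used in the curl command above."""
    return (f"{base_url.rstrip('/')}/admin/api/restconf/data/profiles/"
            f"profile={profile_id},authentication-service/settings/"
            f"authentication-service/authenticators")


def parse_siths_authenticator(body: str) -> Dict[str, Optional[str]]:
    """Round-trip check: parse a body back into its fields (namespace-aware)."""
    root = ET.fromstring(body)
    auth = root.find("authenticator")
    if auth is None:
        raise ValueError("no <authenticator> element")
    siths = auth.find(f"{{{SITHS_NS}}}siths")
    if siths is None:
        raise ValueError("no <siths> element in the SITHS namespace")
    fields: Dict[str, Optional[str]] = {"id": auth.findtext("id")}
    for child in siths:
        local_name = child.tag.rsplit("}", 1)[-1]
        fields[local_name] = child.text
    return fields


if __name__ == "__main__":
    # Constructed values, not real deployment settings.
    body = build_siths_authenticators_xml("siths1", "https://ad.example.com/",
                                          "MyGoodPassword", "test")
    print(restconf_authenticators_url("https://localhost:6749", "authentication-service"))
    print(body)
    print(parse_siths_authenticator(body))
```

The generated body can be passed to curl with the same headers as above; the round-trip parser is there to confirm that the siths element and its children land in the expected namespace before the request is sent.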