SITHS

About SITHS

SITHS by Inera is a Swedish smartcard-based eID solution for professional use. It is used by healthcare professionals and other employees in the Swedish healthcare sector, as well as other employees in the Swedish public sector. SITHS is approved as a Swedish eID (svensk e-legitimation) by the Swedish authority DIGG for assurance level substantial (Swedish level 3). This includes the old version of SITHS, which is approved until June 2020.

Key features

  • LoA 3 (regular cards) / LoA 2 (replacement cards)
  • Public key infrastructure (PKI)-based eID with two certificate pairs: one certificate holds the Swedish national ID number (personnummer) and the other holds a Swedish HSA-id (an identification number for health personnel).
  • The smartcards include a Telia eID.

The primary use of SITHS is authentication and signing in local systems in the user’s organization, e.g. in an electronic patient record system. While that functionality is out of scope for Signicat, Signicat supports online authentication with SITHS through TLS with client certificate authentication. Authentication-based signing with SITHS is also supported. Other existing solutions are not supported unless otherwise stated.

Old version of SITHS and transition

Until the end of 2020, Signicat will support the previous version of SITHS, in addition to the current one. The previous version only has one certificate pair, containing the HSA-id, which means that the Swedish national ID number is not supported. This version is included for any customer signing up for SITHS before deprecation in June 2020. The transition process to the new SITHS version is described on the Inera website: “Förändringar och åtgärder för att kunna använda SITHS e-id certifikaten” (in Swedish).

Integrating with SITHS through Signicat

Web integration with SITHS is done via the same API as Signicat’s other ID methods. See “Get started with authentication” for more information. Through the single point of integration, merchants get access to Signicat’s wide portfolio of integrated ID methods, as well as other services like identity paper verification and lookups.

Authentication

Holders of a SITHS card can use it to log in to a website of a service provider that supports this method. Note that the use of a specific certificate for authentication is not enforced, which means that the merchant cannot ensure that, for instance, the HSA-id is always returned. The certificate returned after an authentication process is the one selected by the end-user. The merchant must therefore find a way to ensure that end-users select the appropriate certificate where necessary, for example by displaying a warning text before the authentication process begins.

Note that it is possible to map HSA-id and personnummer by performing a lookup in the HSA catalogue, a service provided by Inera. You can find more information about the service on the Inera website: “Katalogtjänst HSA” (in Swedish). Signicat has no integration to the HSA catalogue, so merchants must assume the responsibility for integrating towards the HSA catalogue if mapping is needed.

Signicat’s default configuration is for an LoA 3 service, which means that replacement cards cannot be used for authentication (see Key features above). However, a merchant can ask for a configuration that also includes LoA 2, which makes it possible to use replacement cards. Whichever configuration the merchant chooses, there is no way to accept LoA 3 or LoA 2 dynamically; the chosen configuration is used in all cases. Furthermore, keep in mind that LoA checks can only be performed after authentication has completed. Thus, in the default configuration, end-users with a replacement card will go through authentication and then be denied access afterwards.

This is what the authentication process looks like for an end-user:

[Screenshot of the SITHS authentication flow, not reproduced here]

How to get started with SITHS

If you want to start using SITHS through Signicat, get in touch with us and our sales team will guide you through the process.

Client side requirements

The end-user needs a SITHS card with certificates, a card reader, and (usually) specific software (a browser plug-in or similar). The user is expected to obtain all of these from their employer, for instance a health service provider. The following requirements apply:

  • Support for JavaScript and cookies is required.
  • Windows systems:
    • Browsers: Edge, Internet Explorer, or Chrome.
    • A version of Net iD Enterprise that supports SITHS cards (see “Mer om tjänsten” on the Inera website, in Swedish)
  • Linux systems:
    • Browsers: Chrome or Firefox.
    • No additional software is required. The browser’s own PKCS#11 support handles SITHS cards.
  • Mac OS X:
    • This operating system has not been tested yet, but installing Net iD Enterprise is recommended.

Test information

Signicat’s test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase. Test cards can be ordered on the Inera website (in Swedish). Bear in mind that only test SITHS cards can be used for testing in Signicat’s preprod environment, and not real ones. On the other hand, SITHS test cards do not work in Signicat’s production environment, where real SITHS cards must be used.

Attributes

Attribute                                                 Example value
--------------------------------------------------------  ----------------------------------------------------------
subject.name (HSA-id)                                     EMAILADDRESS=SITHStest@inera.se, SERIALNUMBER=TST5565594230-1140, GIVENNAME=Per, SURNAME=Ericsson, CN=Per Ericsson, O=Inera AB, L=SITHS, C=SE
subject.name (personal id number)                         SERIALNUMBER=189406189812, GIVENNAME=Olof, SURNAME=Olsson Ericsson, CN=Olof Olsson Ericsson, O=Inera AB, L=SITHS, C=SE
subject.format                                            urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
subject.nameQualifier
authentication.method                                     urn:ksi:names:SAML:2.0:ac:SITHS
authentication.instant                                    Wed Oct 16 11:13:41 CEST 2019
signicat.service-name                                     acme
signicat.method-name                                      siths
signicat.security-level                                   3
signicat.nationality                                      SE
signicat.unique-id (HSA-id)                               TST5565594230-1140
signicat.unique-id (personal id number)                   189406189812
signicat.plain-name                                       Per Ericsson
signicat.pki.serial                                       7380284372308284555093693108199695
signicat.friendly-name                                    SITHS
siths.hsa-id (only on HSA-id cards)                       TST5565594230-1140
signicat.national-id (only on personal id number cards)   189406189812
siths.card-number                                         9752269875700092420
siths.serialnumber                                        TST5565594230-1140
siths.givenname                                           Per
siths.surname                                             Ericsson
siths.cn                                                  Per Ericsson
siths.org.name                                            Inera AB
siths.email (only on HSA-id cards)                        SITHStest@inera.se
siths.user-principal-name (only on V1 cards)              TST5565594230-1140@TESTinera.se
siths.cert-policies                                       1.2.752.35.99.2.3
siths.not-before                                          2019-07-11T09:06:45.000Z
siths.not-after                                           2022-04-06T21:58:00.000Z
signicat.attribute.hsa-id (only on HSA-id cards)          TST5565594230-1140
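The Authentication section above leaves three checks to the merchant: the end-user may have picked either certificate, the LoA can only be evaluated after authentication, and the certificate validity dates arrive as attributes. The following is an added example of those merchant-side checks, not Signicat’s or Inera’s code. It assumes the merchant already holds the attributes from the table above as a flat dict of attribute name to value (the SAML or OIDC transport is left out), and the sample logins are constructed from the example values on this page.

```python
"""Merchant-side checks on a SITHS login returned through Signicat.

Added example, not Signicat's or Inera's code. Assumes the attribute set
from the Attributes table arrives as a flat {name: value} dict.
"""
import re
from datetime import datetime, timezone

# Assurance level agreed with Signicat: 3 is the default (regular cards),
# 2 additionally admits replacement cards.
REQUIRED_LOA = 3


def parse_dn(dn: str) -> dict:
    """Split an X509SubjectName such as the subject.name values above
    ("SERIALNUMBER=..., GIVENNAME=..., CN=..., O=Inera AB, L=SITHS, C=SE")
    into {TYPE: value}. SITHS subject names contain no escaped commas,
    so a plain split on the comma is enough here."""
    parsed = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            parsed[key.strip().upper()] = value.strip()
    return parsed


def parse_utc(ts: str) -> datetime:
    """siths.not-before / siths.not-after look like 2019-07-11T09:06:45.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def card_type(attrs: dict) -> str:
    """Return "hsa-id" or "personal-id" for the certificate the user selected.
    The dedicated attributes are consulted first; the SERIALNUMBER in the DN
    is the fallback (a personnummer is 12 digits, an HSA-id is not)."""
    if attrs.get("siths.hsa-id"):
        return "hsa-id"
    if attrs.get("signicat.national-id"):
        return "personal-id"
    serial = parse_dn(attrs.get("subject.name", "")).get("SERIALNUMBER", "")
    return "personal-id" if re.fullmatch(r"\d{12}", serial) else "hsa-id"


def check_login(attrs: dict, required_card: str = "hsa-id",
                required_loa: int = REQUIRED_LOA, now: datetime = None):
    """Return (accepted, problems). None of these checks can run before the
    user has authenticated, which is why a replacement-card holder in an
    LoA 3 setup authenticates first and is rejected afterwards."""
    if now is None:
        now = datetime.now(timezone.utc)
    problems = []
    kind = card_type(attrs)
    if kind != required_card:
        problems.append(f"user selected a {kind} certificate, {required_card} required")
    try:
        level = int(attrs.get("signicat.security-level", "0"))
    except ValueError:
        level = 0
    if level < required_loa:
        problems.append(f"security level {level} is below required LoA {required_loa}")
    try:
        not_before = parse_utc(attrs["siths.not-before"])
        not_after = parse_utc(attrs["siths.not-after"])
        if not (not_before <= now <= not_after):
            problems.append("certificate validity period does not cover the login time")
    except (KeyError, ValueError):
        problems.append("certificate validity attributes missing or malformed")
    return (not problems), problems


# Constructed sample logins, built from the example values in the Attributes table.
HSA_LOGIN = {
    "subject.name": "EMAILADDRESS=SITHStest@inera.se, SERIALNUMBER=TST5565594230-1140, "
                    "GIVENNAME=Per, SURNAME=Ericsson, CN=Per Ericsson, O=Inera AB, L=SITHS, C=SE",
    "signicat.security-level": "3",
    "siths.hsa-id": "TST5565594230-1140",
    "siths.not-before": "2019-07-11T09:06:45.000Z",
    "siths.not-after": "2022-04-06T21:58:00.000Z",
}
PERSONAL_LOGIN = {
    "subject.name": "SERIALNUMBER=189406189812, GIVENNAME=Olof, SURNAME=Olsson Ericsson, "
                    "CN=Olof Olsson Ericsson, O=Inera AB, L=SITHS, C=SE",
    "signicat.security-level": "3",
    "signicat.national-id": "189406189812",
    "siths.not-before": "2019-07-11T09:06:45.000Z",  # constructed: same window as above
    "siths.not-after": "2022-04-06T21:58:00.000Z",
}
# Constructed: an LoA 2 replacement card, otherwise identical to the HSA-id login.
REPLACEMENT_LOGIN = {**HSA_LOGIN, "signicat.security-level": "2"}

# authentication.instant on the page is Wed Oct 16 11:13:41 CEST 2019, i.e. 09:13:41 UTC.
AUTH_TIME = datetime(2019, 10, 16, 9, 13, 41, tzinfo=timezone.utc)
EXPIRED_TIME = datetime(2023, 1, 1, tzinfo=timezone.utc)  # after siths.not-after

if __name__ == "__main__":
    for label, login in (("HSA-id card", HSA_LOGIN), ("personnummer card", PERSONAL_LOGIN),
                         ("replacement card", REPLACEMENT_LOGIN)):
        print(label, check_login(login, now=AUTH_TIME))
```

Running the block with the default policy (HSA-id certificate required, LoA 3) accepts only the first login; the personnummer login fails the certificate-kind check and the replacement card fails the LoA check, matching the behaviour the section describes. Passing `required_loa=2` models the alternative configuration a merchant can request from Signicat.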

OIDC claim mapping

OIDC claim                        SAML1 attribute reference
--------------------------------  -------------------------------
name                              ${signicat.plain-name}
given_name                        ${siths.given-name}
family_name                       ${siths.surname}
email                             ${siths.email}
signicat.certificate_not_before   ${siths.not-before}
signicat.certificate_not_after    ${siths.not-after}
signicat.certificate_issuer_dn    N/A (will be added later)
signicat.certificate_dn           N/A (will be added later)
signicat.certificate_policies     ${siths.cert-policies}
siths.hsa-id                      ${siths.hsa-id}
siths.personal-id-no              ${siths.personal-id-no}
siths.user-principal-name         ${siths.user-principal-name}
siths.card-number                 ${siths.card-number}
siths.org-name                    ${siths.org.name}

Other sources