Pro Santé Connect¶
Presentation¶
Pro Santé Connect is a French identity provider for healthcare professionals. It relies on OpenID Connect protocol.
Register on Pro Santé Connect¶
Once OpenID Connect service is configured, you need to register to Pro Santé Connect.
Go on https://integrateurs-cps.asipsante.fr.
You need to provide the callback URLs, for example https://auth.domain.com/?openidconnectcallback=1.
And also a logout URL, for example https://auth.domain.com/?logout=1.
You will then get a client_id
and a client_secret
.
Declare Pro Santé Connect in your LL::NG server¶
Go in Manager and create a new OpenID Connect provider. You can call it
psc-connect
for example.
Click on Metadata
and set manually the metadata of the service.
For the sandbox server:
{
"issuer": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet",
"authorization_endpoint": "https://wallet.bas.esw.esante.gouv.fr/auth",
"token_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token",
"introspection_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/logout",
"jwks_uri": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs",
"check_session_iframe": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"scopes_supported": [
"openid",
"address",
"email",
"identity",
"microprofile-jwt",
"offline_access",
"phone",
"profile",
"roles",
"scope_1",
"scope_2",
"scope_all",
"web-origins",
"eidas2"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true
}
You should alos import JWKS data from https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs directly in configuration to avoid requests to reload them.
Go in Exported attributes
to choose which attributes you want to collect.
Read the technical documentation to know available attributes:
https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/documentation-technique
Now go in Options
:
Register the
client_id
andclient_secret
given by Pro Santé ConnectIn
Scopes
setopenid scope_all
In
ACR values
seteidas2
You can also set the name and the logo