
Zorgdomein Integration: A Guide to Secure .NET and Azure Architecture
Why It Matters
This approach turns a regulatory hurdle into a competitive advantage, protecting sensitive health data while enabling seamless cross‑institutional workflows. Organizations that embed these controls at the architecture level avoid costly remediation and can more readily expand into other national health exchanges.
Key Takeaways
- Double‑Lock security combines mTLS and JWT authentication
- IIS must require client certificates for Zorgdomein integration
- Custom JWT middleware validates non‑standard Dutch healthcare claims
- POCO‑to‑FHIR mapping handles NL HL7 profile extensions
- Bidirectional validation prevents malformed data from corrupting systems
Pulse Analysis
Interoperability in European healthcare is no longer a buzzword; it is a regulatory imperative. The Dutch Zorgdomein portal acts as the national conduit for patient data, imposing a “Double‑Lock” model that blends transport‑level mutual TLS with application‑level JWTs. For CTOs overseeing SaaS platforms, this architecture forces a shift from quick‑code solutions to a disciplined security‑first design. Understanding the policy‑driven requirements—such as strict certificate trust chains and mandated claim structures—sets the foundation for any cross‑border health‑IT initiative.
Implementing mTLS in an IIS‑hosted .NET service introduces a series of configuration hurdles. The server must not only present a valid certificate but also demand a client certificate, moving the SSL setting from “Ignore” to “Require”. Simultaneously, the JWT layer cannot rely on generic OIDC middleware; Dutch regulations require custom claim validation that ties the token to a specific organization and patient identifier. Extending `JwtSecurityTokenHandler` and injecting a bespoke middleware component ensures that even a compromised certificate cannot be used without a correctly signed token, preserving end‑to‑end trust.
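One way to write the custom claim check described above, as an added example that is not code from the original article or from Zorgdomein: a `JwtSecurityTokenHandler` subclass that runs the standard validation and then rejects tokens without the expected organization and exactly one patient claim. The claim names `organization_id` and `patient_id`, the issuer, audience, symmetric demo key and ids are assumptions constructed for the demo; it requires the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
// Added example. Claim names, key, issuer, audience and ids are constructed, not Zorgdomein's.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class HealthcareJwtHandler : JwtSecurityTokenHandler
{
    private readonly string _expectedOrg; // hypothetical: sender organization pinned per integration
    public HealthcareJwtHandler(string expectedOrg)
    {
        _expectedOrg = expectedOrg;
        MapInboundClaims = false; // keep claim names exactly as they appear in the token
    }

    public override ClaimsPrincipal ValidateToken(string token, TokenValidationParameters parameters, out SecurityToken validatedToken)
    {
        // Base handler checks signature, issuer, audience and lifetime first.
        var principal = base.ValidateToken(token, parameters, out validatedToken);
        // Exactly one organization claim, and it must be the expected sender.
        var orgs = principal.FindAll("organization_id").Select(c => c.Value).ToList();
        if (orgs.Count != 1 || !string.Equals(orgs[0], _expectedOrg, StringComparison.Ordinal))
            throw new SecurityTokenValidationException("organization claim missing, duplicated or unexpected");

        // Exactly one non-empty patient claim; the value itself is never logged.
        if (principal.FindAll("patient_id").Count(c => !string.IsNullOrWhiteSpace(c.Value)) != 1)
            throw new SecurityTokenValidationException("patient claim missing or ambiguous");
        return principal;
    }
}

public static class Program
{
    public static void Main()
    {
        // Symmetric key for the demo only; a real integration verifies against the issuer's public key.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-32-bytes-min!!"));
        var parameters = new TokenValidationParameters { ValidIssuer = "https://issuer.example", ValidAudience = "https://api.example", IssuerSigningKey = key };
        var handler = new HealthcareJwtHandler("org-123");
        foreach (var org in new[] { "org-123", "org-999" })
        {
            var jwt = handler.WriteToken(new JwtSecurityToken("https://issuer.example", "https://api.example",
                new[] { new Claim("organization_id", org), new Claim("patient_id", "patient-001") },
                expires: DateTime.UtcNow.AddMinutes(5), signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));
            try { handler.ValidateToken(jwt, parameters, out _); Console.WriteLine($"{org}: accepted"); }
            catch (SecurityTokenValidationException e) { Console.WriteLine($"{org}: rejected ({e.Message})"); }
        }
    }
}
```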
The final piece is semantic translation between internal POCO models and the FHIR standard used by Zorgdomein. Simple field‑to‑field mapping fails to meet the HL7‑NL profiles, which embed national identifiers like the BSN and localized address formats. By building a profile‑aware translation service with the `Hl7.Fhir.Net` library, developers can generate compliant resources for outbound messages and rigorously validate inbound ones before persisting them. This bidirectional validation eliminates data silos, reduces compliance risk, and positions the platform for future expansions into other European health networks.