EFA Identity Assertion SAML2 Binding

Aus Hl7wiki
(Teildokument von CDA für die elektronische Fallakte)
Wechseln zu: Navigation, Suche
Dieses Material ist Teil des Leitfadens CDA für die elektronische Fallakte.
  • Direkt im Wiki geändert werden sollten Schreibfehler, ergänzende Hinweise.
  • Offene Fragen, die der Diskussionen bedürfen, sollten auf der Diskussionsseite aufgenommen werden.
  • Liste der Seiten dieses Leitfadens: hier, Liste der Seiten, in denen dieses Material verwendet (transkludiert) siehe hier .

Anmerkung: Die unter den einzelnen Überschriften in geschweiften Klammern angegebenen Kürzel dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".

SAML 2.0 Profile for ECR Identity Assertions

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01}

Assertion Element Opt Usage Convention
@Version R MUST be “2.0”
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R time instant of issuance in UTC
Issuer R address URI that identifies the endpoint of the issuing service
Subject R This element defines the subject confirmation method of the user in order to use the Identity Assertion as a protection token. Moreover, it defines the subject name identifier that accords with the user identity.
NameID R Identifier of the HP encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person.
@Format R MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
For providing an OID as a subject identifier the unspecified format must be used. The OID must be provided as a string encoded in ISO format.

SubjectConfirmation R
@Method R This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to

urn:oasis:names:tc:SAML:2.0:cm:holder-of-key or
If the bearer method is used, the EFA Identity Assertion SHALL only be exchanged over secure channels with trusted endpoints in order to maintain confidentiality and message integrity.

SubjectConfirmationData R
ds:KeyInfo R The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2].
Conditions R
@NotBefore R time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion.
@NotOnOrAfter R time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for an HCP Identity Assertion MUST NOT be more than 4 hours.
AuthnStatement R
@AuthnInstant R time instant of HP authentication in UTC
@SessionNotOnOrAfter O Time instant of the expiration of the session
AuthnContext R
AuthnContextClassRef R A URI reference that specifies the type of authentication that took place (see SAML 2.0).
AttributeStatement R HP identity attributes and permissions (see section below for details)
ds:Signature R Enveloped XML signature of the issuer of the HCP Identity Assertion (see section below for details).

German Profile

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.05}

The subject must refer to a health professional. The subject identifier must be provided as an OID. Only the following identitification schemes must be used. The order of the table denotes the order of preference.

Person Role Scheme Code System OID
Physician Telematik ID
This ID scheme MUST be preferred only if the Telematik ID is recorded within the HBA AUT certificate of the physician.
not defined yet
Physician ID of the HBA AUT Certificate
Physician Lebenslange Arztnummer KV
Hospital Staff
Practice Staff
Any internal identification scheme that guarantees a unique identification within the scope of the identified organization. The <representedOrganization> and an <id> for this organization MUST be recorded. local code system

Assertion Signature

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.01}

Every HP Identity Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.

Signature Parameter Usage Convention
CanonicalizationMethod SHOULD be http://www.w3.org/2001/10/xml-exc-c14n#
Transformation Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used.
SignatureMethod For signing assertions the signature method

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or
SHOULD be used. An assertion consumer MAY reject signatures that use SHA-1 for digesting.

DigestMethod For signing assertions the digest method

http://www.w3.org/2000/09/xmldsig#sha1 or
SHOULD be used. An assertion consumer MAY reject SHA-1 digests.

KeyInfo This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer.

HCP Identity Attributes

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.02}

An identity assertion can carry an arbitrary number of attributes on the authenticated entity. Each attribute MUST be encoded using a SAML attribute element.

For ECR the following attribute names and catalogues are defined.

HP Identifier
FriendlyName XSPA Subject
Name urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values person’s full name according to http://www.ietf.org/rfc/rfc2256.txt chapter 5.4.
Type String
Optionality Mandatory
Description This attribute SHALL contain the full name of the HP.
Structural Role of the HCP
FriendlyName XSPA Role
Name urn:oasis:names:tc:xacml:2.0:subject:role
Values See ASTM E1986-98 (2005). Only the ASTM structural roles “dentist”, “nurse”, “pharmacist”, “physician”, “nurse midwife”, “admission clerk”, “ancillary services”, “clinical services”, and “health records management” MUST be used.
Type String
Optionality Mandatory
Delegated Rights
FriendlyName OnBehalfOf
Name urn:epsos:names:wp3.4:subject:on-behalf-of
Values See ASTM E1986-98 (2005). Only the ASTM structural roles “dentist”, “pharmacist”, “physician”, “nurse midwife”, and “health record management” MUST be used.
Type String
Optionality Mandatory if a structural role of “ancillary services”, or “clinical services” is presented. For all other structural roles this attribute is optional
Description If a person is acting on behalf of another person the role of this person MAY be provided with this attribute. If this attribute is included with a HCP identity assertion, the issuer of the assertion MUST be able to track back the delegation to the two natural persons involved. Only valid roles as defined for HCP structural roles MUST be used.
An assertion consumer MAY decide not to accept delegated access rights by just ignoring this attribute.
Healthcare Professional Organisation
FriendlyName XSPA Organization
Name urn:oasis:names:tc:xspa:1.0:subject:organization
Values Name of the Healthcare Professional Organisation
Type String
Optionality Optional
Description This value SHOULD only be provided if different from the point of care (e.g. in cases where a hospital organization runs multiple points of care or where a hospital just provides a professional environment for otherwise independent care providers)
Healthcare Professional Organisation ID
FriendlyName XSPA Organization Id
Name urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values URN encoded OID of the Healthcare Professional Organisation
Type URI
Optionality Mandatory
Purpose of Use
FriendlyName XSPA Purpose of Use
Name urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Optionality Optional
Description ECR access is only granted for treatment purposes.
Point of Care
Attribute Name XSPA Locality
Name urn:oasis:names:tc:xspa:1.0:environment:locality
Values String
Optionality Optional
Description Name of the hospital or medical facility where patient care takes place.

ECR regional networks MAY agree on further attributes. Any attributes not listed in this list MAY be ignored by the assertion consumer.

German Extensions

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.03}

Speciality of the HP
FriendlyName EFA HP Organization Specialty
Name urn:efa:2-0:subject:organization:specialty
Values Values shall be taken from the value set as defined by IHE Germany.
Type String
Optionality Optional
Description EFA permissions are preferrably managed on the abstraction level of organizations. Therefore the respective clinical specialty of the identified EFA user's organization may be provided as an attribute to a HP Identity Assertion.


    FriendlyName="EFA HP Organization Specialty" 

Example Assertion

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.04}

 <soap12:Envelope  >
 <soap12:Header  >
  <wsse:Security  > 
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                   IssueInstant="2009-09-21T12:03:28.788Z" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
       <ds:Reference URI="#urn:uuid:7102AC72154DCFD1F51253534608780">
          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
           PrefixList="ds saml xs" />
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:SignatureValue>cH+lCY … </ds:SignatureValue>
    FriendlyName="XSPA Subject" 
     xsi:type="xs:string">Dr. Peter Meier
    FriendlyName="XSPA Organization" 
     xsi:type="xs:string">Kreiskrankenhaus Neustadt
    FriendlyName="XSPA Role" 
    FriendlyName="XSPA Purpose of Use" 
    FriendlyName="XSPA Locality" 
     xsi:type="xs:string">Kreiskrankenhaus Neustadt