EFA Policy Assertion SAML2 Binding
(Page created: „== SAML 2.0 Profile for ECR Access Policy Assertions == {{NoteBox|This profile applies to scenarios where the eCR Context Manager requests an Access Policy Asser…“)
m (Markup error fixed)
(25 intermediate revisions by 2 users not shown)
Line 1: | Line 1:
− | + | {{DocumentPart | |
+ | }} | ||
+ | ''Anmerkung: Die Kürzel unter den einzelnen Überschriften dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.<br>Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "[[cdaefa:Kommentierung EFAv2.0|Kommentierung EFAv2.0]]".'' | ||
+ | ---- | ||
− | {{NoteBox|This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model.}} | + | === SAML 2.0 Profile for ECR Policy Assertions === |
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {Eocyo.01}</tt> | ||
+ | |||
+ | {{NoteBox|This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model. There is no specification in the case that the Authorization Decision Provider requests policies from the eCR Policy Provider.}} | ||
+ | |||
+ | {|class="wikitable" style="text-align: left; cellpadding: 10;" | ||
+ | !colspan="4"|Assertion Element | ||
+ | !Opt | ||
+ | !Usage Convention | ||
+ | |- | ||
+ | |colspan="4"|@Version | ||
+ | |R | ||
+ | |MUST be “2.0” | ||
+ | |- | ||
+ | |colspan="4"|@ID | ||
+ | |R | ||
+ | |URN encoded unique identifier (UUID) of the assertion | ||
+ | |- | ||
+ | |colspan="4"|@IssueInstant | ||
+ | |R | ||
+ | |Time instant of issuance in UTC | ||
+ | |- | ||
+ | |colspan="4"|Issuer | ||
+ | |R | ||
+ | |Address URI that identifies the endpoint of the issuing service | ||
+ | |- | ||
+ | |colspan="4"|Subject | ||
+ | |R | ||
+ | |This element defines the subject confirmation method of the user in order to use the Policy Assertion as a supporting token. Moreover, it defines the subject name identifier that accords with the user identity from an Identity Assertion. | ||
+ | |- | ||
+ | | | ||
+ | |colspan="3"|NameID | ||
+ | |R | ||
+ | |Identifier of the HP given in the Identity Asstertion encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | ||
+ | |- | ||
+ | | | ||
+ | | | ||
+ | |colspan="2"|@Format | ||
+ | |R | ||
+ | |MUST be ''urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'' <br> | ||
+ | or ''urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName''<br> | ||
+ | or ''urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress''<br> | ||
+ | For providing an OID as a subject identifier the ''unspecified'' format must be used. The OID must be provided as a string encoded in ISO format. | ||
+ | |- | ||
+ | | | ||
+ | |colspan="3"|SubjectConfirmation | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | | | ||
+ | | | ||
+ | |colspan="2"|@Method | ||
+ | |R | ||
+ | |This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to <br> | ||
+ | ''urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'' | ||
+ | |- | ||
+ | | | ||
+ | | | ||
+ | |colspan="2"|SubjectConfirmationData | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | |ds:KeyInfo | ||
+ | |R | ||
+ | |The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | ||
+ | |- | ||
+ | |colspan="4"|Conditions | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | | | ||
+ | |colspan="3"|@NotBefore | ||
+ | |R | ||
+ | |time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | ||
+ | |- | ||
+ | | | ||
+ | |colspan="3"|@NotOnOrAfter | ||
+ | |R | ||
+ | |Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours. | ||
+ | |- | ||
+ | |colspan="4"|XACMLPolicyStatement | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | | | ||
+ | |colspan="3"|PolicySet | ||
+ | |R | ||
+ | |PolicySet that expresses the given authorization (see section below for details). | ||
+ | |- | ||
+ | |colspan="4"|ds:Signature | ||
+ | |R | ||
+ | |Enveloped XML signature of the issuer of the Policy Assertion (see section below for details). | ||
+ | |} | ||
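Review bot: the @ID row ("URN encoded unique identifier (UUID) of the assertion") conflicts with the SAML 2.0 schema, where saml:Assertion/@ID is of type xs:ID, an NCName that must not contain ":"; a urn:uuid:... value would fail schema validation, and the Example Assertion section below uses ID="uuid-6dbb391c-..." instead. Suggest stating the NCName-safe form explicitly (the UUID with a "uuid-" or "_" prefix) so issuers and consumers agree on it. Spelling in the same table: "Identity Asstertion" in the NameID row, and "useable" and "to proof the validity" in the @NotBefore/@NotOnOrAfter rows should read "usable" and "to prove the validity".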
+ | |||
+ | ==== PolicySet Profile ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {Eocyo.01.01}</tt> | ||
+ | |||
+ | The ECR 2.0 specification differentiates three kinds of an authorization statement as it is described logically in the security token services section for the [[cdaefa:EFA_Sicherheitsdienste_(logische_Spezifikation)|Policy Provider]]. These are: | ||
+ | * Reference without semantics (policyId) to an access policy which contains the valid authorization rules for an eCR Consumer | ||
+ | * Access policy which contains the valid authorization rules for an eCR Consumer | ||
+ | |||
+ | In order to implement such differentiations the ''<PolicySet>'' element has different sub-elements. | ||
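Review bot: the count in "differentiates three kinds of an authorization statement" does not match the list that follows, which gives only two (a policyId reference without semantics, and an inline access policy); either the third kind is missing from the list or the sentence should say "two". The closing sentence "the <PolicySet> element has different sub-elements" would be clearer if it named them here (Policy versus PolicyIdReference, as the Policy Assignment table does).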
+ | |||
+ | ==== Policy Assignment ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {Eocyo.01.02}</tt> | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="6"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="6"|PolicySet | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="8" style="background-color:white"| | ||
+ | |colspan="5"|@PolicySetId | ||
+ | |R | ||
+ | |Shall be of type UUID or OID. Shall not be URN encoded. | ||
+ | |- | ||
+ | |colspan="5"|@PolicyCombiningAlgId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides''. | ||
+ | |- | ||
+ | |colspan="5"|Target | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="3" style="background-color:white"| | ||
+ | |colspan="4"|Resources | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="3"|Resource | ||
+ | |R | ||
+ | | | ||
+ | Shall contain at least: | ||
+ | * [[#ResourceMatch_for_EFA_Folder_classification|ResourceMatch for EFA Folder classification]], | ||
+ | * [[#ResourceMatch_for_purpose_classification|ResourceMatch for purpose classification]], | ||
+ | * [[#ResourceMatch_for_patientId|ResourceMatch for patientId]]. | ||
+ | |||
+ | |- | ||
+ | |colspan="4"|Actions | ||
+ | |R | ||
+ | | | ||
+ | May contain Action elements that qualify the use of specific operations in the context of an EFA. | ||
+ | |||
+ | |- | ||
+ | |colspan="5"|Policy | ||
+ | |cond. R | ||
+ | | | ||
+ | Shall be the policy for the subject stated in the ECR Policy Assertion. This element shall conform to one of | ||
+ | * [[#Policy_Attachment_for_a_health_professional|Policy Attachment for a health professional]] or | ||
+ | * [[#Policy_Attachment_for_health_record_managers|Policy Attachment for health record managers]]. | ||
+ | |||
+ | Either Policy or PolicyIdReference shall be used. | ||
+ | |||
+ | |- | ||
+ | |colspan="5"|PolicyIdReference | ||
+ | |cond. R | ||
+ | | | ||
+ | Shall be the reference to the policy for the subject stated in the ECR Policy Assertion. This referenced policy shall conform to one of: | ||
+ | * [[#Policy_Attachment_for_a_health_professional|Policy Attachment for a health professional]] or | ||
+ | * [[#Policy_Attachment_for_health_record_managers|Policy Attachment for health record managers]]. | ||
+ | |||
+ | Either Policy or PolicyIdReference shall be used. | ||
+ | |||
+ | |} | ||
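Review bot: the PolicyIdReference row requires the referenced policy to "conform to" one of the Policy Attachment profiles but does not say where the consumer obtains it; with a reference-only PolicySet the enforcing service has to resolve the id at decision time, and the NoteBox at the top states that retrieval of policies from the eCR Policy Provider is not specified. Suggest stating how a referenced policy is resolved, or that PolicyIdReference is only usable where the policy is already known to the consumer. The rowspan of the first column (rowspan="8" for the seven rows that follow) also does not match and will misalign the rendered table.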
+ | |||
+ | ===== Policy Attachment for a health professional ===== | ||
+ | If not in the role of a health record manager, health professionals may have access to the health record if it neither suspended nor retired. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="18"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="18"|Policy | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="24" style="background-color:white"| | ||
+ | |colspan="17"|@PolicyId | ||
+ | |R | ||
+ | |Shall be of type UUID or OID. Shall not be URN encoded. | ||
+ | |- | ||
+ | |colspan="17"|@RuleCombiningAlgId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides'' | ||
+ | |- | ||
+ | |colspan="17"|Target | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="21" style="background-color:white"| | ||
+ | |colspan="16"|Subjects | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="15"|Subject | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="14"|SubjectMatch | ||
+ | |R | ||
+ | | | ||
+ | Shall contain at leat one of the following SubjectMatch elements: | ||
+ | * [[#SubjectMatch_for_EFA_Identity_Assertion_NameID|SubjectMatch for EFA Identity Assertion NameID]], | ||
+ | * [[#SubjectMatch_for_health_professional_ID|SubjectMatch for health professional ID]], and | ||
+ | * [[#SubjectMatch_for_health_professional_organization_ID|SubjectMatch for health professional organization ID]]. | ||
+ | |||
+ | Shall contain a [[#SubjectMatch_for_structural_role|SubjectMatch for structural role]] with attribute value of | ||
+ | * ''dentist'', | ||
+ | * ''pharmacist'', | ||
+ | * ''physician'', or | ||
+ | * ''nurse midwife''. | ||
+ | |||
+ | |- | ||
+ | |colspan="16"|Resources | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="8" style="background-color:white"| | ||
+ | |colspan="15"|Resource | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="7" style="background-color:white"| | ||
+ | |colspan="14"|ResourceMatch | ||
+ | |R | ||
+ | | | ||
+ | Restricts access to open ECRs. This match relates to [[cdaefa:EFA_Metadata_Bindings#ecrStatus|ecrStatus]]. It applies the IHE-D Cookbook XACML binding of [[ihecb:IHE-XACML_Binding#Availability_Status|DocumentEntry.availabilityStatus]]. | ||
+ | |||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="13"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:anyURI-equal'' | ||
+ | |- | ||
+ | |colspan="13"|AttributeValue | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:ebxml-regrep:StatusType:Approved'' | ||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="12"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#anyURI'' | ||
+ | |- | ||
+ | |colspan="13"|ResourceAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="12"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:ihe:iti:xds-b:2007:availability-status'' | ||
+ | |- | ||
+ | |colspan="12"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#anyURI'' | ||
+ | |- | ||
+ | |colspan="16"|Environments | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="8" style="background-color:white"| | ||
+ | |colspan="15"|Environment | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="7" style="background-color:white"| | ||
+ | |colspan="14"|EnvironmentMatch | ||
+ | |R | ||
+ | | | ||
+ | Verifies, that the current date is before the date of expiry, i. e. the grace period has not started. | ||
+ | |||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="13"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal'' | ||
+ | |- | ||
+ | |colspan="13"|AttributeValue | ||
+ | |R | ||
+ | |Shall be the point in time when ecrStatus of the record changes to suspended. | ||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="12"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#dateTime'' | ||
+ | |- | ||
+ | |colspan="13"|EnvironmentAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="12"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:environment:current-dateTime'' | ||
+ | |- | ||
+ | |colspan="12"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#dateTime'' | ||
+ | |} | ||
+ | |||
+ | ===== Policy Attachment for health record managers ===== | ||
+ | Health professionals in the role of a health record manager may have access to the health record if it is suspended but nor retired. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="11"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="11"|Policy | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="14" style="background-color:white"| | ||
+ | |colspan="10"|@PolicyId | ||
+ | |R | ||
+ | |Shall be of type UUID or OID. Shall not be URN encoded. | ||
+ | |- | ||
+ | |colspan="10"|@RuleCombiningAlgId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides'' | ||
+ | |- | ||
+ | |colspan="10"|Target | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="11" style="background-color:white"| | ||
+ | |colspan="9"|Subjects | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="8"|Subject | ||
+ | |R | ||
+ | | | ||
+ | Shall contain at leat one of the following SubjectMatch elements: | ||
+ | * [[#SubjectMatch_for_EFA_Identity_Assertion_NameID|SubjectMatch for EFA Identity Assertion NameID]], | ||
+ | * [[#SubjectMatch_for_health_professional_ID|SubjectMatch for health professional ID]], and | ||
+ | * [[#SubjectMatch_for_health_professional_organization_ID|SubjectMatch for health professional organization ID]] | ||
+ | |||
+ | Shall contain a [[#SubjectMatch_for_structural_role|SubjectMatch for structural role]] with attribute value ''health record management''. | ||
+ | |||
+ | |- | ||
+ | |colspan="9"|Environments | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="8" style="background-color:white"| | ||
+ | |colspan="8"|Environment | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="7" style="background-color:white"| | ||
+ | |colspan="7"|EnvironmentMatch | ||
+ | |R | ||
+ | | | ||
+ | Verifies, that the current date is before the end of the grace period. | ||
+ | |||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="6"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal'' | ||
+ | |- | ||
+ | |colspan="6"|AttributeValue | ||
+ | |R | ||
+ | |Shall be the point in time when ecrStatus of the record changes to retired. | ||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="5"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#dateTime'' | ||
+ | |- | ||
+ | |colspan="6"|EnvironmentAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="5"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:environment:current-dateTime'' | ||
+ | |- | ||
+ | |colspan="5"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#dateTime'' | ||
+ | |} | ||
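Review bot: both Policy Attachment tables (health professional above, health record managers here) specify a Target only and no Rule element; under the required urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides a Policy with no rules evaluates to NotApplicable, so as profiled neither policy can ever yield Permit. Suggest adding a required Rule row with Effect="Permit" (and its own Target, if one is intended). In the EnvironmentMatch rows, XACML applies the MatchId function with the AttributeValue as the first argument and the designator value as the second, so dateTime-greater-than-or-equal(suspension or retirement instant, current-dateTime) still matches at the exact instant the ecrStatus changes; if access must end at that instant, dateTime-greater-than is the function to require. Wording: "if it neither suspended nor retired" lacks "is", "at leat one" (in both tables) should be "at least one", "suspended but nor retired" should be "suspended but not retired", and "at least one of the following ... and" is ambiguous about whether one or all three SubjectMatch elements are required.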
+ | |||
+ | ===== SubjectMatch for EFA Identity Assertion NameID ===== | ||
+ | This SubjectMatch element relates to the [[cdaefa:EFA_Identity_Assertion_SAML2_Binding|saml:NameID element of the EFA Identity Assertion]]. | ||
+ | |||
+ | This element applies the IHE-D Cookbook XACML binding of [[ihecb:IHE-XACML_Binding#User_ID|User ID]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="5"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="5"|SubjectMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:string-equal'' | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | Shall be equal to saml:NameID used for the subject. See [[cdaefa:EFA_Identity_Assertion_SAML2_Binding|EFA Identity Assertion]] | ||
+ | |||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#string'' | ||
+ | |- | ||
+ | |colspan="4"|SubjectAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:subject:subject-id'' | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#string'' | ||
+ | |} | ||
+ | |||
+ | ===== SubjectMatch for health professional ID ===== | ||
+ | This SubjectMatch element relates to the [[cdaefa:EFA_Identity_Assertion_SAML2_Binding#HCP_Identity_Attributes|health professional identifier of the EFA Identity Assertion]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="5"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="5"|SubjectMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:string-equal'' | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | Shall be equal to the HP Identifier as defined for [[cdaefa:EFA_Identity_Assertion_SAML2_Binding|EFA Identity Assertion]]. | ||
+ | |||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#string'' | ||
+ | |- | ||
+ | |colspan="4"|SubjectAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:subject:subject-id'' | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#string'' | ||
+ | |} | ||
+ | |||
+ | ===== SubjectMatch for structural role ===== | ||
+ | This SubjectMatch element relates to the [[cdaefa:EFA_Identity_Assertion_SAML2_Binding#HCP_Identity_Attributes|Structural Role of the EFA Identity Assertion]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="6"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="6"|Subject | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="7" style="background-color:white"| | ||
+ | |colspan="5"|SubjectMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:string-equal'' | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | Shall be one of the following roles defined in ASTM E1986-98 (2005): | ||
+ | * ''dentist'', | ||
+ | * ''pharmacist'', | ||
+ | * ''physician'', | ||
+ | * ''nurse midwife'', or | ||
+ | * ''health record management''. | ||
+ | |||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#string'' | ||
+ | |- | ||
+ | |colspan="4"|SubjectAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:2.0:subject:role' | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#string'' | ||
+ | |} | ||
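Review bot: markup error in the @AttributeId row: ''urn:oasis:names:tc:xacml:2.0:subject:role' is missing its closing '' so the italics run on into the next cell; it should be ''urn:oasis:names:tc:xacml:2.0:subject:role''. This table also starts at "Subject" whereas the sibling SubjectMatch tables start at "SubjectMatch"; aligning the root element makes the profiles comparable. The role list here (dentist, pharmacist, physician, nurse midwife, health record management) is duplicated in the two Policy Attachment tables, so the three places must be kept in sync when a role is added.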
+ | |||
+ | ===== SubjectMatch for health professional organization ID ===== | ||
+ | This SubjectMatch element relates to the [[cdaefa:EFA_Identity_Assertion_SAML2_Binding#HCP_Identity_Attributes|HP Organization ID of the EFA Identity Assertion]]. | ||
+ | |||
+ | This element applies the IHE-D Cookbook XACML binding of [[ihecb:IHE-XACML_Binding#User_Organization_ID|User Organization ID]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="5"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="5"|SubjectMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="6" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xacml:1.0:function:anyURI-equal'' | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | Shall be the URN encoded OID of the Healthcare Professional Organisation. | ||
+ | |||
+ | |- | ||
+ | |rowspan="1" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#anyURI'' | ||
+ | |- | ||
+ | |colspan="4"|SubjectAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:oasis:names:tc:xspa:1.0:subject:organization-id'' | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''http://www.w3.org/2001/XMLSchema#anyURI'' | ||
+ | |} | ||
+ | |||
+ | ===== ResourceMatch for EFA Folder classification ===== | ||
+ | This ResourceMatch element relates to the Folder.codeList entry which indicates an [[cdaefa:EFA_XDS_Folder_Metadata_Binding#codeList|EFA Folder]]. | ||
+ | |||
+ | This element applies the IHE-D Cookbook XACML binding of [[ihecb:IHE-XACML_Binding#Code|Folder.codeList]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="5"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="5"|ResourceMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="9" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3:function:CV-equal'' (see [[ihecb:IHE-XACML_Binding#Custom_Data_Types|IHE DE Cookbook, XACML Binding]]). | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="4" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3#CV''. | ||
+ | |- | ||
+ | |colspan="3"|hl7:CodedValue | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="2"|@code | ||
+ | |R | ||
+ | |Shall be ''ECR''. | ||
+ | |- | ||
+ | |colspan="2"|@codeSystem | ||
+ | |R | ||
+ | |Shall be ''IHE-D-Cookbook-FolderClassCode''. | ||
+ | |- | ||
+ | |colspan="4"|ResourceAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:ihe:iti:xds-b:2007:folder:code''. | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3#CV''. | ||
+ | |} | ||
+ | |||
+ | ===== ResourceMatch for purpose classification ===== | ||
+ | This ResourceMatch element relates to the Folder.codeList entry which indicates the [[cdaefa:EFA_XDS_Folder_Metadata_Binding#codeList|purpose]]. | ||
+ | |||
+ | This element applies the IHE-D Cookbook XACML binding of [[ihecb:IHE-XACML_Binding#Code|Folder.codeList]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="5"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="5"|ResourceMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="9" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3:function:CV-equal'' (see [[ihecb:IHE-XACML_Binding#Custom_Data_Types|IHE DE Cookbook, XACML Binding]]). | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="4" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3#CV''. | ||
+ | |- | ||
+ | |colspan="3"|hl7:CodedValue | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="2"|@code | ||
+ | |R | ||
+ | |Shall be equal to the purpose code of the case record. | ||
+ | |- | ||
+ | |colspan="2"|@codeSystem | ||
+ | |R | ||
+ | |Shall be equal the purpose codingScheme of the case record. | ||
+ | |- | ||
+ | |colspan="4"|ResourceAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:ihe:iti:xds-b:2007:folder:code'' | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3#CV''. | ||
+ | |} | ||
+ | |||
+ | ===== ResourceMatch for patientId ===== | ||
+ | This ResourceMatch element relates to [[cdaefa:EFA_Metadata_Bindings|Folder.patientId and DocumentEntry.patientId]]. | ||
+ | |||
+ | This element applies the IHE-D Cookbook XACML binding of [[ihecb:IHE-XACML_Binding#Patient_ID_3|Folder.patientId]]. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left;" | ||
+ | !colspan="5"|Element or Attribute | ||
+ | !Opt. | ||
+ | !Constraints | ||
+ | |- | ||
+ | |colspan="5"|ResourceMatch | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="9" style="background-color:white"| | ||
+ | |colspan="4"|@MatchId | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3:function:II-equal'' (see [[ihecb:IHE-XACML_Binding#Custom_Data_Types|IHE DE Cookbook, XACML Binding]]). | ||
+ | |- | ||
+ | |colspan="4"|AttributeValue | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="4" style="background-color:white"| | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3#II''. | ||
+ | |- | ||
+ | |colspan="3"|hl7:InstanceIdentifier | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="2"|@extension | ||
+ | |R | ||
+ | |Shall be equal to the Id-Number value of the XDS Metadata Attributes ''patientId''. | ||
+ | |- | ||
+ | |colspan="2"|@root | ||
+ | |R | ||
+ | |Shall be equal to the Assigning-Authority value of the XDS Metadata Attributes ''patientId''. | ||
+ | |- | ||
+ | |colspan="4"|ResourceAttributeDesignator | ||
+ | |R | ||
+ | | | ||
+ | |- | ||
+ | |rowspan="2" style="background-color:white"| | ||
+ | |colspan="3"|@AttributeId | ||
+ | |R | ||
+ | |Shall be ''urn:ihe:iti:xds-b:2007:patient-id''. | ||
+ | |- | ||
+ | |colspan="3"|@DataType | ||
+ | |R | ||
+ | |Shall be ''urn:hl7-org:v3#II''. | ||
+ | |} | ||
+ | |||
+ | ==== Assertion Signature ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {Eocyo.01.04}</tt> | ||
+ | |||
+ | Every Policy Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the ''saml:Assertion/ds:Signature'' element as defined below. | ||
+ | |||
+ | {|class="wikitable" style="text-align: left; cellpadding: 10;" | ||
+ | !Signature Parameter | ||
+ | !Usage Convention | ||
+ | |- | ||
+ | |CanonicalizationMethod | ||
+ | |SHOULD be ''http://www.w3.org/2001/10/xml-exc-c14n#'' | ||
+ | |- | ||
+ | |Transformation | ||
+ | |Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (''http://www.w3.org/2000/09/xmldsig#enveloped-signature''). In addition, exclusive canonicalization SHOULD be defined as transformation (''http://www.w3.org/2001/10/xml-exc-c14n#'', acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in [[cdaefa:EFA Used Namespaces|''EFA Namespaces'']] MUST NOT be used. | ||
+ | |- | ||
+ | |SignatureMethod | ||
+ | |For signing assertions the signature method<br> | ||
+ | ''http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'' or <br> | ||
+ | ''http://www.w3.org/2000/09/xmldsig#rsa-sha1''<br> | ||
+ | SHOULD be used. An assertion consumer MAY reject signatures that use SHA-1 for digesting. | ||
+ | |- | ||
+ | |DigestMethod | ||
+ | |For signing assertions the digest method <br> | ||
+ | ''http://www.w3.org/2000/09/xmldsig#sha1'' or <br> | ||
+ | ''http://www.w3.org/2001/04/xmlenc#sha256'' <br> | ||
+ | SHOULD be used. An assertion consumer MAY reject SHA-1 digests. | ||
+ | |- | ||
+ | |KeyInfo | ||
+ | |This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer. | ||
+ | |} | ||
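Review bot: the SignatureMethod and DigestMethod rows list rsa-sha1/sha1 and rsa-sha256/sha256 as equal SHOULD options while also allowing consumers to reject SHA-1; an issuer that picks SHA-1 will then fail against a strict consumer. Suggest making rsa-sha256 and xmlenc#sha256 the SHOULD and SHA-1 at most a MAY for legacy consumers, and updating the Example Assertion below, which still uses rsa-sha1 and xmldsig#sha1. In the Transformation row, the place where the "only EFA Namespaces prefixes" rule applies is InclusiveNamespaces/@PrefixList of the exclusive-canonicalization transform; naming that attribute explicitly avoids ambiguity for implementers.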
+ | |||
+ | ==== Example Assertion ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {Eocyo.01.05}</tt> | ||
+ | |||
+ | <syntaxhighlight lang="xml"> | ||
+ | <soap12:Envelope … > | ||
+ | <soap12:Header … > | ||
+ | <wsse:Security … > | ||
+ | <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
+ | ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1" | ||
+ | IssueInstant="2013-04-05T08:14:28.788Z" Version="2.0"> | ||
+ | <saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer> | ||
+ | <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | ||
+ | <ds:SignedInfo> | ||
+ | <ds:CanonicalizationMethod | ||
+ | Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> | ||
+ | <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> | ||
+ | <ds:Reference URI="#urn:uuid:7102AC72154DCFD1F51253534608780"> | ||
+ | <ds:Transforms> | ||
+ | <ds:Transform | ||
+ | Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> | ||
+ | <ds:Transform | ||
+ | Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> | ||
+ | <ec:InclusiveNamespaces | ||
+ | xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" | ||
+ | PrefixList="ds saml xs" /> | ||
+ | </ds:Transform> | ||
+ | </ds:Transforms> | ||
+ | <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> | ||
+ | <ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue> | ||
+ | </ds:Reference> | ||
+ | </ds:SignedInfo> | ||
+ | <ds:SignatureValue>ggyn … LQ==</ds:SignatureValue> | ||
+ | <ds:KeyInfo> | ||
+ | <ds:X509Data> | ||
+ | <ds:X509Certificate> … </ds:X509Certificate> | ||
+ | </ds:X509Data> | ||
+ | </ds:KeyInfo> | ||
+ | </ds:Signature> | ||
+ | <saml:Subject> | ||
+ | <saml:NameID | ||
+ | Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> | ||
+ | ... | ||
+ | </saml:NameID> | ||
+ | <saml:SubjectConfirmation | ||
+ | Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> | ||
+ | <saml:SubjectConfirmationData> | ||
+ | <ds:KeyInfo> | ||
+ | <ds:X509Data> | ||
+ | <ds:X509Certificate> … </ds:X509Certificate> | ||
+ | </ds:X509Data> | ||
+ | </ds:KeyInfo> | ||
+ | </saml:SubjectConfirmationData/> | ||
+ | </saml:SubjectConfirmation> | ||
+ | </saml:Subject> | ||
+ | <saml:Conditions | ||
+ | NotBefore="2013-04-05T08:14:28.788Z" | ||
+ | NotOnOrAfter="2013-04-05T12:14:28.788Z"> | ||
+ | </saml:Conditions> | ||
+ | <xacml-saml:XACMLPolicyStatement> | ||
+ | <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" | ||
+ | xmlns:hl7="urn:hl7-org:v3" | ||
+ | xmlns:rim="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" | ||
+ | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
+ | xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd" | ||
+ | PolicySetId="2B789DEE-9CB6-11E4-97F9-246A95DB5880" | ||
+ | PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"> | ||
+ | <Target> | ||
+ | <Resources> | ||
+ | <Resource> | ||
+ | <!-- ECR Folder Code --> | ||
+ | <ResourceMatch MatchId="urn:hl7-org:v3:function:CV-equal"> | ||
+ | <AttributeValue DataType="urn:hl7-org:v3#CV"> | ||
+ | <hl7:CodedValue code="ECR" | ||
+ | codeSystem="IHE-D-Cookbook-FolderClassCode" /> | ||
+ | </AttributeValue> | ||
+ | <ResourceAttributeDesignator | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:folder:code" | ||
+ | DataType="urn:hl7-org:v3#CV" /> | ||
+ | </ResourceMatch> | ||
+ | <!-- Purpose Folder Code --> | ||
+ | <ResourceMatch MatchId="urn:hl7-org:v3:function:CV-equal"> | ||
+ | <AttributeValue DataType="urn:hl7-org:v3#CV"> | ||
+ | <hl7:CodedValue code="K70.0" codeSystem="1.2.276.0.76.5.311" /> | ||
+ | </AttributeValue> | ||
+ | <ResourceAttributeDesignator | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:folder:code" | ||
+ | DataType="urn:hl7-org:v3#CV" /> | ||
+ | </ResourceMatch> | ||
+ | <!-- Patient --> | ||
+ | <ResourceMatch MatchId="urn:hl7-org:v3:function:II-equal"> | ||
+ | <AttributeValue DataType="urn:hl7-org:v3#II"> | ||
+ | <hl7:InstanceIdentifier extension="6578946" | ||
+ | root="1.3.6.1.4.1.21367.2005.3.7" /> | ||
+ | </AttributeValue> | ||
+ | <ResourceAttributeDesignator | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:patient-id" | ||
+ | DataType="urn:hl7-org:v3#II" /> | ||
+ | </ResourceMatch> | ||
+ | </Resource> | ||
+ | </Resources> | ||
+ | </Target> | ||
+ | |||
+ | <Policy PolicyId="urn:ecr:2.0:xacml:policyid:1" | ||
+ | RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> | ||
+ | <Target> | ||
+ | <Subjects> | ||
+ | <!-- An HC professional and its role --> | ||
+ | <Subject> | ||
+ | <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> | ||
+ | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI" | ||
+ | >urn:oid:1.2.276.0.76.3.1.81.1.76.4</AttributeValue> | ||
+ | <SubjectAttributeDesignator | ||
+ | AttributeId="urn:oasis:names:tc:xspa:1.0:subject:organization-id" | ||
+ | DataType="http://www.w3.org/2001/XMLSchema#anyURI" /> | ||
+ | </SubjectMatch> | ||
+ | <SubjectMatch | ||
+ | MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> | ||
+ | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" | ||
+ | >physician</AttributeValue> | ||
+ | <SubjectAttributeDesignator | ||
+ | AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" | ||
+ | DataType="http://www.w3.org/2001/XMLSchema#string" /> | ||
+ | </SubjectMatch> | ||
+ | </Subject> | ||
+ | </Subjects> | ||
+ | <Resources> | ||
+ | <!-- Document.availabilityStatus --> | ||
+ | <Resource> | ||
+ | <ResourceMatch | ||
+ | MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> | ||
+ | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI" | ||
+ | >urn:oasis:names:tc:ebxml-regrep:StatusType:Approved</AttributeValue> | ||
+ | <ResourceAttributeDesignator | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:availability-status" | ||
+ | DataType="http://www.w3.org/2001/XMLSchema#anyURI" /> | ||
+ | </ResourceMatch> | ||
+ | </Resource> | ||
+ | </Resources> | ||
+ | <Environments> | ||
+ | <Environment> | ||
+ | <!-- Begin of grace period --> | ||
+ | <EnvironmentMatch | ||
+ | MatchId="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal"> | ||
+ | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime" | ||
+ | >2014-12-24T22:00:00Z</AttributeValue> | ||
+ | <EnvironmentAttributeDesignator | ||
+ | AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime" | ||
+ | DataType="http://www.w3.org/2001/XMLSchema#dateTime" /> | ||
+ | </EnvironmentMatch> | ||
+ | </Environment> | ||
+ | </Environments> | ||
+ | </Target> | ||
+ | </Policy> | ||
+ | </PolicySet> | ||
+ | </xacml-saml:XACMLPolicyStatement> | ||
+ | </saml:Assertion> | ||
+ | </wsse:Security> | ||
+ | </soap12:Header> | ||
+ | <soap12:Body/> | ||
+ | </soap12:Envelope> | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | |||
+ | {{NoteBox|'''Referenzen und Querverweise''' | ||
+ | * [[cdaefa:EFA_Spezifikation_v2.0|EFA-2.0-Spezifikation]] | ||
+ | <nowiki></nowiki> | ||
+ | }} |
Current version as of 26 January 2015, 16:09
This material is part of the guide "CDA für die elektronische Fallakte" (CDA for the electronic case record).
Note: the codes under the individual headings support the commenting procedure. When submitting a comment or an improvement proposal on this specification, always state the code of the section your comment refers to. All comments are collected and answered in the "Diskussion" tab of the commented page.
Information on the commenting procedure, including all forms and contact addresses, can be found on the page "Kommentierung EFAv2.0".
SAML 2.0 Profile for ECR Policy Assertions
Please mark comments on this section with the code {Eocyo.01}
Assertion Element | Opt | Usage Convention
---|---|---
@Version | R | MUST be "2.0"
@ID | R | URN-encoded unique identifier (UUID) of the assertion
@IssueInstant | R | Time instant of issuance in UTC
Issuer | R | Address URI that identifies the endpoint of the issuing service
Subject | R | This element defines the subject confirmation method of the user so that the Policy Assertion can be used as a supporting token. It also defines the subject name identifier, which accords with the user identity from the Identity Assertion.
NameID | R | Identifier of the HP given in the Identity Assertion, encoded as an X.509 subject name, an e-mail address or a string value (unspecified format). Only identifiers that can be traced back to an individual person in the long term must be used.
@Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
SubjectConfirmation | R |
@Method | R | This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject [SAML2.0core]. The value of this element MUST be set to
SubjectConfirmationData | R |
ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is held only by the user. This can be the user's public key (ds:KeyValue/ds:RSAKeyValue), the user's complete X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted using the public key of the consumer service's certificate [eFA PKI 1.2].
Conditions | R |
@NotBefore | R | Time instant from which the assertion is usable. This condition MUST be assessed by the assertion consumer to prove the validity of the assertion.
@NotOnOrAfter | R | Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to prove the validity of the assertion. The maximum validity timespan of a Policy Assertion MUST NOT exceed 4 hours.
XACMLPolicyStatement | R |
PolicySet | R | PolicySet that expresses the given authorization (see section below for details).
ds:Signature | R | Enveloped XML signature of the issuer of the Policy Assertion (see section below for details).
PolicySet Profile
Please mark comments on this section with the code {Eocyo.01.01}
The ECR 2.0 specification distinguishes three kinds of authorization statement, as described logically in the security token services section for the Policy Provider. These are:
- A reference without semantics (policyId) to an access policy that contains the valid authorization rules for an eCR Consumer
- An access policy that contains the valid authorization rules for an eCR Consumer
To implement these distinctions, the <PolicySet> element has different sub-elements.
Policy Assignment
Please mark comments on this section with the code {Eocyo.01.02}
Element or Attribute | Opt. | Constraints
---|---|---
PolicySet | R |
@PolicySetId | R | Shall be of type UUID or OID. Shall not be URN encoded.
@PolicyCombiningAlgId | R | Shall be urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides.
Target | R |
Resources | R |
Resource | R | Shall contain at least:
Actions | R | May contain Action elements that qualify the use of specific operations in the context of an EFA.
Policy | cond. R | Shall be the policy for the subject stated in the ECR Policy Assertion. This element shall conform to one of: Either Policy or PolicyIdReference shall be used.
PolicyIdReference | cond. R | Shall be the reference to the policy for the subject stated in the ECR Policy Assertion. The referenced policy shall conform to one of: Either Policy or PolicyIdReference shall be used.
Policy Attachment for a health professional
If not in the role of a health record manager, health professionals may have access to the health record if it is neither suspended nor retired.
Element or Attribute | Opt. | Constraints
---|---|---
Policy | R |
@PolicyId | R | Shall be of type UUID or OID. Shall not be URN encoded.
@RuleCombiningAlgId | R | Shall be urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
Target | R |
Subjects | R |
Subject | R |
SubjectMatch | R | Shall contain at least one of the following SubjectMatch elements: Shall contain a SubjectMatch for structural role with attribute value of
Resources | R |
Resource | R |
ResourceMatch | R | Restricts access to open ECRs. This match relates to ecrStatus. It applies the IHE-D Cookbook XACML binding of DocumentEntry.availabilityStatus.
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
AttributeValue | R | Shall be urn:oasis:names:tc:ebxml-regrep:StatusType:Approved
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#anyURI
ResourceAttributeDesignator | R |
@AttributeId | R | Shall be urn:ihe:iti:xds-b:2007:availability-status
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#anyURI
Environments | R |
Environment | R |
EnvironmentMatch | R | Verifies that the current date is before the date of expiry, i.e. the grace period has not started.
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
AttributeValue | R | Shall be the point in time at which the ecrStatus of the record changes to suspended.
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#dateTime
EnvironmentAttributeDesignator | R |
@AttributeId | R | Shall be urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#dateTime
Policy Attachment for health record managers
Health professionals in the role of a health record manager may have access to the health record if it is suspended but not retired.
Element or Attribute | Opt. | Constraints
---|---|---
Policy | R |
@PolicyId | R | Shall be of type UUID or OID. Shall not be URN encoded.
@RuleCombiningAlgId | R | Shall be urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
Target | R |
Subjects | R |
Subject | R | Shall contain at least one of the following SubjectMatch elements: Shall contain a SubjectMatch for structural role with attribute value health record management.
Environments | R |
Environment | R |
EnvironmentMatch | R | Verifies that the current date is before the end of the grace period.
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
AttributeValue | R | Shall be the point in time at which the ecrStatus of the record changes to retired.
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#dateTime
EnvironmentAttributeDesignator | R |
@AttributeId | R | Shall be urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#dateTime
SubjectMatch for EFA Identity Assertion NameID
This SubjectMatch element relates to the saml:NameID element of the EFA Identity Assertion.
This element applies the IHE-D Cookbook XACML binding of User ID.
Element or Attribute | Opt. | Constraints
---|---|---
SubjectMatch | R |
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:string-equal
AttributeValue | R | Shall be equal to the saml:NameID used for the subject. See EFA Identity Assertion.
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#string
SubjectAttributeDesignator | R |
@AttributeId | R | Shall be urn:oasis:names:tc:xacml:1.0:subject:subject-id
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#string
SubjectMatch for health professional ID
This SubjectMatch element relates to the health professional identifier of the EFA Identity Assertion.
Element or Attribute | Opt. | Constraints
---|---|---
SubjectMatch | R |
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:string-equal
AttributeValue | R | Shall be equal to the HP Identifier as defined for the EFA Identity Assertion.
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#string
SubjectAttributeDesignator | R |
@AttributeId | R | Shall be urn:oasis:names:tc:xacml:1.0:subject:subject-id
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#string
SubjectMatch for structural role
This SubjectMatch element relates to the Structural Role of the EFA Identity Assertion.
Element or Attribute | Opt. | Constraints
---|---|---
Subject | R |
SubjectMatch | R |
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:string-equal
AttributeValue | R | Shall be one of the following roles defined in ASTM E1986-98 (2005):
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#string
SubjectAttributeDesignator | R |
@AttributeId | R | Shall be urn:oasis:names:tc:xacml:2.0:subject:role
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#string
SubjectMatch for health professional organization ID
This SubjectMatch element relates to the HP Organization ID of the EFA Identity Assertion.
This element applies the IHE-D Cookbook XACML binding of User Organization ID.
Element or Attribute | Opt. | Constraints
---|---|---
SubjectMatch | R |
@MatchId | R | Shall be urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
AttributeValue | R | Shall be the URN-encoded OID of the Healthcare Professional Organisation.
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#anyURI
SubjectAttributeDesignator | R |
@AttributeId | R | Shall be urn:oasis:names:tc:xspa:1.0:subject:organization-id
@DataType | R | Shall be http://www.w3.org/2001/XMLSchema#anyURI
ResourceMatch for EFA Folder classification
This ResourceMatch element relates to the Folder.codeList entry which indicates an EFA Folder.
This element applies the IHE-D Cookbook XACML binding of Folder.codeList.
Element or Attribute | Opt. | Constraints
---|---|---
ResourceMatch | R |
@MatchId | R | Shall be urn:hl7-org:v3:function:CV-equal (see IHE DE Cookbook, XACML Binding).
AttributeValue | R |
@DataType | R | Shall be urn:hl7-org:v3#CV.
hl7:CodedValue | R |
@code | R | Shall be ECR.
@codeSystem | R | Shall be IHE-D-Cookbook-FolderClassCode.
ResourceAttributeDesignator | R |
@AttributeId | R | Shall be urn:ihe:iti:xds-b:2007:folder:code.
@DataType | R | Shall be urn:hl7-org:v3#CV.
ResourceMatch for purpose classification
This ResourceMatch element relates to the Folder.codeList entry which indicates the purpose.
This element applies the IHE-D Cookbook XACML binding of Folder.codeList.
Element or Attribute | Opt. | Constraints
---|---|---
ResourceMatch | R |
@MatchId | R | Shall be urn:hl7-org:v3:function:CV-equal (see IHE DE Cookbook, XACML Binding).
AttributeValue | R |
@DataType | R | Shall be urn:hl7-org:v3#CV.
hl7:CodedValue | R |
@code | R | Shall be equal to the purpose code of the case record.
@codeSystem | R | Shall be equal to the purpose codingScheme of the case record.
ResourceAttributeDesignator | R |
@AttributeId | R | Shall be urn:ihe:iti:xds-b:2007:folder:code
@DataType | R | Shall be urn:hl7-org:v3#CV.
ResourceMatch for patientId
This ResourceMatch element relates to Folder.patientId and DocumentEntry.patientId.
This element applies the IHE-D Cookbook XACML binding of Folder.patientId.
Element or Attribute | Opt. | Constraints
---|---|---
ResourceMatch | R |
@MatchId | R | Shall be urn:hl7-org:v3:function:II-equal (see IHE DE Cookbook, XACML Binding).
AttributeValue | R |
@DataType | R | Shall be urn:hl7-org:v3#II.
hl7:InstanceIdentifier | R |
@extension | R | Shall be equal to the Id-Number value of the XDS Metadata Attribute patientId.
@root | R | Shall be equal to the Assigning-Authority value of the XDS Metadata Attribute patientId.
ResourceAttributeDesignator | R |
@AttributeId | R | Shall be urn:ihe:iti:xds-b:2007:patient-id.
@DataType | R | Shall be urn:hl7-org:v3#II.
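The targets defined in the Policy Assignment and Policy Attachment tables above, together with the ResourceMatch elements for folder classification, purpose and patientId, can be evaluated with a small XACML-style matcher. What follows is an added example and not code from the EFA specification or from any reference implementation. It encodes the targets as Python tuples instead of XACML XML and evaluates Target applicability only: the Policy elements shown on this page carry no Rule elements, and a full PDP would also need rules and the combining algorithms, which this does not implement. Assumptions: the structural-role string `health record management` for record managers (the ASTM role list is not on this page), the role string `physician` as in the page's example, and a constructed retirement date; patient, purpose and suspension date are the values from the example assertion.

```python
from datetime import datetime

# XACML match functions used by the profile. Argument order follows XACML:
# the policy's AttributeValue first, then one value from the request's attribute bag.
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ANYURI_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"
DATETIME_GE = "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal"
CV_EQUAL = "urn:hl7-org:v3:function:CV-equal"   # compares (code, codeSystem) pairs
II_EQUAL = "urn:hl7-org:v3:function:II-equal"   # compares (root, extension) pairs


def _dt(value):
    """Parse an xs:dateTime given in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


MATCH_FUNCTIONS = {
    STRING_EQUAL: lambda v, a: v == a,
    ANYURI_EQUAL: lambda v, a: v == a,
    DATETIME_GE: lambda v, a: _dt(v) >= _dt(a),
    CV_EQUAL: lambda v, a: v == a,
    II_EQUAL: lambda v, a: v == a,
}

# Attribute identifiers from the profile tables.
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
STATUS = "urn:ihe:iti:xds-b:2007:availability-status"
FOLDER_CODE = "urn:ihe:iti:xds-b:2007:folder:code"
PATIENT_ID = "urn:ihe:iti:xds-b:2007:patient-id"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
APPROVED = "urn:oasis:names:tc:ebxml-regrep:StatusType:Approved"
ECR_FOLDER = ("ECR", "IHE-D-Cookbook-FolderClassCode")


def match_holds(match, request):
    """A Match holds if its function is true for at least one value in the request's
    attribute bag; an attribute absent from the request never matches (fail closed)."""
    match_id, attribute_id, value = match
    return any(MATCH_FUNCTIONS[match_id](value, v) for v in request.get(attribute_id, ()))


def target_applies(target, request):
    """XACML Target semantics: every category present (Subjects, Resources,
    Environments) must contain at least one entry whose Match elements all hold."""
    return all(any(all(match_holds(m, request) for m in entry) for entry in entries)
               for entries in target.values())


def ecr_policy_set_target(patient, purpose):
    """PolicySet Target of the profile: EFA folder marker, purpose code and patient id."""
    return {"Resources": [[(CV_EQUAL, FOLDER_CODE, ECR_FOLDER),
                           (CV_EQUAL, FOLDER_CODE, purpose),
                           (II_EQUAL, PATIENT_ID, patient)]]}


def health_professional_target(suspend_at):
    """Policy attachment for a health professional: open record, before the grace period."""
    return {"Subjects": [[(STRING_EQUAL, ROLE, "physician")]],
            "Resources": [[(ANYURI_EQUAL, STATUS, APPROVED)]],
            "Environments": [[(DATETIME_GE, CURRENT_DATETIME, suspend_at)]]}


def record_manager_target(retire_at):
    """Policy attachment for health record managers: until the record is retired.
    The role string is an assumption; the ASTM E1986 list is not on this page."""
    return {"Subjects": [[(STRING_EQUAL, ROLE, "health record management")]],
            "Environments": [[(DATETIME_GE, CURRENT_DATETIME, retire_at)]]}


def applicable_policies(policy_set_target, policies, request):
    """Names of the Policy elements whose Target applies once the enclosing PolicySet
    Target applies; an empty list means the assertion authorises nothing here."""
    if not target_applies(policy_set_target, request):
        return []
    return [name for name, target in policies if target_applies(target, request)]


def request_context(role, now, status=APPROVED, patient=None, purpose=None):
    """Request attribute bags as a PDP would assemble them from the Identity
    Assertion (role) and the XDS metadata of the folder being accessed."""
    return {ROLE: [role], STATUS: [status], CURRENT_DATETIME: [now],
            FOLDER_CODE: [ECR_FOLDER, purpose or PURPOSE],   # folder:code is multi-valued
            PATIENT_ID: [patient or PATIENT]}


# Sample values: patient, purpose and suspension date from the page's example
# assertion; the retirement date is constructed.
PATIENT = ("1.3.6.1.4.1.21367.2005.3.7", "6578946")
PURPOSE = ("K70.0", "1.2.276.0.76.5.311")
POLICY_SET_TARGET = ecr_policy_set_target(PATIENT, PURPOSE)
POLICIES = [("health professional", health_professional_target("2014-12-24T22:00:00Z")),
            ("health record manager", record_manager_target("2015-01-24T22:00:00Z"))]

if __name__ == "__main__":
    for role, when in [("physician", "2014-12-01T10:00:00Z"), ("physician", "2015-01-01T10:00:00Z"),
                       ("health record management", "2015-01-01T10:00:00Z"),
                       ("health record management", "2015-02-01T10:00:00Z")]:
        print(role, when, applicable_policies(POLICY_SET_TARGET, POLICIES, request_context(role, when)))
```

Two details matter for a correct evaluation. The folder:code attribute is a bag holding both the EFA marker and the purpose code, and a ResourceMatch holds if any bag member matches, which is why both CV-equal matches can sit in one Resource. And an attribute missing from the request is treated as no match rather than as an error, so a request that cannot prove the patient id, status or role never reaches a Policy.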
Assertion Signature
Please mark comments on this section with the code {Eocyo.01.04}
Every Policy Assertion MUST be signed by its issuer. The XML signature MUST be applied using the saml:Assertion/ds:Signature element as defined below.
Signature Parameter | Usage Convention
---|---
CanonicalizationMethod | SHOULD be http://www.w3.org/2001/10/xml-exc-c14n#
Transformation | The enveloped signature transform according to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as a transformation (http://www.w3.org/2001/10/xml-exc-c14n#, according to [W3C XMLDSig] and [W3C XML-EXC 1.0]). Prefixes other than those defined in EFA Namespaces MUST NOT be used as inclusive namespaces.
SignatureMethod | For signing assertions the signature method http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or
DigestMethod | For signing assertions the digest method http://www.w3.org/2000/09/xmldsig#sha1 or
KeyInfo | This element MUST either contain a wsse:SecurityTokenReference element that references the X.509 certificate of the assertion's issuer via a subject key identifier, OR contain a ds:X509Data element that contains the X.509 certificate of the assertion issuer.
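The conventions in the Assertion Element table and in the Assertion Signature table above can be checked structurally before any cryptographic verification is attempted. The following is an added example, not code from the EFA specification or from any reference implementation, of such a check as an assertion consumer might run it. It assumes a constructed sample assertion (certificate, digest and signature values are placeholders), that rsa-sha256 is the accepted signature method, that the EFA namespace prefixes permitted in InclusiveNamespaces are `ds`, `saml` and `xs` (the set used in the page's example), and that the required SubjectConfirmation method is holder-of-key as in the page's example, since the table's value is cut off. The signature value itself is not verified; that needs an XML-DSig library.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "ec": "http://www.w3.org/2001/10/xml-exc-c14n#", "xacml-saml": "urn:oasis:xacml:2.0:saml:assertion:schema:os",
      "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"  # assumption: value from the page's example
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"}
MAX_VALIDITY = timedelta(hours=4)  # profile: validity MUST NOT exceed 4 hours


def _ts(value):
    """Parse an xs:dateTime given in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_policy_assertion(xml_text, now_iso, allowed_prefixes=("ds", "saml", "xs"),
                           signature_methods=(RSA_SHA256,)):
    """Return the profile violations found (empty list = structurally conformant).
    DigestValue/SignatureValue are not verified: run this before, not instead of, XML-DSig validation."""
    a, now, findings = ET.fromstring(xml_text), _ts(now_iso), []
    if a.get("Version") != "2.0":
        findings.append("Version must be 2.0")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") not in NAMEID_FORMATS:
        findings.append("NameID/@Format not in the allowed set")
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != HOLDER_OF_KEY:
        findings.append("SubjectConfirmation/@Method is not holder-of-key")
    elif conf.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is None:
        findings.append("SubjectConfirmationData lacks the user's ds:KeyInfo")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Conditions missing")
    else:
        nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if noa - nb > MAX_VALIDITY:
            findings.append("validity window exceeds 4 hours")
        if not nb <= now < noa:
            findings.append("assertion not valid at evaluation time")
    if a.find("xacml-saml:XACMLPolicyStatement/xacml:PolicySet", NS) is None:
        findings.append("XACMLPolicyStatement/PolicySet missing")
    sig = a.find("ds:Signature", NS)
    si = None if sig is None else sig.find("ds:SignedInfo", NS)
    if si is None:
        return findings + ["ds:Signature/ds:SignedInfo missing"]
    methods = {el.tag.rpartition("}")[2]: el.get("Algorithm") for el in si}  # direct children
    if methods.get("CanonicalizationMethod") != EXC_C14N:
        findings.append("CanonicalizationMethod should be exclusive C14N")
    if methods.get("SignatureMethod") not in signature_methods:
        findings.append("SignatureMethod not in the accepted set")
    ref = si.find("ds:Reference", NS)
    if ref is None:
        return findings + ["SignedInfo/Reference missing"]
    if ref.get("URI") != "#" + a.get("ID", ""):  # enveloped signature must cover this assertion
        findings.append("Reference/@URI does not point at the Assertion ID")
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms or EXC_C14N not in transforms:
        findings.append("Transforms should include enveloped-signature and exclusive C14N")
    for inc in ref.findall("ds:Transforms/ds:Transform/ec:InclusiveNamespaces", NS):
        extra = set(inc.get("PrefixList", "").split()) - set(allowed_prefixes)
        if extra:
            findings.append("InclusiveNamespaces uses non-EFA prefixes: " + " ".join(sorted(extra)))
    ki = sig.find("ds:KeyInfo", NS)
    if ki is None or (ki.find("ds:X509Data/ds:X509Certificate", NS) is None
                      and ki.find("wsse:SecurityTokenReference", NS) is None):
        findings.append("KeyInfo must carry the issuer certificate or a SecurityTokenReference")
    return findings


# Constructed sample assertion; PLACEHOLDER values stand in for certificate, digest and signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
 ID="uuid-example-0001" IssueInstant="2015-01-26T08:00:00Z" Version="2.0">
<saml:Issuer>urn:example:pap</saml:Issuer>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#uuid-example-0001"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
 xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/></ds:Transform>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=placeholder</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2015-01-26T08:00:00Z" NotOnOrAfter="2015-01-26T12:00:00Z"/>
<xacml-saml:XACMLPolicyStatement><PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
 PolicySetId="00000000-0000-0000-0000-000000000000"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"><Target/></PolicySet>
</xacml-saml:XACMLPolicyStatement></saml:Assertion>"""
```

`check_policy_assertion(SAMPLE_ASSERTION, "2015-01-26T09:00:00Z")` returns an empty list; a 5-hour validity window, an rsa-sha1 SignatureMethod, a foreign prefix in PrefixList or a Reference URI that does not equal `#` plus the Assertion ID each produce one finding. The Reference check is the one most often missed in hand-written examples: an enveloped signature whose Reference points elsewhere proves nothing about the assertion that carries it.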
Example Assertion
Please mark comments on this section with the code {Eocyo.01.05}
<soap12:Envelope … >
  <soap12:Header … >
    <wsse:Security … >
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
          ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1"
          IssueInstant="2013-04-05T08:14:28.788Z" Version="2.0">
        <saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer>
        <!-- Enveloped signature of the issuer; the Reference points at the Assertion ID -->
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1">
              <ds:Transforms>
                <ds:Transform
                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces
                      xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                      PrefixList="ds saml xs" />
                </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>ggyn … LQ==</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate> … </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
          <saml:NameID
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
            ...
          </saml:NameID>
          <!-- Holder-of-key confirmation: the key below is held only by the user -->
          <saml:SubjectConfirmation
              Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <saml:SubjectConfirmationData>
              <ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate> … </ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- Validity window of 4 hours, the maximum the profile allows -->
        <saml:Conditions
            NotBefore="2013-04-05T08:14:28.788Z"
            NotOnOrAfter="2013-04-05T12:14:28.788Z">
        </saml:Conditions>
        <xacml-saml:XACMLPolicyStatement>
          <PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
              xmlns:hl7="urn:hl7-org:v3"
              xmlns:rim="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd"
              PolicySetId="2B789DEE-9CB6-11E4-97F9-246A95DB5880"
              PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
            <Target>
              <Resources>
                <Resource>
                  <!-- ECR Folder Code -->
                  <ResourceMatch MatchId="urn:hl7-org:v3:function:CV-equal">
                    <AttributeValue DataType="urn:hl7-org:v3#CV">
                      <hl7:CodedValue code="ECR"
                          codeSystem="IHE-D-Cookbook-FolderClassCode" />
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
                        DataType="urn:hl7-org:v3#CV" />
                  </ResourceMatch>
                  <!-- Purpose Folder Code -->
                  <ResourceMatch MatchId="urn:hl7-org:v3:function:CV-equal">
                    <AttributeValue DataType="urn:hl7-org:v3#CV">
                      <hl7:CodedValue code="K70.0" codeSystem="1.2.276.0.76.5.311" />
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
                        DataType="urn:hl7-org:v3#CV" />
                  </ResourceMatch>
                  <!-- Patient -->
                  <ResourceMatch MatchId="urn:hl7-org:v3:function:II-equal">
                    <AttributeValue DataType="urn:hl7-org:v3#II">
                      <hl7:InstanceIdentifier extension="6578946"
                          root="1.3.6.1.4.1.21367.2005.3.7" />
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
                        DataType="urn:hl7-org:v3#II" />
                  </ResourceMatch>
                </Resource>
              </Resources>
            </Target>
            <!-- Policy attachment for a health professional -->
            <Policy PolicyId="urn:ecr:2.0:xacml:policyid:1"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
              <Target>
                <Subjects>
                  <!-- An HC professional and its role -->
                  <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                          >urn:oid:1.2.276.0.76.3.1.81.1.76.4</AttributeValue>
                      <SubjectAttributeDesignator
                          AttributeId="urn:oasis:names:tc:xspa:1.0:subject:organization-id"
                          DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                    </SubjectMatch>
                    <SubjectMatch
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
                          >physician</AttributeValue>
                      <SubjectAttributeDesignator
                          AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                          DataType="http://www.w3.org/2001/XMLSchema#string" />
                    </SubjectMatch>
                  </Subject>
                </Subjects>
                <Resources>
                  <!-- Document.availabilityStatus -->
                  <Resource>
                    <ResourceMatch
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                          >urn:oasis:names:tc:ebxml-regrep:StatusType:Approved</AttributeValue>
                      <ResourceAttributeDesignator
                          AttributeId="urn:ihe:iti:xds-b:2007:availability-status"
                          DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                    </ResourceMatch>
                  </Resource>
                </Resources>
                <Environments>
                  <Environment>
                    <!-- Begin of grace period -->
                    <EnvironmentMatch
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime"
                          >2014-12-24T22:00:00Z</AttributeValue>
                      <EnvironmentAttributeDesignator
                          AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                          DataType="http://www.w3.org/2001/XMLSchema#dateTime" />
                    </EnvironmentMatch>
                  </Environment>
                </Environments>
              </Target>
            </Policy>
          </PolicySet>
        </xacml-saml:XACMLPolicyStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap12:Header>
  <soap12:Body/>
</soap12:Envelope>
References and cross-references
- EFA-2.0-Spezifikation