EFA WS Trust Policy Provider

Aus Hl7wiki
(Teildokument von CDA für die elektronische Fallakte)
Wechseln zu: Navigation, Suche
K (EFA Policy Provider WS-Trust Binding)
K (Markup-Fehler behoben)
 
(10 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 7: Zeile 7:
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.01}</tt>
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.01}</tt>
  
Within EFA the actors and transactions of the OASIS WS-Trust 1.3 standard are mapped onto EFA Policy Provider actors and operations as follows:
+
This section defines how to use the OASIS Standard ''WS-Trust 1.3'' to implement the logical operations of the EFA Policy Provider by means of technical bindings.
  
{|class="wikitable" style="text-align: left; cellpadding: 10;"
+
The actor EFA Policy Provider SHALL be implemented as Security Token Service (STS) in terms of the ''WS Services Trust Model''.
!Role
 
!EFA Policy Provider Service
 
!OASIS WS-Trust 1.3
 
|-
 
!Actor
 
|EFA Context Manager
 
|Requestor
 
|-
 
!Actor
 
|EFA Policy Provider
 
|Security Token Service  
 
|-
 
!Transaction
 
|[[cdaefa:EFA_Policy_Provider_SFM#requestPolicy|requestPolicy]]
 
|RequestSecurityToken (RST) <br>RequestSecurityTokenResponse (RSTR)
 
|}
 
  
== EFA WS-Trust Binding: requestPolicy ==
+
The actor EFA Context Manager SHALL be implemented as Requestor in terms of the ''WS Services Trust Model''.
 +
 
 +
=== EFA WS-Trust Binding: requestPolicy ===
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02}</tt>
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02}</tt>
  
A ECR consumer may use the "Policy Push" paradigm to forward the requestor's ECR access policy to an ECR business service. This requires the ECR consumer to send a request to the ECR Policy Provider service to issue and provide a policy that can be trusted and processed by other ECR services (even in case these services are located on a remote peer).  
+
This section defines the technical binding for the operation ''requestPolicy''.
 +
 
 +
==== Request Message ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.01}</tt>
 +
 
 +
The requestor SHALL send a ''RequestSecurityToken'' message as defined in ''WS-Trust 1.3''. The format of the message SHOULD be ''SOAP Version 1.2''.
 +
 
 +
As for the ''RequestSecurityToken'' element, this binding defines the following constraints and extensions:
 +
 
 +
;<nowiki>/wst:RequestSecurityToken/wst:TokenType</nowiki>
 +
:This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
 +
 
 +
;<nowiki>/wst:RequestSecurityToken/wst:RequestType</nowiki>
 +
:This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
 +
 
 +
;<nowiki>/wst:RequestSecurityToken/{any}</nowiki>
 +
:The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo.
 +
:The value of ecrRef.purpose MUST be encoded with the [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]].
 +
:The value of ecrRef.patientID MUST be encoded with the [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]].
 +
{{WorkBox|The binding for values of consentInfo is under reconciliation.}}
 +
 
 +
===== Example =====
 +
<syntaxhighlight lang="xml">
 +
<wst:RequestSecurityToken
 +
  xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
 +
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 +
  xmlns:hl7="urn:hl7-org:v3">
 +
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
 +
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
 +
  <xacml-context:Attribute
 +
    AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
 +
    DataType="urn:hl7-org:v3#II">
 +
    <xacml-context:AttributeValue>
 +
      <hl7:InstanceIdentifier
 +
        extension="6578946"
 +
        root="1.3.6.1.4.1.21367.2005.3.7"/>
 +
    </xacml-context:AttributeValue>
 +
  </xacml-context:Attribute>
 +
  <xacml-context:Attribute
 +
    AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
 +
    DataType="urn:hl7-org:v3#CV">
 +
  <xacml-context:AttributeValue>
 +
    <hl7:CodedValue
 +
      code="K70.0"
 +
      codeSystem="1.2.276.0.76.5.311"/>
 +
  </xacml-context:AttributeValue>
 +
  </xacml-context:Attribute>
 +
</wst:RequestSecurityToken>
 +
</syntaxhighlight>
 +
 
 +
==== Expected Actions ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.02}</tt>
 +
 
 +
The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message.
 +
 
 +
The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches
 +
* if it matches the xacml-context:Attribute elements in the WS-Trust extensibility point, and
 +
* if it matches the subject of the EFA Identity Assertion.
 +
 
 +
The STS builds an EFA Policy Assertion that contains the matching subject access policy, if any.
 +
 
 +
The STS responds with the EFA Policy Assertion.
 +
 
 +
==== Response Message (Full Success Scenario) ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.03}</tt>
 +
 
 +
The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.
 +
 
 +
==== Response Message (Failure or Partial Failure Scenario) ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.04}</tt>
  
Such retrieval of an ECR access policy from an ECR provider's Policy Provider service is bound to the OASIS WS-Trust 1.3 ''RequestSecurityToken (RST)'' and ''RequestSecurityTokenResponse (RSTR)'' messages. This EFA binding introduces extensions and restrictions on the respective WS Trust 1.3 definitions:
+
The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.
* Provided Security Token shall comply to the specification of the ECR Policy Assertion.
 
* The Policy Assertion is issued for the requestor and an identified ECR instance. The identifier of the ECR instance (''ecrRef'') is embedded into the RST element as a ''secondary parameter''.
 
* The application of security measures and the contents of the SOAP security header are specified normatively.  
 
  
=== Constraints and Extensions to the Request Message (RST) ===
+
==== Security Audit Considerations ====
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.01}</tt>
+
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.05}</tt>
  
The RequestSecurityToken message is issued by an ECR Context Manager actor for requesting a policy that allows the current user to access an identified ECR instance.  
+
See [[cdaefa:EFA_XDS_SecurityConsiderations|Security Considerations]].
  
The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions:
+
=== EFA WS-Trust Binding: issueAccessToken ===
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03}</tt>
  
/wst:RequestSecurityToken/@Context
+
This section defines the technical binding for the operation ''issueAccessToken''.
  
This optional URI specifies an identifier/context for this request. All subsequent RSTR elements relating to this request MUST carry this attribute. This, for example, allows the request and subsequent responses to be correlated. Note that no ordering semantics are provided; that is left to the application/transport.
+
==== Request Message ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.01}</tt>
  
/wst:RequestSecurityToken/wst:TokenType
+
The requestor SHALL send a ''RequestSecurityToken'' message as defined in ''WS-Trust 1.3''. The format of the message SHOULD be ''SOAP Version 1.2''.
  
This optional element describes the type of security token requested, specified as a URI.  That is, the type of token that will be returned in the <wst:RequestSecurityTokenResponse> message.  Token type URIs are typically defined in token profiles such as those in the OASIS WSS TC.
+
As for the ''RequestSecurityToken'' element, this binding defines the following constraints and extensions:
  
/wst:RequestSecurityToken/wst:RequestType
+
;<nowiki>/wst:RequestSecurityToken/wst:TokenType</nowiki>
 +
:This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
  
The mandatory RequestType element is used to indicate, using a URI, the class of function that is being requested. The allowed values are defined by specific bindings and profiles of WS-Trust. Frequently this URI corresponds to the [WS-Addressing] Action URI provided in the message header as described in the binding/profile; however, specific bindings can use the Action URI to provide more details on the semantic processing while this parameter specifies the general class of operation (e.g., token issuance).  This parameter is required.
+
{{WorkBox|The standard WS-Trust suggests, that application may use there own values for TokenType. But in practice, vendors often expect certain values like "...#SAMLV2.0". Evaluate support for none-standard values of TokenType. An aspect in favour of a EFA-specific values of TokenType is that an STS could provide the operations of EFA Policy Provider in a single URL-context.}}
  
/wst:RequestSecurityToken/wst: SecondaryParameters
+
;<nowiki>/wst:RequestSecurityToken/wst:RequestType</nowiki>
 +
:This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
  
If specified, this optional element contains zero or more valid RST parameters (except wst:SecondaryParameters) for which the requestor is not the originator.
+
;<nowiki>/wst:RequestSecurityToken/{any}</nowiki>
 +
:The extensibility point is used. It holds the values of the input parameter ecrRef.
 +
:The value of ecrRef.purpose MUST be encoded with the [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]].
 +
:The value of ecrRef.patientID MUST be encoded with the [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]].
  
/wst:RequestSecurityToken/ecr:EcrRef
+
===== Example =====
 +
<syntaxhighlight lang="xml">
 +
<wst:RequestSecurityToken
 +
  xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
 +
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 +
  xmlns:hl7="urn:hl7-org:v3">
 +
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
 +
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
 +
  <xacml-context:Attribute
 +
    AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
 +
    DataType="urn:hl7-org:v3#II">
 +
    <xacml-context:AttributeValue>
 +
      <hl7:InstanceIdentifier
 +
        extension="6578946"
 +
        root="1.3.6.1.4.1.21367.2005.3.7"/>
 +
    </xacml-context:AttributeValue>
 +
  </xacml-context:Attribute>
 +
  <xacml-context:Attribute
 +
    AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
 +
    DataType="urn:hl7-org:v3#CV">
 +
    <xacml-context:AttributeValue>
 +
      <hl7:CodedValue
 +
        code="K70.0"
 +
        codeSystem="1.2.276.0.76.5.311"/>
 +
    </xacml-context:AttributeValue>
 +
  </xacml-context:Attribute>
 +
</wst:RequestSecurityToken>
 +
</syntaxhighlight>
  
==== Example ====
+
==== Expected Actions ====
...
+
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.02}</tt>
  
=== Expected Actions ===
+
The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message.
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.02}</tt>
 
  
...
+
{{WorkBox|Building the accessToken is described in the specification EFA 1.2 Offline Token. A detailed description of the wire format and building rules should be given here, too.}}
  
=== Response Message (Full Success Scenario) ===
+
The STS responds with the access token.
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.03}</tt>
 
  
If the EFA Policy Provider Service is able to decode the received message and to properly issue a policy it responds with an WS Trust 1.3 RequestSecurityTokenResponse message that carries a single ECR Policy Assertion.
+
==== Response Message (Full Success Scenario) ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.03}</tt>
  
=== Response Message (Failure or Partial Failure Scenario) ===
+
The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.04}</tt>
 
  
If the EFA Policy Provider Service provider is able to decode the received message but fails to issue the requested policy, ...
+
==== Response Message (Failure or Partial Failure Scenario) ====
 +
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.04}</tt>
  
 +
The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.
  
=== Security Audit Considerations ===
+
==== Security Audit Considerations ====
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.05}</tt>
+
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.05}</tt>
  
 
See [[cdaefa:EFA_XDS_SecurityConsiderations|Security Considerations]].
 
See [[cdaefa:EFA_XDS_SecurityConsiderations|Security Considerations]].
  
== Querverweise und Referenzen ==
 
  
 +
 +
----
 +
 +
 +
{{NoteBox|'''Referenzen und Querverweise'''
 
* [[cdaefa:EFA_Spezifikation_v2.0|EFA-2.0-Spezifikation]]
 
* [[cdaefa:EFA_Spezifikation_v2.0|EFA-2.0-Spezifikation]]
 +
<nowiki></nowiki>
 +
}}

Aktuelle Version vom 26. Januar 2015, 16:12 Uhr

Dieses Material ist Teil des Leitfadens CDA für die elektronische Fallakte.
  • Direkt im Wiki geändert werden sollten Schreibfehler, ergänzende Hinweise.
  • Offene Fragen, die der Diskussionen bedürfen, sollten auf der Diskussionsseite aufgenommen werden.
  • Liste der Seiten dieses Leitfadens: hier, Liste der Seiten, in denen dieses Material verwendet (transkludiert) siehe hier .

Anmerkung: Die Kürzel unter den einzelnen Überschriften dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".

EFA Policy Provider WS-Trust Binding

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.01}

This section defines how to use the OASIS Standard WS-Trust 1.3 to implement the logical operations of the EFA Policy Provider by means of technical bindings.

The actor EFA Policy Provider SHALL be implemented as Security Token Service (STS) in terms of the WS Services Trust Model.

The actor EFA Context Manager SHALL be implemented as Requestor in terms of the WS Services Trust Model.

EFA WS-Trust Binding: requestPolicy

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02}

This section defines the technical binding for the operation requestPolicy.

Request Message

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.01}

The requestor SHALL send a RequestSecurityToken message as defined in WS-Trust 1.3. The format of the message SHOULD be SOAP Version 1.2.

As for the RequestSecurityToken element, this binding defines the following constraints and extensions:

/wst:RequestSecurityToken/wst:TokenType
This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
/wst:RequestSecurityToken/wst:RequestType
This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
/wst:RequestSecurityToken/{any}
The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo.
The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for Folder.codeList.
The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for Folder.patientId.
Under construction icon-blue.svg The binding for values of consentInfo is under reconciliation.
Example
<wst:RequestSecurityToken
  xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  xmlns:hl7="urn:hl7-org:v3">
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <xacml-context:Attribute
    AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
    DataType="urn:hl7-org:v3#II">
    <xacml-context:AttributeValue>
      <hl7:InstanceIdentifier
        extension="6578946"
        root="1.3.6.1.4.1.21367.2005.3.7"/>
    </xacml-context:AttributeValue>
  </xacml-context:Attribute>
  <xacml-context:Attribute
    AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
    DataType="urn:hl7-org:v3#CV">
  <xacml-context:AttributeValue>
    <hl7:CodedValue
      code="K70.0"
      codeSystem="1.2.276.0.76.5.311"/>
  </xacml-context:AttributeValue>
  </xacml-context:Attribute>
</wst:RequestSecurityToken>

Expected Actions

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.02}

The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message.

The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches

  • if it matches the xacml-context:Attribute elements in the WS-Trust extensibility point, and
  • if it matches the subject of the EFA Identity Assertion.

The STS builds an EFA Policy Assertion that contains the matching subject access policy, if any.

The STS responds with the EFA Policy Assertion.

Response Message (Full Success Scenario)

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.03}

The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.

Response Message (Failure or Partial Failure Scenario)

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.04}

The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.

Security Audit Considerations

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.05}

See Security Considerations.

EFA WS-Trust Binding: issueAccessToken

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03}

This section defines the technical binding for the operation issueAccessToken.

Request Message

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.01}

The requestor SHALL send a RequestSecurityToken message as defined in WS-Trust 1.3. The format of the message SHOULD be SOAP Version 1.2.

As for the RequestSecurityToken element, this binding defines the following constraints and extensions:

/wst:RequestSecurityToken/wst:TokenType
This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
Under construction icon-blue.svg The standard WS-Trust suggests, that application may use there own values for TokenType. But in practice, vendors often expect certain values like "...#SAMLV2.0". Evaluate support for none-standard values of TokenType. An aspect in favour of a EFA-specific values of TokenType is that an STS could provide the operations of EFA Policy Provider in a single URL-context.
/wst:RequestSecurityToken/wst:RequestType
This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
/wst:RequestSecurityToken/{any}
The extensibility point is used. It holds the values of the input parameter ecrRef.
The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for Folder.codeList.
The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for Folder.patientId.
Example
<wst:RequestSecurityToken
  xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  xmlns:hl7="urn:hl7-org:v3">
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <xacml-context:Attribute
    AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
    DataType="urn:hl7-org:v3#II">
    <xacml-context:AttributeValue>
      <hl7:InstanceIdentifier
        extension="6578946"
        root="1.3.6.1.4.1.21367.2005.3.7"/>
    </xacml-context:AttributeValue>
  </xacml-context:Attribute>
  <xacml-context:Attribute
    AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
    DataType="urn:hl7-org:v3#CV">
    <xacml-context:AttributeValue>
      <hl7:CodedValue
        code="K70.0"
        codeSystem="1.2.276.0.76.5.311"/>
    </xacml-context:AttributeValue>
  </xacml-context:Attribute>
</wst:RequestSecurityToken>

Expected Actions

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.02}

The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message.

Under construction icon-blue.svg Building the accessToken is described in the specification EFA 1.2 Offline Token. A detailed description of the wire format and building rules should be given here, too.

The STS responds with the access token.

Response Message (Full Success Scenario)

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.03}

The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.

Response Message (Failure or Partial Failure Scenario)

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.04}

The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.

Security Audit Considerations

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.05}

See Security Considerations.



Information icon.svg Referenzen und Querverweise
Abgerufen von „https://wiki.hl7.de/index.php?title=cdaefa:EFA_WS_Trust_Policy_Provider&oldid=22141