EFA WS Trust Policy Provider
(Expected Actions und Response Message ergänzt) |
K (Markup-Fehler behoben) |
||
(6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 7: | Zeile 7: | ||
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.01}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.01}</tt> | ||
− | + | This section defines how to use the OASIS Standard ''WS-Trust 1.3'' to implement the logical operations of the EFA Policy Provider by means of technical bindings. | |
− | + | The actor EFA Policy Provider SHALL be implemented as Security Token Service (STS) in terms of the ''WS Services Trust Model''. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == EFA WS-Trust Binding: requestPolicy == | + | The actor EFA Context Manager SHALL be implemented as Requestor in terms of the ''WS Services Trust Model''. |
+ | |||
+ | === EFA WS-Trust Binding: requestPolicy === | ||
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02}</tt> | ||
− | + | This section defines the technical binding for the operation ''requestPolicy''. | |
− | |||
− | |||
− | === Request Message === | + | ==== Request Message ==== |
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.01}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.01}</tt> | ||
− | The RequestSecurityToken message | + | The requestor SHALL send a ''RequestSecurityToken'' message as defined in ''WS-Trust 1.3''. The format of the message SHOULD be ''SOAP Version 1.2''. |
− | + | As for the ''RequestSecurityToken'' element, this binding defines the following constraints and extensions: | |
;<nowiki>/wst:RequestSecurityToken/wst:TokenType</nowiki> | ;<nowiki>/wst:RequestSecurityToken/wst:TokenType</nowiki> | ||
Zeile 49: | Zeile 33: | ||
;<nowiki>/wst:RequestSecurityToken/{any}</nowiki> | ;<nowiki>/wst:RequestSecurityToken/{any}</nowiki> | ||
:The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo. | :The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo. | ||
− | :The value of ecrRef.purpose MUST be encoded with the | + | :The value of ecrRef.purpose MUST be encoded with the [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]]. |
− | :The value of ecrRef.patientID MUST be encoded with the | + | :The value of ecrRef.patientID MUST be encoded with the [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]]. |
{{WorkBox|The binding for values of consentInfo is under reconciliation.}} | {{WorkBox|The binding for values of consentInfo is under reconciliation.}} | ||
− | ==== Example ==== | + | ===== Example ===== |
<syntaxhighlight lang="xml"> | <syntaxhighlight lang="xml"> | ||
<wst:RequestSecurityToken | <wst:RequestSecurityToken | ||
Zeile 64: | Zeile 48: | ||
AttributeId="urn:ihe:iti:xds-b:2007:patient-id" | AttributeId="urn:ihe:iti:xds-b:2007:patient-id" | ||
DataType="urn:hl7-org:v3#II"> | DataType="urn:hl7-org:v3#II"> | ||
+ | <xacml-context:AttributeValue> | ||
+ | <hl7:InstanceIdentifier | ||
+ | extension="6578946" | ||
+ | root="1.3.6.1.4.1.21367.2005.3.7"/> | ||
+ | </xacml-context:AttributeValue> | ||
+ | </xacml-context:Attribute> | ||
+ | <xacml-context:Attribute | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:folder:code" | ||
+ | DataType="urn:hl7-org:v3#CV"> | ||
<xacml-context:AttributeValue> | <xacml-context:AttributeValue> | ||
− | <hl7: | + | <hl7:CodedValue |
− | + | code="K70.0" | |
− | + | codeSystem="1.2.276.0.76.5.311"/> | |
</xacml-context:AttributeValue> | </xacml-context:AttributeValue> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
</xacml-context:Attribute> | </xacml-context:Attribute> | ||
</wst:RequestSecurityToken> | </wst:RequestSecurityToken> | ||
Zeile 81: | Zeile 69: | ||
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.02}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.02}</tt> | ||
− | The STS SHALL authenticate the requester by validating the SOAP | + | The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message. |
The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches | The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches | ||
Zeile 91: | Zeile 79: | ||
The STS responds with the EFA Policy Assertion. | The STS responds with the EFA Policy Assertion. | ||
− | === Response Message (Full Success Scenario) === | + | ==== Response Message (Full Success Scenario) ==== |
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.03}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.03}</tt> | ||
The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element. | The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element. | ||
− | === Response Message (Failure or Partial Failure Scenario) === | + | ==== Response Message (Failure or Partial Failure Scenario) ==== |
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.04}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.04}</tt> | ||
The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3. | The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3. | ||
− | === Security Audit Considerations === | + | ==== Security Audit Considerations ==== |
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.05}</tt> | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.05}</tt> | ||
See [[cdaefa:EFA_XDS_SecurityConsiderations|Security Considerations]]. | See [[cdaefa:EFA_XDS_SecurityConsiderations|Security Considerations]]. | ||
− | == | + | === EFA WS-Trust Binding: issueAccessToken === |
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03}</tt> | ||
+ | |||
+ | This section defines the technical binding for the operation ''issueAccessToken''. | ||
+ | |||
+ | ==== Request Message ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.01}</tt> | ||
+ | |||
+ | The requestor SHALL send a ''RequestSecurityToken'' message as defined in ''WS-Trust 1.3''. The format of the message SHOULD be ''SOAP Version 1.2''. | ||
+ | |||
+ | As for the ''RequestSecurityToken'' element, this binding defines the following constraints and extensions: | ||
+ | |||
+ | ;<nowiki>/wst:RequestSecurityToken/wst:TokenType</nowiki> | ||
+ | :This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0". | ||
+ | |||
+ | {{WorkBox|The standard WS-Trust suggests, that application may use there own values for TokenType. But in practice, vendors often expect certain values like "...#SAMLV2.0". Evaluate support for none-standard values of TokenType. An aspect in favour of a EFA-specific values of TokenType is that an STS could provide the operations of EFA Policy Provider in a single URL-context.}} | ||
+ | |||
+ | ;<nowiki>/wst:RequestSecurityToken/wst:RequestType</nowiki> | ||
+ | :This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue". | ||
+ | |||
+ | ;<nowiki>/wst:RequestSecurityToken/{any}</nowiki> | ||
+ | :The extensibility point is used. It holds the values of the input parameter ecrRef. | ||
+ | :The value of ecrRef.purpose MUST be encoded with the [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]]. | ||
+ | :The value of ecrRef.patientID MUST be encoded with the [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]]. | ||
+ | |||
+ | ===== Example ===== | ||
+ | <syntaxhighlight lang="xml"> | ||
+ | <wst:RequestSecurityToken | ||
+ | xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" | ||
+ | xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" | ||
+ | xmlns:hl7="urn:hl7-org:v3"> | ||
+ | <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> | ||
+ | <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> | ||
+ | <xacml-context:Attribute | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:patient-id" | ||
+ | DataType="urn:hl7-org:v3#II"> | ||
+ | <xacml-context:AttributeValue> | ||
+ | <hl7:InstanceIdentifier | ||
+ | extension="6578946" | ||
+ | root="1.3.6.1.4.1.21367.2005.3.7"/> | ||
+ | </xacml-context:AttributeValue> | ||
+ | </xacml-context:Attribute> | ||
+ | <xacml-context:Attribute | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:folder:code" | ||
+ | DataType="urn:hl7-org:v3#CV"> | ||
+ | <xacml-context:AttributeValue> | ||
+ | <hl7:CodedValue | ||
+ | code="K70.0" | ||
+ | codeSystem="1.2.276.0.76.5.311"/> | ||
+ | </xacml-context:AttributeValue> | ||
+ | </xacml-context:Attribute> | ||
+ | </wst:RequestSecurityToken> | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==== Expected Actions ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.02}</tt> | ||
+ | |||
+ | The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message. | ||
+ | |||
+ | {{WorkBox|Building the accessToken is described in the specification EFA 1.2 Offline Token. A detailed description of the wire format and building rules should be given here, too.}} | ||
+ | |||
+ | The STS responds with the access token. | ||
+ | |||
+ | ==== Response Message (Full Success Scenario) ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.03}</tt> | ||
+ | |||
+ | The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element. | ||
+ | |||
+ | ==== Response Message (Failure or Partial Failure Scenario) ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.04}</tt> | ||
+ | |||
+ | The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3. | ||
+ | |||
+ | ==== Security Audit Considerations ==== | ||
+ | <tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.03.05}</tt> | ||
+ | |||
+ | See [[cdaefa:EFA_XDS_SecurityConsiderations|Security Considerations]]. | ||
+ | |||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | {{NoteBox|'''Referenzen und Querverweise''' | ||
* [[cdaefa:EFA_Spezifikation_v2.0|EFA-2.0-Spezifikation]] | * [[cdaefa:EFA_Spezifikation_v2.0|EFA-2.0-Spezifikation]] | ||
+ | <nowiki></nowiki> | ||
+ | }} |
Aktuelle Version vom 26. Januar 2015, 16:12 Uhr
Dieses Material ist Teil des Leitfadens CDA für die elektronische Fallakte.
|
Anmerkung: Die Kürzel unter den einzelnen Überschriften dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".
Inhaltsverzeichnis
EFA Policy Provider WS-Trust Binding
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.01}
This section defines how to use the OASIS Standard WS-Trust 1.3 to implement the logical operations of the EFA Policy Provider by means of technical bindings.
The actor EFA Policy Provider SHALL be implemented as Security Token Service (STS) in terms of the WS Services Trust Model.
The actor EFA Context Manager SHALL be implemented as Requestor in terms of the WS Services Trust Model.
EFA WS-Trust Binding: requestPolicy
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02}
This section defines the technical binding for the operation requestPolicy.
Request Message
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.01}
The requestor SHALL send a RequestSecurityToken message as defined in WS-Trust 1.3. The format of the message SHOULD be SOAP Version 1.2.
As for the RequestSecurityToken element, this binding defines the following constraints and extensions:
- /wst:RequestSecurityToken/wst:TokenType
- This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
- /wst:RequestSecurityToken/wst:RequestType
- This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
- /wst:RequestSecurityToken/{any}
- The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo.
- The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for Folder.codeList.
- The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for Folder.patientId.
The binding for values of consentInfo is under reconciliation. |
Example
<wst:RequestSecurityToken
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:hl7="urn:hl7-org:v3">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<xacml-context:Attribute
AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
DataType="urn:hl7-org:v3#II">
<xacml-context:AttributeValue>
<hl7:InstanceIdentifier
extension="6578946"
root="1.3.6.1.4.1.21367.2005.3.7"/>
</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute
AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
DataType="urn:hl7-org:v3#CV">
<xacml-context:AttributeValue>
<hl7:CodedValue
code="K70.0"
codeSystem="1.2.276.0.76.5.311"/>
</xacml-context:AttributeValue>
</xacml-context:Attribute>
</wst:RequestSecurityToken>
Expected Actions
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.02}
The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message.
The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches
- if it matches the xacml-context:Attribute elements in the WS-Trust extensibility point, and
- if it matches the subject of the EFA Identity Assertion.
The STS builds an EFA Policy Assertion that contains the matching subject access policy, if any.
The STS responds with the EFA Policy Assertion.
Response Message (Full Success Scenario)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.03}
The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.
Response Message (Failure or Partial Failure Scenario)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.04}
The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.
Security Audit Considerations
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.05}
EFA WS-Trust Binding: issueAccessToken
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03}
This section defines the technical binding for the operation issueAccessToken.
Request Message
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.01}
The requestor SHALL send a RequestSecurityToken message as defined in WS-Trust 1.3. The format of the message SHOULD be SOAP Version 1.2.
As for the RequestSecurityToken element, this binding defines the following constraints and extensions:
- /wst:RequestSecurityToken/wst:TokenType
- This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
- /wst:RequestSecurityToken/wst:RequestType
- This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
- /wst:RequestSecurityToken/{any}
- The extensibility point is used. It holds the values of the input parameter ecrRef.
- The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for Folder.codeList.
- The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for Folder.patientId.
Example
<wst:RequestSecurityToken
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:hl7="urn:hl7-org:v3">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<xacml-context:Attribute
AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
DataType="urn:hl7-org:v3#II">
<xacml-context:AttributeValue>
<hl7:InstanceIdentifier
extension="6578946"
root="1.3.6.1.4.1.21367.2005.3.7"/>
</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute
AttributeId="urn:ihe:iti:xds-b:2007:folder:code"
DataType="urn:hl7-org:v3#CV">
<xacml-context:AttributeValue>
<hl7:CodedValue
code="K70.0"
codeSystem="1.2.276.0.76.5.311"/>
</xacml-context:AttributeValue>
</xacml-context:Attribute>
</wst:RequestSecurityToken>
Expected Actions
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.02}
The STS SHALL authenticate the requester by validating the SOAP Security Header and the EFA Identity Assertion. If the authentication fails the STS responds with a SOAP Fault message.
Building the accessToken is described in the specification EFA 1.2 Offline Token. A detailed description of the wire format and building rules should be given here, too. |
The STS responds with the access token.
Response Message (Full Success Scenario)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.03}
The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.
Response Message (Failure or Partial Failure Scenario)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.04}
The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.
Security Audit Considerations
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.03.05}
Referenzen und Querverweise |