EFA WS Trust Policy Provider
K (→Constraints and Extensions to the Request Message (RST)) |
(Constraints on RST ergänzt.) |
||
Zeile 9: | Zeile 9: | ||
Within EFA the actors and transactions of the OASIS WS-Trust 1.3 standard are mapped onto EFA Policy Provider actors and operations as follows: | Within EFA the actors and transactions of the OASIS WS-Trust 1.3 standard are mapped onto EFA Policy Provider actors and operations as follows: | ||
− | {|class="wikitable | + | {|class="wikitable" |
!Role | !Role | ||
!EFA Policy Provider Service | !EFA Policy Provider Service | ||
Zeile 41: | Zeile 41: | ||
The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions: | The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions: | ||
− | {|class="wikitable | + | {|class="wikitable" |
!OASIS WS-Trust 1.3 | !OASIS WS-Trust 1.3 | ||
!Optionality | !Optionality | ||
!Constraints | !Constraints | ||
− | |||
− | |||
− | |||
− | |||
|- | |- | ||
|/wst:RequestSecurityToken/wst:TokenType | |/wst:RequestSecurityToken/wst:TokenType | ||
|mandatory | |mandatory | ||
− | |SHALL be <tt>http:// | + | |SHALL be <tt>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tt> |
|- | |- | ||
|/wst:RequestSecurityToken/wst:RequestType | |/wst:RequestSecurityToken/wst:RequestType | ||
Zeile 58: | Zeile 54: | ||
|SHALL be <tt>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</tt> | |SHALL be <tt>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</tt> | ||
|- | |- | ||
− | |/wst:RequestSecurityToken/ | + | |/wst:RequestSecurityToken/{any} |
− | |||
− | |||
− | |||
− | |||
|mandatory | |mandatory | ||
− | | | + | | |
− | + | SHALL contain values of the parameters ecrRef and consentInfo as XACML-Attribute. | |
− | + | ||
− | | | + | The value of ecrRef.purpose MUST be encoded with the [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]]. |
− | |||
− | |||
+ | The value of ecrRef.patientID MUST be encoded with the [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]]. | ||
+ | {{WorkBox|The binding for values of consentInfo is under reconciliation.}} | ||
+ | |} | ||
==== Example ==== | ==== Example ==== | ||
− | ... | + | <syntaxhighlight lang="xml"> |
+ | <wst:RequestSecurityToken | ||
+ | xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" | ||
+ | xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" | ||
+ | xmlns:hl7="urn:hl7-org:v3"> | ||
+ | <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> | ||
+ | <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> | ||
+ | <xacml-context:Attribute | ||
+ | AttributeId="urn:ihe:iti:xds-b:2007:patient-id" | ||
+ | DataType="urn:hl7-org:v3#II"> | ||
+ | <xacml-context:AttributeValue> | ||
+ | <hl7:InstanceIdentifier | ||
+ | extension="6578946" | ||
+ | root="1.3.6.1.4.1.21367.2005.3.7"/> | ||
+ | </xacml-context:AttributeValue> | ||
+ | </xacml-context:Attribute> | ||
+ | <xacml-context:Attribute | ||
+ | AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-id" | ||
+ | DataType="http://www.w3.org/2001/XMLSchema#string"> | ||
+ | <xacml-context:AttributeValue>1.3.6.1.4.1.21367.2005.3.7.3670984664</xacml-context:AttributeValue> | ||
+ | </xacml-context:Attribute> | ||
+ | </wst:RequestSecurityToken> | ||
+ | </syntaxhighlight> | ||
=== Expected Actions === | === Expected Actions === |
Version vom 27. Oktober 2014, 14:38 Uhr
Dieses Material ist Teil des Leitfadens CDA für die elektronische Fallakte.
|
Anmerkung: Die Kürzel unter den einzelnen Überschriften dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".
Inhaltsverzeichnis
EFA Policy Provider WS-Trust Binding
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.01}
Within EFA the actors and transactions of the OASIS WS-Trust 1.3 standard are mapped onto EFA Policy Provider actors and operations as follows:
Role | EFA Policy Provider Service | OASIS WS-Trust 1.3 |
---|---|---|
Actor | EFA Context Manager | Requestor |
Actor | EFA Policy Provider | Security Token Service |
Transaction | requestPolicy | RequestSecurityToken (RST) RequestSecurityTokenResponse (RSTR) |
EFA WS-Trust Binding: requestPolicy
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02}
A ECR consumer may use the "Policy Push" paradigm to forward the requestor's ECR access policy to an ECR business service. This requires the ECR consumer to send a request to the ECR Policy Provider service to issue and provide a policy that can be trusted and processed by other ECR services (even in case these services are located on a remote peer).
Such retrieval of an ECR access policy from an ECR provider's Policy Provider service is bound to the OASIS WS-Trust 1.3 RequestSecurityToken (RST) and RequestSecurityTokenResponse (RSTR) messages. This EFA binding introduces extensions and restrictions on the respective WS Trust 1.3 definitions.
Constraints and Extensions to the Request Message (RST)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.01}
The RequestSecurityToken message is issued by an ECR Context Manager actor for requesting a policy that allows the current user to access an identified ECR instance.
The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions:
OASIS WS-Trust 1.3 | Optionality | Constraints | ||
---|---|---|---|---|
/wst:RequestSecurityToken/wst:TokenType | mandatory | SHALL be http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | ||
/wst:RequestSecurityToken/wst:RequestType | mandatory | SHALL be http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue | ||
/wst:RequestSecurityToken/{any} | mandatory |
SHALL contain values of the parameters ecrRef and consentInfo as XACML-Attribute. The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for Folder.codeList. The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for Folder.patientId.
|
Example
<wst:RequestSecurityToken
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:hl7="urn:hl7-org:v3">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<xacml-context:Attribute
AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
DataType="urn:hl7-org:v3#II">
<xacml-context:AttributeValue>
<hl7:InstanceIdentifier
extension="6578946"
root="1.3.6.1.4.1.21367.2005.3.7"/>
</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute
AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>1.3.6.1.4.1.21367.2005.3.7.3670984664</xacml-context:AttributeValue>
</xacml-context:Attribute>
</wst:RequestSecurityToken>
Expected Actions
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.02}
...
Response Message (Full Success Scenario)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.03}
If the EFA Policy Provider Service is able to decode the received message and to properly issue a policy it responds with an WS Trust 1.3 RequestSecurityTokenResponse message that carries a single ECR subjectAccessPolicy.
Response Message (Failure or Partial Failure Scenario)
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.04}
If the EFA Policy Provider Service provider is able to decode the received message but fails to issue the requested policy, ...
Security Audit Considerations
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.05}