cdaefa:EFA Identity Assertion SAML2 Binding

Aus Hl7wiki
Wechseln zu: Navigation, Suche

SAML 2.0 Profile for ECR Identity Assertions

Assertion Element Opt Usage Convention
@Version R MUST be “2.0”
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R time instant of issuance in UTC
Issuer R address URI that identifies the endpoint of the issuing service
Subject R This element defines the subject confirmation method of the user in order to use the Identity Assertion as a protection token. Moreover, it defines the subject name identifier that accords with the user identity.
NameID R Identifier of the HP encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person.
@Format R MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

SubjectConfirmation R
@Method R This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to

urn:oasis:names:tc:SAML:2.0:cm:holder-of-key

SubjectConfirmationData R
ds:KeyInfo R The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2].
Conditions R
@NotBefore R time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion.
@NotOnOrAfter R time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for an HCP Identity Assertion MUST NOT be more than 4 hours.
AuthnStatement R
@AuthnInstant R time instant of HP authentication in UTC
@SessionNotOnOrAfter O Time instant of the expiration of the session
AuthnContext R
AuthnContextClassRef R A URI reference that specifies the type of authentication that took place. The URI reference identifying the accepted authentication protocol is urn:oasis:names:tc:SAML:2.0:ac:classes:X509
AttributeStatement R HP identity attributes and permissions (see section below for details)
ds:Signature R Enveloped XML signature of the issuer of the HCP Identity Assertion (see section below for details).

Assertion Signature

Every HP Identity Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.

Signature Parameter Usage Convention
CanonicalizationMethod SHOULD be http://www.w3.org/2001/10/xml-exc-c14n#
Transformation Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used.
SignatureMethod For signing assertions the signature method

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or
http://www.w3.org/2000/09/xmldsig#rsa-sha1
SHOULD be used. An assertion consumer MAY reject signatures that use SHA-1 for digesting.

DigestMethod For signing assertions the digest method

http://www.w3.org/2000/09/xmldsig#sha1 or
http://www.w3.org/2001/04/xmlenc#sha256
SHOULD be used. An assertion consumer MAY reject SHA-1 digests.

KeyInfo This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer.

HCP Identity Attributes

An identity assertion can carry an arbitrary number of attributes on the authenticated entity. Each attribute MUST be encoded using a SAML attribute element.

For ECR the following attribute names and catalogues are defined.

HP Identifier
FriendlyName XSPA Subject
Name urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values Human readable name of the HP
Type String
Optionality Mandatory
Description This attribute MUST contain the full name of the HP.
Structural Role of the HCP
FriendlyName XSPA Role
Name urn:oasis:names:tc:xacml:2.0:subject:role
Values See ASTM E1986-98 (2005). Only the ASTM structural roles “dentist”, “nurse” “pharmacist”, “physician”, “nurse midwife”, “admission clerk”, “ancillary services” and “clinical services” MUST be used.
Type String
Optionality Mandatory

Speciality of the HP FriendlyName: HITSP Clinical Speciality Name: urn:epsos:names:wp3.4:subject:clinical-speciality Values: SNOMED CT based value set 2.16.840.1.113883.3.88.12.80.72 as defined in [HITSP C80 2.0]. See table 2-149 in [HITSP C80 2.0] for the full list of possible values. NOTE to CLINICAL TF: Assess alternatives to SNOMED for PN’s not being able to use/license SNOMED. Type: String Optionality: Optional Permissions acc. to the legislation of the country of care (country B) FriendlyName: XSPA permissions according with Hl7 Name: urn:oasis:names:tc:xspa:1.0:subject:hl7:permission Values: See section 3.4 of this document Type: URI Optionality: Optional. If no permissions are given, only the permissions of the HCP structural role acc. to the legislation of the country of affiliation (country A) are considered for the access control decision. If permissions are defines, the country of affiliation SHOULD consider these for all access control decisions. Delegated Rights FriendlyName: OnBehalfOf Name: urn:epsos:names:wp3.4:subject:on-behalf-of Values: See ASTM E1986-98 (2005). Acc. to [epSOS D3.6.2] only the ASTM structural roles “dentist”, “nurse” “pharmacist”, “physician” and “nurse midwife” MUST be used. Type: String Optionality: Mandatory if a structural role of “ancillary services” or “clinical services” is presented. For all other structural roles this attribute is optional Description If a person is acting on behalf of another person the role of this person MAY be provided with this attribute. If this attribute is included with a HCP identity assertion, the issuer of the assertion MUST be able to track back the delefation to the two natural persons involved. Only valid roles as defined for HCP structural roles MUST be used. An assertion consumer MAY decide not to accept delegated access rights by just ignoring this attribute. Healthcare Professional Organisation FriendlyName: XSPA Organization Name: urn:oasis:names:tc:xspa:1.0:subject:organization Values: Name of the Healthcare Professional Organisation Type: String Optionality: Optional Description This value SHOULD only be provided if different from the point of care (e.g. in cases where a hospital organization runs multiple points of care or where a hospital just provides a professional environment for otherwise independent care providers) Healthcare Professional Organisation ID FriendlyName: XSPA Organization Id Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id Values: URN encoded OID of the Healthcare Professional Organisation Type: URI Optionality: Optional Type of HCPO FriendlyName: epSOS Healthcare Facility Type Name: urn:epsos:names:wp3.4:subject:healthcare-facility-type Values: epSOS code list 1.3.6.1.4.1.12559.11.10.1.3.2.2.2. Possible values are: “Hospital”, “Resident Physician”, “Pharmacy”, “Other”. Type: String Optionality: Mandatory Description If a healthcare facility is not operated under the supervision of a physician or pharmacist the healthcare facility type MUST be set to “Other”. Purpose of Use FriendlyName: XSPA Purpose of Use Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse Values: For epSOS only TREATMENT (healthcare facility) and EMERGENCY (emergency department, ambulance, etc.) are allowed as purpose of use. If a HCP requests claims for another purpose of use, the request must be rejected as unauthorized. Optionality: Mandatory Description As the HCP identity assertion is independent of a specific patient’s treatment, this attribute refers to the usual working environment of the user. Point of Care Attribute Name: XSPA Locality Catalogue: urn:oasis:names:tc:xspa:1.0:environment:locality Values: String Optionality: Mandatory Description Name of the hospital or medical facility where patient care takes place.

Pilot projects MAY agree on further attributes. Any attributes not listed in this list MAY be ignored by the assertion consumer.