EFA Identity Assertion SAML2 Binding
Dieses Dokument gibt wieder:
Implementierungsleitfaden EFA Identity Assertion SAML2 Binding (0.9). Die Teilmaterialien gehören der Kategorie cdaefa an. |
February 2013
Jörg Caumanns, Raik Kuhlisch
Anmerkung: Die unter den einzelnen Überschriften in geschweiften Klammern angegebenen Kürzel dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".
Inhaltsverzeichnis
SAML 2.0 Profile for ECR Identity Assertions
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01}
Assertion Element | Opt | Usage Convention | |||
---|---|---|---|---|---|
@Version | R | MUST be “2.0” | |||
@ID | R | URN encoded unique identifier (UUID) of the assertion | |||
@IssueInstant | R | time instant of issuance in UTC | |||
Issuer | R | address URI that identifies the endpoint of the issuing service | |||
Subject | R | This element defines the subject confirmation method of the user in order to use the Identity Assertion as a protection token. Moreover, it defines the subject name identifier that accords with the user identity. | |||
NameID | R | Identifier of the HP encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | |||
@Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName | |||
SubjectConfirmation | R | ||||
@Method | R | This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to urn:oasis:names:tc:SAML:2.0:cm:holder-of-key or | |||
SubjectConfirmationData | R | ||||
ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | |||
Conditions | R | ||||
@NotBefore | R | time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | |||
@NotOnOrAfter | R | time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for an HCP Identity Assertion MUST NOT be more than 4 hours. | |||
AuthnStatement | R | ||||
@AuthnInstant | R | time instant of HP authentication in UTC | |||
@SessionNotOnOrAfter | O | Time instant of the expiration of the session | |||
AuthnContext | R | ||||
AuthnContextClassRef | R | A URI reference that specifies the type of authentication that took place (see SAML 2.0). | |||
AttributeStatement | R | HP identity attributes and permissions (see section below for details) | |||
ds:Signature | R | Enveloped XML signature of the issuer of the HCP Identity Assertion (see section below for details). |
German Profile
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.05}
The subject must refer to a health professional. The subject identifier must be provided as an OID. Only the following identitification schemes must be used. The order of the table denotes the order of preference.
Person Role | Scheme | Code System OID |
---|---|---|
Physician | Telematik ID This ID scheme MUST be preferred only if the Telematik ID is recorded within the HBA AUT certificate of the physician. |
not defined yet |
Physician | ID of the HBA AUT Certificate | 1.2.276.0.76.4.75 |
Physician | Lebenslange Arztnummer KV | 1.2.276.0.76.4.16 |
Physician Hospital Staff Practice Staff |
Any internal identification scheme that guarantees a unique identification within the scope of the identified organization. The <representedOrganization> and an <id> for this organization MUST be recorded. | local code system |
Assertion Signature
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.01}
Every HP Identity Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.
Signature Parameter | Usage Convention |
---|---|
CanonicalizationMethod | SHOULD be http://www.w3.org/2001/10/xml-exc-c14n# |
Transformation | Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used. |
SignatureMethod | For signing assertions the signature method http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or |
DigestMethod | For signing assertions the digest method http://www.w3.org/2000/09/xmldsig#sha1 or |
KeyInfo | This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer. |
HCP Identity Attributes
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.02}
An identity assertion can carry an arbitrary number of attributes on the authenticated entity. Each attribute MUST be encoded using a SAML attribute element.
For ECR the following attribute names and catalogues are defined.
HP Identifier | |
---|---|
FriendlyName | XSPA Subject |
Name | urn:oasis:names:tc:xacml:1.0:subject:subject-id |
Values | Human readable name of the HP |
Type | String |
Optionality | Mandatory |
Description | This attribute MUST contain the full name of the HP. |
Structural Role of the HCP | |
FriendlyName | XSPA Role |
Name | urn:oasis:names:tc:xacml:2.0:subject:role |
Values | See ASTM E1986-98 (2005). Only the ASTM structural roles “dentist”, “nurse” “pharmacist”, “physician”, “nurse midwife”, “admission clerk”, “ancillary services” and “clinical services” MUST be used. |
Type | String |
Optionality | Mandatory |
Delegated Rights | |
FriendlyName | OnBehalfOf |
Name | urn:epsos:names:wp3.4:subject:on-behalf-of |
Values | See ASTM E1986-98 (2005). Only the ASTM structural roles “dentist”, “pharmacist”, “physician” and “nurse midwife” MUST be used. |
Type | String |
Optionality | Mandatory if a structural role of “ancillary services” or “clinical services” is presented. For all other structural roles this attribute is optional |
Description | If a person is acting on behalf of another person the role of this person MAY be provided with this attribute. If this attribute is included with a HCP identity assertion, the issuer of the assertion MUST be able to track back the delefation to the two natural persons involved. Only valid roles as defined for HCP structural roles MUST be used. An assertion consumer MAY decide not to accept delegated access rights by just ignoring this attribute. |
Healthcare Professional Organisation | |
FriendlyName | XSPA Organization |
Name | urn:oasis:names:tc:xspa:1.0:subject:organization |
Values | Name of the Healthcare Professional Organisation |
Type | String |
Optionality | Optional |
Description | This value SHOULD only be provided if different from the point of care (e.g. in cases where a hospital organization runs multiple points of care or where a hospital just provides a professional environment for otherwise independent care providers) |
Healthcare Professional Organisation ID | |
FriendlyName | XSPA Organization Id |
Name | urn:oasis:names:tc:xspa:1.0:subject:organization-id |
Values | URN encoded OID of the Healthcare Professional Organisation |
Type | URI |
Optionality | Mandatory |
Purpose of Use | |
FriendlyName | XSPA Purpose of Use |
Name | urn:oasis:names:tc:xspa:1.0:subject:purposeofuse |
Values | MUST be TREATMENT |
Optionality | Optional |
Description | ECR access is only granted for treatment purposes. |
Point of Care | |
Attribute Name | XSPA Locality |
Name | urn:oasis:names:tc:xspa:1.0:environment:locality |
Values | String |
Optionality | Optional |
Description | Name of the hospital or medical facility where patient care takes place. |
ECR regional networks MAY agree on further attributes. Any attributes not listed in this list MAY be ignored by the assertion consumer.
German Extensions
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.03}
Speciality of the HP | |
---|---|
FriendlyName | Clinical Speciality |
Name | TO BE DEFINED |
Values | HIER MUSS NOCH DIE PASSENDE KBV SCHLÜSSELTABELLE RAUSGESUCHT WERDEN |
Type | URI |
Optionality | Optional |
Description | Clinical speciality of the HP as expressed in her Health Professional Card (HBA) |
HBA attributes will only be available with the Telematik-Infrastruktur. Before the final roll-out of the Telematik-Infrastruktur identifiers based on HBA SHOULD NOT be used. |
Example Assertion
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {ItyAn.01.04}
<soap12:Envelope … >
<soap12:Header … >
<wsse:Security … >
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_2c356d70-1215-42f9-93a0-fc6fab1c966e"
IssueInstant="2009-09-21T12:03:28.788Z" Version="2.0">
<saml:Issuer>urn:de:berlin:hp:idp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#urn:uuid:7102AC72154DCFD1F51253534608780">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cH+lCY … </ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate> … </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
...
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate> … </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2012-09-21T12:03:28.788Z"
NotOnOrAfter="2012-09-21T16:03:28.788Z">
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2012-09-21T12:03:28.788Z"
SessionNotOnOrAfter="2012-09-21T16:03:28.788Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute
FriendlyName="XSPA Subject"
Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Dr. Peter Meier
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
FriendlyName="XSPA Organization"
Name="urn:oasis:names:tc:xspa:1.0:subject:organization"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Kreiskrankenhaus Neustadt
</saml:AttributeValue>
</saml:Attribute>
</saml:Attribute>
<saml:Attribute
FriendlyName="XSPA Role"
Name="urn:oasis:names:tc:xacml:2.0:subject:role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">physician
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
FriendlyName="XSPA Purpose of Use"
Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">TREATMENT
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
FriendlyName="XSPA Locality"
Name="urn:oasis:names:tc:xspa:1.0:environment:locality"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Kreiskrankenhaus Neustadt
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</pre>