EFA Policy Assertion SAML2 Binding

From Hl7wiki
(Sub-document of CDA für die elektronische Fallakte)
This material is part of the guide CDA für die elektronische Fallakte.
  • Typos and supplementary notes should be corrected directly in the wiki.
  • Open questions that require discussion should be raised on the discussion page.
  • List of the pages of this guide: here; for the list of pages in which this material is used (transcluded), see here.

Note: The codes under the individual headings support the commenting procedure. When submitting a comment or a suggestion for improvement on this specification, please always state the code of the section your comment refers to. All comments are collected and answered in the "Discussion" tab of the commented page.
Information on the commenting procedure, including all forms and contact addresses, can be found on the page "Kommentierung EFAv2.0".


SAML 2.0 Profile for ECR Policy Assertions

Please mark comments on this section with the code {Eocyo.01}

Assertion Element Opt Usage Convention
@Version R MUST be “2.0”
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R Time instant of issuance in UTC
Issuer R Address URI that identifies the endpoint of the issuing service
Subject R This element defines the subject confirmation method of the user so that the Policy Assertion can be used as a supporting token. Moreover, it defines the subject name identifier, which matches the user identity from an Identity Assertion.
NameID R Identifier of the HP given in the Identity Assertion, encoded as an X.509 subject name, an e-mail address or as a string value (unspecified format). Only identifiers that can be tracked back to an individual person in the long term may be used.
@Format R MUST be one of:
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
For providing an OID as a subject identifier, the unspecified format must be used. The OID must be provided as a string encoded in ISO format.

SubjectConfirmation R
@Method R This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to

urn:oasis:names:tc:SAML:2.0:cm:holder-of-key

SubjectConfirmationData R
ds:KeyInfo R The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2].
Conditions R
@NotBefore R Time instant from which the assertion is usable. This condition MUST be assessed by the assertion consumer to prove the validity of the assertion.
@NotOnOrAfter R Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to prove the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours.
XACMLPolicyStatement R
PolicySet R PolicySet that expresses the given authorization (see section below for details).
ds:Signature R Enveloped XML signature of the issuer of the Policy Assertion (see section below for details).

PolicySet Profile

Please mark comments on this section with the code {Eocyo.01.01}

The ECR 2.0 specification differentiates three kinds of authorization statement, as described logically in the security token services section for the Policy Provider. These are:

  • Reference without semantics (policyId) to an access policy which contains the valid authorization rules for an eCR Consumer
  • Access policy which contains the valid authorization rules for an eCR Consumer

In order to implement these differentiations, the <PolicySet> element has different sub-elements.

Policy Assignment

Please mark comments on this section with the code {Eocyo.01.02}

A Policy Assignment shall be one of:

Policy for a health professional

If not in the role of a health record manager, health professionals may have access to the health record if it is neither suspended nor retired.

Element or Attribute Opt. Constraints
Policy R
@PolicyId R Shall be of type UUID or OID. Shall not be URN encoded.
@RuleCombiningAlgId R Shall be urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
Target R
Subjects R
Subject R
SubjectMatch R

Shall contain at least one of the SubjectMatch elements defined below.

Shall contain a SubjectMatch for structural role with one of the attribute values

  • dentist,
  • pharmacist,
  • physician, or
  • nurse midwife.
Resources R
Resource R
ResourceMatch R

Restricts access to open ECRs. This match relates to ecrStatus. It applies the IHE-D Cookbook XACML binding of DocumentEntry.availabilityStatus.

@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
AttributeValue R Shall be urn:oasis:names:tc:ebxml-regrep:StatusType:Approved
@DataType R Shall be http://www.w3.org/2001/XMLSchema#anyURI
ResourceAttributeDesignator R
@AttributeId R Shall be urn:ihe:iti:xds-b:2007:availability-status
@DataType R Shall be http://www.w3.org/2001/XMLSchema#anyURI
Environments R
Environment R
EnvironmentMatch R

Verifies that the current date is before the date of expiry, i.e. the grace period has not started yet.

@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
AttributeValue R Shall be the point in time when ecrStatus of the record changes to suspended.
@DataType R Shall be http://www.w3.org/2001/XMLSchema#dateTime
EnvironmentAttributeDesignator R
@AttributeId R Shall be urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
@DataType R Shall be http://www.w3.org/2001/XMLSchema#dateTime
Policy for health record managers

Health professionals in the role of a health record manager may have access to the health record if it is suspended but not retired.

Element or Attribute Opt. Constraints
Policy R
@PolicyId R Shall be of type UUID or OID. Shall not be URN encoded.
@RuleCombiningAlgId R Shall be urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides
Target R
Subjects R
Subject R

Shall contain at least one of the SubjectMatch elements defined below.

Shall contain a SubjectMatch for structural role with attribute value health record management.

Environments R
Environment R
EnvironmentMatch R

Verifies that the current date is before the end of the grace period.

@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
AttributeValue R Shall be the point in time when ecrStatus of the record changes to retired.
@DataType R Shall be http://www.w3.org/2001/XMLSchema#dateTime
EnvironmentAttributeDesignator R
@AttributeId R Shall be urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
@DataType R Shall be http://www.w3.org/2001/XMLSchema#dateTime
SubjectMatch for EFA Identity Assertion NameID

This SubjectMatch element relates to the saml:NameID element of the EFA Identity Assertion.

This element applies the IHE-D Cookbook XACML binding of User ID.

Element or Attribute Opt. Constraints
SubjectMatch R
@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:string-equal
AttributeValue R

Shall be equal to saml:NameID used for the subject. See EFA Identity Assertion

@DataType R Shall be http://www.w3.org/2001/XMLSchema#string
SubjectAttributeDesignator R
@AttributeId R Shall be urn:oasis:names:tc:xacml:1.0:subject:subject-id
@DataType R Shall be http://www.w3.org/2001/XMLSchema#string
SubjectMatch for health professional ID

This SubjectMatch element relates to the health professional identifier of the EFA Identity Assertion.

Element or Attribute Opt. Constraints
SubjectMatch R
@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:string-equal
AttributeValue R

Shall be equal to the HP Identifier as defined for EFA Identity Assertion.

@DataType R Shall be http://www.w3.org/2001/XMLSchema#string
SubjectAttributeDesignator R
@AttributeId R Shall be urn:oasis:names:tc:xacml:1.0:subject:subject-id
@DataType R Shall be http://www.w3.org/2001/XMLSchema#string
SubjectMatch for structural role

This SubjectMatch element relates to the Structural Role of the EFA Identity Assertion.

Element or Attribute Opt. Constraints
Subject R
SubjectMatch R
@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:string-equal
AttributeValue R

Shall be one of the following roles defined in ASTM E1986-98 (2005):

  • dentist,
  • pharmacist,
  • physician,
  • nurse midwife, or
  • health record management.
@DataType R Shall be http://www.w3.org/2001/XMLSchema#string
SubjectAttributeDesignator R
@AttributeId R Shall be urn:oasis:names:tc:xacml:2.0:subject:role
@DataType R Shall be http://www.w3.org/2001/XMLSchema#string
SubjectMatch for health professional organization ID

This SubjectMatch element relates to the HP Organization ID of the EFA Identity Assertion.

This element applies the IHE-D Cookbook XACML binding of User Organization ID.

Element or Attribute Opt. Constraints
SubjectMatch R
@MatchId R Shall be urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
AttributeValue R

Shall be the URN encoded OID of the Healthcare Professional Organisation.

@DataType R Shall be http://www.w3.org/2001/XMLSchema#anyURI
SubjectAttributeDesignator R
@AttributeId R Shall be urn:oasis:names:tc:xspa:1.0:subject:organization-id
@DataType R Shall be http://www.w3.org/2001/XMLSchema#anyURI
ResourceMatch for EFA Folder classification

This ResourceMatch element relates to the Folder.codeList entry which indicates an EFA Folder.

This element applies the IHE-D Cookbook XACML binding of Folder.codeList.

Element or Attribute Opt. Constraints
ResourceMatch R
@MatchId R Shall be urn:hl7-org:v3:function:CV-equal (see IHE DE Cookbook, XACML Binding).
AttributeValue R
@DataType R Shall be urn:hl7-org:v3#CV.
hl7:CodedValue R
@code R Shall be ECR.
@codeSystem R Shall be IHE-D-Cookbook-FolderClassCode.
ResourceAttributeDesignator R
@AttributeId R Shall be urn:ihe:iti:xds-b:2007:folder:code.
@DataType R Shall be urn:hl7-org:v3#CV.
ResourceMatch for purpose classification

This ResourceMatch element relates to the Folder.codeList entry which indicates the purpose.

This element applies the IHE-D Cookbook XACML binding of Folder.codeList.

Element or Attribute Opt. Constraints
ResourceMatch R
@MatchId R Shall be urn:hl7-org:v3:function:CV-equal (see IHE DE Cookbook, XACML Binding).
AttributeValue R
@DataType R Shall be urn:hl7-org:v3#CV.
hl7:CodedValue R
@code R Shall be equal to the purpose code of the case record.
@codeSystem R Shall be equal to the purpose codingScheme of the case record.
ResourceAttributeDesignator R
@AttributeId R Shall be urn:ihe:iti:xds-b:2007:folder:code
@DataType R Shall be urn:hl7-org:v3#CV.
ResourceMatch for patientId

This ResourceMatch element relates to Folder.patientId and DocumentEntry.patientId.

This element applies the IHE-D Cookbook XACML binding of Folder.patientId.

Element or Attribute Opt. Constraints
ResourceMatch R
@MatchId R Shall be urn:hl7-org:v3:function:II-equal (see IHE DE Cookbook, XACML Binding).
AttributeValue R
@DataType R Shall be urn:hl7-org:v3#II.
hl7:InstanceIdentifier R
@extension R Shall be equal to the Id-Number value of the XDS Metadata Attributes patientId.
@root R Shall be equal to the Assigning-Authority value of the XDS Metadata Attributes patientId.
ResourceAttributeDesignator R
@AttributeId R Shall be urn:ihe:iti:xds-b:2007:patient-id.
@DataType R Shall be urn:hl7-org:v3#II.

Policy Attachment

Please mark comments on this section with the code {Eocyo.01.03}

The ECR's lifecycle is represented by means of interaction patterns and communication patterns. These patterns are bound to XACML actions. The following XACML Action element SHALL be used in a separate XACML Policy which shares the definition of the Policy Assignment.

Policy Element Opt Usage Convention
@PolicyId R UUID or OID of the policy. The value MUST NOT be URN encoded.
@RuleCombiningAlgId R This attribute is REQUIRED. Its value is a predefined identifier of the rule-combining algorithm for this policy (see Appendix C and section B.10 in [XACML2.0Core]). The identifier urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides MUST be used.
Target R This element is used to specify the resource match (i.e., purpose)
Subjects R see Policy Assignment
Resources R see Policy Assignment
Actions R This element contains at least one xacml:Action element.
Action R It contains one xacml:ActionMatch element.
ActionMatch R It defines matches of the action attributes.
@MatchId R Its value specifies the matching function. The following matching function SHALL be used:

urn:oasis:names:tc:xacml:1.0:function:string-equal

AttributeValue R It defines the action value for matching depending on the action match id format. The action value refers to the EFA transaction as defined in EFA Audit Trail Binding.
@DataType R The value of this attribute is set to urn:hl7-org:v3#CV (HL7v3 "Coded Value" data type, see HL7v3 Abstract Data Type Specification - ANSI/HL7 V3 DT, R1-2004 11/29/2004; section 2.9). This custom data type holds a code and its associated code system name using the following format: code@code-system-name. Example: <CodedValue code="EFA-01" codeSystem="EFAv2 Transaction" /> is mapped to "ECR-01@EFAv2 Transaction".
ActionAttributeDesignator R It defines the designator of a resource attribute.
@AttributeId R The following attribute ID SHALL be used:

urn:oasis:names:tc:xacml:1.0:action:action-id

@DataType R Its value is http://www.w3.org/2001/XMLSchema#string that corresponds to the action match.
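As an added example, not part of the page or the EFA project: the Target logic of the two Policy Assignment policies above (structural role, availability status, and the dateTime-greater-than-or-equal check against the suspension or retirement instant) together with the action-id string match of the Policy Attachment, evaluated over a constructed request. The evaluation model (a matching Target permits exactly the attached action-ids) and the lifecycle dates are assumptions, since the page shows Targets but no Rules.

```python
from datetime import datetime, timezone

# XACML attribute ids and values taken from the Policy Assignment / Attachment tables above
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
STATUS_ATTR = "urn:ihe:iti:xds-b:2007:availability-status"
ACTION_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"
APPROVED = "urn:oasis:names:tc:ebxml-regrep:StatusType:Approved"
HP_ROLES = {"dentist", "pharmacist", "physician", "nurse midwife"}  # ASTM E1986-98 roles
HRM_ROLE = "health record management"


def cv_to_action_id(code, code_system):
    """Policy Attachment: hl7 CodedValue -> 'code@code-system-name' for string-equal matching."""
    return f"{code}@{code_system}"


def hp_target_matches(req, suspended_at):
    """Target of 'Policy for a health professional': HP structural role, record still
    Approved (open) and dateTime-greater-than-or-equal(suspended_at, current-dateTime),
    i.e. the grace period has not started yet."""
    return (req[ROLE_ATTR] in HP_ROLES and req[STATUS_ATTR] == APPROVED
            and suspended_at >= req["current-dateTime"])


def hrm_target_matches(req, retired_at):
    """Target of 'Policy for health record managers': HRM role and
    dateTime-greater-than-or-equal(retired_at, current-dateTime), i.e. grace period not over."""
    return req[ROLE_ATTR] == HRM_ROLE and retired_at >= req["current-dateTime"]


def decide(req, suspended_at, retired_at, allowed_actions):
    """Assumed evaluation model (the page shows Targets only, no Rules): a policy whose
    Target matches permits exactly the attached action-ids; anything else is NotApplicable,
    which under deny-overrides means no access."""
    if req[ACTION_ATTR] not in allowed_actions:
        return "NotApplicable"
    if hp_target_matches(req, suspended_at) or hrm_target_matches(req, retired_at):
        return "Permit"
    return "NotApplicable"


# Constructed lifecycle of one ECR and one attached action (sample values, not from the page)
SUSPENDED_AT = datetime(2013, 6, 1, tzinfo=timezone.utc)    # ecrStatus -> suspended
RETIRED_AT = datetime(2013, 9, 1, tzinfo=timezone.utc)      # ecrStatus -> retired
ALLOWED = {cv_to_action_id("EFA-01", "EFAv2 Transaction")}  # the page's example CodedValue


def request(role, status, when, action="EFA-01@EFAv2 Transaction"):
    """Flat stand-in for an XACML request context (constructed input)."""
    return {ROLE_ATTR: role, STATUS_ATTR: status, ACTION_ATTR: action,
            "current-dateTime": datetime.fromisoformat(when)}
```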

Assertion Signature

Please mark comments on this section with the code {Eocyo.01.04}

Every Policy Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.

Signature Parameter Usage Convention
CanonicalizationMethod SHOULD be http://www.w3.org/2001/10/xml-exc-c14n#
Transformation The enveloped signature transform according to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as a transformation (http://www.w3.org/2001/10/xml-exc-c14n#, according to [W3C XMLDSig] and [W3C XML-EXC 1.0]). Prefixes other than the ones defined in EFA Namespaces MUST NOT be used as inclusive namespaces.
SignatureMethod For signing assertions, one of the signature methods
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • http://www.w3.org/2000/09/xmldsig#rsa-sha1
SHOULD be used. An assertion consumer MAY reject signatures that use SHA-1 for digesting.

DigestMethod For signing assertions, one of the digest methods
  • http://www.w3.org/2000/09/xmldsig#sha1
  • http://www.w3.org/2001/04/xmlenc#sha256
SHOULD be used. An assertion consumer MAY reject SHA-1 digests.

KeyInfo This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer.
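As an added example, not part of the page or the EFA specification: a consumer-side check of the assertion element table (Version, NameID format, holder-of-key confirmation with ds:KeyInfo, Conditions with the 4-hour limit, XACMLPolicyStatement) and of the signature parameters above (optional rejection of SHA-1). It runs over a constructed Policy Assertion; the saml and ds namespaces are the ones used in the page's example, the xacml-saml namespace is taken from the XACML 2.0 SAML profile and is not stated on the page.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:" + f
                  for f in ("unspecified", "X509SubjectName", "emailAddress")}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
MAX_VALIDITY = timedelta(hours=4)  # page: validity MUST NOT be more than 4 hours
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

def parse_ts(value):
    # SAML time instants are UTC with a trailing 'Z', e.g. 2013-04-05T08:14:28.788Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_policy_assertion(xml_text, now, reject_sha1=False):
    """Return the profile violations found ([] = passed). Structure only: verifying
    the signature value against the issuer certificate is a separate step."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    if not a.get("ID") or a.find("saml:Issuer", NS) is None:
        problems.append("ID and Issuer are required")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") not in NAMEID_FORMATS:
        problems.append("NameID missing or Format not allowed")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOLDER_OF_KEY:
        problems.append("SubjectConfirmation Method must be holder-of-key")
    elif sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is None:
        problems.append("SubjectConfirmationData must carry ds:KeyInfo")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("Conditions NotBefore/NotOnOrAfter are required")
    else:
        nb, noa = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
        if noa - nb > MAX_VALIDITY:
            problems.append("validity span exceeds 4 hours")
        if not nb <= now < noa:
            problems.append("assertion not valid at evaluation time")
    if not any(c.tag.endswith("XACMLPolicyStatement") for c in a):
        problems.append("XACMLPolicyStatement missing")
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("Signature missing")
    elif reject_sha1 and {e.get("Algorithm") for e in sig.iter()} & SHA1_ALGS:
        problems.append("SHA-1 signature/digest rejected by consumer policy")  # page: consumer MAY reject
    return problems

# Constructed sample modelled on the page's example assertion (not a real token)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" IssueInstant="2013-04-05T08:14:28.788Z"
 ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1"><saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1"><ds:DigestMethod
   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=...</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
   <saml:SubjectConfirmationData><ds:KeyInfo/></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2013-04-05T08:14:28.788Z" NotOnOrAfter="2013-04-05T12:14:28.788Z"/>
 <xacml-saml:XACMLPolicyStatement xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"/></saml:Assertion>"""
```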

Example Assertion

Please mark comments on this section with the code {Eocyo.01.05}

<soap12:Envelope … >
  <soap12:Header … >
    <wsse:Security … >
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1"
          IssueInstant="2013-04-05T08:14:28.788Z" Version="2.0">
        <saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <!-- enveloped signature: the Reference points at the ID of the signed assertion -->
            <ds:Reference URI="#uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1">
              <ds:Transforms>
                <ds:Transform
                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces
                      xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                      PrefixList="ds saml xs" />
                </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>ggyn … LQ==</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate> … </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
          <saml:NameID
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
            ...
          </saml:NameID>
          <saml:SubjectConfirmation
              Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <saml:SubjectConfirmationData>
              <ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate> … </ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions
            NotBefore="2013-04-05T08:14:28.788Z"
            NotOnOrAfter="2013-04-05T12:14:28.788Z">
        </saml:Conditions>
        <xacml-saml:XACMLPolicyStatement>
          <xacml:PolicySet>
            <xacml:Target>
              <xacml:Subjects>
                <xacml:Subject>
                  <xacml:SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-equal">
                    <xacml:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">CN= ...</xacml:AttributeValue>
                    <xacml:SubjectAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"/>
                  </xacml:SubjectMatch>
                </xacml:Subject>
              </xacml:Subjects>
              <xacml:Resources>
                <xacml:Resource>
                  <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <xacml:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">...</xacml:AttributeValue>
                    <xacml:ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                  </xacml:ResourceMatch>
                </xacml:Resource>
              </xacml:Resources>
            </xacml:Target>
            <xacml:PolicySetIdReference>urn:ecr:names:xacml:2.0:default:policyid:permit-all</xacml:PolicySetIdReference>
          </xacml:PolicySet>
        </xacml-saml:XACMLPolicyStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap12:Header>
  <soap12:Body/>
</soap12:Envelope>