EFA Policy Assertion SAML2 Binding
(Teildokument von CDA für die elektronische Fallakte)
Dieses Material ist Teil des Leitfadens CDA für die elektronische Fallakte.
|
Anmerkung: Die Kürzel unter den einzelnen Überschriften dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".
Inhaltsverzeichnis
SAML 2.0 Profile for ECR Policy Assertions
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {Eocyo.01}
 |
This profile applies to scenarios where the eCR Context Manager requests an Access Policy Assertion from the eCR Policy Provider and thus implements a policy push authorization model. There is no specification in the case that the Authorization Decision Provider requests policies from the eCR Policy Provider. |
| Assertion Element | Opt | Usage Convention | |||
|---|---|---|---|---|---|
| @Version | R | MUST be “2.0” | |||
| @ID | R | URN encoded unique identifier (UUID) of the assertion | |||
| @IssueInstant | R | Time instant of issuance in UTC | |||
| Issuer | R | Address URI that identifies the endpoint of the issuing service | |||
| Subject | R | This element defines the subject confirmation method of the user in order to use the Policy Assertion as a supporting token. Moreover, it defines the subject name identifier that accords with the user identity from an Identity Assertion. | |||
| NameID | R | Identifier of the HP given in the Identity Asstertion encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | |||
| @Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName | |||
| SubjectConfirmation | R | ||||
| @Method | R | This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to | |||
| SubjectConfirmationData | R | ||||
| ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | |||
| Conditions | R | ||||
| @NotBefore | R | time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | |||
| @NotOnOrAfter | R | Time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for a Policy Assertion MUST NOT be more than 4 hours. | |||
| XACMLPolicyStatement | R | ||||
| PolicySet | R | PolicySet that expresses the given authorization (see section below for details). | |||
| ds:Signature | R | Enveloped XML signature of the issuer of the Policy Assertion (see section below for details). | |||
PolicySet Profile
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {Eocyo.01.01}
The ECR 2.0 specification differentiates three kinds of an authorization statement as it is described logically in the security token services section for the Policy Provider. These are:
- Reference without semantics (policyId) to an access policy which contains the valid authorization rules for an eCR Consumer
- Access policy which contains the valid authorization rules for an eCR Consumer
In order to implement such differentiations the <PolicySet> element has different sub-elements.
Policy Assignment
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {Eocyo.01.02}
| PolicySet Element | Opt | Usage Convention | |||||
|---|---|---|---|---|---|---|---|
| @PolicySetId | R | UUID or OID of the policy set. The value MUST NOT be URN encoded. | |||||
| @PolicyCombiningAlgId | R | This attribute is REQUIRED. Its value is a predefined identifier of the policy-combining algorithm for this policy set (see Appendix C and section B.10 in [XACML2.0Core]). The identifier urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides MUST be used. | |||||
| Target | R | This element is used to specify the resource match (i.e., purpose) | |||||
| Subjects | R | This element contains at least one xacml:Subject element. | |||||
| Subject | R | It contains one xacml:SubjectMatch element. | |||||
| SubjectMatch | R | It defines matches of the subject attributes. | |||||
| @MatchId | R | Its value specifies the matching function. The identifier refers to the subject nameID format of the Identity Assertion. The following list defines the used matching functions (see Section 7.5 in [XACML2.0Core]):
Alternatively, the following HCP attributes MAY be used:
| |||||
| AttributeValue | R | It defines the subject value for matching depending on the subject match id format. | |||||
| @DataType | R | Its value is either http://www.w3.org/2001/XMLSchema#string, urn:oasis:names:tc:xacml:1.0:data-type:x500Name, or urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name that corresponds to the subject match. | |||||
| SubjectAttributeDesignator | R | It defines the designator of a resource attribute. | |||||
| @SubjectCategory | O | It specifies the categorized subject from which to match named subject attributes. If set, it MUST have the value urn:oasis:names:tc:xacml:1.0:subject-category:access-subject. | |||||
| @AttributeId | R | If the nameID is provided for the XACML subject, then the value of this attribute is set to urn:oasis:names:tc:xacml:1.0:subject:subject-id. Otherwhise the following attribute IDs SHALL be used: | |||||
| @DataType | R | Its value is either http://www.w3.org/2001/XMLSchema#string, urn:oasis:names:tc:xacml:1.0:data-type:x500Name, or urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name that corresponds to the subject match. | |||||
| Resources | R | This element contains one xacml:Resource element. | |||||
| Resource | R | It contains one xacml:ResourceMatch element. | |||||
| ResourceMatch | R | It defines matches of the resource attributes. | |||||
| @MatchId | R | Its value specifies the matching function. The identifier urn:hl7-org:v3:function:CV-equal (see IHE DE Cookbook, XACML Binding). | |||||
| AttributeValue | R | It defines the regular expression for matching. | |||||
| @DataType | R | SHALL be urn:hl7-org:v3#CV. | |||||
| ResourceAttributeDesignator | R | It defines the designator of a resource attribute. | |||||
| @AttributeId | R | It specifies the identifier of the attribute that is used for matching. The value of this attribute is set to urn:ihe:iti:xds-b:2007:folder:code. | |||||
| @DataType | R | It specifies the type of the values that the resource attribute designator returns. The value of this attribute is set to urn:hl7-org:v3#CV (HL7v3 "Coded Value" data type, see HL7v3 Abstract Data Type Specification - ANSI/HL7 V3 DT, R1-2004 11/29/2004; section 2.9). This custom data type holds a code and its associated code system using the following format: code@code-system. Example: <CodedValue code="ECR" codeSystem="IHE-D-Cookbook-FolderClassCode" /> is mapped to "ECR@IHE-D-Cookbook-FolderClassCode". | |||||
| ResourceMatch | R | Defines the matches of the patient ID. | |||||
| @MatchId | R | Its value specifies the matching function. The identifier urn:hl7-org:v3:function:II-equal (see IHE DE Cookbook, XACML Binding). | |||||
| AttributeValue | R | It defines the regular expression for matching. | |||||
| @DataType | R | SHALL be urn:hl7-org:v3#II. | |||||
| ResourceAttributeDesignator | R | It defines the designator of a resource attribute. | |||||
| @AttributeId | R | It specifies the identifier of the attribute that is used for matching. The value of this attribute is set to urn:ihe:iti:xds-b:2007:patient-id. | |||||
| @DataType | R | It specifies the type of the values that the resource attribute designator returns. The value of this attribute is set to urn:hl7-org:v3#II (see IHE DE Cookbook, XACML Binding). | |||||
| PolicySetIdReference | R | Its value either references an assigned access policy that is expressed in a separate XACML PolicySet or already expresses the given authorization. | |||||
Policy Attachment
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {Eocyo.01.03}
The ECR's lifecycle is represented by means of interaction patterns and communication patterns. These patterns are bound to XACML actions. The following XACML Action element SHALL be used in a separate XACML Policy which shares the definition of the Policy Assignment.
| Policy Element | Opt | Usage Convention | |||||
|---|---|---|---|---|---|---|---|
| @PolicyId | R | UUID or OID of the policy. The value MUST NOT be URN encoded. | |||||
| @RuleCombiningAlgId | R | This attribute is REQUIRED. Its value is a predefined identifier of the rule-combining algorithm for this policy (see Appendix C and section B.10 in [XACML2.0Core]). The identifier urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides MUST be used. | |||||
| Target | R | This element is used to specify the resource match (i.e., purpose) | |||||
| Subjects | R | see Policy Assignment | |||||
| Resources | R | see Policy Assignment | |||||
| Actions | R | This element contains at least one xacml:Action element. | |||||
| Action | R | It contains one xacml:ActionMatch element. | |||||
| ActionMatch | R | It defines matches of the action attributes. | |||||
| @MatchId | R | Its value specifies the matching function. The following matching function SHALL be used: | |||||
| AttributeValue | R | It defines the action value for matching depending on the action match id format. The action value refers to the EFA transaction as defined in EFA Audit Trail Binding. | |||||
| @DataType | R | The value of this attribute is set to urn:hl7-org:v3#CV (HL7v3 "Coded Value" data type, see HL7v3 Abstract Data Type Specification - ANSI/HL7 V3 DT, R1-2004 11/29/2004; section 2.9). This custom data type holds a code and its associated code system name using the following format: code@code-system-name. Example: <CodedValue code="EFA-01" codeSystem="EFAv2 Transaction" /> is mapped to "ECR-01@EFAv2 Transaction". | |||||
| ActionAttributeDesignator | R | It defines the designator of a resource attribute. | |||||
| @AttributeId | R | The following attribute ID SHALL be used: | |||||
| @DataType | R | Its value is http://www.w3.org/2001/XMLSchema#string that corresponds to the action match. | |||||
Assertion Signature
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {Eocyo.01.04}
Every Policy Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.
| Signature Parameter | Usage Convention |
|---|---|
| CanonicalizationMethod | SHOULD be http://www.w3.org/2001/10/xml-exc-c14n# |
| Transformation | Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used. |
| SignatureMethod | For signing assertions the signature method http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or |
| DigestMethod | For signing assertions the digest method http://www.w3.org/2000/09/xmldsig#sha1 or |
| KeyInfo | This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer. |
Example Assertion
Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {Eocyo.01.05}
<soap12:Envelope … >
<soap12:Header … >
<wsse:Security … >
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="uuid-6dbb391c-20d3-4568-8c04-ff9d91d049c1"
IssueInstant="2013-04-05T08:14:28.788Z" Version="2.0">
<saml:Issuer>urn:de:berlin:hp:pap</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#urn:uuid:7102AC72154DCFD1F51253534608780">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>A1LyLvFHRrYaOJ28YVFd3MfKGSI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ggyn … LQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate> … </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
...
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate> … </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2013-04-05T08:14:28.788Z"
NotOnOrAfter="2013-04-05T12:14:28.788Z">
</saml:Conditions>
<xacml-saml:XACMLPolicyStatement>
<xacml:PolicySet>
<xacml:Target>
<xacml:Subjects>
<xacml:Subject>
<xacml:SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-equal">
<xacml:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">CN= ...</AttributeValue>
<xacml:SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"/>
</xacml:SubjectMatch>
</xacml:Subject>
</xacml:Subjects>
<xacml:Resources>
<xacml:Resource>
<xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
<xacml:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">...</AttributeValue>
<xacml:ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
</xacml:ResourceMatch>
</xacml:Resource>
</xacml:Resources>
</xacml:Target>
<xacml:PolicySetIdReference>urn:ecr:names:xacml:2.0:default:policyid:permit-all</xacml:PolicySetIdReference>
</xacml:PolicySet>
</xacml-saml:XACMLPolicyStatement>
</saml:Assertion>
</wsse:Security>
</soap12:Header>
<soap12:Body/>
</soap12:Envelope>
|
|
Referenzen und Querverweise |
