EFA WS Trust Policy Provider

Aus Hl7wiki
(Teildokument von CDA für die elektronische Fallakte)
Wechseln zu: Navigation, Suche
[gesichtete Version][gesichtete Version]
(Constraints on RST ergänzt.)
(Expected Actions und Response Message ergänzt)
Zeile 20: Zeile 20:
 
!Actor
 
!Actor
 
|EFA Policy Provider
 
|EFA Policy Provider
|Security Token Service  
+
|WS-Trust Security Token Service (STS)
 
|-
 
|-
 
!Transaction
 
!Transaction
Zeile 34: Zeile 34:
 
Such retrieval of an ECR access policy from an ECR provider's Policy Provider service is bound to the OASIS WS-Trust 1.3 ''RequestSecurityToken (RST)'' and ''RequestSecurityTokenResponse (RSTR)'' messages. This EFA binding introduces extensions and restrictions on the respective WS Trust 1.3 definitions.
 
Such retrieval of an ECR access policy from an ECR provider's Policy Provider service is bound to the OASIS WS-Trust 1.3 ''RequestSecurityToken (RST)'' and ''RequestSecurityTokenResponse (RSTR)'' messages. This EFA binding introduces extensions and restrictions on the respective WS Trust 1.3 definitions.
  
=== Constraints and Extensions to the Request Message (RST) ===
+
=== Request Message ===
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.01}</tt>
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.01}</tt>
  
Zeile 41: Zeile 41:
 
The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions:
 
The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions:
  
{|class="wikitable"
+
;<nowiki>/wst:RequestSecurityToken/wst:TokenType</nowiki>
!OASIS WS-Trust 1.3
+
:This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
!Optionality
 
!Constraints
 
|-
 
|/wst:RequestSecurityToken/wst:TokenType
 
|mandatory
 
|SHALL be <tt>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tt>
 
|-
 
|/wst:RequestSecurityToken/wst:RequestType
 
|mandatory
 
|SHALL be <tt>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</tt>
 
|-
 
|/wst:RequestSecurityToken/{any}
 
|mandatory
 
|
 
SHALL contain values of the parameters ecrRef and consentInfo as XACML-Attribute.
 
  
The value of ecrRef.purpose MUST be encoded with the [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]].
+
;<nowiki>/wst:RequestSecurityToken/wst:RequestType</nowiki>
 
+
:This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
The value of ecrRef.patientID MUST be encoded with the [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]].
 
  
 +
;<nowiki>/wst:RequestSecurityToken/{any}</nowiki>
 +
:The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo.
 +
:The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for [[ihecb:IHE-XACML_Binding#Code|IHE-XACML Binding for Folder.codeList]].
 +
:The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for [[ihecb:IHE-XACML_Binding#Patient_ID_2|IHE-XACML Binding for Folder.patientId]].
 
{{WorkBox|The binding for values of consentInfo is under reconciliation.}}
 
{{WorkBox|The binding for values of consentInfo is under reconciliation.}}
|}
 
  
 
==== Example ====
 
==== Example ====
Zeile 91: Zeile 78:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
=== Expected Actions ===
+
==== Expected Actions ====
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.02}</tt>
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.02}</tt>
  
...
+
The STS SHALL authenticate the requester by validating the SOAP security header and the EFA Identity Assertion. If the authentication fails the STS responds with a fault code.
 +
 
 +
The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches
 +
* if it matches the xacml-context:Attribute elements in the WS-Trust extensibility point, and
 +
* if it matches the subject of the EFA Identity Assertion.
 +
 
 +
The STS builds an EFA Policy Assertion that contains the matching subject access policy, if any.
 +
 
 +
The STS responds with the EFA Policy Assertion.
  
 
=== Response Message (Full Success Scenario) ===
 
=== Response Message (Full Success Scenario) ===
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.03}</tt>
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.03}</tt>
  
If the EFA Policy Provider Service is able to decode the received message and to properly issue a policy it responds with an WS Trust 1.3 RequestSecurityTokenResponse message that carries a single ECR [[cdaefa:EFA_Security_Informationsmodell#subjectAccessPolicy|subjectAccessPolicy]].
+
The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.
  
 
=== Response Message (Failure or Partial Failure Scenario) ===
 
=== Response Message (Failure or Partial Failure Scenario) ===
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.04}</tt>
 
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EWuPo.02.04}</tt>
  
If the EFA Policy Provider Service provider is able to decode the received message but fails to issue the requested policy, ...
+
The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.
 
 
  
 
=== Security Audit Considerations ===
 
=== Security Audit Considerations ===

Version vom 12. November 2014, 17:56 Uhr

Dieses Material ist Teil des Leitfadens CDA für die elektronische Fallakte.
  • Direkt im Wiki geändert werden sollten Schreibfehler, ergänzende Hinweise.
  • Offene Fragen, die der Diskussionen bedürfen, sollten auf der Diskussionsseite aufgenommen werden.
  • Liste der Seiten dieses Leitfadens: hier, Liste der Seiten, in denen dieses Material verwendet (transkludiert) siehe hier .

Anmerkung: Die Kürzel unter den einzelnen Überschriften dienen der Unterstützung des Kommentierungsverfahrens. Bitte geben Sie bei einem Kommentar oder einem Verbesserungsvorschlag zu dieser Spezifikation immer das Kürzel des Abschnitts an, auf den sich Ihr Kommentar bezieht. Alle Kommentare werden in der Lasche "Diskussion" zu der kommentierten Seite gesammelt und gegenkommentiert.
Hinweise zum Kommentierungsverfahren einschließlich aller Formulare und Kontaktadressen finden Sie auf der Seite "Kommentierung EFAv2.0".


EFA Policy Provider WS-Trust Binding

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.01}

Within EFA the actors and transactions of the OASIS WS-Trust 1.3 standard are mapped onto EFA Policy Provider actors and operations as follows:

Role EFA Policy Provider Service OASIS WS-Trust 1.3
Actor EFA Context Manager Requestor
Actor EFA Policy Provider WS-Trust Security Token Service (STS)
Transaction requestPolicy RequestSecurityToken (RST)
RequestSecurityTokenResponse (RSTR)

EFA WS-Trust Binding: requestPolicy

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02}

A ECR consumer may use the "Policy Push" paradigm to forward the requestor's ECR access policy to an ECR business service. This requires the ECR consumer to send a request to the ECR Policy Provider service to issue and provide a policy that can be trusted and processed by other ECR services (even in case these services are located on a remote peer).

Such retrieval of an ECR access policy from an ECR provider's Policy Provider service is bound to the OASIS WS-Trust 1.3 RequestSecurityToken (RST) and RequestSecurityTokenResponse (RSTR) messages. This EFA binding introduces extensions and restrictions on the respective WS Trust 1.3 definitions.

Request Message

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.01}

The RequestSecurityToken message is issued by an ECR Context Manager actor for requesting a policy that allows the current user to access an identified ECR instance.

The request message implements a SOAP message including a single RST element as specified in [WS-Trust 1.3] considering the following constraints and extensions:

/wst:RequestSecurityToken/wst:TokenType
This element is required. The value SHOULD be "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".
/wst:RequestSecurityToken/wst:RequestType
This element is required. The value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue".
/wst:RequestSecurityToken/{any}
The extensibility point is used. It holds the values for both input parameters, ecrRef and consentInfo.
The value of ecrRef.purpose MUST be encoded with the IHE-XACML Binding for IHE-XACML Binding for Folder.codeList.
The value of ecrRef.patientID MUST be encoded with the IHE-XACML Binding for IHE-XACML Binding for Folder.patientId.

Example

<wst:RequestSecurityToken
  xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  xmlns:hl7="urn:hl7-org:v3">
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <xacml-context:Attribute
    AttributeId="urn:ihe:iti:xds-b:2007:patient-id"
    DataType="urn:hl7-org:v3#II">
  <xacml-context:AttributeValue>
    <hl7:InstanceIdentifier
      extension="6578946"
      root="1.3.6.1.4.1.21367.2005.3.7"/>
  </xacml-context:AttributeValue>
  </xacml-context:Attribute>
  <xacml-context:Attribute
    AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
  <xacml-context:AttributeValue>1.3.6.1.4.1.21367.2005.3.7.3670984664</xacml-context:AttributeValue>
  </xacml-context:Attribute>
</wst:RequestSecurityToken>

Expected Actions

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.02}

The STS SHALL authenticate the requester by validating the SOAP security header and the EFA Identity Assertion. If the authentication fails the STS responds with a fault code.

The STS retrieves a matching subject access policy from its policy repository. A subject access policy matches

  • if it matches the xacml-context:Attribute elements in the WS-Trust extensibility point, and
  • if it matches the subject of the EFA Identity Assertion.

The STS builds an EFA Policy Assertion that contains the matching subject access policy, if any.

The STS responds with the EFA Policy Assertion.

Response Message (Full Success Scenario)

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.03}

The response message SHALL be a WS-Trust response with a RequestSecurityTokenResponseCollection element in the SOAP-Body. It contains exactly one RequestSecurityTokenResponse element.

Response Message (Failure or Partial Failure Scenario)

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.04}

The response message SHALL be a SOAP Fault. The message should conform to the section Error Handling of WS-Trust 1.3.

Security Audit Considerations

Bitte markieren Sie Kommentare zu diesem Abschnitt mit dem Code {EWuPo.02.05}

See Security Considerations.

Querverweise und Referenzen