1.4.110. Technische kern
IHE ITI-40 | Provide X-User Assertion¶
Scope¶
This transaction is used to add user attributes in the SOAP TTA transactions. The attributes are placed in a SAML-token in the security header of a, for example, ITI-75 transaction.
Use Case Roles¶
Referenced Standards¶
- OASIS http://www.oasis-open.org/committees/security/
- SAMLCore SAML V2.0 Core standard
- WSS10 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.
- WSS11 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.
- WSS:SAMLTokenProfile1.0 OASIS Standard, “Web Services Security: SAML Token Profile”, December 2004
- WSS:SAMLTokenProfile1.1 OASIS Standard, “Web Services Security: SAML Token Profile 1.1”, February 2006
- XSPA-SAMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare v1.0” , November 2009
- SAML 2.0 Profile For XACML 2.0 OASIS Standard, February 2005
Informative -- assist with understanding or implementing this transaction¶
-
IHE Profiles
-
Personnel White Pages Profile
- Enterprise User Authentication Profile
- Basic Patient Privacy Consents Profile
-
OASIS
-
SAML V2.0 Standards http://www.oasis-open.org/committees/security/ .
- SAML V2.0 Technical Overview
- SAML Executive Overview
- SAML Tutorial presentation by Eve Maler of Sun Microsystems
- SAML Specifications
- WS-Trust - OASIS Web Services Secure Exchange (WS-SX) TC
- XSPA-XACMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare v1.0” , November 2009
Messages Provide X-User Assertion¶
For more technical specification, see the original document: https://profiles.ihe.net/ITI/TF/Volume2/ITI-40.html
Twiin implementation
The SAML token is only valid for 10 minutes. The SAML token has the following attributes (in addition to the required attributes from the SAML-standard)
| Element | Opt. | DataType |
urn otv:names:tc:1.0:subject:mandated |
C | HL7 V3 II |
| urn:ihe:iti:xua:2017:subject:provider-identifier | R | HL7 V3 II |
urn:oasis:names xacml:2.0:subject:role |
R | HL7 V3 CE |
| urn:ihe:iti:appc:2016:document-entry:event-code | O | HL7 V3 CV |
| urnotv:names:tc:1.0:subject:provider-institution |
R | HL7 V3 II |
| urn:oasis:namesxspa:1.0:subject:organization |
O | String |
| urn:oasis:namesxspa:1.0:subject:organization-id |
O | anyURI |
| urn:oasis:namesxspa:1.0:subject:purposeofuse |
R | HL7 V3 CV |
The SAML token is only required in the transactions between GtK (external traffic).
| Identification Raadpleger | ||
| Name: | urnotv:names:tc:1.0:subject:mandated |
|
| Type: | urn:hl7-org:v3:II | |
| Example: | extension="123456789" root="2.16.528.1.1007.3.1" assigningAuthorityName="CIBG" |
|
| Opt.: | Conditional, required if the person is mandated by the verantwoordelijke-id. |
| Identification Verantwoordelijke | |
| Name: | urn:ihe:iti:xua:2017:subject:provider-identifier |
| Type: | urn:hl7-org:v3:II |
| Example: | extension="123456782" root="2.16.528.1.1007.3.1" assigningAuthorityName="CIBG" |
| Opt.: | Required, UZI-nummer verantwoordelijke. |
| Rolcode verantwoordelijke healthcare provider | |
| Name: | urn:oasis:namesxacml:2.0:subject:role |
| Type: | urn:hl7-org:v3:CE |
| Example: | code="01.013" codeSystem="2.16.840.1.113883.2.4.15.111" codeSystemName="RoleCodeNL" displayName="Arts v. maag-darm-leverziekten" |
| Opt.: | Required, UZI rolcode |
| Data category | |
| Name: | urn:ihe:iti:appc:2016:document-entry:event-code |
| Type: | urn:hl7-org:v3:CV |
| Example: | code="GGC007" codeSystem="2.16.840.1.113883.2.4.3.111.5.10.1" |
| Opt.: | Optional |
| Identification verantwoordelijke provider | |
| Name: | urnotv:names:tc:1.0:subject:provider-institution |
| Type: | urn:hl7-org:v3:II |
| Example: | <AttributeValue DataType="urn:hl7-org:v3#II" > <InstanceIdentifier xmlns="urn:hl7-org:v3" extension="00014332" root="2.16.528.1.1007.3.3" /></AttributeValue> |
| Opt.: | Required, URA |
| Alternative Identification verantwoordelijke provider | |
| Name: | urn:oasis:namesxspa:1.0:subject:organization |
| Type: | String |
| Example: | <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization"> <saml:AttributeValue>Family Medical Clinic</saml:AttributeValue> </saml:Attribute> |
| Opt.: | Conditional, required if urn:oasis:namesxspa:1.0:subject:organization-id is not empty |
| Alternative Identification verantwoordelijke provider (id) | |
| Name: | urn:oasis:namesxspa:1.0:subject:organization-id |
| Type: | AnyURI |
| Example: | <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"> <saml:AttributeValue>http://familymedicalclinic.org</saml:AttributeValue> </saml:Attribute> |
| Opt.: | Conditional, required if urn:oasis:namesxspa:1.0:subject:organization is not empty |
| Purpose of use | ||
| Name: | urn:oasis:namesxspa:1.0:subject:purposeofuse |
|
| Type: | urn:hl7-org:v3#CV | |
| Example: | ||
| Opt.: | Required |