10.4.5 | IHE ITI-40 | Provide X-User Assertion
- Ben van der Stigchel
Analytics
Scope
This transaction is used to add user attributes in the SOAP TTA transactions. The attributes are placed in a SAML-token in the security header of a, for example, ITI-75 transaction.
Use Case Roles
Referenced Standards
SAMLCore SAML V2.0 Core standard
WSS10 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.
WSS11 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.
WSS:SAMLTokenProfile1.0 OASIS Standard, “Web Services Security: SAML Token Profile”, December 2004
WSS:SAMLTokenProfile1.1 OASIS Standard, “Web Services Security: SAML Token Profile 1.1”, February 2006
XSPA-SAMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare v1.0” , November 2009
SAML 2.0 Profile For XACML 2.0 OASIS Standard, February 2005
Informative -- assist with understanding or implementing this transaction
IHE Profiles
Personnel White Pages Profile
Enterprise User Authentication Profile
Basic Patient Privacy Consents Profile
OASIS
SAML V2.0 Standards http://www.oasis-open.org/committees/security/ .
SAML V2.0 Technical Overview
SAML Executive Overview
SAML Tutorial presentation by Eve Maler of Sun Microsystems
SAML Specifications
WS-Trust - OASIS Web Services Secure Exchange (WS-SX) TC
XSPA-XACMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare v1.0” , November 2009
Messages
Provide X-User Assertion
For more technical specification, see the original document: IHE ITI TF Vol2
Twiin implementation
The SAML token is only valid for 10 minutes. The SAML token has the following attributes (in addition to the required attributes from the SAML-standard)
Element | Opt. | DataType |
urn:nl:otv:names:tc:1.0:subject:mandated | C | HL7 V3 II |
urn:ihe:iti:xua:2017:subject:provider-identifier | R | HL7 V3 II |
urn:oasis:names:tc:xacml:2.0:subject:role | R | HL7 V3 CE |
urn:ihe:iti:appc:2016:document-entry:event-code | O | HL7 V3 CV |
urn:nl:otv:names:tc:1.0:subject:provider-institution | R | HL7 V3 II |
urn:oasis:names:tc:xspa:1.0:subject:purposeofuse | R | HL7 V3 CV |
The SAML token is only required in the transactions between GtK (external traffic).
| Identification Raadpleger | |
Name: | urn:nl:otv:names:tc:1.0:subject:mandated | |
Type: | urn:hl7-org:v3:II | |
Example: | extension="123456789" root="2.16.528.1.1007.3.1" assigningAuthorityName="CIBG" | |
Opt.: | Conditional, required if the person is mandated by the verantwoordelijke-id. |
Identification Verantwoordelijke | |
Name: | urn:ihe:iti:xua:2017:subject:provider-identifier |
Type: | urn:hl7-org:v3:II |
Example: | extension="123456782" root="2.16.528.1.1007.3.1" assigningAuthorityName="CIBG" |
Opt.: | Required, UZI-nummer verantwoordelijke. |
Rolcode verantwoordelijke healthcare provider | |
Name: | urn:oasis:names:tc:xacml:2.0:subject:role |
Type: | urn:hl7-org:v3:CE |
Example: | code="01.013" codeSystem="2.16.840.1.113883.2.4.15.111" codeSystemName="RoleCodeNL" displayName="Arts v. maag-darm-leverziekten" |
Opt.: | Required, UZI rolcode |
Data category | |
Name: | urn:ihe:iti:appc:2016:document-entry:event-code |
Type: | urn:hl7-org:v3:CV |
Example: | code="GGC007" codeSystem="2.16.840.1.113883.2.4.3.111.5.10.1" |
Opt.: | Optional |
Identification verantwoordelijke provider | |
Name: | urn:nl:otv:names:tc:1.0:subject:provider-institution |
Type: | urn:hl7-org:v3:II |
Example: | <AttributeValue DataType="urn:hl7-org:v3#II" > <InstanceIdentifier xmlns="urn:hl7-org:v3" extension="00014332" root="2.16.528.1.1007.3.3" /></AttributeValue> |
Opt.: | Required, URA |
Purpose of use | ||
Name: | urn:oasis:names:tc:xspa:1.0:subject:purposeofuse |
|
Type: | urn:hl7-org:v3#CV |
|
Example: | <AttributeValue DataType=" urn:hl7-org:v3#CV"> |
|
Opt.: | Required |
|