10.4.5 | IHE ITI-40 | Provide X-User Assertion
Scope
This transaction adds user attributes to the SOAP TTA transactions. The attributes are carried in a SAML token in the WS-Security header of, for example, an ITI-75 transaction.
Use Case Roles
Referenced Standards
SAMLCore SAML V2.0 Core standard
WSS10 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.
WSS11 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.
WSS:SAMLTokenProfile1.0 OASIS Standard, “Web Services Security: SAML Token Profile”, December 2004
WSS:SAMLTokenProfile1.1 OASIS Standard, “Web Services Security: SAML Token Profile 1.1”, February 2006
XSPA-SAMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare v1.0”, November 2009
SAML 2.0 Profile For XACML 2.0 OASIS Standard, February 2005
Informative references -- these assist with understanding or implementing this transaction
IHE Profiles
Personnel White Pages Profile
Enterprise User Authentication Profile
Basic Patient Privacy Consents Profile
OASIS
SAML V2.0 Standards http://www.oasis-open.org/committees/security/
SAML V2.0 Technical Overview
SAML Executive Overview
SAML Tutorial presentation by Eve Maler of Sun Microsystems
SAML Specifications
WS-Trust - OASIS Web Services Secure Exchange (WS-SX) TC
XSPA-XACMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare v1.0”, November 2009
Messages
Provide X-User Assertion
For more technical specification, see the original document: https://profiles.ihe.net/ITI/TF/Volume2/ITI-40.html
Twiin implementation
The SAML token is only valid for 10 minutes. The SAML token carries the following attributes (in addition to the attributes required by the SAML standard):

| Element | Opt. | DataType |
|---|---|---|
| urn:nl:otv:names:tc:1.0:subject:mandated | C | HL7 V3 II |
| urn:ihe:iti:xua:2017:subject:provider-identifier | R | HL7 V3 II |
| urn:oasis:names:tc:xacml:2.0:subject:role | R | HL7 V3 CE |
| urn:ihe:iti:appc:2016:document-entry:event-code | O | HL7 V3 CV |
| urn:nl:otv:names:tc:1.0:subject:provider-institution | R | HL7 V3 II |
| urn:oasis:names:tc:xspa:1.0:subject:organization | O | String |
| urn:oasis:names:tc:xspa:1.0:subject:organization-id | O | anyURI |
| urn:oasis:names:tc:xspa:1.0:subject:purposeofuse | R | HL7 V3 CV |
The SAML token is only required in the transactions between GtK (external traffic).
| Identification of the Raadpleger (the user consulting the data) | |
|---|---|
| Name: | urn:nl:otv:names:tc:1.0:subject:mandated |
| Type: | urn:hl7-org:v3:II |
| Example: | |
| Opt.: | Conditional, required if the person is mandated by the verantwoordelijke-id. |

| Identification of the Verantwoordelijke (responsible healthcare professional) | |
|---|---|
| Name: | urn:ihe:iti:xua:2017:subject:provider-identifier |
| Type: | urn:hl7-org:v3:II |
| Example: | |
| Opt.: | Required, UZI number of the verantwoordelijke. |

| Role code of the responsible (verantwoordelijke) healthcare provider | |
|---|---|
| Name: | urn:oasis:names:tc:xacml:2.0:subject:role |
| Type: | urn:hl7-org:v3:CE |
| Example: | |
| Opt.: | Required, UZI role code |

| Data category | |
|---|---|
| Name: | urn:ihe:iti:appc:2016:document-entry:event-code |
| Type: | urn:hl7-org:v3:CV |
| Example: | |
| Opt.: | Optional |

| Identification of the responsible (verantwoordelijke) provider organisation | |
|---|---|
| Name: | urn:nl:otv:names:tc:1.0:subject:provider-institution |
| Type: | urn:hl7-org:v3:II |
| Example: | |
| Opt.: | Required, URA |

| Alternative identification of the responsible (verantwoordelijke) provider organisation | |
|---|---|
| Name: | urn:oasis:names:tc:xspa:1.0:subject:organization |
| Type: | String |
| Example: | |
| Opt.: | Conditional, required if urn:oasis:names:tc:xspa:1.0:subject:organization-id is not empty |

| Alternative identification of the responsible (verantwoordelijke) provider organisation (id) | |
|---|---|
| Name: | urn:oasis:names:tc:xspa:1.0:subject:organization-id |
| Type: | AnyURI |
| Example: | |
| Opt.: | Conditional, required if urn:oasis:names:tc:xspa:1.0:subject:organization is not empty |

| Purpose of use | |
|---|---|
| Name: | urn:oasis:names:tc:xspa:1.0:subject:purposeofuse |
| Type: | urn:hl7-org:v3#CV |
| Example: | `<AttributeValue DataType="urn:hl7-org:v3#CV">` |
| Opt.: | Required |
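The following is an added example, not Twiin's or IHE's own code, showing how a receiving node could check an incoming token against the rules stated above: the 10-minute validity window, the required attributes from the summary table, and the rule that organization and organization-id must be given together. The sample assertion, its issuer, OIDs and code values are all constructed placeholders, and carrying the HL7 V3 datatypes (II, CE, CV) as a child element of AttributeValue is an assumption of this example; the condition on the mandated attribute depends on data outside the token and is therefore not checked here.

```python
# Added example (not Twiin's or IHE's code): validate a SAML 2.0 assertion
# against the attribute set and the 10-minute validity rule described above.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("saml", NS["saml"])

# Attribute names and optionality from the page (R required, O optional, C conditional).
ATTRIBUTES = {
    "urn:nl:otv:names:tc:1.0:subject:mandated": "C",
    "urn:ihe:iti:xua:2017:subject:provider-identifier": "R",
    "urn:oasis:names:tc:xacml:2.0:subject:role": "R",
    "urn:ihe:iti:appc:2016:document-entry:event-code": "O",
    "urn:nl:otv:names:tc:1.0:subject:provider-institution": "R",
    "urn:oasis:names:tc:xspa:1.0:subject:organization": "O",
    "urn:oasis:names:tc:xspa:1.0:subject:organization-id": "O",
    "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse": "R",
}
ORG = "urn:oasis:names:tc:xspa:1.0:subject:organization"
ORG_ID = "urn:oasis:names:tc:xspa:1.0:subject:organization-id"
MAX_VALIDITY = timedelta(minutes=10)

# Constructed sample token; every identifier, OID and code below is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_placeholder-assertion-id" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>placeholder-user</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:ihe:iti:xua:2017:subject:provider-identifier">
      <saml:AttributeValue><II xmlns="urn:hl7-org:v3" root="1.2.3.placeholder" extension="uzi-placeholder"/></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
      <saml:AttributeValue><CE xmlns="urn:hl7-org:v3" code="role-placeholder" codeSystem="1.2.3.placeholder"/></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:nl:otv:names:tc:1.0:subject:provider-institution">
      <saml:AttributeValue><II xmlns="urn:hl7-org:v3" root="1.2.3.placeholder" extension="ura-placeholder"/></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
      <saml:AttributeValue>Placeholder Hospital</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
      <saml:AttributeValue>urn:placeholder:org:1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
      <saml:AttributeValue DataType="urn:hl7-org:v3#CV"><CV xmlns="urn:hl7-org:v3" code="purpose-placeholder" codeSystem="1.2.3.placeholder"/></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def collect_attributes(assertion):
    """Map attribute Name -> list of values; an HL7 V3 child element becomes its attribute dict."""
    found = {}
    for attr in assertion.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = []
        for av in attr.findall("saml:AttributeValue", NS):
            values.append(dict(av[0].attrib) if len(av) else (av.text or "").strip())
        found[attr.get("Name")] = values
    return found


def check_assertion(xml_text, now):
    """Return a list of problems; an empty list means the token passes these checks."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element"]
    problems = []
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("Conditions with NotBefore and NotOnOrAfter are missing")
    else:
        nb, noa = parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))
        if noa - nb > MAX_VALIDITY:  # the page limits the token lifetime to 10 minutes
            problems.append(f"validity window {noa - nb} exceeds 10 minutes")
        if not (nb <= now < noa):  # NotOnOrAfter is exclusive
            problems.append("token is not valid at the current time")
    attrs = collect_attributes(assertion)
    for name, opt in ATTRIBUTES.items():
        if opt == "R" and not any(attrs.get(name, [])):
            problems.append(f"required attribute missing: {name}")
    # organization and organization-id are each required when the other is non-empty
    if any(attrs.get(ORG, [])) != any(attrs.get(ORG_ID, [])):
        problems.append("organization and organization-id must be given together")
    return problems


def drop_attribute(xml_text, name):
    """Re-serialise the assertion without the named attribute (used to show a failing check)."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AttributeStatement", NS)
    for attr in list(stmt.findall("saml:Attribute", NS)):
        if attr.get("Name") == name:
            stmt.remove(attr)
    return ET.tostring(root, encoding="unicode")
```

Run `check_assertion(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T12:05:00Z"))` to see the sample pass; dropping `purposeofuse` with `drop_attribute`, or moving `NotOnOrAfter` 30 minutes out, produces the corresponding problem line. Signature verification over the assertion is deliberately left out: it belongs to the WS-Security layer and must happen before these content checks are trusted.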