PJD - XUA - SAML specification
Content:
1. Identity and Context claims
1.1 SAML Assertions
1.2 Relationship to IHE XUA Integration Profile
2. Assertion for Norwegian Identity Trust Framework for Health Care Services
2.1 Generic Structure of the Identity Assertion
2.2 Assertion Signature
2.3 Attributes for Norwegian Trust Framework for Health Care Services
2.4 Audit Trail Consideration
3. Norwegian Citizen Identity Assertion for Public Access
1. Identity and Context Claims
The OASIS Security Assertion Markup Language [OASIS SAML 2.0] is an XML framework for sharing identity, authenticity and authorization claims within a distributed environment.
The standard defines:
- Assertions for encoding identity, authenticity, and authorization claims
- Protocols for interacting with services which manage the lifecycle of SAML assertions
- Bindings for implementing the protocols on different platforms.
- Profiles for adapting assertions and protocols to specific scenarios.
1.1 SAML Assertions
SAML Assertions encapsulate statements about a subject. Such statements may cover the context of subject authentication, describing attributes about the subject and/or the subject's permissions. Each SAML assertion additionally contains information about the issuer of the assertion and the lifecycle of the assertion (e.g. validity conditions). SAML assertions are usually digitally signed by their issuer.
1.2 Relationship to IHE XUA Integration Profile
The IHE Cross-Enterprise User Assertion (XUA) integration profile defines conventions for using SAML identity assertions within healthcare scenarios.
For verifying the authenticity and legitimacy of the presenter of an assertion, the XUA profile considers both the bearer method and the holder-of-key method.
These methods do not match the needs of a trust-brokered environment, where the presenter of the assertion is not the subject but vouches for the subject.
2. Assertion for Norwegian Identity Trust Framework for Health Care Services
2.1 Generic Structure of the Identity Assertion
The following table specifies how the elements and attributes of a SAML v2.0 assertion are to be used in the context of the eHealth DSI Identity Assertion.
Elements and attributes which are not explicitly profiled within this table MUST be ignored by the assertion consumer.
The attributes presented in this Norwegian specification are built upon the OASIS specification Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of SAML v2.0 for Healthcare, version 2.0.
Additional attributes for the Norwegian trust framework are specified as extensions in their own namespace.
The following table defines which categories MUST be filled (R), which MAY be filled (O) and which categories MUST NOT be used (X).
Assertion Element | Optionality | Usage convention
---|---|---
@Version | R | MUST be "2.0"
@ID | R | URN-encoded unique identifier (UUID) of the assertion
@IssueInstant | R | Time instant of issuance in UTC
Issuer | R | Address URI that identifies the endpoint of the issuing service, e.g. "helseid-saml.nhn.no"
Subject | R | 
Subject/NameID | R | Identifier of the HCP encoded as a string value (unspecified format)
Subject/NameID/@Format | R | MUST be "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
Subject/SubjectConfirmation | R | 
Subject/SubjectConfirmation/@Method | R | MUST be "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
Subject/SubjectConfirmation/SubjectConfirmationData | X | 
Conditions | R | 
Conditions/@NotBefore | R | Time instant from which the assertion is usable. The assertion consumer MUST assess this condition to prove the validity of the assertion.
Conditions/AudienceRestriction | R | 
Conditions/AudienceRestriction/Audience | R | This element should contain a value identifying the X-Service Provider, e.g. "kjernejournal-portal"
Conditions/@NotOnOrAfter | R | Time instant at which the assertion expires. The assertion consumer MUST assess this condition to prove the validity of the assertion.
AuthnStatement | R | 
AuthnStatement/@AuthnInstant | R | Time instant of HCP authentication in UTC
AuthnStatement/@SessionNotOnOrAfter | O | Time instant at which the session expires
AuthnStatement/AuthnContext | R | 
AuthnStatement/AuthnContext/AuthnContextClassRef | R | Reference to the HCP's authentication method. A two-factor authentication method MUST be used; see [OASIS SAML Authn] for the list of valid authentication contexts. Accepted values: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:X509, urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
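The following is an added example, not code from the trust framework, showing how an assertion consumer can check the rules profiled in the table above (version, sender-vouches confirmation, validity window, audience and two-factor authentication context). It assumes the XML signature of section 2.2 has already been verified by an XML-DSig library, and the sample assertion, its ID and its timestamps are constructed for this example.

```python
# Added example (not the trust framework's own code): check an incoming assertion
# against the profiled constraints.  Signature verification is assumed done first.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Two-factor authentication context classes accepted by the table above.
ALLOWED_AUTHN_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:" + c
    for c in ("MobileTwoFactorUnregistered", "MobileTwoFactorContract", "X509",
              "SPKI", "SmartcardPKI", "SoftwarePKI", "TLSClient")
}

# Constructed sample assertion (ID and timestamps are made up for this example).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="urn:uuid:7a4f2e9c-1c3b-4f8e-9a1d-2b5c6d7e8f90"
    IssueInstant="2024-01-01T10:00:00Z">
  <saml2:Issuer>helseid-saml.nhn.no</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Ola Nordmann</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
    <saml2:AudienceRestriction><saml2:Audience>kjernejournal-portal</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2024-01-01T09:59:00Z"><saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml2:AuthnContextClassRef>
  </saml2:AuthnContext></saml2:AuthnStatement>
</saml2:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, expected_audience, now_utc):
    """Return the list of violated rules; an empty list means the assertion passes."""
    problems = []
    a = ET.fromstring(xml_text)
    for attr, want in (("Version", "2.0"), ("ID", None), ("IssueInstant", None)):
        if not a.get(attr) or (want and a.get(attr) != want):
            problems.append("%s is required%s" % (attr, " and MUST be %s" % want if want else ""))
    if a.find("saml2:Issuer", NS) is None:
        problems.append("Issuer is required")
    name_id = a.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID with the unspecified format is required")
    conf = a.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != SENDER_VOUCHES:
        problems.append("SubjectConfirmation Method MUST be sender-vouches")
    elif conf.find("saml2:SubjectConfirmationData", NS) is not None:
        problems.append("SubjectConfirmationData MUST NOT be used")
    cond = a.find("saml2:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("Conditions need both NotBefore and NotOnOrAfter")
    else:
        now = _ts(now_utc)
        if now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience %r not in %r" % (expected_audience, audiences))
    ref = a.find("saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", NS)
    if ref is None or ref.text not in ALLOWED_AUTHN_CLASSES:
        problems.append("AuthnContextClassRef MUST be one of the two-factor classes")
    return problems
```

Because the confirmation method is sender-vouches, the consumer gets no proof of possession from the assertion itself; the issuer signature and the transport-level trust in the presenting system are what make the assertion trustworthy.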
2.2 Assertion Signature
Every HCS Identity Assertion MUST be signed by its issuer.
2.3 Attributes for Norwegian Trust Framework for Health Care Services
An identity assertion can carry an arbitrary number of attributes on the authenticated entity. Each attribute MUST be encoded using a SAML attribute element.
Home Community ID | 
---|---
Friendly name: | homecommunity-id
Name: | urn:ihe:iti:xca:2010:homeCommunityId
Datatype: | xs:anyURI
Valid values: | A valid OID of the Home Community MUST be presented. Example values:
Optionality: | Mandatory
Description: | OID identifier of the homeCommunity, according to the IHE XDS/XCA profiles, from which the request originates. It can also identify a middleware product such as the KJ portal; in that case Norsk helsenett is the homeCommunity object. Otherwise it should be the identifier representing the home community as defined in IHE XDS.
Sample fragment: | ...
Healthcare professional (HCP) | 
---|---
Friendly name: | hcp-name
Name: | urn:oasis:names:tc:xacml:1.0:subject:subject-id
Datatype: | xs:string
Valid values: | Human-readable name of the HCP, supporting the Norwegian alphabet. Example values: Ola Nordmann; Kari Nordmann; Kåre Skøyen Nordmann
Optionality: | Mandatory
Description: | This attribute MUST contain the full name of the HCP in human-readable form
Sample fragment: | ...
Healthcare Professional Structural Role (HCP) | 
---|---
Friendly name: | hcp-role
Name: | urn:oasis:names:tc:xacml:2.0:subject:role
Datatype: | urn:hl7-org#CE
Valid values: | The structural role should be represented as one of the healthcare categories defined in the Norwegian value set. Example value:
Optionality: | Optional
Description: | The HCP's approved health education level/approval in Norway. One HCP can hold several approvals in different healthcare categories; only the most appropriate role MUST be used in this context.
Sample fragment: | ...
Healthcare Professional ID (HCP) | 
---|---
Friendly name: | hcp-professional-id
Name: | urn:oasis:names:tc:xspa:1.0:subject:npi
Datatype: | xs:string
Valid values: | The value should be the HCP's HPR identifier, if one exists (acknowledged authorized healthcare personnel). The HPR identifier is a string of up to 9 digits. Example values: 123456789; 12345678; 1234567
Optionality: | Optional
Description: | Identifier referring to the HCP's approved health education level/approval in Norway
Sample fragment: | ...
Healthcare Professional ID-provider (HCP) | 
---|---
Friendly name: | hcp-professional-id-provider
Name: | urn:ihe:iti:xua:2017:subject:provider-identifier
Datatype: | urn:hl7-org:v3#II
Valid values: | The value should be the HCP's HPR identifier, if one exists (acknowledged authorized healthcare personnel), together with a reference to the assigning authority. The HPR identifier is a string of up to 9 digits. The OID of the assigning authority for Norwegian healthcare personnel identifiers is always "2.16.578.1.12.4.1.4.4". Example values: <id xmlns="urn:hl7-org:v3" type="II" extension="9999971" root="2.16.578.1.12.4.1.4.4" displayable="false" /> <id xmlns="urn:hl7-org:v3" type="II" extension="12345678" root="2.16.578.1.12.4.1.4.4" displayable="false" /> <id xmlns="urn:hl7-org:v3" type="II" extension="123456789" root="2.16.578.1.12.4.1.4.4" displayable="false" />
Optionality: | Optional
Description: | Identifier referring to the HCP's approved health education level/approval in Norway
Sample fragment: | ...
Healthcare Professional Organization (HCPO) | 
---|---
Friendly name: | hcpo-organization-name
Name: | urn:oasis:names:tc:xspa:1.0:subject:organization
Datatype: | xs:string
Valid values: | Human-readable name of the healthcare professional organization. Example values: Legekontor i Mordor; Hobbiton kommune
Optionality: | Mandatory
Description: | The name of the requesting organization, i.e. the legal-level organization that the requesting HCP user belongs to. In plain text, the organization that the user belongs to shall be placed in the value of the element.
Sample fragment: | ...
Healthcare Professional Organization ID (HCPO) | 
---|---
Friendly name: | hcpo-organization-id
Name: | urn:oasis:names:tc:xspa:1.0:subject:organization-id
Datatype: | urn:hl7-org:v3#II
Valid values: | The organization identifier from Brønnøysundsregistrene should be presented. Example values: <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="123456789" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/> <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="987654321" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/>
Optionality: | Mandatory
Description: | Unique identifier of the legal level of the consuming organization (Healthcare Professional Organization), according to its registration in Brønnøysundsregistrene. A unique identifier for the organization that the user is representing in performing this transaction shall be placed in the value of the element. The organization ID may be an Object Identifier (OID), using the urn format (that is, "urn:oid:" appended with the OID); or it may be a URL assigned to that organization.
Sample fragment: | ...
Point of care (HCPO) | 
---|---
Friendly name: | hcpo-point-of-care
Name: | urn:nhn:trust-framework:1.0:ext:subject:child-organization-name
Datatype: | xs:string
Valid values: | Human-readable name of the healthcare professional organization. Example values: Legekontor i Mordor; Kommunal legekontor i Hobbiton
Optionality: | Optional
Description: | Name of the hospital or medical facility which the HCP is currently associated with. It can be the same as the HCPO, but can differ in large medical organizations.
Sample fragment: | ...
Point of care ID (HCPO) | 
---|---
Friendly name: | hcpo-child-organization-id
Name: | urn:oasis:names:tc:xspa:1.0:subject:child-organization
Datatype: | urn:hl7-org:v3#II
Valid values: | The organization's identifier from Brønnøysundsregistrene should be presented. Example values: <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="123456789" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/> <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="987654321" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/>
Optionality: | Optional
Description: | Identifier of the hospital or medical facility (HCPO point of care).
Sample fragment: | ...
Department (HCPO) | 
---|---
Friendly name: | hcpo-department
Name: | urn:nhn:trust-framework:1.0:ext:subject:facility-name
Datatype: | xs:string
Valid values: | Human-readable name of the department or facility which the HCP is currently associated with in the current patient context. Example values: Gastrokirurgisk avdeling; Barnenevrologisk avdeling
Optionality: | Optional
Description: | Name of the sub-unit in the medical treatment facility which the HCP is currently associated with, in the current patient context.
Sample fragment: | ...
HCPO Department ID (HCPO) | 
---|---
Friendly name: | hcpo-department-id
Name: | urn:oasis:names:tc:xspa:1.0:subject:facility
Datatype: | urn:hl7-org:v3#II
Valid values: | The department ID should be the ID from the respective register in Norway, e.g. RESH. Example value: <Facility xmlns="urn:hl7-org:v3" xsi:type="II" extension="123456" root="2.16.578.1.12.4.1.4.102" assigningAuthorityName="Register over enheter i spesialisthelsetjenesten" displayable="true" />
Optionality: | Optional
Description: | Identifier of the sub-unit/department in the medical treatment facility which the HCP is currently associated with.
Sample fragment: | ...
Patient identifier (Patient) | 
---|---
Friendly name: | patient-id
Name: | urn:oasis:names:tc:xacml:1.0:resource:resource-id
Datatype: | HL7 V2.5 CX
Valid values: | The patient's identifier is presented in HL7 v2.5 CX format. Use the OID for the respective type of patient identifier: F-number, OID 2.16.578.1.12.4.1.4.1 (fødselsnummer): registered citizen / permanent residency approval in Norway; D-number, OID 2.16.578.1.12.4.1.4.2 (d-nummer): temporary residency approval in Norway; FHN-number, OID 2.16.578.1.12.4.1.4.3 (felles-hjelpenummer): temporary identifier used in the health sector for unknown persons; DUF-number, OID 2.16.578.1.12.4.1.4.5 (duf-nummer): temporary identifier for registered refugees in Norway. Example values: <saml2:AttributeValue>13116900216^^^&2.16.578.1.12.4.1.4.1&ISO</saml2:AttributeValue> <saml2:AttributeValue>41018500216^^^&2.16.578.1.12.4.1.4.2&ISO</saml2:AttributeValue>
Optionality: | Mandatory
Description: | One of the patient's Norwegian identifiers which is approved for use in the Norwegian health sector. Identifier of the data object(s) being requested, e.g. the patient's unique identifier, or the query string defining the requested data in the case of bulk requests.
Sample fragment: | ...
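As an added example (not the trust framework's own code), the block below pulls three of the attributes profiled above out of an AttributeStatement and checks their value rules: the HPR identifier must carry the fixed assigning-authority root and be at most 9 digits, the organization identifier must carry the Enhetsregisteret root used in the examples, and the patient identifier must be a CX value whose assigning OID is one of the four approved types. The sample statement and its identifier values are constructed; xsi:type is left out of the HL7 elements so the sample parses without an xsi namespace declaration.

```python
# Added example (not the trust framework's own code): extract the HPR identifier,
# organization identifier and patient identifier from an AttributeStatement and
# check them against the value rules given in the attribute tables.
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "hl7": "urn:hl7-org:v3"}
HPR_ROOT = "2.16.578.1.12.4.1.4.4"                  # assigning authority for HPR numbers
ENHETSREGISTERET_ROOT = "2.16.578.1.12.4.1.4.101"  # root used in the organization-id examples
PATIENT_ID_OIDS = {                                 # identifier types approved for the health sector
    "2.16.578.1.12.4.1.4.1": "F-number",
    "2.16.578.1.12.4.1.4.2": "D-number",
    "2.16.578.1.12.4.1.4.3": "FHN-number",
    "2.16.578.1.12.4.1.4.5": "DUF-number",
}

# Constructed sample statement; identifier values are made up for this example.
SAMPLE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="urn:ihe:iti:xua:2017:subject:provider-identifier" FriendlyName="hcp-professional-id-provider">
    <saml2:AttributeValue><id xmlns="urn:hl7-org:v3" extension="9999971" root="2.16.578.1.12.4.1.4.4" displayable="false"/></saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" FriendlyName="hcpo-organization-id">
    <saml2:AttributeValue><id xmlns="urn:hl7-org:v3" extension="123456789" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/></saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oasis:names:tc:xacml:1.0:resource:resource-id" FriendlyName="patient-id">
    <saml2:AttributeValue>13116900216^^^&amp;2.16.578.1.12.4.1.4.1&amp;ISO</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def attribute_values(statement, name):
    """All AttributeValue elements of the attribute with the given Name."""
    return statement.findall('saml2:Attribute[@Name="%s"]/saml2:AttributeValue' % name, NS)

def parse_ii(value_el, expected_root):
    """Check the HL7 II <id> element inside an AttributeValue and return its extension."""
    ii = value_el.find("hl7:id", NS)
    if ii is None:
        raise ValueError("no hl7:id element in AttributeValue")
    if ii.get("root") != expected_root:
        raise ValueError("unexpected assigning authority root %r" % ii.get("root"))
    return ii.get("extension")

def parse_hpr_id(value_el):
    """HPR identifier: root is always HPR_ROOT and the extension is up to 9 digits."""
    ext = parse_ii(value_el, HPR_ROOT)
    if not re.fullmatch(r"[0-9]{1,9}", ext or ""):
        raise ValueError("HPR identifier must be 1 to 9 digits")
    return ext

def parse_patient_cx(text):
    """Parse 'id^^^&OID&ISO' (HL7 v2.5 CX) and classify it by the assigning OID."""
    parts = text.split("^")
    if len(parts) < 4:
        raise ValueError("CX value needs at least four ^-separated components")
    authority = parts[3].split("&")
    if len(authority) != 3 or authority[2] != "ISO":
        raise ValueError("assigning authority must have the form &<OID>&ISO")
    oid = authority[1]
    if oid not in PATIENT_ID_OIDS:
        raise ValueError("identifier type %s is not approved for the health sector" % oid)
    return {"id": parts[0], "oid": oid, "kind": PATIENT_ID_OIDS[oid]}

def check_statement(xml_text):
    """Return the validated identifiers from a statement; raises ValueError on a violation."""
    st = ET.fromstring(xml_text)
    hpr = parse_hpr_id(attribute_values(st, "urn:ihe:iti:xua:2017:subject:provider-identifier")[0])
    org = parse_ii(attribute_values(st, "urn:oasis:names:tc:xspa:1.0:subject:organization-id")[0],
                   ENHETSREGISTERET_ROOT)
    patient = parse_patient_cx(attribute_values(st, "urn:oasis:names:tc:xacml:1.0:resource:resource-id")[0].text)
    return {"hpr": hpr, "org": org, "patient": patient}
```

A consumer that feeds these identifiers into access decisions or audit records should reject the whole assertion on any ValueError rather than fall back to a partially parsed value.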
Point-of-care (Patient) | 
---|---
Friendly name: | patient-point-of-care
Name: | urn:nhn:trust-framework:1.0:ext:resource:child-organization-name
Datatype: | xs:string
Valid values: | Human-readable name of the institution the patient potentially belongs to. Example values: Galtvort sykehjem; Mordor helsestasjon
Optionality: | Optional
Description: | Name of the hospital or medical facility the patient belongs to
Sample fragment: | ...
Point-of-care ID (Patient) | 
---|---
Friendly name: | patient-point-of-care-id
Name: | urn:nhn:trust-framework:1.0:ext:resource:child-organization
Datatype: | urn:hl7-org:v3#II
Valid values: | The organization's identifier from Brønnøysundsregistrene should be presented. Example values: <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="123456789" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/> <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="987654321" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/>
Optionality: | Conditional, mandatory if the "Patient point-of-care" attribute is present
Description: | Identifier of the hospital or medical facility the patient belongs to
Sample fragment: | ...
Treatment facility (Patient) | 
---|---
Friendly name: | patient-department
Name: | urn:nhn:trust-framework:1.0:ext:resource:facility-name
Datatype: | xs:string
Valid values: | Human-readable name of the department/sub-unit in the patient's point-of-care organization where the patient is treated. Valid examples: Palliativ avdeling; Barne- og ungdomspsykiatrisk avdeling (BUPA)
Optionality: | Optional
Description: | Name of the sub-unit in the medical treatment facility where the patient is treated
Sample fragment: | ...
Treatment facility ID (Patient) | 
---|---
Friendly name: | patient-department-id
Name: | urn:nhn:trust-framework:1.0:ext:resource:facility
Datatype: | urn:hl7-org:v3#II
Valid values: | The organization's identifier from Brønnøysundsregistrene should be presented. Example values: <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="123456789" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/> <id xmlns="urn:hl7-org:v3" xsi:type="II" extension="987654321" root="2.16.578.1.12.4.1.4.101" assigningAuthorityName="Enhetsregisteret" displayable="true"/>
Optionality: | Conditional, mandatory if the "Patient department" attribute is present
Description: | Identifier of the sub-unit in the medical treatment facility where the patient is treated
Sample fragment: | ...
Purpose of use (relationship) | 
---|---
Friendly name: | purpose
Name: | urn:oasis:names:tc:xacml:2.0:action:purpose
Datatype: | urn:hl7-org:v3#CE
Valid values: | Values for "purpose of use" are based on the HL7 value set "PurposeOfUse" [urn:oid:2.16.840.1.113883.1.11.20448]. One of the following values MUST be used in the Norwegian context. Example values: <Purpose xmlns="urn:hl7-org:v3" xsi:type="CE" code="TREAT" codeSystem="2.16.840.1.113883.1.11.20448&ISO" displayName="treatment" /> <Purpose xmlns="urn:hl7-org:v3" xsi:type="CE" code="ETREAT" codeSystem="2.16.840.1.113883.1.11.20448&ISO" displayName="emergency treatment" /> <Purpose xmlns="urn:hl7-org:v3" xsi:type="CE" code="COC" codeSystem="2.16.840.1.113883.1.11.20448&ISO" displayName="coordination of care" />
Optionality: | Mandatory
Description: | This attribute refers to the usual working environment of the user. Note: use of "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse" is deprecated by the XSPA profile for healthcare v2.0.
Sample fragment: | ...
Healthcare service (relationship) | 
---|---
Friendly name: | healthcare-service
Name: | urn:nhn:trust-framework:1.0:ext:care-relationship:healthcare-service
Datatype: | urn:hl7-org:v3#CE
Valid values: | A value from one of the respective value sets MUST be present. The value sets are Norwegian code value sets from Volven (helsedirektoratet.no). Example values: <HealthcareService xmlns="urn:hl7-org:v3" xsi:type="CE" code="KX17" codeSystem="2.16.578.1.12.4.1.1.8663&ISO" displayName="Fastlege, liste uten fast lege" /> <HealthcareService xmlns="urn:hl7-org:v3" xsi:type="CE" code="KP02" codeSystem="2.16.578.1.12.4.1.1.8663&ISO" displayName="Sykepleietjeneste" />
Optionality: | Mandatory
Description: | Reference to the healthcare service provided in the treatment of the patient. Only one service, the most relevant, MUST be presented.
Sample fragment: | ...
Purpose-of-use-details (relationship) | 
---|---
Friendly name: | purpose-of-use-details
Name: | urn:nhn:trust-framework:1.0:ext:care-relationship:purpose-of-use-details
Datatype: | urn:hl7-org:v3#CE
Valid values: | Refers to a summary of the purpose of use and of the healthcare services provided to the referred patient. Example values: <purpose-of-use-details xmlns="urn:hl7-org:v3" xsi:type="CE" code="15" codeSystem="urn:oid:2.16.578.1.12.4.1.1.9151" displayName="Helsetjenester i hjemmet" assigningAuthorityName="Helsedirektoratet" />
Optionality: | Optional
Description: | Reference to the healthcare service provided in the treatment of the patient.
Sample fragment: | ...
Decision reference (relationship) | 
---|---
Friendly name: | decision-ref
Name: | urn:nhn:trust-framework:1.0:ext:care-relationship:decision-ref
Datatype: | urn:nhn:trust-framework:1.0#CD
Valid values: | The "id" identifier should be presented as a UUID; "user-selected" MUST be a boolean value. Example values: <decision-ref> <id tf:value="urn:uuid:b0b87276-79aa-4643-9bb3-7760b1f43a4d" /> <user-selected tf:value="false" /> </decision-ref> <decision-ref> <id tf:value="urn:uuid:c1b87276-27bb-9873-4hh7-1278b1c53a8e" /> <user-selected tf:value="true" /> </decision-ref>
Optionality: | Optional
Description: | Reference to the EHR's PDP identifier, i.e. the identifier representing the decision point in the EHR that allows the HCP to access the patient record.
Sample fragment: | ...
BPPC DOCID | 
---|---
Friendly name: | bppc-docid
Name: | urn:ihe:iti:bppc:2007:docid
Datatype: | urn:oid
Valid values: | An OID identifier should be present. The value is one of the following two: <saml:AttributeValue xmlns:a="http://www.w3.org/2001/XMLSchema-instance" a:nil="true"/> <saml2:AttributeValue>urn:oid:2.16.578.1.12.4.1.7.2.1.6</saml2:AttributeValue>
Optionality: | Conditional, mandatory if the "XUA ACP" attribute is present
Description: | Reference to an OID identifier representing the form of applied consent.
Sample fragment: | ...
XUA ACP | 
---|---
Friendly name: | xua-acp
Name: | urn:ihe:iti:xua:2012:acp
Datatype: | urn:oid
Valid values: | An OID identifier should be present. The value is one of the following two: <saml:AttributeValue xmlns:a="http://www.w3.org/2001/XMLSchema-instance" a:nil="true"/> <saml2:AttributeValue>urn:oid:2.16.578.1.12.4.1.7.2.1.6</saml2:AttributeValue>
Optionality: | Optional
Description: | Reference to an OID identifier referring to an existing access consent policy.
Sample fragment: | ...
2.4 Audit Trail Consideration
The audit message MUST be assembled according to the HCP Assurance audit schema as defined in [Audit Trail Profile].
The following table defines which categories MUST be filled (R), which MAY be filled (O) and which categories MUST NOT be used (X).
Instance | Optionality | Description
---|---|---
Event | R | Audited event
Requesting point of care | R | HCPO which is in a treatment relationship with the patient
Human requestor | R | HCP who requested the patient information
Source gateway | R | Outbound gateway that attested the authenticity of the trust framework information
Target Gateway | X | 
Audit Source | R | Legal entity that ensures the uniqueness of the identifiers used to identify active participants
Event target | X | 
3. Norwegian Citizen Identity Assertion
TO BE CONTINUED...