IHE ITI-40 | Provide X-User Assertion | Twiin Afsprakenstelsel

Scope

This transaction is used to add user attributes in the SOAP TTA transactions. The attributes are placed in a SAML-token in the security header of a, for example, ITI-75 transaction.

Use Case Roles

Referenced Standards

OASIS http://www.oasis-open.org/committees/security/
SAMLCore SAML V2.0 Core standard
WSS10 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.
WSS11 OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.
WSS:SAMLTokenProfile1.0 OASIS Standard, “Web Services Security: SAML Token Profile”, December 2004
WSS:SAMLTokenProfile1.1 OASIS Standard, “Web Services Security: SAML Token Profile 1.1”, February 2006
XSPA-SAMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare v1.0” , November 2009
SAML 2.0 Profile For XACML 2.0 OASIS Standard, February 2005

Informative -- assist with understanding or implementing this transaction

IHE Profiles
- Personnel White Pages Profile
- Enterprise User Authentication Profile
- Basic Patient Privacy Consents Profile
OASIS
- SAML V2.0 Standards http://www.oasis-open.org/committees/security/ .
- SAML V2.0 Technical Overview
- SAML Executive Overview
- SAML Tutorial presentation by Eve Maler of Sun Microsystems
- SAML Specifications
- WS-Trust - OASIS Web Services Secure Exchange (WS-SX) TC
- XSPA-XACMLv1.0 OASIS Standard, “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare v1.0” , November 2009

Messages
Provide X-User Assertion

For more technical specification, see the original document: https://profiles.ihe.net/ITI/TF/Volume2/ITI-40.html

Twiin implementation

The SAML token is only valid for 10 minutes. The SAML token has the following attributes (in addition to the required attributes from the SAML-standard)

Element	Opt.	DataType
urn:nl:otv:names:tc:1.0:subject:mandated	C	HL7 V3 II
urn:ihe:iti:xua:2017:subject:provider-identifier	R	HL7 V3 II
urn:oasis:names:tc:xacml:2.0:subject:role	R	HL7 V3 CE
urn:ihe:iti:appc:2016:document-entry:event-code	O	HL7 V3 CV
urn:nl:otv:names:tc:1.0:subject:provider-institution	R	HL7 V3 II
urn:oasis:names:tc:xspa:1.0:subject:organization	O	String
urn:oasis:names:tc:xspa:1.0:subject:organization-id	O	anyURI
urn:oasis:names:tc:xspa:1.0:subject:purposeofuse	R	HL7 V3 CV

The SAML token is only required in the transactions between GtK (external traffic).

Identification Raadpleger
Name:	urn:nl:otv:names:tc:1.0:subject:mandated
Type:	urn:hl7-org:v3:II
Example:	`extension="123456789" root="2.16.528.1.1007.3.1" assigningAuthorityName="CIBG"`
Opt.:	Conditional, required if the person is mandated by the verantwoordelijke-id.

Identification Verantwoordelijke
Name:	urn:ihe:iti:xua:2017:subject:provider-identifier
Type:	urn:hl7-org:v3:II
Example:	`extension="123456782" root="2.16.528.1.1007.3.1" assigningAuthorityName="CIBG"`
Opt.:	Required, UZI-nummer verantwoordelijke.

Rolcode verantwoordelijke healthcare provider
Name:	urn:oasis:names:tc:xacml:2.0:subject:role
Type:	urn:hl7-org:v3:CE
Example:	`code="01.013" codeSystem="2.16.840.1.113883.2.4.15.111" codeSystemName="RoleCodeNL" displayName="Arts v. maag-darm-leverziekten"`
Opt.:	Required, UZI rolcode

Data category
Name:	urn:ihe:iti:appc:2016:document-entry:event-code
Type:	urn:hl7-org:v3:CV
Example:	`code="GGC007" codeSystem="2.16.840.1.113883.2.4.3.111.5.10.1"`
Opt.:	Optional

Identification verantwoordelijke provider
Name:	urn:nl:otv:names:tc:1.0:subject:provider-institution
Type:	urn:hl7-org:v3:II
Example:	`<AttributeValue DataType="urn:hl7-org:v3#II" > <InstanceIdentifier xmlns="urn:hl7-org:v3" extension="00014332" root="2.16.528.1.1007.3.3" /></AttributeValue>`
Opt.:	Required, URA

Alternative Identification verantwoordelijke provider
Name:	urn:oasis:names:tc:xspa:1.0:subject:organization
Type:	String
Example:	`<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization"> <saml:AttributeValue>Family Medical Clinic</saml:AttributeValue> </saml:Attribute>`
Opt.:	Conditional, required if urn:oasis:names:tc:xspa:1.0:subject:organization-id is not empty

Alternative Identification verantwoordelijke provider (id)
Name:	urn:oasis:names:tc:xspa:1.0:subject:organization-id
Type:	AnyURI
Example:	`<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"> <saml:AttributeValue>http://familymedicalclinic.org</saml:AttributeValue> </saml:Attribute>`
Opt.:	Conditional, required if urn:oasis:names:tc:xspa:1.0:subject:organization is not empty

Purpose of use
Name:	urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Type:	urn:hl7-org:v3#CV
Example:	<AttributeValue DataType=" urn:hl7-org:v3#CV"> <CodedValue xmlns="urn:hl7-org:v3" code="TREAT" codeSystem="2.16.840.1.113883.1.11.20448" displayName="treatment" /> </AttributeValue>
Opt.:	Required

Scope

Use Case Roles

Referenced Standards

Informative -- assist with understanding or implementing this transaction

Messages Provide X-User Assertion

Messages
Provide X-User Assertion