Cross-Enterprise User Assertion (XUA) Profile: Difference between revisions

From IHE Wiki
JohnMoehrke (talk | contribs)
No edit summary
__TOC__
=Introduction=
''This is a draft of the Cross-Enterprise User Assertion Profile supplement to the IT Infrastructure Technical Framework.  This draft is a work in progress, not the official supplement or profile. The content of this profile has been vetted to provide a trustable user identity for use in the XDS Stored Query and XDS Web Services Retrieve transactions. The final profile content can only be determined after technical assessment by the full [[IT Infrastructure]] Technical Committee.''
''This is a draft of the {{{1}}} Profile ({{{2}}}) supplement to the {{{5}}} Technical Framework.  This draft is a work in progress, not the official supplement or profile.''


There are transactions defined by IHE that cross enterprise boundaries. The existing IHE mechanism for providing an authenticated user identity (EUA) does not function in cross-enterprise transactions. Further, in a cross-enterprise environment it is more likely that the transactions will pass between two enterprises that maintain their own independent user directories (PWP). This problem is the same focus as the OASIS SAML standard. That standard has received much attention and support from the security and platform industries. It allows for a centralized user directory, but also supports the more powerful federation of user directories. It supports many methods of user authentication (password, biometrics, smartcard) and can include details about the method(s) used.
__TOC__
 
The solution proposed is to leverage SAML and the various profiles from [http://www.w3c.org W3C], [http://www.oasis-open.org OASIS], and [http://www.ws-i.org WS-I]. In this way we will be able to take advantage of the vast experience of the communities outside of healthcare standards.  This profile will be leveraging the experience of a few programs around the globe that have started work with SAML in healthcare. Most of these projects are applying SAML to XDS as we expect to be doing in the first year.
 
Discussion about the creation of this profile can be found at [[Cross-Enterprise User Assertion - Discussion]]


==Profile Abstract==
The Cross-Enterprise User Assertion (XUA) Profile provides a trustable user identity for transactions that cross enterprise boundaries. The user identities may be centrally managed, or distributed.
The {{{1}}} Profile ({{{2}}}) {{{4|has a one paragraph description.}}}


==Glossary==
; XUA : Cross-Enterprise User Assertion (Formerly Cross-Enterprise User Authentication)
; Term : Definition
 
==Issue Log==
===Open Issues===
# Issue 1
# Issue  
# Issue
===Closed Issues===
=Volume I=
<pre>Add the following bullet to the list of profiles</pre>
* {{{1}}} - {{{3}}}


===Closed Issues===
===Dependencies===
<pre>Add the following row(s) to the list of dependencies</pre>
{|style='background-color:#7f7f7f;' align='center' border='1' cellspacing='0'
!Integration Profile
!Dependency
!Dependency Type
!Purpose
|- style='background-color:#ffffff;' align='center'
|{{{1}}}
|
|
|
|-
|}
==Profile Name==
The {{{1}}} Profile ({{{2}}}) {{{4|has a one paragraph description.}}}
 
And then some more introductory text.


==Systems==
===Use Cases===
Typical systems involved:
====Use Case Name 1====
* XDS Document Consumers
One or more paragraphs describing a clinical scenario.
* XDS Registry
====Use Case Name 2====
* XDS Repository
One or more paragraphs describing a clinical scenario.


===Actors/Transaction===


==Data Standards==
[[image:at.jpg|frame|center|{{{1}}} Actor Diagram]]
* [http://www.ihe.net IHE] Profiles
** [[Personnel White Pages]] Profile
** [[Enterprise User Authentication]] Profile
** [[Basic Patient Privacy Consents]] Profile
* SAML V2.0 Standards http://www.oasis-open.org/committees/security/.
** [http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf SAMLTechOvw] SAML V2.0 Technical Overview (a work in progress currently at revision 10)
** [http://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf SAML Tutorial] presentation by Eve Maler of Sun Microsystems
** [http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf SAMLCore] SAML V2.0 Core standard
** [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf WSS] Web Services Security V1.1 including errata
** [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SAMLTokenProfile.pdf WSS SAML] Web Services Security SAML Token Profile V1.1 including errata
** [http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf SAML Metadata] Version 2.0
* [http://www.ws-i.org WS-I]
** [http://www.ws-i.org/schemas/conformanceClaim WS-I Conformance Claim]
** [http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity WS-I Basic Security Profile] Version 1.1 (Doesn't use SAML 2.0)
** [http://www.ws-i.org/Profiles/BasicProfile-1.2.html WS-I Basic Profile] Version 1.2 (Doesn't use SOAP 1.2)
* [http://www.w3c.org W3C]
** [http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/ WS-Policy] Version 1.2
** [http://www.w3.org/TR/soap12-part0/ SOAP] Version 1.2
* ISO
** ISO/TS 21091 Health informatics — Directory services for security, communications and identification of professionals and patients
** ISO 17090 Health informatics - Digital Certificates in Healthcare
** ISO/DTS 21298 Functional and Structural Roles from (work item in committee)
* CEN
** CEN 13606-4 (makes normative ISO 21298 role vocabulary?)


==Technical Approach==
{|style='background-color:#7f7f7f;' align='center' border='1' cellspacing='0'
!Actor
!Transaction
!Opt.
!Section
|+{{{1}}} Actors and Transactions
|- style='background-color:#ffffff;' align='center'
|Actor 1
|Transaction 1
|R
|[[#Transaction 1]]
|-
|}


==Risks==
=== Options ===


==Summary==
{|style='background-color:#7f7f7f;' align='center' border='1' cellspacing='0'
!Actor
!Option
!Section
|+{{{1}}} Options
|- style='background-color:#ffffff;' align='center'
|Actor 1
|Option 1
|[[#Option 1]]
|-
|}


==== Option 1 ====
A description of option 1.


==References==
=== Grouping ===


=Volume 1=
=== Process Flow ===
[[Image:seq.jpg|frame|center|{{{1}}} Process Flow]]


<pre>Add the following bullet to the list of profiles</pre>
More text about process flow


== Actor Definitions ==
; Actor : Definition
== Transaction Definitions ==
; Transaction : Definition


==Dependencies==
=Volume II=
<pre>Add the following row(s) to the list of dependencies</pre>
==Transaction 1==
=== Scope ===
=== Use Case Roles ===
[[image:ucr.jpr|frame|center]]
; Actor: Actor 1
; Role: Role of Actor 1
lather, rinse and repeat for each actor


==Profile Name==
=== Referenced Standards ===
; [http://link.htm STD] : Description


===Use Case===
=== Interaction Diagram ===
This profile will likely take two years to fill out fully. In the first year we will focus only on the consumption side of XDS, specifically the Registry Stored Query and Retrieve Document transactions. The motivator for this is that these are the most exposed transactions that IHE has defined: they are expected to be used from a wide variety of consuming applications and enterprises.
[[image:int.jpg|frame|center]]
# General practice doctor retrieving results of a test performed by an outpatient clinic.
# Outpatient clinic retrieving request to perform a test and background information necessary.
# Doctor in an emergency situation requesting to retrieve documents (that would not be accessible under normal conditions)
## Where the privacy consent (BPPC) has restricted access
# System, based on a scheduled procedure, pre-fetches the available documents so that it can determine a relevant few documents to offer to the doctor when the patient arrives.
# Patient, using a PHR like application, accesses their own information in XDS.
# Access of a document by an individual who can't be identified because the SAML IdP (X-Assertion Provider) is not accessible


==Actors==
==== Message 1 of Interaction ====
* [[X-Assertion Provider]] – This is a SAML Identity Provider (IDP), and is not further specified by IHE.
===== Trigger =====
* [[X-Service User]] – This is the system making a web-services request. In the first year this is the XDS-Document Consumer Actor.
===== Message Semantics =====
* [[X-Service Provider]] – This is the system providing the web-service. In the first year this is the XDS-Document Registry and XDS-Document Repository Actors.
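The following is an added example, not code from the IHE wiki page or from any IHE implementation. It sketches the checks an X-Service Provider (here, an XDS Registry receiving a Stored Query) would run on the SAML 2.0 assertion that the X-Service User places in the WS-Security header of the SOAP request. The SOAP message, issuer URL, audience URL, user name and policy values are all constructed for illustration. It also covers the last use case above, where no assertion arrives because the X-Assertion Provider is unreachable. XML-Signature verification, which the WSS SAML Token Profile requires before any of these checks mean anything, is assumed to be done by a separate XML-DSig library and is not implemented here.

```python
"""Added example (not from the IHE page): assertion checks an X-Service Provider
runs on a SAML 2.0 token found in the WS-Security header of an XDS request.
Signature verification is assumed to be handled elsewhere (not implemented)."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: policy of a hypothetical XDS Registry acting as X-Service Provider.
TRUSTED_IDPS = {"https://idp.example-hospital.test/saml"}
MY_AUDIENCE = "https://xds-registry.example-affinity.test"

# Constructed SOAP 1.2 request with a SAML assertion in the WS-Security header.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <S:Header><wsse:Security>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-03-29T18:30:00Z">
      <saml:Issuer>https://idp.example-hospital.test/saml</saml:Issuer>
      <saml:Subject><saml:NameID>dr.jane@example-hospital.test</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2007-03-29T18:30:00Z" NotOnOrAfter="2007-03-29T19:30:00Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://xds-registry.example-affinity.test</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2007-03-29T18:29:00Z"><saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard</saml:AuthnContextClassRef>
      </saml:AuthnContext></saml:AuthnStatement>
    </saml:Assertion>
  </wsse:Security></S:Header>
  <S:Body/>
</S:Envelope>"""

# Constructed request with no assertion at all (IdP unreachable, use case 6 above).
NO_ASSERTION_REQUEST = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  <S:Header/><S:Body/></S:Envelope>"""


class AssertionRejected(Exception):
    """Raised when a check fails; the service must not act on the request."""


def _ts(value):
    """Parse a SAML UTC timestamp ('...Z') into an aware datetime."""
    if value is None:
        raise AssertionRejected("missing timestamp attribute")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_assertion(soap_xml):
    """Return the saml:Assertion from the WS-Security header, or None if absent."""
    return ET.fromstring(soap_xml).find("soap:Header/wsse:Security/saml:Assertion", NS)


def validate_assertion(assertion, trusted_issuers, my_audience, now):
    """Enforce issuer trust, validity window and audience; return the asserted identity."""
    if assertion is None:
        raise AssertionRejected("no SAML assertion in WS-Security header")
    if assertion.get("Version") != "2.0":
        raise AssertionRejected("unsupported SAML version")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("assertion carries no Conditions")
    # Reject tokens used before they are valid or after they expire (replay/stale tokens).
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion outside its validity window")
    # Reject tokens minted for some other service (token relay to the wrong audience).
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        raise AssertionRejected("assertion not addressed to this service")
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        raise AssertionRejected("assertion has no subject")
    authn = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                               default="", namespaces=NS).strip()
    return {"issuer": issuer, "subject": subject, "authn_context": authn}


def check_request(soap_xml, trusted_issuers, my_audience, now_iso):
    """Decide on a request: ('accept', identity) or ('reject', reason)."""
    try:
        ident = validate_assertion(extract_assertion(soap_xml), trusted_issuers, my_audience, _ts(now_iso))
        return ("accept", ident)
    except AssertionRejected as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST, TRUSTED_IDPS, MY_AUDIENCE, "2007-03-29T18:45:00Z"))
    print(check_request(SAMPLE_REQUEST, TRUSTED_IDPS, MY_AUDIENCE, "2007-03-29T20:00:00Z"))
    print(check_request(NO_ASSERTION_REQUEST, TRUSTED_IDPS, MY_AUDIENCE, "2007-03-29T18:45:00Z"))
```

The returned `authn_context` is what lets the X-Service Provider apply policy based on how the user was authenticated (the profile notes SAML can carry the authentication method), and the rejection reasons are what should land in the provider's audit log. With no assertion present the request is rejected rather than served anonymously; whatever emergency-access rule the deployment adopts for that case is a local policy decision, not something the assertion check should quietly grant.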
===== Expected Actions =====


=Volume 2=
[[Category:{{{5|Templates}}}]]
[[Category:Draft Profile Supplement]]

Revision as of 18:37, 29 March 2007
